Perform this procedure on all ESXi hosts in the management domain. It uses PowerCLI commands to configure the host firewall, password policy, inactivity timeouts, and the number of failed login attempts; join the ESXi hosts to an Active Directory domain and replace the default ESX Admins group; stop the ESXi Shell service; configure login banners for the Direct Console User Interface (DCUI) and SSH connections; show shell warnings; enable the Bridge Protocol Data Unit (BPDU) filter; configure a persistent log location, remote logging, and VLAN settings; enable bidirectional CHAP authentication; and set the remaining advanced settings.

Connect to the management domain vCenter Server and run the commands against all ESXi hosts in that domain. When a command prompts you to confirm the object it applies to, enter [A] Yes to All to run the task on every host in the domain.

Procedure

  1. Log in to the management domain vCenter Server by using a PowerCLI console.

    Setting       Value
    Command       Connect-VIServer -Server management-domain-vcenter-server-fqdn -Protocol https
    User name     administrator@vsphere.local

  2. NIST80053-VI-ESXI-CFG-00028 Configure the ESXi hosts firewall to only allow traffic from the ESXi management network.

    $esxiHosts = Get-VMHost
    foreach($esxiHost in $esxiHosts){
    #The -V2 interface is required for CreateArgs() and Invoke().
    $esxcli = Get-EsxCli -VMHost $esxiHost.Name -V2
    #This disables the allow-all rule for the target service.
    $arguments = $esxcli.network.firewall.ruleset.set.CreateArgs()
    $arguments.rulesetid = "sshServer"
    $arguments.allowedall = $false
    $esxcli.network.firewall.ruleset.set.Invoke($arguments)

    #Next add the allowed IPs for the service. Replace "Site-specific networks" with the
    #management network in CIDR notation, and repeat both calls for every other enabled ruleset.
    $arguments = $esxcli.network.firewall.ruleset.allowedip.add.CreateArgs()
    $arguments.rulesetid = "sshServer"
    $arguments.ipaddress = "Site-specific networks"
    $esxcli.network.firewall.ruleset.allowedip.add.Invoke($arguments)
    }

  3. NIST80053-VI-ESXI-CFG-00030 Show warnings in the vSphere Client if local or remote shell sessions are enabled on the ESXi hosts.

    Get-VMHost | Get-AdvancedSetting -Name UserVars.SuppressShellWarning | Set-AdvancedSetting -Value 0

  4. NIST80053-VI-ESXI-CFG-00034 Set the maximum number of failed login attempts before an account is locked to 3.

    Get-VMHost | Get-AdvancedSetting -Name Security.AccountLockFailures | Set-AdvancedSetting -Value 3

  5. NIST80053-VI-ESXI-CFG-00038 Configure the inactivity timeout to automatically terminate idle shell sessions to 600 seconds.

    Get-VMHost | Get-AdvancedSetting -Name UserVars.ESXiShellInteractiveTimeOut | Set-AdvancedSetting -Value 600

  6. NIST80053-VI-ESXI-CFG-00043 Run the command to enable the Bridge Protocol Data Unit (BPDU) filter.

    Get-VMHost | Get-AdvancedSetting -Name Net.BlockGuestBPDU | Set-AdvancedSetting -Value 1

  7. NIST80053-VI-ESXI-CFG-00109 Configure the password history setting to restrict the reuse of the last five passwords.

    Get-VMHost | Get-AdvancedSetting -Name Security.PasswordHistory | Set-AdvancedSetting -Value 5

  8. NIST800-53-VI-ESXI-CFG-00112 Stop the ESXi shell service and set the startup policy.

    Get-VMHost | Get-VMHostService | Where {$_.Label -eq "ESXi Shell"} | Set-VMHostService -Policy Off
    Get-VMHost | Get-VMHostService | Where {$_.Label -eq "ESXi Shell"} | Stop-VMHostService

  9. NIST80053-VI-ESXi-CFG-00114 Join ESXi hosts to an Active Directory (AD) domain to eliminate the need to create and maintain multiple local user accounts.

    Get-VMHost | Get-VMHostAuthentication | Set-VMHostAuthentication -JoinDomain -Domain "domain name" -User "username" -Password "password"

  10. NIST80053-VI-ESXI-CFG-00122 Configure the login banner for the DCUI of the ESXi host.

    Get-VMHost | Get-AdvancedSetting -Name Annotations.WelcomeMessage | Set-AdvancedSetting -Value "This system is for the use of authorized users only. Individuals using this computer system without authority or in excess of their authority are subject to having all their activities on this system monitored and recorded by system personnel. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity, system personnel may provide the evidence of such monitoring to law enforcement officials."

  11. NIST80053-VI-ESXI-CFG-00123 Configure the login banner for the SSH connections.

    Get-VMHost | Get-AdvancedSetting -Name Config.Etc.issue | Set-AdvancedSetting -Value "This system is for the use of authorized users only. Individuals using this computer system without authority or in excess of their authority are subject to having all their activities on this system monitored and recorded by system personnel. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity, system personnel may provide the evidence of such monitoring to law enforcement officials."

  12. NIST800-53-VI-ESXI-CFG-00136 Configure a persistent log location for all locally stored logs.

    Get-VMHost | Get-AdvancedSetting -Name Syslog.global.logDir | Set-AdvancedSetting -Value "New Log Location"

    Note:

    Specify the log location as [datastorename] path_to_file, where the path is relative to the root of the volume backing the datastore. For example, the path [storage1] /systemlogs maps to the path /vmfs/volumes/storage1/systemlogs.

  13. NIST80053-VI-ESXi-CFG-00137 For a host added to Active Directory, use an Active Directory group instead of the default ESX Admins group for the esxAdminsGroup property on the ESXi hosts.

    Get-VMHost | Get-AdvancedSetting -Name Config.HostAgent.plugins.hostsvc.esxAdminsGroup | Set-AdvancedSetting -Value "AD_Group"

  14. NIST80053-VI-ESXi-CFG-00164, NIST800-53-Storage-SDS-CFG-00566 Configure a remote log server for the ESXi hosts. The value can carry a protocol and port (udp://, tcp://, or ssl://hostname:port); use ssl:// where the log server supports it so the log stream is encrypted in transit.

    Get-VMHost | Get-AdvancedSetting -Name Syslog.global.logHost | Set-AdvancedSetting -Value "<syslog server hostname>"

  15. NIST80053-VI-ESXi-CFG-00168 Set a timeout to automatically terminate idle DCUI sessions after 600 seconds.

    Get-VMHost | Get-AdvancedSetting -Name UserVars.DcuiTimeOut | Set-AdvancedSetting -Value 600

  16. NIST80053-VI-ESXi-CFG-01102 Enable bidirectional CHAP authentication for iSCSI traffic.

    Get-VMHost | Get-VMHostHba | Where {$_.Type -eq "iscsi"} | Set-VMHostHba -ChapType Required -ChapName chap_name -ChapPassword password -MutualChapEnabled $true -MutualChapName mutual_chap_name -MutualChapPassword mutual_password

  17. NIST80053-VI-ESXi-CFG-01109 Configure the ESXi hosts to only run executable files from approved VIBs.

    Get-VMHost | Get-AdvancedSetting -Name VMkernel.Boot.execInstalledOnly | Set-AdvancedSetting -Value "true"
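
After running steps 2 to 17, a practitioner wants a repeatable check that every host actually carries the configured values and a way to see drift after a host is rebuilt or patched. The following PowerShell script is an added example and is not part of the original procedure or of VMware's compliance kit. It assumes an active Connect-VIServer session; the log directory, syslog host and AD group values are placeholders to replace with site values; and the property names it reads (AllowedIPAddresses on the esxcli allowedip list result, AuthenticationProperties on the iSCSI HBA, DomainMembershipStatus on the host authentication object) are the PowerCLI names as the author recalls them and should be confirmed against your PowerCLI version.

```powershell
# Added example, not from the original procedure: audit the hardening settings applied
# in steps 2 to 17 on every host of the connected vCenter Server and report drift.
# With -Remediate, advanced settings and the ESXi Shell service are corrected in place;
# firewall, AD and CHAP are report-only because they need site-specific input.
# Assumes an active Connect-VIServer session. Placeholder values are marked below.

$ExpectedSettings = [ordered]@{
    'UserVars.SuppressShellWarning'                   = 0
    'Security.AccountLockFailures'                    = 3
    'UserVars.ESXiShellInteractiveTimeOut'            = 600
    'Net.BlockGuestBPDU'                              = 1
    'Security.PasswordHistory'                        = 5
    'UserVars.DcuiTimeOut'                            = 600
    'VMkernel.Boot.execInstalledOnly'                 = $true
    'Syslog.global.logDir'                            = '[storage1] /systemlogs'        # placeholder
    'Syslog.global.logHost'                           = 'ssl://syslog.example.com:1514' # placeholder
    'Config.HostAgent.plugins.hostsvc.esxAdminsGroup' = 'AD_Group'                      # placeholder
}
# Banners only need to be present; their wording is site policy.
$BannerSettings = 'Annotations.WelcomeMessage', 'Config.Etc.issue'

function Test-EsxiHardening {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] $VMHost,   # one or more objects returned by Get-VMHost
        [switch] $Remediate               # fix advanced settings and the shell service only
    )
    function Result($h, $check, $expected, $actual, $ok) {
        [pscustomobject]@{ Host = $h.Name; Check = $check; Expected = $expected
                           Actual = $actual; Compliant = [bool]$ok }
    }
    foreach ($h in @($VMHost)) {
        foreach ($name in $ExpectedSettings.Keys) {
            $setting  = Get-AdvancedSetting -Entity $h -Name $name
            $expected = $ExpectedSettings[$name]
            # Compare as strings so 0/"0" and $true/"true" agree; -eq is case-insensitive
            $ok = ($null -ne $setting) -and ([string]$setting.Value -eq [string]$expected)
            if (-not $ok -and $Remediate -and $setting) {
                $setting | Set-AdvancedSetting -Value $expected -Confirm:$false | Out-Null
                $ok = $true
            }
            Result $h $name $expected $setting.Value $ok
        }
        foreach ($name in $BannerSettings) {
            $setting = Get-AdvancedSetting -Entity $h -Name $name
            Result $h $name '<non-empty banner>' $setting.Value (-not [string]::IsNullOrWhiteSpace($setting.Value))
        }
        # ESXi Shell (service key TSM) must be stopped with startup policy off
        $shell = Get-VMHostService -VMHost $h | Where-Object { $_.Key -eq 'TSM' }
        $ok = (-not $shell.Running) -and ($shell.Policy -eq 'off')
        if (-not $ok -and $Remediate) {
            if ($shell.Running) { $shell | Stop-VMHostService -Confirm:$false | Out-Null }
            $shell | Set-VMHostService -Policy Off -Confirm:$false | Out-Null
            $ok = $true
        }
        Result $h 'ESXi Shell service' 'stopped, policy off' "running=$($shell.Running), policy=$($shell.Policy)" $ok
        # Active Directory membership (report only; the join needs credentials).
        # Assumption: DomainMembershipStatus reads 'Ok' for a healthy join.
        $auth = Get-VMHostAuthentication -VMHost $h
        Result $h 'AD domain join' 'Ok' $auth.DomainMembershipStatus ($auth.DomainMembershipStatus -eq 'Ok')
        # SSH ruleset must not allow all sources (report only; allowed networks are site-specific).
        # Assumption: the allowedip list result exposes AllowedIPAddresses, 'All' when unrestricted.
        $esxcli  = Get-EsxCli -VMHost $h -V2
        $allowed = @(($esxcli.network.firewall.ruleset.allowedip.list.Invoke(@{ rulesetid = 'sshServer' })).AllowedIPAddresses)
        Result $h 'sshServer allowed IPs' 'not All' ($allowed -join ',') ($allowed -notcontains 'All')
        # iSCSI adapters must require CHAP in both directions (report only; secrets are site-specific).
        # Assumption: ChapType and MutualChapEnabled live under AuthenticationProperties.
        foreach ($hba in @(Get-VMHostHba -VMHost $h -Type IScsi)) {
            $a  = $hba.AuthenticationProperties
            $ok = ($a.ChapType -eq 'Required') -and $a.MutualChapEnabled
            Result $h "CHAP on $($hba.Device)" 'Required + mutual' "type=$($a.ChapType), mutual=$($a.MutualChapEnabled)" $ok
        }
    }
}

# Usage: report drift first, then remediate what can be fixed without site-specific input
Test-EsxiHardening -VMHost (Get-VMHost) | Where-Object { -not $_.Compliant } | Format-Table -AutoSize
# Test-EsxiHardening -VMHost (Get-VMHost) -Remediate | Where-Object { -not $_.Compliant } | Format-Table -AutoSize
```

Run the report-only form before and after the procedure and keep the output with the change record; a host that later shows the ESXi Shell running or the sshServer ruleset back at All is the usual sign that someone enabled a service by hand during troubleshooting and never reverted it.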