Securing Management Virtual Machines

You connect to the management domain vCenter Server and use a script to perform multiple configurations on the management virtual machines that belong to the management domain. vSphere Cluster Services (vCLS) nodes are not in scope of this procedure as they are service VMs.

After you run the script, you must shut down the guest OS and power on (cold boot) the VMs for the advanced settings to take effect. Do not reboot the VMs. Cold boot must be performed one VM at a time so that service are not interrupted. Cold boot of vCenter Server and SDDC Manager requires a maintenance window.

Perform cold boot in the following order:

NSX-T Edge nodes
NSX Manager nodes
vCenter Server
SDDC Manager


Configuration ID	Description
`VMW-VC-00070`	Deactivate copy operations.
`VMW-VC-00071`	Deactivate drag and drop operations.
`VMW-VC-00073`	Deactivate paste operations.
`VMW-VC-00076`	Deactivate Host Guest File System (HGFS) file transfers.
`VMW-VC-00099`	Limit informational messages from the VM to the VMX file.
`VMW-VC-00101`	Prevent unauthorized removal, connection and modification through the `isolation.device.connectable.disable` parameter.
`VMW-VC-00102`	Restrict sending host information to guests.
`VMW-VC-00561`	Audit all uses of PCI or PCIe pass-through functionalities.
`VMW-VC-01232`	Lock the virtual machine guest operating system when the last console connection is closed.
`VMW-VC-01233`	Deactivate 3D features on the virtual machine when not required.
`VMW-VC-01242`	Configure Log size on the virtual machine.

Procedure


Setting	Value
Command	Connect-VIServer -Server `management-domain-vcenter-server-fqdn` -Protocol https
User name	[email protected]

Configure advanced settings on all management virtual machines by running the script.

You must enter the names of the VMs that you reconfigure in the first line of the script. For example, $VMs = ("edge-node1", "nsx-manager1", "vcenter-server", "sddc-manager").

$VMs = (list-of-comma-seperated-management-domain-VM-names)
$AdvancedSettingsTrue = ("isolation.tools.copy.disable","isolation.tools.dnd.disable","isolation.tools.paste.disable","isolation.tools.hgfsServerSet.disable","isolation.device.connectable.disable","tools.guest.desktop.autolock")
$AdvancedSettingsFalse = ("tools.guestlib.enableHostInfo","pciPassthru*.present","mks.enable3d")
Foreach ($vm in $VMs){
	Foreach ($advancedSetting in $AdvancedSettingsTrue) { 		
		$setting = Get-VM $vm | Get-AdvancedSetting -Name $advancedSetting | Select-Object -Property Name, Value
 		if(!$setting.Name){
			Get-VM $vm | New-AdvancedSetting -Name $advancedSetting -Value true -Confirm:$false
		} 		
		elseif($setting.Value -ne $true){ 			
			Get-VM $vm | Get-AdvancedSetting -Name $advancedSetting | Set-AdvancedSetting -Value true -Confirm:$false 		
		}	 	
	} 	
	Foreach ($advancedSetting in $AdvancedSettingsFalse) { 		
		$setting = Get-VM $vm | Get-AdvancedSetting -Name $advancedSetting | Select-Object -Property Name, Value
 		if(!$setting.Name){
			Get-VM $vm | New-AdvancedSetting -Name $advancedSetting -Value false -Confirm:$false
		} 		
		elseif($setting.Value -ne $false){ 			
			Get-VM $vm | Get-AdvancedSetting -Name $advancedSetting | Set-AdvancedSetting -Value false -Confirm:$false 		
		} 	
	} 	 	
	$advancedSetting = "tools.setinfo.sizeLimit" 	
	$setting = Get-VM $vm | Get-AdvancedSetting -Name $advancedSetting | Select-Object -Property Name, Value 	
	if(!$setting.Name){ 		
		Get-VM $vm | New-AdvancedSetting -Name $advancedSetting -Value 1048576 -Confirm:$false 	
	} 	
	elseif($setting.Value -ne 1048576){ 		
		Get-VM $vm | Get-AdvancedSetting -Name $advancedSetting | Set-AdvancedSetting -Value 1048576 -Confirm:$false 	
	}
        $advancedSetting = "log.rotateSize" 	
	$setting = Get-VM $vm | Get-AdvancedSetting -Name $advancedSetting | Select-Object -Property Name, Value 	
	if(!$setting.Name){ 		
		Get-VM $vm | New-AdvancedSetting -Name $advancedSetting -Value 2048000 -Confirm:$false 	
	} 	
	elseif($setting.Value -ne 2048000){ 		
		Get-VM $vm | Get-AdvancedSetting -Name $advancedSetting | Set-AdvancedSetting -Value 2048000 -Confirm:$false 	
	}	 
}