You perform the procedure on all ESXi hosts in all your workload domains to configure firewall settings, password policy, inactivity timeouts, failed login attempts, join ESXi hosts to Active Directory domain, and remove ESX Admin group membership. Also, stop the ESXi shell service, configure login banners for the Direct Console User Interface (DCUI) and SSH connections, deactivate warnings, activate the Bridge Protocol Data Unit (BPDU) filter, configure persistent log location, remote logging, and activate bidirectional CHAP authentication by using PowerCLI commands.
To perform the procedure on the ESXi hosts for a workload domain, you connect to the vCenter Server for the respective workload domain. To run a task on all hosts for the domain, when you run commands, on the prompts to specify the object of a command, enter [A] Yes to all.
Procedure
- Log in to the vCenter Server for the workload domain you want to reconfigure by using a PowerCLI console.
Setting
Value
Command
Connect-VIServer -Server management-domain-vcenter-server-fqdn -Protocol https
User name
VMW-ESXI-00022
Configure the password complexity policy for the ESXi host.The requirement is a length of minimum 15 characters from 4 character classes that include lowercase letters, uppercase letters, numbers, special characters. Password difference is also mandatory.
Get-VMHost | Get-AdvancedSetting -Name Security.PasswordQualityControl | Set-AdvancedSetting -Value "similar=deny retry=3 min=disabled,disabled,disabled,disabled,15"
VMW-ESXI-00028
Configure the ESXi hosts firewall to only allow traffic from the authorized management networks.$esxiHosts = Get-VMHost foreach($esxiHost in $esxiHosts){ $esxcli = Get-EsxCli -v2 -VMHost $esxiHost.Name #This disables the allow all rule for the SSH service. $arguments = $esxcli.network.firewall.ruleset.set.CreateArgs() $arguments.rulesetid = "sshServer" $arguments.allowedall = $false $esxcli.network.firewall.ruleset.set.Invoke($arguments) #Next add the allowed IPs for the SSH service. $arguments = $esxcli.network.firewall.ruleset.allowedip.add.CreateArgs() $arguments.rulesetid = "sshServer" $arguments.ipaddress = "Site-specific networks" $esxcli.network.firewall.ruleset.allowedip.add.Invoke($arguments)}
VMW-ESXI-00030
Show warnings in the vSphere Client if local or remote shell sessions are activated on the ESXi hosts.Get-VMHost | Get-AdvancedSetting -Name UserVars.SuppressShellWarning | Set-AdvancedSetting -Value 0
VMW-ESXI-00034
Set the maximum number of failed login attempts before an account is locked to 3.Get-VMHost | Get-AdvancedSetting -Name Security.AccountLockFailures | Set-AdvancedSetting -Value 3
VMW-ESXI-00038
Configure the inactivity timeout to automatically close idle shell sessions to 600 seconds.Get-VMHost | Get-AdvancedSetting -Name UserVars.ESXiShellInteractiveTimeOut | Set-AdvancedSetting -Value 600
VMW-ESXI-00043
Activate the Bridge Protocol Data Unit (BPDU) filter.Get-VMHost | Get-AdvancedSetting -Name Net.BlockGuestBPDU | Set-AdvancedSetting -Value 1
VMW-ESXI-00109
Configure the password history setting to restrict the reuse of the last five passwords.Get-VMHost | Get-AdvancedSetting -Name Security.PasswordHistory | Set-AdvancedSetting -Value 5
VMW-ESXI-00112
Stop the ESXi shell service and set the startup policy.Get-VMHost | Get-VMHostService | Where {$_.Label -eq "ESXi Shell"} | Set-VMHostService -Policy Off Get-VMHost | Get-VMHostService | Where {$_.Label -eq "ESXi Shell"} | Stop-VMHostService
VMW-ESXI-00114
To eliminate the need to create and maintain multiple local user accounts, join ESXi hosts to an Active Directory (AD) domain.Get-VMHost | Get-VMHostAuthentication | Set-VMHostAuthentication -JoinDomain -Domain "domain name" -User "username" -Password "password"
Note:If any local user accounts exist, apart from root and local service accounts, you can delete the local user accounts by going to the ESXi host UI Manage > Security & Users > Users.
VMW-ESXI-00122
Configure the login banner for the DCUI of the ESXi host.Get-VMHost | Get-AdvancedSetting -Name Annotations.WelcomeMessage | Set-AdvancedSetting -Value "Site-Specific banner text"
VMW-ESXI-00123
Configure the login banner for the SSH connections.Get-VMHost | Get-AdvancedSetting -Name Config.Etc.issue | Set-AdvancedSetting -Value "Site-Specific banner text"
VMW-ESXI-00136
Configure a persistent log location for all locally stored logs.Get-VMHost | Get-AdvancedSetting -Name Syslog.global.logDir | Set-AdvancedSetting -Value “New Log Location”
Note:Specify the log location as [datastorename] path_to_file, where the path is relative to the root of the volume, backing the datastore. For example, the path [storage1] /systemlogs maps to the path /vmfs/volumes/storage1/systemlogs.
VMW-ESXI-00137
For a host added to Active Directory, use an Active Directory group instead of the default ESX Admins group for the esxAdminsGroup property on the ESXi hosts.Get-VMHost | Get-AdvancedSetting -Name Config.HostAgent.plugins.hostsvc.esxAdminsGroup | Set-AdvancedSetting -Value AD_Group
VMW-ESXI-00164
Configure a remote log server for the ESXi hosts.Note:Use the following format when adding the remote log server. You can enter multiple, comma-separated values.
udp://<IP/FQDN>:514
tcp://<IP/FQDN>:514
ssl://<IP/FQDN>:1514
Get-VMHost | Get-AdvancedSetting -Name Syslog.global.logHost | Set-AdvancedSetting -Value "<syslog server hostname>"
VMW-ESXI-01102
Activate bidirectional CHAP authentication for iSCSI traffic.Get-VMHost | Get-VMHostHba | Where {$_.Type -eq "iscsi"} | Set-VMHostHba -ChapType Required -ChapName chap_name -ChapPassword password -MutualChapEnabled $true -MutualChapName mutual_chap_name -MutualChapPassword mutual_password
VMW-ESXI-01121
Activate strict x509 verification for SSL syslog endpoints.$esxiHosts = Get-VMHost foreach($esxiHost in $esxiHosts){ $esxcli = Get-EsxCli -v2 -VMHost $esxiHost.Name $arguments = $esxcli.system.syslog.config.set.CreateArgs() $arguments.x509strict = $true $esxcli.system.syslog.config.set.Invoke($arguments) $esxcli.system.syslog.reload.Invoke() }
VMW-ESXI-01122
Activate volatile key destruction on the host.Get-VMHost | Get-AdvancedSetting -Name Mem.MemEagerZero | Set-AdvancedSetting -Value "1"
VMW-ESXI-01123
Configure the host with an appropriate maximum password age.Get-VMHost | Get-AdvancedSetting -Name Security.PasswordMaxDays | Set-AdvancedSetting -Value "90"
VMW-ESXI-01124
Enable TPM-based configuration encryption.Ensure the TPM 2.0 chip is enabled in the BIOS and the ESX UI does not show any errors.
Configuration encryption uses the physical TPM at install or upgrade time. If the TPM is added or enabled later, you must reconfigure the ESXi host to use the newly available TPM. After you enable TPM configuration encryption is enabled, you cannot disable it.
$esxiHosts = Get-VMHost foreach($esxiHost in $esxiHosts){ $esxcli = Get-EsxCli -v2 -VMHost $esxiHost.Name $arguments = $esxcli.system.settings.encryption.set.CreateArgs() $arguments.mode="TPM" $esxcli.system.settings.encryption.set.Invoke($arguments) }
You must evacuate the host and gracefully reboot for changes to take effect.
VMW-ESXI-01125
The ESXi host must implement Secure Boot enforcement.$esxiHosts = Get-VMHost foreach($esxiHost in $esxiHosts){ $esxcli = Get-EsxCli -v2 -VMHost $esxiHost.Name $arguments = $esxcli.system.settings.encryption.set.CreateArgs() $arguments.requiresecureboot =$true $esxcli.system.settings.encryption.set.Invoke($arguments) }
VMW-ESXI-01126
Configure the startup policy for the CIM service on the host to "off".Get-VMHost | Get-VMHostService | Where {$_.Label -eq "CIM Server"} | Set-VMHostService -Policy Off
VMW-ESXI-01128
Deactivate the startup policy for the SNMP service on the host.Get-VMHost | Get-VMHostService | Where {$_.Label -eq "SNMP Server"} | Set-VMHostService -Policy Off