You perform this procedure on all ESXi hosts in all your workload domains, using PowerCLI commands, to configure the firewall, password policy, inactivity timeout, and failed login attempt limit; join the ESXi hosts to an Active Directory domain and replace the default ESX Admins group membership; stop the ESXi Shell service; configure login banners for the Direct Console User Interface (DCUI) and SSH connections; stop suppressing shell warnings; activate the Bridge Protocol Data Unit (BPDU) filter; configure a persistent log location and remote logging; and activate bidirectional CHAP authentication for iSCSI.

To perform the procedure on the ESXi hosts of a workload domain, you connect to the vCenter Server for that workload domain. To run a command on all hosts in the domain, when the command prompts you to confirm the object it applies to, enter [A] Yes to All.

Procedure

  1. Log in to the vCenter Server for the workload domain you want to reconfigure by using a PowerCLI console.

    Setting    Value
    Command    Connect-VIServer -Server management-domain-vcenter-server-fqdn -Protocol https
    User name  administrator@vsphere.local

  2. VMW-ESXI-00022 Configure the password complexity policy for the ESXi host.

    The requirement is a minimum length of 15 characters drawn from all 4 character classes: lowercase letters, uppercase letters, numbers, and special characters. A new password must also differ from the previous one (similar=deny).

    Get-VMHost | Get-AdvancedSetting -Name Security.PasswordQualityControl | Set-AdvancedSetting -Value "similar=deny retry=3 min=disabled,disabled,disabled,disabled,15"
  3. VMW-ESXI-00028 Configure the ESXi hosts firewall to only allow traffic from the authorized management networks.
    $esxiHosts = Get-VMHost
    foreach ($esxiHost in $esxiHosts) {
        $esxcli = Get-EsxCli -V2 -VMHost $esxiHost.Name

        # Disable the "allow all" rule for the SSH service.
        $arguments = $esxcli.network.firewall.ruleset.set.CreateArgs()
        $arguments.rulesetid = "sshServer"
        $arguments.allowedall = $false
        $esxcli.network.firewall.ruleset.set.Invoke($arguments)

        # Next, add the allowed management networks for the SSH service.
        $arguments = $esxcli.network.firewall.ruleset.allowedip.add.CreateArgs()
        $arguments.rulesetid = "sshServer"
        $arguments.ipaddress = "Site-specific networks"
        $esxcli.network.firewall.ruleset.allowedip.add.Invoke($arguments)
    }
  4. VMW-ESXI-00030 Show warnings in the vSphere Client if local or remote shell sessions are activated on the ESXi hosts.
    Get-VMHost | Get-AdvancedSetting -Name UserVars.SuppressShellWarning | Set-AdvancedSetting -Value 0
  5. VMW-ESXI-00034 Set the maximum number of failed login attempts before an account is locked to 3.
    Get-VMHost | Get-AdvancedSetting -Name Security.AccountLockFailures | Set-AdvancedSetting -Value 3
  6. VMW-ESXI-00038 Configure the inactivity timeout to automatically close idle shell sessions to 600 seconds.
    Get-VMHost | Get-AdvancedSetting -Name UserVars.ESXiShellInteractiveTimeOut | Set-AdvancedSetting -Value 600
  7. VMW-ESXI-00043 Activate the Bridge Protocol Data Unit (BPDU) filter.
    Get-VMHost | Get-AdvancedSetting -Name Net.BlockGuestBPDU | Set-AdvancedSetting -Value 1
  8. VMW-ESXI-00109 Configure the password history setting to restrict the reuse of the last five passwords.
    Get-VMHost | Get-AdvancedSetting -Name Security.PasswordHistory | Set-AdvancedSetting -Value 5
  9. VMW-ESXI-00112 Stop the ESXi shell service and set the startup policy.
    Get-VMHost | Get-VMHostService | Where {$_.Label -eq "ESXi Shell"} | Set-VMHostService -Policy Off
    Get-VMHost | Get-VMHostService | Where {$_.Label -eq "ESXi Shell"} | Stop-VMHostService
  10. VMW-ESXI-00114 To eliminate the need to create and maintain multiple local user accounts, join ESXi hosts to an Active Directory (AD) domain.
    Get-VMHost | Get-VMHostAuthentication | Set-VMHostAuthentication -JoinDomain -Domain "domain name" -User "username" -Password "password"
    Note:

    If any local user accounts exist, apart from root and local service accounts, you can delete the local user accounts by going to the ESXi host UI Manage > Security & Users > Users.

  11. VMW-ESXI-00122 Configure the login banner for the DCUI of the ESXi host.
    Get-VMHost | Get-AdvancedSetting -Name Annotations.WelcomeMessage | Set-AdvancedSetting -Value "Site-Specific banner text"
  12. VMW-ESXI-00123 Configure the login banner for the SSH connections.
    Get-VMHost | Get-AdvancedSetting -Name Config.Etc.issue | Set-AdvancedSetting -Value "Site-Specific banner text"
  13. VMW-ESXI-00136 Configure a persistent log location for all locally stored logs.
    Get-VMHost | Get-AdvancedSetting -Name Syslog.global.logDir | Set-AdvancedSetting -Value "New Log Location"
    Note:

    Specify the log location as [datastorename] path_to_file, where the path is relative to the root of the volume backing the datastore. For example, the path [storage1] /systemlogs maps to /vmfs/volumes/storage1/systemlogs.

  14. VMW-ESXI-00137 For a host added to Active Directory, use an Active Directory group instead of the default ESX Admins group for the esxAdminsGroup property on the ESXi hosts.
    Get-VMHost | Get-AdvancedSetting -Name Config.HostAgent.plugins.hostsvc.esxAdminsGroup | Set-AdvancedSetting -Value AD_Group
  15. VMW-ESXI-00164 Configure a remote log server for the ESXi hosts.
    Note:

    Use the following format when adding the remote log server. You can enter multiple, comma-separated values.

    udp://<IP/FQDN>:514

    tcp://<IP/FQDN>:514

    ssl://<IP/FQDN>:1514

    Get-VMHost | Get-AdvancedSetting -Name Syslog.global.logHost | Set-AdvancedSetting -Value "<syslog server hostname>"
  16. VMW-ESXI-01102 Activate bidirectional CHAP authentication for iSCSI traffic.
    Get-VMHost | Get-VMHostHba | Where {$_.Type -eq "iscsi"} | Set-VMHostHba -ChapType Required -ChapName chap_name -ChapPassword password -MutualChapEnabled $true -MutualChapName mutual_chap_name -MutualChapPassword mutual_password
  17. VMW-ESXI-01121 Activate strict x509 verification for SSL syslog endpoints.
    $esxiHosts = Get-VMHost
    foreach ($esxiHost in $esxiHosts) {
        $esxcli = Get-EsxCli -V2 -VMHost $esxiHost.Name
        # Require certificate chain validation for ssl:// syslog targets, then reload syslog.
        $arguments = $esxcli.system.syslog.config.set.CreateArgs()
        $arguments.x509strict = $true
        $esxcli.system.syslog.config.set.Invoke($arguments)
        $esxcli.system.syslog.reload.Invoke()
    }
  18. VMW-ESXI-01122 Activate volatile key destruction on the host.
    Get-VMHost | Get-AdvancedSetting -Name Mem.MemEagerZero | Set-AdvancedSetting -Value "1"
  19. VMW-ESXI-01123 Configure the host with an appropriate maximum password age.
    Get-VMHost | Get-AdvancedSetting -Name Security.PasswordMaxDays | Set-AdvancedSetting -Value "90"
  20. VMW-ESXI-01124 Enable TPM-based configuration encryption.
    • Ensure the TPM 2.0 chip is enabled in the BIOS and the ESX UI does not show any errors.

    • Configuration encryption uses the physical TPM at install or upgrade time. If the TPM is added or enabled later, you must reconfigure the ESXi host to use the newly available TPM. After you enable TPM configuration encryption, you cannot disable it.

    $esxiHosts = Get-VMHost
    foreach ($esxiHost in $esxiHosts) {
        $esxcli = Get-EsxCli -V2 -VMHost $esxiHost.Name
        $arguments = $esxcli.system.settings.encryption.set.CreateArgs()
        $arguments.mode = "TPM"
        $esxcli.system.settings.encryption.set.Invoke($arguments)
    }

    You must evacuate the host and gracefully reboot for changes to take effect.

  21. VMW-ESXI-01125 The ESXi host must implement Secure Boot enforcement.
    $esxiHosts = Get-VMHost
    foreach ($esxiHost in $esxiHosts) {
        $esxcli = Get-EsxCli -V2 -VMHost $esxiHost.Name
        $arguments = $esxcli.system.settings.encryption.set.CreateArgs()
        $arguments.requiresecureboot = $true
        $esxcli.system.settings.encryption.set.Invoke($arguments)
    }
  22. VMW-ESXI-01126 Configure the startup policy for the CIM service on the host to "off".
    Get-VMHost | Get-VMHostService | Where {$_.Label -eq "CIM Server"} | Set-VMHostService -Policy Off
  23. VMW-ESXI-01128 Deactivate the startup policy for the SNMP service on the host.
    Get-VMHost | Get-VMHostService | Where {$_.Label -eq "SNMP Server"} | Set-VMHostService -Policy Off
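After applying the steps above, a practitioner normally reads the settings back to confirm that every host in the domain actually took them. The following audit script is an added example and is not part of the VMware procedure; it assumes that Connect-VIServer has already been run against the workload domain vCenter Server, and the site-specific expected values (syslog target, AD group name) are placeholders you replace with your own. It covers the advanced settings and service policies set above; esxcli-level settings (firewall allowed IPs, syslog x509strict, TPM encryption, Secure Boot) are not checked here.

```powershell
# Added compliance check (not part of the VMware procedure): compare the advanced
# settings and service startup policies configured above with their expected
# values on every ESXi host and list only the hosts and settings that drift.
# Assumes an existing Connect-VIServer session to the workload domain vCenter.
$expectedSettings = @{
    'Security.PasswordQualityControl'     = 'similar=deny retry=3 min=disabled,disabled,disabled,disabled,15'
    'UserVars.SuppressShellWarning'       = '0'
    'Security.AccountLockFailures'        = '3'
    'UserVars.ESXiShellInteractiveTimeOut' = '600'
    'Net.BlockGuestBPDU'                  = '1'
    'Security.PasswordHistory'            = '5'
    'Security.PasswordMaxDays'            = '90'
    'Mem.MemEagerZero'                    = '1'
    'Syslog.global.logHost'               = 'ssl://<syslog server hostname>:1514'   # placeholder
    'Config.HostAgent.plugins.hostsvc.esxAdminsGroup' = 'AD_Group'                 # placeholder
}
# Services whose startup policy must be "off"; ESXi Shell must also not be running.
$servicesOff = @('ESXi Shell', 'CIM Server', 'SNMP Server')

$report = foreach ($esxiHost in Get-VMHost) {
    # One call per host fetches all the settings we care about.
    $settings = Get-AdvancedSetting -Entity $esxiHost -Name ([string[]]$expectedSettings.Keys)
    foreach ($name in $expectedSettings.Keys) {
        $actual = ($settings | Where-Object { $_.Name -eq $name }).Value
        [pscustomobject]@{
            Host      = $esxiHost.Name
            Check     = $name
            Expected  = $expectedSettings[$name]
            Actual    = "$actual"
            Compliant = ("$actual" -eq $expectedSettings[$name])
        }
    }
    $services = Get-VMHostService -VMHost $esxiHost | Where-Object { $servicesOff -contains $_.Label }
    foreach ($svc in $services) {
        $mustBeStopped = ($svc.Label -eq 'ESXi Shell')
        [pscustomobject]@{
            Host      = $esxiHost.Name
            Check     = "Service '$($svc.Label)' policy/running"
            Expected  = 'off' + $(if ($mustBeStopped) { '/False' } else { '' })
            Actual    = "$($svc.Policy)/$($svc.Running)"
            Compliant = ($svc.Policy -eq 'off' -and -not ($mustBeStopped -and $svc.Running))
        }
    }
}
# Print only the deviations; an empty table means every host matches the policy.
$report | Where-Object { -not $_.Compliant } | Format-Table -AutoSize
```

Run it before and after a host is added to the workload domain; a newly commissioned host that was not in the inventory when the procedure ran shows up immediately as a set of non-compliant rows.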