You connect to the management domain vCenter Server and use a script to apply multiple configurations to the management virtual machines that belong to the management domain. vSphere Cluster Services (vCLS) nodes are out of scope for this procedure because they are service VMs.

To harden the management VMs, you must power off the VMs one by one and run the script. To harden the vCenter Server VM, follow these steps:

  1. Disable lockdown mode on the ESXi host that hosts the vCenter Server VM.
  2. Power off the vCenter Server VM.
  3. Connect to the ESXi host by using the Connect-VIServer -Server <FQDN of the ESXi host that hosts the vCenter Server VM> cmdlet and run the script below.
  4. Log in to the ESXi Host Client of the host that hosts the vCenter Server VM.
  5. Power on the vCenter Server VM.
  6. Enable lockdown mode on the ESXi host.

If ESXi is version 7.0 U3i or above, you can run the script without powering off the management VMs. You must shut down the guest OS and power on (cold boot) the VMs for the advanced settings to take effect. Do not reboot the VMs. To prevent service interruption, cold boot must be performed one virtual machine at a time. Cold boot of vCenter Server and SDDC Manager requires a maintenance window.

Perform cold boot in the following order:

  1. NSX Edge nodes
  2. NSX Manager nodes
  3. vCenter Server
  4. SDDC Manager

| Configuration ID | Description |
| --- | --- |
| VMW-VC-00070 | Deactivate copy operations. |
| VMW-VC-00071 | Deactivate drag and drop operations. |
| VMW-VC-00073 | Deactivate paste operations. |
| VMW-VC-00074 | Deactivate virtual disk shrinking. |
| VMW-VC-00075 | Deactivate virtual disk erasure. |
| VMW-VC-00096 | Limit console connection sharing. |
| VMW-VC-00099 | Limit informational messages from the VM to the VMX file. |
| VMW-VC-00101 | Prevent unauthorized removal, connection and modification of devices through the isolation.device.connectable.disable parameter. |
| VMW-VC-00102 | Restrict sending host information to guests. |
| VMW-VC-00561 | Audit all uses of PCI or PCIe pass-through functionalities. |
| VMW-VC-01232 | Lock the virtual machine guest operating system when the last console connection is closed. |
| VMW-VC-01233 | Deactivate 3D features on the virtual machine when not required. |
| VMW-VC-01242 | Configure the log size on the virtual machine. |

Procedure

  1. Log in to the management domain vCenter Server by using a PowerCLI console.

    | Setting | Value |
    | --- | --- |
    | Command | Connect-VIServer -Server management-domain-vcenter-server-fqdn -Protocol https |
    | User name | [email protected] |

  2. Configure advanced settings on all management virtual machines by running the script.

    You must enter the name of the VM that you are reconfiguring in the first line of the script, for example $VMs = ("sddc-manager"). If ESXi is version 7.0 U3i or later, you can enter a comma-separated list of VMs.

    # Name of the management VM to harden. On ESXi 7.0 U3i or later, $VMs can be a comma-separated list, for example ("sddc-manager","nsx-mgmt-01").
    $VMs = ("management-domain-VM-name")
    # Advanced settings that must be set to true
    $AdvancedSettingsTrue = ("isolation.tools.copy.disable","isolation.tools.dnd.disable","isolation.tools.paste.disable","isolation.device.connectable.disable","tools.guest.desktop.autolock","isolation.tools.diskShrink.disable")
    # Advanced settings that must be set to false
    $AdvancedSettingsFalse = ("tools.guestlib.enableHostInfo","mks.enable3d")
    Foreach ($vm in $VMs) {
        Foreach ($advancedSetting in $AdvancedSettingsTrue) {
            $setting = Get-VM $vm | Get-AdvancedSetting -Name $advancedSetting | Select-Object -Property Name, Value
            if (!$setting.Name) {
                # The setting does not exist yet, so create it.
                Get-VM $vm | New-AdvancedSetting -Name $advancedSetting -Value true -Confirm:$false
            }
            elseif ($setting.Value -ne $true) {
                # The setting exists with a different value, so update it.
                Get-VM $vm | Get-AdvancedSetting -Name $advancedSetting | Set-AdvancedSetting -Value true -Confirm:$false
            }
        }
        Foreach ($advancedSetting in $AdvancedSettingsFalse) {
            $setting = Get-VM $vm | Get-AdvancedSetting -Name $advancedSetting | Select-Object -Property Name, Value
            if (!$setting.Name) {
                Get-VM $vm | New-AdvancedSetting -Name $advancedSetting -Value false -Confirm:$false
            }
            elseif ($setting.Value -ne $false) {
                Get-VM $vm | Get-AdvancedSetting -Name $advancedSetting | Set-AdvancedSetting -Value false -Confirm:$false
            }
        }
        # VMW-VC-00099: limit informational messages from the VM to the VMX file to 1 MB.
        $advancedSetting = "tools.setinfo.sizeLimit"
        $setting = Get-VM $vm | Get-AdvancedSetting -Name $advancedSetting | Select-Object -Property Name, Value
        if (!$setting.Name) {
            Get-VM $vm | New-AdvancedSetting -Name $advancedSetting -Value 1048576 -Confirm:$false
        }
        elseif ($setting.Value -ne 1048576) {
            Get-VM $vm | Get-AdvancedSetting -Name $advancedSetting | Set-AdvancedSetting -Value 1048576 -Confirm:$false
        }
        # VMW-VC-01242: configure the log rotation size.
        $advancedSetting = "log.rotateSize"
        $setting = Get-VM $vm | Get-AdvancedSetting -Name $advancedSetting | Select-Object -Property Name, Value
        if (!$setting.Name) {
            Get-VM $vm | New-AdvancedSetting -Name $advancedSetting -Value 2048000 -Confirm:$false
        }
        elseif ($setting.Value -ne 2048000) {
            Get-VM $vm | Get-AdvancedSetting -Name $advancedSetting | Set-AdvancedSetting -Value 2048000 -Confirm:$false
        }
        # VMW-VC-00096: allow only one console connection at a time.
        $advancedSetting = "RemoteDisplay.maxConnections"
        $setting = Get-VM $vm | Get-AdvancedSetting -Name $advancedSetting | Select-Object -Property Name, Value
        if (!$setting.Name) {
            Get-VM $vm | New-AdvancedSetting -Name $advancedSetting -Value 1 -Confirm:$false
        }
        elseif ($setting.Value -ne 1) {
            Get-VM $vm | Get-AdvancedSetting -Name $advancedSetting | Set-AdvancedSetting -Value 1 -Confirm:$false
        }
        # VMW-VC-00561: deactivate any PCI or PCIe pass-through device that is still marked present.
        # The wildcard matches every pciPassthruN.present entry on the VM; only existing entries are changed.
        $advancedSetting = "pciPassthru*.present"
        $setting = Get-VM $vm | Get-AdvancedSetting -Name $advancedSetting | Select-Object -Property Name, Value
        if ($setting.Name -and $setting.Value -ne $false) {
            Get-VM $vm | Get-AdvancedSetting -Name $advancedSetting | Set-AdvancedSetting -Value false -Confirm:$false
        }
    }
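The following read-only check is an added example, not part of the original procedure: after the cold boot it compares the advanced settings that the hardening script sets against their expected values, labels each row with the configuration ID it implements, and reports drift. It assumes an existing Connect-VIServer session and standard PowerCLI cmdlets (Get-VM, Get-AdvancedSetting); the VM name is a constructed sample. VMW-VC-00075 has no setting in the script above, so it is not checked here.

```powershell
# Added verification example, not from the original procedure.
# Assumes Connect-VIServer has already been run against the management domain vCenter Server.
$VMs = ("sddc-manager")   # constructed sample; replace with the management VM names

# Expected values for the settings the hardening script manages, keyed by configuration ID
$Expected = @(
    @{ Id = "VMW-VC-00070"; Name = "isolation.tools.copy.disable";         Value = "true" },
    @{ Id = "VMW-VC-00071"; Name = "isolation.tools.dnd.disable";          Value = "true" },
    @{ Id = "VMW-VC-00073"; Name = "isolation.tools.paste.disable";        Value = "true" },
    @{ Id = "VMW-VC-00074"; Name = "isolation.tools.diskShrink.disable";   Value = "true" },
    @{ Id = "VMW-VC-00096"; Name = "RemoteDisplay.maxConnections";         Value = "1" },
    @{ Id = "VMW-VC-00099"; Name = "tools.setinfo.sizeLimit";              Value = "1048576" },
    @{ Id = "VMW-VC-00101"; Name = "isolation.device.connectable.disable"; Value = "true" },
    @{ Id = "VMW-VC-00102"; Name = "tools.guestlib.enableHostInfo";        Value = "false" },
    @{ Id = "VMW-VC-01232"; Name = "tools.guest.desktop.autolock";         Value = "true" },
    @{ Id = "VMW-VC-01233"; Name = "mks.enable3d";                         Value = "false" },
    @{ Id = "VMW-VC-01242"; Name = "log.rotateSize";                       Value = "2048000" }
)

$Report = foreach ($vmName in $VMs) {
    $vm = Get-VM -Name $vmName
    # Read all advanced settings once per VM instead of one round trip per key
    $current = @{}
    foreach ($s in ($vm | Get-AdvancedSetting)) { $current[$s.Name] = [string]$s.Value }

    foreach ($e in $Expected) {
        $actual = $current[$e.Name]
        [pscustomobject]@{
            VM        = $vm.Name
            ConfigId  = $e.Id
            Setting   = $e.Name
            Expected  = $e.Value
            Actual    = if ($null -eq $actual) { "<not set>" } else { $actual }
            # Case-insensitive compare: the VMX stores booleans as TRUE/FALSE
            Compliant = ($null -ne $actual) -and ($actual -ieq $e.Value)
        }
    }
    # VMW-VC-00561: every pciPassthruN.present entry that is still TRUE is flagged for review
    foreach ($key in ($current.Keys | Where-Object { $_ -like "pciPassthru*.present" })) {
        [pscustomobject]@{
            VM = $vm.Name; ConfigId = "VMW-VC-00561"; Setting = $key
            Expected = "false"; Actual = $current[$key]
            Compliant = ($current[$key] -ieq "false")
        }
    }
}

$Report | Sort-Object VM, ConfigId | Format-Table -AutoSize
# Non-zero exit code when any setting drifted, so the check can gate the maintenance window sign-off
if ($Report | Where-Object { -not $_.Compliant }) { exit 1 }
```

Run it against each VM in the cold boot order above; a setting reported as "<not set>" means the hardening script was not applied to that VM, while a wrong value usually means the VM was rebooted instead of cold booted.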