Disable unexposed features, drag and drop operations, copy and paste operations, shared salt values, console access, unused display features, sending host information to virtual machines, limit sharing of console connections, limit the VMX configuration file size, and audit all uses of PCI or PCIe passthrough functionalities by using PowerCLI commands.

You perform the procedure on all management virtual machines in Region B to comply with multiple configurations. You must also perform the procedure for management virtual machines that you add to the SDDC in the future.

Table 1. Configurations to Perform

Configuration ID             Description
NIST80053-VI-VC-CFG-00070    Disable copy operations.
NIST80053-VI-VC-CFG-00071    Disable drag and drop operations.
NIST80053-VI-VC-CFG-00072    Disable all GUI functionalities for copy and paste operations.
NIST80053-VI-VC-CFG-00073    Disable paste operations.
NIST80053-VI-VC-CFG-00074    Disable virtual disk shrinking.
NIST80053-VI-VC-CFG-00075    Disable virtual disk erasure.
NIST80053-VI-VC-CFG-00076    Disable Host Guest File System (HGFS) file transfers.
NIST80053-VI-VC-CFG-00077    Disable the isolation.tools.ghi.autologon.disable feature.
NIST80053-VI-VC-CFG-00078    Disable the isolation.bios.bbs.disable feature.
NIST80053-VI-VC-CFG-00079    Disable the isolation.tools.getCreds.disable feature.
NIST80053-VI-VC-CFG-00080    Disable the isolation.tools.ghi.launchmenu.change feature.
NIST80053-VI-VC-CFG-00081    Disable the isolation.tools.memSchedFakeSampleStats.disable feature.
NIST80053-VI-VC-CFG-00082    Disable the isolation.tools.ghi.protocolhandler.info.disable feature.
NIST80053-VI-VC-CFG-00083    Disable the isolation.ghi.host.shellAction.disable feature.
NIST80053-VI-VC-CFG-00084    Disable the isolation.tools.dispTopoRequest.disable feature.
NIST80053-VI-VC-CFG-00085    Disable the isolation.tools.trashFolderState.disable feature.
NIST80053-VI-VC-CFG-00086    Disable the isolation.tools.ghi.trayicon.disable feature.
NIST80053-VI-VC-CFG-00087    Disable the isolation.tools.unity.disable feature.
NIST80053-VI-VC-CFG-00088    Configure the unexposed feature keyword isolation.tools.unityInterlockOperation.disable.
NIST80053-VI-VC-CFG-00089    Disable the isolation.tools.unity.push.update.disable feature.
NIST80053-VI-VC-CFG-00090    Disable the isolation.tools.unity.taskbar.disable feature.
NIST80053-VI-VC-CFG-00091    Disable the isolation.tools.unityActive.disable feature.
NIST80053-VI-VC-CFG-00092    Disable the isolation.tools.unity.windowContents.disable feature.
NIST80053-VI-VC-CFG-00093    Disable the isolation.tools.vmxDnDVersionGet.disable feature.
NIST80053-VI-VC-CFG-00094    Disable the isolation.tools.guestDnDVersionSet.disable feature.
NIST80053-VI-VC-CFG-00095    Disable VIX messages from the VM.
NIST80053-VI-VC-CFG-00096    Limit the sharing of console connections.
NIST80053-VI-VC-CFG-00097    Disable console access through the Virtual Network Computing protocol.
NIST80053-VI-VC-CFG-00098    Disable tools auto install.
NIST80053-VI-VC-CFG-00099    Limit informational messages from the VM to the VMX file.
NIST80053-VI-VC-CFG-00101    Prevent unauthorized removal, connection and modification of devices through the isolation.device.connectable.disable parameter.
NIST80053-VI-VC-CFG-00100    Prevent unauthorized removal, connection and modification of devices through the isolation.device.edit.disable parameter.
NIST80053-VI-VC-CFG-00102    Restrict sending host information to guests.
NIST80053-VI-VC-CFG-00555    Disable unused display features.
NIST80053-VI-VC-CFG-00561    Audit all uses of PCI or PCIe passthrough functionalities.

Procedure

  1. Log in to the Management vCenter Server by using a PowerCLI console.
     Setting      Value
     Command      Connect-VIServer -Server lax01m01vc01.lax01.rainpole.local -Protocol https
     User name    administrator@vsphere.local
     Password     vsphere_admin_password
  2. Run the script to configure advanced settings on all management virtual machines.
    # Advanced settings the procedure sets to true: unexposed guest features, drag and drop,
    # copy and paste, disk shrink/wipe, HGFS transfers, VIX messages, device edits, and VGA-only display.
    $AdvancedSettingsTrue = ("svga.vgaonly","isolation.bios.bbs.disable","isolation.device.connectable.disable","isolation.device.edit.disable","isolation.ghi.host.shellAction.disable","isolation.tools.autoInstall.disable","isolation.tools.diskShrink.disable","isolation.tools.diskWiper.disable","isolation.tools.dispTopoRequest.disable","isolation.tools.dnd.disable","isolation.tools.getCreds.disable","isolation.tools.ghi.autologon.disable","isolation.tools.ghi.launchmenu.change","isolation.tools.ghi.protocolhandler.info.disable","isolation.tools.ghi.trayicon.disable","isolation.tools.guestDnDVersionSet.disable","isolation.tools.hgfsServerSet.disable","isolation.tools.memSchedFakeSampleStats.disable","isolation.tools.paste.disable","isolation.tools.copy.disable","isolation.tools.trashFolderState.disable","isolation.tools.unity.disable","isolation.tools.unity.push.update.disable","isolation.tools.unity.taskbar.disable","isolation.tools.unity.windowContents.disable","isolation.tools.unityActive.disable","isolation.tools.unityInterlockOperation.disable","isolation.tools.vixMessage.disable","isolation.tools.vmxDnDVersionGet.disable")
    # Advanced settings the procedure sets to false: GUI copy/paste options, VNC console access,
    # host information sent to the guest, and PCI/PCIe passthrough devices.
    $AdvancedSettingsFalse = ("isolation.tools.setGUIOptions.enable","RemoteDisplay.vnc.enabled","tools.guestlib.enableHostInfo","pciPassthru*.present")
    # Management virtual machines in Region B. Add any management VM you deploy later to this list.
    $VMs = ("lax01m01vc01","lax01m01psc01","lax01w01vc01","lax01w01psc01","vrslcm01svr01a","vrops01svr01a","vrops01svr01b","vrops01svr01c","lax01vropsc01a","lax01vropsc01b","lax01vrli01a","lax01vrli01b","lax01vrli01c","lax01umds01","vra01svr01a","vra01svr01b","vra01svr01c","vra01iws01a","vra01iws01b","vra01ims01a","vra01ims01b","vra01dem01a","vra01dem01b","lax01ias01b","lax01ias01a","vrb01svr01","lax01vrbc01","lax01m01srm01","lax01m01vrms01")
    Foreach ($vm in $VMs) {
        # Get-AdvancedSetting returns nothing when the key is absent, so the Name check decides
        # between creating the setting (New-AdvancedSetting) and updating it (Set-AdvancedSetting).
        Foreach ($advancedSetting in $AdvancedSettingsTrue) {
            $setting = Get-VM $vm | Get-AdvancedSetting -Name $advancedSetting | Select-Object -Property Name, Value
            if (!$setting.Name) {
                Get-VM $vm | New-AdvancedSetting -Name $advancedSetting -Value true -Confirm:$false
            }
            else {
                Get-VM $vm | Get-AdvancedSetting -Name $advancedSetting | Set-AdvancedSetting -Value true -Confirm:$false
            }
        }
        Foreach ($advancedSetting in $AdvancedSettingsFalse) {
            $setting = Get-VM $vm | Get-AdvancedSetting -Name $advancedSetting | Select-Object -Property Name, Value
            if (!$setting.Name) {
                Get-VM $vm | New-AdvancedSetting -Name $advancedSetting -Value false -Confirm:$false
            }
            else {
                Get-VM $vm | Get-AdvancedSetting -Name $advancedSetting | Set-AdvancedSetting -Value false -Confirm:$false
            }
        }
        # Limit sharing of console connections to a single session.
        $advancedSetting = "RemoteDisplay.maxConnections"
        $setting = Get-VM $vm | Get-AdvancedSetting -Name $advancedSetting | Select-Object -Property Name, Value
        if (!$setting.Name) {
            Get-VM $vm | New-AdvancedSetting -Name $advancedSetting -Value 1 -Confirm:$false
        }
        else {
            Get-VM $vm | Get-AdvancedSetting -Name $advancedSetting | Set-AdvancedSetting -Value 1 -Confirm:$false
        }
        # Limit informational messages written by the guest to the VMX file to 1 MiB (1048576 bytes).
        $advancedSetting = "tools.setinfo.sizeLimit"
        $setting = Get-VM $vm | Get-AdvancedSetting -Name $advancedSetting | Select-Object -Property Name
        if (!$setting.Name) {
            Get-VM $vm | New-AdvancedSetting -Name $advancedSetting -Value 1048576 -Confirm:$false
        }
        else {
            Get-VM $vm | Get-AdvancedSetting -Name $advancedSetting | Set-AdvancedSetting -Value 1048576 -Confirm:$false
        }
    }
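The following Python script is an added offline check and is not part of the VMware procedure: it audits the text of a virtual machine's .vmx file against the values the PowerCLI script above applies (the true/false keys, the two numeric ceilings) and treats pciPassthru*.present as a pattern over pciPassthru<N>.present keys, reporting every passthrough device that is present for the audit item. It assumes the standard .vmx format of one key = "value" pair per line; the sample VMX content is constructed.

```python
import re
# Keys the procedure sets to TRUE (most live under isolation.tools.) and to FALSE.
ISOLATION_TOOLS = ("autoInstall", "diskShrink", "diskWiper", "dispTopoRequest", "dnd", "getCreds",
    "ghi.autologon", "ghi.protocolhandler.info", "ghi.trayicon", "guestDnDVersionSet", "hgfsServerSet",
    "memSchedFakeSampleStats", "paste", "copy", "trashFolderState", "unity", "unity.push.update",
    "unity.taskbar", "unity.windowContents", "unityActive", "unityInterlockOperation", "vixMessage",
    "vmxDnDVersionGet")
EXPECTED = {"isolation.tools.%s.disable" % k: "true" for k in ISOLATION_TOOLS}
EXPECTED.update({k: "true" for k in ("svga.vgaonly", "isolation.bios.bbs.disable",
    "isolation.device.connectable.disable", "isolation.device.edit.disable",
    "isolation.ghi.host.shellAction.disable", "isolation.tools.ghi.launchmenu.change")})
EXPECTED.update({k: "false" for k in ("isolation.tools.setGUIOptions.enable", "RemoteDisplay.vnc.enabled",
    "tools.guestlib.enableHostInfo")})
# Numeric ceilings: one shared console connection, 1 MiB of guest-written VMX info.
CEILINGS = {"RemoteDisplay.maxConnections": 1, "tools.setinfo.sizeLimit": 1048576}
VMX_LINE = re.compile(r'^\s*([\w.:]+)\s*=\s*"(.*)"\s*$')

def parse_vmx(text):
    """Parse 'key = "value"' lines into a dict; keys are lowered so lookups are case-insensitive."""
    cfg = {}
    for line in text.splitlines():
        m = VMX_LINE.match(line)
        if m:
            cfg[m.group(1).lower()] = m.group(2)
    return cfg

def audit_vmx(text):
    """Return sorted findings; an empty list means the file matches the procedure's settings."""
    cfg, findings = parse_vmx(text), []
    for key, want in EXPECTED.items():
        got = cfg.get(key.lower(), "<missing>")
        if got.lower() != want:
            findings.append("%s: expected %s, found %s" % (key, want.upper(), got))
    for key, ceiling in CEILINGS.items():
        got = cfg.get(key.lower(), "<missing>")
        if not got.isdigit() or int(got) > ceiling:
            findings.append("%s: expected at most %d, found %s" % (key, ceiling, got))
    # pciPassthru*.present is a pattern, not a literal key: flag every passthrough device that is present.
    for key, val in cfg.items():
        if re.fullmatch(r"pcipassthru\d+\.present", key) and val.lower() == "true":
            findings.append("%s: PCI/PCIe passthrough device configured, audit required" % key)
    return sorted(findings)

# Constructed sample: one key hardened, VNC left enabled, console limit set, one passthrough device.
SAMPLE_VMX = ('isolation.tools.copy.disable = "TRUE"\nRemoteDisplay.vnc.enabled = "TRUE"\n'
              'RemoteDisplay.maxConnections = "1"\npciPassthru0.present = "TRUE"\n')
if __name__ == "__main__":
    print("\n".join(audit_vmx(SAMPLE_VMX)))
```

Run it against a .vmx copied from the datastore to spot management VMs that the PowerCLI script has not yet reached, or where a setting has drifted since the last run.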