From 2d1feaf7228296f9e43dd16c74e0678d9e75a1a8 Mon Sep 17 00:00:00 2001
From: Zack Meier
Date: Tue, 12 May 2026 10:37:31 -0500
Subject: [PATCH] update
---
 .../VMHost-InitialHostConfiguration.ps1 | 8 +-
 .../Scripts/VMware-VMHardening-Pub1075.ps1 | 95 +++++++++++++++++++
 2 files changed, 100 insertions(+), 3 deletions(-)
 create mode 100644 _NDGOV_WindowsTeam/ITD.Infra-VMware.Administration/Scripts/VMware-VMHardening-Pub1075.ps1
diff --git a/_NDGOV_WindowsTeam/ITD.Infra-VMware.Administration/Scripts/VMHost-InitialHostConfiguration.ps1 b/_NDGOV_WindowsTeam/ITD.Infra-VMware.Administration/Scripts/VMHost-InitialHostConfiguration.ps1
index b672b98..83ff050 100644
--- a/_NDGOV_WindowsTeam/ITD.Infra-VMware.Administration/Scripts/VMHost-InitialHostConfiguration.ps1
+++ b/_NDGOV_WindowsTeam/ITD.Infra-VMware.Administration/Scripts/VMHost-InitialHostConfiguration.ps1
@@ -139,8 +139,10 @@ $ParamsToAdd = @{
 switch ($VMHostDatacenter.Name) {
 'Primary Datacenter' { $ParamsToAdd.gateway = '10.2.170.1' }
 'Secondary Datacenter' { $ParamsToAdd.gateway = '10.2.170.1' }
- 'DCN Datacenter' { $CoreDumpArgs.serveripv4 = '10.2.118.241' }
- 'Grand Forks Vantis' { $CoreDumpArgs.serveripv4 = '' }
+ 'DCN Datacenter' { $ParamsToAdd.gateway = '10.2.118.241' }
+ 'Grand Forks Vantis' { $ParamsToAdd.gateway = '' }
+ 'Test Primary Datacenter' { $ParamsToAdd.gateway = '10.2.168.241'}
+ 'Test Secondary Datacenter' { $ParamsToAdd.gateway = '10.2.168.241'}
 }
 $EsxCli.network.ip.route.ipv4.add.Invoke($ParamsToAdd)
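Review bot: The new `'Grand Forks Vantis' { $ParamsToAdd.gateway = '' }` case leaves an empty gateway in the hashtable and the `$EsxCli.network.ip.route.ipv4.add.Invoke($ParamsToAdd)` call right after the switch still runs unconditionally, so every host in that datacenter attempts a route-add with no next hop; a datacenter name matching no case is treated the same way and silently keeps whatever gateway the `$ParamsToAdd = @{` block initialised before this hunk. Guard the call so a missing gateway fails visibly rather than being pushed to the host: `if ([string]::IsNullOrEmpty($ParamsToAdd.gateway)) { Write-Warning "No vmk route gateway defined for datacenter '$($VMHostDatacenter.Name)' on $($VMHost.Name)" } else { $EsxCli.network.ip.route.ipv4.add.Invoke($ParamsToAdd) }`, and add a `default { throw "Unknown datacenter '$($VMHostDatacenter.Name)'" }` case so a newly added datacenter cannot inherit another site's gateway unnoticed. The `$ParamsToAdd` hashtable and the surrounding host-configuration logic begin outside this hunk, so the exact default is inferred, not visible.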
@@ -148,7 +150,7 @@ $EsxCli.network.ip.route.ipv4.add.Invoke($ParamsToAdd)
 network = '10.2.169.0/24' ## check subnet mask, should be /24 after collapsing the Cohesity subnets
 gateway = '10.2.170.1' ## General 10.2.170.1, VDI 10.2.15.1, TEST 10.2.168.241 # DCN 10.2.118.241
 }
 #>
-#$x = $esxcli.network.ip.route.ipv4.list.Invoke() | Where-Object {$_.Interface -eq 'vmk2' -and $_.Network -eq '10.2.169.128'}
+#$x = $esxcli.network.ip.route.ipv4.list.Invoke() | Where-Object {$_.Interface -eq 'vmk2' -and $_.Network -eq '10.2.169.0'}
 #$x | Add-Member -Name "Name" -MemberType NoteProperty -Value $VMHost.Name
 #$null = $result.Add($x)
diff --git a/_NDGOV_WindowsTeam/ITD.Infra-VMware.Administration/Scripts/VMware-VMHardening-Pub1075.ps1 b/_NDGOV_WindowsTeam/ITD.Infra-VMware.Administration/Scripts/VMware-VMHardening-Pub1075.ps1
new file mode 100644
index 0000000..dd46399
--- /dev/null
+++ b/_NDGOV_WindowsTeam/ITD.Infra-VMware.Administration/Scripts/VMware-VMHardening-Pub1075.ps1
@@ -0,0 +1,95 @@
+$VMs = Get-VM | Where-Object { $_.ExtensionData.Summary.Config.ManagedBy.Type -ne "placeholderVm" }
+
+$SettingName = @(
+ "tools.setInfo.sizeLimit",
+ "isolation.device.edit.disable",
+ "isolation.device.connectable.disable",
+ "isolation.tools.copy.disable",
+ "isolation.tools.dnd.disable",
+ "isolation.tools.setGUIOptions.enable",
+ "RemoteDisplay.vnc.enabled",
+ "isolation.tools.paste.disable",
+ "isolation.tools.diskShrink.disable",
+ "isolation.tools.diskWiper.disable",
+ "log.keepOld",
+ "log.rotateSize"
+)
+
+$Result = [System.Collections.ArrayList]@()
+ForEach ($VM in $VMs) {
+ $GetAdvSetting = Get-AdvancedSetting -Entity $VM -Name $SettingName | select Entity, Name, Value
+ $obj = [PSCustomObject]@{
+ 'Entity' = $VM.Name
+ "tools.setInfo.sizeLimit" = ($GetAdvSetting | Where-Object Name -EQ 'tools.setInfo.sizeLimit').Value
+ "isolation.device.edit.disable" = ($GetAdvSetting | Where-Object Name -EQ 'isolation.device.edit.disable').Value
+ "isolation.device.connectable.disable" = ($GetAdvSetting | Where-Object Name -EQ 'isolation.device.connectable.disable').Value
+ "isolation.tools.copy.disable" = ($GetAdvSetting | Where-Object Name -EQ 'isolation.tools.copy.disable').Value
+ "isolation.tools.dnd.disable" = ($GetAdvSetting | Where-Object Name -EQ 'isolation.tools.dnd.disable').Value
+ "isolation.tools.setGUIOptions.enable" = ($GetAdvSetting | Where-Object Name -EQ 'isolation.tools.setGUIOptions.enable').Value
+ "RemoteDisplay.vnc.enabled" = ($GetAdvSetting | Where-Object Name -EQ 'RemoteDisplay.vnc.enabled').Value
+ "isolation.tools.paste.disable" = ($GetAdvSetting | Where-Object Name -EQ 'isolation.tools.paste.disable').Value
+ "isolation.tools.diskShrink.disable" = ($GetAdvSetting | Where-Object Name -EQ 'isolation.tools.diskShrink.disable').Value
+ "isolation.tools.diskWiper.disable" = ($GetAdvSetting | Where-Object Name -EQ 'isolation.tools.diskWiper.disable').Value
+ "log.keepOld" = ($GetAdvSetting | Where-Object Name -EQ 'log.keepOld').Value
+ "log.rotateSize" = ($GetAdvSetting | Where-Object Name -EQ 'log.rotateSize').Value
+ }
+ $Result.Add($obj)
+}
+
+$Result
+
+
+<# Blank Loop
+ForEach-Object( ($Result | Where-Object { $_.Entity -notlike "vCLS*" -and $_.'' -ne "VALUE" }).Entity ) {
+ New-AdvancedSetting -Entity $VM -Name '' -Value TRUE -Confirm:$false -Force:$true
+}
+#>
+
+# remediate VMs
+ForEach ($VM in ($Result | Where-Object { $_.Entity -notlike "vCLS*" -and $_.'tools.setInfo.sizeLimit' -ne 1048576 }).Entity ) {
+ New-AdvancedSetting -Entity $VM -Name 'tools.setInfo.sizeLimit' -Value '1048576' -Confirm:$false -Force:$true
+}
+
+ForEach ($VM in ($Result | Where-Object { $_.Entity -notlike "vCLS*" -and $_.'isolation.device.edit.disable' -ne "TRUE" }).Entity ) {
+ New-AdvancedSetting -Entity $VM -Name 'isolation.device.edit.disable' -Value 'TRUE' -Confirm:$false -Force:$true
+}
+
+ForEach ($VM in ($Result | Where-Object { $_.Entity -notlike "vCLS*" -and $_.'isolation.device.connectable.disable' -ne "TRUE" }).Entity ) {
+ New-AdvancedSetting -Entity $VM -Name 'isolation.device.connectable.disable' -Value TRUE -Confirm:$false -Force:$true
+}
+
+ForEach ($VM in ($Result | Where-Object { $_.Entity -notlike "vCLS*" -and $_.'isolation.tools.copy.disable' -ne "TRUE" }).Entity ) {
+ New-AdvancedSetting -Entity $VM -Name 'isolation.tools.copy.disable' -Value 'TRUE' -Confirm:$false -Force:$true
+}
+
+ForEach ($VM in ($Result | Where-Object { $_.Entity -notlike "vCLS*" -and $_.'isolation.tools.dnd.disable' -ne "TRUE" }).Entity ) {
+ New-AdvancedSetting -Entity $VM -Name 'isolation.tools.dnd.disable' -Value 'TRUE' -Confirm:$false -Force:$true
+}
+
+ForEach ($VM in ($Result | Where-Object { $_.Entity -notlike "vCLS*" -and $_.'isolation.tools.setGUIOptions.enable' -ne "FALSE" }).Entity ) {
+ New-AdvancedSetting -Entity $VM -Name 'isolation.tools.setGUIOptions.enable' -Value 'FALSE' -Confirm:$false -Force:$true
+}
+
+ForEach ($VM in ($Result | Where-Object { $_.Entity -notlike "vCLS*" -and $_.'RemoteDisplay.vnc.enabled' -ne "FALSE" }).Entity ) {
+ New-AdvancedSetting -Entity $VM -Name 'RemoteDisplay.vnc.enabled' -Value 'FALSE' -Confirm:$false -Force:$true
+}
+
+ForEach ($VM in ($Result | Where-Object { $_.Entity -notlike "vCLS*" -and $_.'isolation.tools.paste.disable' -ne "TRUE" }).Entity ) {
+ New-AdvancedSetting -Entity $VM -Name 'isolation.tools.paste.disable' -Value 'TRUE' -Confirm:$false -Force:$true
+}
+
+ForEach ($VM in ($Result | Where-Object { $_.Entity -notlike "vCLS*" -and $_.'isolation.tools.diskShrink.disable' -ne "TRUE" }).Entity ) {
+ New-AdvancedSetting -Entity $VM -Name 'isolation.tools.diskShrink.disable' -Value 'TRUE' -Confirm:$false -Force:$true
+}
+
+ForEach ($VM in ($Result | Where-Object { $_.Entity -notlike "vCLS*" -and $_.'isolation.tools.diskWiper.disable' -ne "TRUE" }).Entity ) {
+ New-AdvancedSetting -Entity $VM -Name 'isolation.tools.diskWiper.disable' -Value 'TRUE' -Confirm:$false -Force:$true
+}
+
+ForEach ($VM in ($Result | Where-Object { $_.Entity -notlike "vCLS*" -and $_.'log.keepOld' -ne "10" }).Entity ) {
+ New-AdvancedSetting -Entity $VM -Name 'log.keepOld' -Value '10' -Confirm:$false -Force:$true
+}
+
+ForEach ($VM in ($Result | Where-Object { $_.Entity -notlike "vCLS*" -and $_.'log.rotateSize' -ne "1024000" }).Entity ) {
+ New-AdvancedSetting -Entity $VM -Name 'log.rotateSize' -Value '1024000' -Confirm:$false -Force:$true
+}
\ No newline at end of file
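Review bot: `$Result.Add($obj)` in the collection loop is not assigned away, so the index that ArrayList.Add returns (0, 1, 2, …) is written to the output stream ahead of the `$Result` compliance report; the sibling script in this same patch already uses the `$null = $result.Add($x)` form, so this should read `$null = $Result.Add($obj)`. The twelve remediation loops then bind `$VM` to `.Entity`, which the collection loop stored as `$VM.Name` (a string) rather than the VM object, so each `New-AdvancedSetting -Entity $VM` depends on name resolution and would presumably be ambiguous if two inventory VMs share a name — keeping the VM object in the row, or iterating `$VMs` and looking up its row, avoids that. Those loops also state every expected value twice (once in the `-ne` test, once in `-Value`), with `isolation.device.connectable.disable` passing a bare `TRUE` while every other loop quotes it and `tools.setInfo.sizeLimit` testing against the integer `1048576` but writing the string `'1048576'`; a single baseline table iterated once keeps each value in one place, and a comment-based help header naming the Pub 1075 baseline these values implement would tell the next maintainer why the numbers are what they are.
```powershell
# … unchanged: $VMs / $SettingName / collection loop / $Result report …

# Expected values per VM advanced setting; keys match the report columns built above.
$Baseline = [ordered]@{
    'tools.setInfo.sizeLimit'              = '1048576'
    'isolation.device.edit.disable'        = 'TRUE'
    'isolation.device.connectable.disable' = 'TRUE'
    'isolation.tools.copy.disable'         = 'TRUE'
    'isolation.tools.dnd.disable'          = 'TRUE'
    'isolation.tools.setGUIOptions.enable' = 'FALSE'
    'RemoteDisplay.vnc.enabled'            = 'FALSE'
    'isolation.tools.paste.disable'        = 'TRUE'
    'isolation.tools.diskShrink.disable'   = 'TRUE'
    'isolation.tools.diskWiper.disable'    = 'TRUE'
    'log.keepOld'                          = '10'
    'log.rotateSize'                       = '1024000'
}

# remediate VMs: one pass per setting, vCLS system VMs excluded as before
foreach ($Name in $Baseline.Keys) {
    $Expected = $Baseline[$Name]
    $NonCompliant = $Result | Where-Object { $_.Entity -notlike 'vCLS*' -and $_.$Name -ne $Expected }
    foreach ($Row in $NonCompliant) {
        New-AdvancedSetting -Entity $Row.Entity -Name $Name -Value $Expected -Confirm:$false -Force:$true
    }
}
```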