Post date: Mar 30, 2015 2:29:57 PM
When working with DoD STIGs, the following script can be run to apply the VM STIG settings to all VMs in a datacenter. Some STIG items cannot be satisfied without a reboot of the VM, such as the removal of floppy drives; those reboot-required items are not covered by this script. Updated for the latest STIG release.
#####################################################################
# Set-VMstig.ps1
#
# This will configure VM properties per ESXi5 VM STIG - 7DEC2015
#
# This does not include required device removal, or the requirements for environments with vShield and/or VMsafe in production. This script also assumes VM log file rotation is not degrading system performance and that the VM requires logging to be enabled for troubleshooting.
#
# USE EXAMPLE:
# .\Set-VMstig.ps1 NameOfVM
# .\Set-VMstig.ps1 *
#
# The VMname parameter is mandatory. To configure every VM in the connected vCenter, pass the wildcard "*" as the name (second example above).
#
# NOTE: This STIG should also be applied to all templates. To do so, convert each existing template to a VM, apply the STIG, then convert it back. Applying the STIG only after a VM has been created from a template is not sufficient to comply with the STIG.
#
# v1.2 JAN 2014
# Author: Kris
#####################################################################
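[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # VM name(s) to configure. PowerCLI wildcards are honoured, so "*" selects
    # every VM in the connected vCenter. ValueFromRemainingArguments lets
    # ".\Set-VMstig.ps1 vm1 vm2" configure both VMs instead of silently
    # dropping everything after the first positional argument.
    [parameter(Mandatory = $true, Position = 0, ValueFromRemainingArguments = $true)]
    [string[]]$VMname
)

# Advanced (.vmx) settings required by the ESXi5 VM STIG, in STIG order.
# Each comment gives the Vuln ID and rule; the table maps the .vmx key to the
# required value. Values are kept as strings because ExtraConfig stores every
# OptionValue as text. Keep this table in sync with the STIG release named in
# the file header.
$stigSettings = [ordered]@{
    # ESXi5-VM-000002 - ESXi5-201
    "isolation.tools.autoInstall.disable"               = "true"
    # ESXi5-VM-000003 - ESXi5-202
    "isolation.tools.copy.disable"                      = "true"
    # ESXi5-VM-000004 - ESXi5-203
    "isolation.tools.dnd.disable"                       = "true"
    # ESXi5-VM-000005 - ESXi5-204
    "isolation.tools.setGUIOptions.enable"              = "false"
    # ESXi5-VM-000006 - ESXi5-205
    "isolation.tools.paste.disable"                     = "true"
    # ESXi5-VM-000007 - ESXi5-206
    "isolation.tools.diskShrink.disable"                = "true"
    # ESXi5-VM-000008 - ESXi5-207
    "isolation.tools.diskWiper.disable"                 = "true"
    # ESXi5-VM-000009 - ESXi5-208
    "isolation.tools.hgfsServerSet.disable"             = "true"
    # ESXi5-VM-000011 - ESXi5-210
    "vmci0.unrestricted"                                = "false"
    # ESXi5-VM-000013 - ESXi5-212
    "isolation.monitor.control.disable"                 = "true"
    # ESXi5-VM-000014 - ESXi5-213
    "isolation.tools.ghi.autologon.disable"             = "true"
    # ESXi5-VM-000015 - ESXi5-214
    "isolation.bios.bbs.disable"                        = "true"
    # ESXi5-VM-000016 - ESXi5-215
    "isolation.tools.getCreds.disable"                  = "true"
    # ESXi5-VM-000017 - ESXi5-216
    "isolation.tools.ghi.launchmenu.change"             = "true"
    # ESXi5-VM-000018 - ESXi5-217
    "isolation.tools.memSchedFakeSampleStats.disable"   = "true"
    # ESXi5-VM-000019 - ESXi5-218
    "isolation.tools.ghi.protocolhandler.info.disable"  = "true"
    # ESXi5-VM-000020 - ESXi5-219
    "isolation.ghi.host.shellAction.disable"            = "true"
    # ESXi5-VM-000021 - ESXi5-220
    "isolation.tools.dispTopoRequest.disable"           = "true"
    # ESXi5-VM-000022 - ESXi5-221
    "isolation.tools.trashFolderState.disable"          = "true"
    # ESXi5-VM-000023 - ESXi5-222
    "isolation.tools.ghi.trayicon.disable"              = "true"
    # ESXi5-VM-000024 - ESXi5-223
    "isolation.tools.unity.disable"                     = "true"
    # ESXi5-VM-000025 - ESXi5-224
    "isolation.tools.unityInterlockOperation.disable"   = "true"
    # ESXi5-VM-000026 - ESXi5-225
    "isolation.tools.unity.push.update.disable"         = "true"
    # ESXi5-VM-000027 - ESXi5-226
    "isolation.tools.unity.taskbar.disable"             = "true"
    # ESXi5-VM-000028 - ESXi5-227
    "isolation.tools.unityActive.disable"               = "true"
    # ESXi5-VM-000029 - ESXi5-228
    "isolation.tools.unity.windowContents.disable"      = "true"
    # ESXi5-VM-000030 - ESXi5-229
    "isolation.tools.vmxDnDVersionGet.disable"          = "true"
    # ESXi5-VM-000031 - ESXi5-230
    "isolation.tools.guestDnDVersionSet.disable"        = "true"
    # ESXi5-VM-000033 - ESXi5-232
    "isolation.tools.vixMessage.disable"                = "true"
    # ESXi5-VM-000039 - ESXi5-238
    "RemoteDisplay.maxConnections"                      = "1"
    # ESXi5-VM-000041 - ESXi5-240
    "log.keepOld"                                       = "10"
    # ESXi5-VM-000042 - ESXi5-241
    "log.rotateSize"                                    = "100000"
    # ESXi5-VM-000043 - ESXi5-242
    "tools.setinfo.sizeLimit"                           = "1048576"
    # ESXi5-VM-000045 - ESXi5-244
    "isolation.device.connectable.disable"              = "true"
    # ESXi5-VM-000046 - ESXi5-245
    "isolation.device.edit.disable"                     = "true"
    # ESXi5-VM-000047 - ESXi5-246
    "tools.guestlib.enableHostInfo"                     = "false"
}

# Resolve the target VMs first so a typo in the name is reported before any
# reconfiguration happens. Get-VM does not return templates; see the header
# note about converting templates before applying the STIG.
$VMs = Get-VM $VMname
if (-not $VMs) {
    Write-Warning "No VMs matched '$($VMname -join ', ')'; nothing to do."
    return
}

# One spec is built once and reused for every VM. ReconfigVM merges the
# ExtraConfig keys into the VM's existing .vmx, so advanced settings not
# listed above are left untouched. No ToolsConfigInfo is attached: every
# STIG item handled here is a plain .vmx key.
$spec = New-Object VMware.Vim.VirtualMachineConfigSpec
foreach ($setting in $stigSettings.GetEnumerator()) {
    $option = New-Object VMware.Vim.OptionValue
    $option.Key = $setting.Key
    $option.Value = $setting.Value
    $spec.ExtraConfig += $option
}

foreach ($VM in $VMs) {
    # -WhatIf / -Confirm support: show which VMs would be touched without
    # changing them.
    if (-not $PSCmdlet.ShouldProcess($VM.Name, "Apply ESXi5 VM STIG advanced settings")) {
        continue
    }

    try {
        $VM.ExtensionData.ReconfigVM($spec)
    }
    catch {
        # Report and move on so one failing VM (locked, insufficient
        # privilege, vCenter error) does not abort the rest of the run.
        Write-Error "Failed to reconfigure '$($VM.Name)': $_"
        continue
    }

    # Verify rather than trust: read the .vmx settings back from vCenter and
    # warn about any key that did not land with the required value. A STIG
    # check compares the stored value, so a silent partial apply would show
    # up as a finding later.
    $VM.ExtensionData.UpdateViewData("Config.ExtraConfig")
    $stored = @{}
    foreach ($ov in $VM.ExtensionData.Config.ExtraConfig) {
        $stored[$ov.Key] = [string]$ov.Value
    }
    foreach ($setting in $stigSettings.GetEnumerator()) {
        if ($stored[$setting.Key] -ne $setting.Value) {
            Write-Warning "$($VM.Name): '$($setting.Key)' is '$($stored[$setting.Key])', expected '$($setting.Value)'"
        }
    }

    # NOTE(review): advanced .vmx settings are generally read when the VM is
    # powered on, so a running VM may not enforce the new values until its
    # next power cycle -- confirm against the STIG check text for your
    # ESXi build before reporting compliance.
    if ($VM.PowerState -eq "PoweredOn") {
        Write-Verbose "$($VM.Name) is powered on; settings were written to the .vmx but may only take effect after a power cycle."
    }
}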