ESXi

  • 1.  Set advanced setting as default for new VMs?

    Posted Feb 03, 2023 10:49 PM

    We are going through and attempting to harden our environment as much as possible. As a result, we are wanting to enable many advanced settings that are best practice whether it's more secure or just not necessary for vSphere environments (isolation.tools.paste.disable, isolation.bios.bbs.disable, isolation.tools.unity.disable, etc).

    Is there a way to set it so any new VMs are set to automatically have these advanced settings set the way we want? Or do we just need to have a script perform the set for the VM as they are created?

    I've looked around and found plenty of scripts to set the advanced settings across the environment (Get-VM | New-AdvancedSetting...), but any new VMs still need to have the settings applied after being built.



  • 2.  RE: Set advanced setting as default for new VMs?
    Best Answer

    Broadcom Employee
    Posted Feb 03, 2023 11:09 PM

    VM Templates is ideally how you'd maintain the set of configurations to ensure they're deployed consistently, this does require process change to ensure your organization is following IT guidelines for workload deployment ... tools like Aria Automation can help further to provide governance in case users are allowed to use vCenter Server directly or provision through API

    You could also look at an Event Driven approach, where you trigger off of a VM creation/clone (which would catch both UI/API scenarios) and automatically harden based on a specific set of configurations. Alan Renouf and I demonstrated this almost a decade ago https://blogs.vmware.com/vsphere/2012/07/automatically-securing-virtual-machines-using-a-vcenter-alarm.html and today, you can leverage a modern solution like the VMware Event Broker Appliance (VEBA) https://vmweventbroker.io/ to easily subscribe to these events (rather than an Alarm) and then run any code you wish including PowerCLI

    If process and automation cannot be put in place (outside of manual intervention), a last resort which I don't typically recommend as it can easily be forgotten about and applies globally across ALL VMs on an ESXi host is to set the desired settings on the ESXi host under /etc/vmware/config which would apply those settings to all VMs. This isn't ideal for several reasons but the biggest one is the inflexibility as this applies to all VMs running on a given ESXi host and I would use this type of configuration sparingly as you can easily forget that these settings are applied as you don't see it from the VM view, it's only enforced by ESXi which makes it difficult to audit as you'll typically go to the VM to check for these settings but they're applied indirectly through this method


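The first two posts describe the same control from two angles: a one-off sweep (`Get-VM | New-AdvancedSetting ...`) and an event-driven re-apply on VM creation or clone. Both need the same idempotent "enforce this baseline on this VM" routine, so here is one as an added PowerCLI example. It is not code from the thread, from VMware or from VEBA; it assumes PowerCLI is installed and a `Connect-VIServer` session already exists, the setting values in `$Baseline` are assumptions (the thread names the keys but not the values, and `isolation.tools.copy.disable` is an additional real key not mentioned in the thread), and the function names `Set-VMHardeningBaseline` and `Get-VMHardeningDrift` are hypothetical.

```powershell
# Added example (not from the thread). Enforce a VM advanced-setting baseline with PowerCLI.
# Assumes: PowerCLI module loaded and Connect-VIServer already run.
# Values are assumptions; the thread names the keys but not the values you choose.
$Baseline = @{
    'isolation.tools.paste.disable' = 'TRUE'
    'isolation.tools.copy.disable'  = 'TRUE'   # real key, not named in the thread
    'isolation.bios.bbs.disable'    = 'TRUE'
    'isolation.tools.unity.disable' = 'TRUE'
}

# Hypothetical name. Creates missing settings, corrects wrong ones, leaves compliant ones alone.
# Supports -WhatIf so the same function doubles as a dry-run audit.
function Set-VMHardeningBaseline {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $VM,
        [hashtable] $Baseline = $script:Baseline
    )
    process {
        foreach ($name in $Baseline.Keys) {
            $want = $Baseline[$name]
            # Get-AdvancedSetting returns nothing when the key is absent on this VM.
            $existing = Get-AdvancedSetting -Entity $VM -Name $name -ErrorAction SilentlyContinue

            if (-not $existing) {
                $action = 'create'
                if ($PSCmdlet.ShouldProcess($VM.Name, "create $name = $want")) {
                    New-AdvancedSetting -Entity $VM -Name $name -Value $want -Confirm:$false | Out-Null
                }
            }
            elseif ("$($existing.Value)" -ne $want) {     # -ne on strings is case-insensitive
                $action = 'update'
                if ($PSCmdlet.ShouldProcess($VM.Name, "set $name from '$($existing.Value)' to $want")) {
                    Set-AdvancedSetting -AdvancedSetting $existing -Value $want -Confirm:$false | Out-Null
                }
            }
            else {
                $action = 'compliant'
            }

            # One row per VM/setting so the output can be logged or exported as evidence.
            [pscustomobject]@{
                VM       = $VM.Name
                Setting  = $name
                Current  = if ($existing) { $existing.Value } else { $null }
                Desired  = $want
                Action   = $action
            }
        }
    }
}

# Hypothetical name. Read-only drift report: only VMs that are missing or off-baseline.
function Get-VMHardeningDrift {
    param([hashtable] $Baseline = $script:Baseline)
    Get-VM | Set-VMHardeningBaseline -Baseline $Baseline -WhatIf:$true -WarningAction SilentlyContinue 3>$null |
        Where-Object { $_.Action -ne 'compliant' }
}

# Usage 1: scheduled sweep across the whole inventory (the "Get-VM | New-AdvancedSetting" approach).
#   Get-VM | Set-VMHardeningBaseline | Export-Csv .\vm-hardening-run.csv -NoTypeInformation
# Usage 2: audit only, no changes.
#   Get-VMHardeningDrift | Format-Table
# Usage 3 (assumption about the handler shape): inside a VEBA PowerShell function subscribed to
# VmCreatedEvent / VmClonedEvent, resolve the VM name from the event payload and call
#   Get-VM -Name $vmNameFromEvent | Set-VMHardeningBaseline
```

Two design points worth noting. The function compares the current value before writing, so repeated runs (or a noisy event source that fires twice for one clone) do not churn the VM's configuration or generate spurious reconfigure tasks in vCenter. And it emits a row per VM/setting rather than printing, which gives you the audit trail the third approach in post 2 (host-level `/etc/vmware/config`) cannot provide, since settings applied at the host level are invisible from the VM view.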


  • 3.  RE: Set advanced setting as default for new VMs?

    Posted Feb 04, 2023 05:09 AM

    Isn't it already easier for new virtual machines to benefit from Skyline recommendations? They are based on VMware's ever-growing library of knowledge that includes Knowledge Base articles, Best Practices and Security/Hardening Guidance. Reflecting the sweet spot of achievements during a decade, the health diagnostic finding platform empowers support engineers to cope with this multi-year wave of onboardings and IT security.




  • 4.  RE: Set advanced setting as default for new VMs?

    Broadcom Employee
    Posted Feb 04, 2023 02:16 PM

    This does not actually help with what is being asked



  • 5.  RE: Set advanced setting as default for new VMs?

    Posted Feb 04, 2023 02:45 PM

    Of course, "Set advanced setting as default for new VMs" can be a technical goal only.
    It was yet another perspective on "we are wanting to enable many advanced settings that are best practice whether it's more secure or just not necessary for vSphere environments". Fighting against skills shortage, Skyline is a good jumpstart, facing all the paperwork https://core.vmware.com/security-configuration-guide , kb57122 ++ .