VMware

Three Simple Things to Make VMware ESXi More Secure

Learn how to enhance the security of VMware ESXi with simple PowerCLI scripts and keep your environment and virtual machines protected.
Brandon LeeMarch 18, 2024Last Updated: March 18, 2024
4 minutes read
Vmware three tips
Vmware three tips

If you are like me in production and home lab environments, I am always looking for low-hanging fruit to make things better, faster, more efficient, and more secure. There are three things that you can do in VMware ESXi to make your environment more secure. Let’s dive into what those are and how you can easily implement these using a PowerCLI script run from a scheduled task or even a CI/CD pipeline.

Table of contents

1. Keep VMware tools updated

Keeping VMware tools updated is extremely important from the standpoint of keeping the environment secure and your guest virtual machines performing as expected. VMware Tools is the special package you install in your guest operating system to allow ESXi to interact with the guest OS’es easily and effectively. It provides special functionality and allows for the extraction of information from the guest OS and presentation to ESXi or vCenter Server.

Vmware tools upgrade available
Vmware tools upgrade available

Backup solutions can also use the special hooks with VMware tools for backups. Automation solutions can use VMware tools for automation as well. With PowerCLI, we can easily run a script to iterate through VMs and update VMware tools.

# Upgrade VMware Tools on all VMs
Get-VM -location "Your VM folder" | Where-Object { $_.ExtensionData.Guest.ToolsVersionStatus -eq 'guestToolsNeedUpgrade' -and $_.PowerState -eq "PoweredOn" } | ForEach-Object {
    Update-Tools -VM $_ -NoReboot
}

You can use the -location directive to point at a specific folder in inventory, or you can take this out to target everything. As you can see with the Update-Tools directive, you can pass in the -NoReboot parameter to keep it from rebooting the VM.

2. Set NTP servers and time configuration for VMware ESXi hosts

The next setting is NTP configuration for your VMware ESXi servers. Why is time configuration important for security? The following are just a few examples of why NTP configuration is important:

Ntp time configuration
Ntp time configuration
  • Logs – Having accurate time is important since it will allow logs to be written with accurate timestamps to correlate events in the right way and sequence
  • Authentication – Many authentication protocols rely on accurate time, including Kerberos. Large skews in time can cause authentication failures and might be exploited by an attacker to take advantage of the time skew and extend malicious authentication tokens.
  • Certificate validity – SSL/TLS certificates will have issues if accurate time settings are not applied correctly. I have seen instances where due to large time skew, ESXi hosts can’t be added to vCenter Server or other issues related to the time, causing SSL certs to be invalid, incorrect, or broken.

Let’s see how you can configure NTP on all VMware ESXi hosts in inventory using PowerCLI:

# Configure NTP settings and ensure the NTP service is started and set to start with the host
Get-VMHost | ForEach-Object {
    Add-VMHostNtpServer -VMHost $_ -NtpServer "us.pool.ntp.org" -Confirm:$false
    Get-VMHostService -VMHost $_ | Where-Object {$_.key -eq "ntpd"} | Set-VMHostService -Policy "on" -Confirm:$false
    Get-VMHostService -VMHost $_ | Where-Object {$_.key -eq "ntpd"} | Start-VMHostService -Confirm:$false
}

3. Disable SSH

How many environments have you see with dozens of ESXi servers with SSH enabled? Scary right? SSH is fine to enable temporarily if you need it for a specific reason or for troubleshooting. However, do not leave SSH enabled on production ESXi hosts.

One of the problems I see with SSH enabled on ESXi servers is the intention is always to disable it, but this can be forgotten and usually is, especially if there are many hosts in the environment.

It is great to have some type of remediation process or task that automatically looks at your hosts and stops the SSH service if it is started.

Ssh service enabled in vmware esxi
Ssh service enabled in vmware esxi

With PowerCLI, you can do this with the following script:

# Disable SSH service on all ESXi hosts
Get-VMHost | ForEach-Object {
    Get-VMHostService -VMHost $_ | Where-Object {$_.key -eq "TSM-SSH"} | Set-VMHostService -Policy "off" -Confirm:$false
    Get-VMHostService -VMHost $_ | Where-Object {$_.key -eq "TSM-SSH"} | Stop-VMHostService -Confirm:$false
}

Putting the scripts together

You can easily put the parts of the script all together and have them run in a single script as a task or CI/CD pipeline.

In the top of the script below, I am setting variables in the script that are getting pulled from the Gitlab variables in the CI/CD pipeline variables configuration.

$vsphereuser = $env:VSPHEREUSER
$vspherepassword = $env:VSPHEREPASSWORD
$vcenterserver = $env:VCENTERSERVER

##Setting CEIP options
Set-PowerCliConfiguration -InvalidCertificateAction Ignore -ParticipateInCeip $false -Confirm:$false

##Connect to vCenter
connect-viserver $vcenterserver -user $vsphereuser -password $vspherepassword

# Upgrade VMware Tools on all VMs
Get-VM -location "Blog Testing" | Where-Object { $_.ExtensionData.Guest.ToolsVersionStatus -eq 'guestToolsNeedUpgrade' -and $_.PowerState -eq "PoweredOn" } | ForEach-Object {
    Update-Tools -VM $_ -NoReboot
}

# Configure NTP settings and ensure the NTP service is started and set to start with the host
Get-VMHost | ForEach-Object {
    Add-VMHostNtpServer -VMHost $_ -NtpServer "us.pool.ntp.org" -Confirm:$false
    Get-VMHostService -VMHost $_ | Where-Object {$_.key -eq "ntpd"} | Set-VMHostService -Policy "on" -Confirm:$false
    Get-VMHostService -VMHost $_ | Where-Object {$_.key -eq "ntpd"} | Start-VMHostService -Confirm:$false
}

# Disable SSH service on all ESXi hosts
Get-VMHost | ForEach-Object {
    Get-VMHostService -VMHost $_ | Where-Object {$_.key -eq "TSM-SSH"} | Set-VMHostService -Policy "off" -Confirm:$false
    Get-VMHostService -VMHost $_ | Where-Object {$_.key -eq "TSM-SSH"} | Stop-VMHostService -Confirm:$false
}

# Disconnect from vCenter
Disconnect-VIServer -Server $vcenterserver -Confirm:$false

Are these the only things to worry about or possibly remediate? No, but these are easy things you can do to keep your environment configured with best practices and make sure that VMware tools are updated, NTP configured, and SSH is stopped.

Brandon LeeMarch 18, 2024Last Updated: March 18, 2024
4 minutes read

Subscribe to VirtualizationHowto via Email ๐Ÿ””

Enter your email address to subscribe to this blog and receive notifications of new posts by email.



Photo of Brandon Lee

Brandon Lee

Brandon Lee is the Senior Writer, Engineer and owner at Virtualizationhowto.com, and a 7-time VMware vExpert, with over two decades of experience in Information Technology. Having worked for numerous Fortune 500 companies as well as in various industries, He has extensive experience in various IT segments and is a strong advocate for open source technologies. Brandon holds many industry certifications, loves the outdoors and spending time with family. Also, he goes through the effort of testing and troubleshooting issues, so you don't have to.

Related Articles

vmupload01

Four ways to upload files to VMware vSphere datastore

March 20, 2017
w16pv01

Windows Server 2016 Install VMware Paravirtual SCSI controller

January 25, 2017
Manually-Patch-VMware-vCenter-Server-VCSA-with-ISO

Manually Patch VMware vCenter Server VCSA with ISO

July 9, 2019
esxi65lun02

VMware ESXi 6.5 Can’t Add Existing iSCSI LUN

December 14, 2016

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

© Copyright 2024, All Rights Reserved  | VirtualizationHowto.com