
PowerShell Script to Apply DISA STIG to a VMware Virtual Machine

Most organizations have security compliance requirements for their servers, and my past organization was no different: we had to meet the Security Technical Implementation Guide (STIG) standards published by the Defense Information Systems Agency (DISA). DISA maintains hundreds of configuration guides for operating systems and applications, and they are a great starting point if you are new to the security compliance side of IT operations. DISA also provides a Java-based viewer for reading each requirement and checking it off as you verify it. Updates to the STIGs are usually published quarterly.

Important Note: Take care when using these guides. I have seen, and experienced, "blind acceptance" of a configuration guide brick a system. Read through each requirement and its recommended setting, then implement according to your organization's security and compliance policy.

Since my HomeLab is principally a VMware environment, I figured I would share a PowerShell script I put together that applies the current DISA STIG configuration settings to a VMware virtual machine. As of today, the current STIG is Version 2, Release 1, published 22 Jan 2021. The script uses the VMware PowerCLI module and must be run from a machine that can reach vCenter. It is not a dry run: it rewrites advanced settings on the VM, disconnects any CD/DVD media and removes USB passthrough devices, so review the VM and the list of settings in the script before pointing it at a machine. Your feedback is welcome and encouraged.

<# 
 # VMware VM STIG Lockdown Script
 # 
 # Applies the DISA STIG setting values to a Virtual Machine hosted in a vCenter instance.
 #
 # Requires the VMware PowerCLI modules to be installed:
 #
 #   Install-Module -Name VMware.PowerCLI -AllowClobber
 #>
# Script Variables
# Set to $true only for VMs that genuinely need 3D graphics; the two graphics
# settings at the end of the script are skipped for those VMs.
$3DEnabled = $false

# Get connection details. Get-Credential works in both Windows PowerShell 5.1 and
# PowerShell 7 (Read-Host -MaskInput needs 7.1+), and the credential object is
# passed straight to Connect-VIServer so the password never sits in a plain-text
# variable. Read-Host appends ": " itself, so the prompts carry no trailing colon.
$VIServer = Read-Host -Prompt "Enter vCenter Server Name"
$VMName   = Read-Host -Prompt "Enter Virtual Machine Name"
$VICred   = Get-Credential -Message "vCenter credentials for $VIServer"

# Connect to the vCenter
Connect-VIServer -Server $VIServer -Credential $VICred -ErrorAction Stop | Out-Null

# Resolve the VM once and refuse to continue on a missing or ambiguous name, so the
# settings below are never applied to more than one machine by accident.
$VM = Get-VM -Name $VMName -ErrorAction Stop
if (@($VM).Count -ne 1) {
    Disconnect-VIServer -Server $VIServer -Confirm:$false
    throw "Expected exactly one VM named '$VMName', found $(@($VM).Count)."
}

# Execute Lockdown Commands
# New-AdvancedSetting -Force overwrites an existing key and creates a missing one,
# so every setting ends up at the STIG value regardless of the VM's starting state.
# (A Get-AdvancedSetting | Set-AdvancedSetting pipeline silently does nothing when
# the key is absent, which is why it is not used here.)
$StigSettings = [ordered]@{
    'isolation.tools.copy.disable'                     = 'true'
    'isolation.tools.dnd.disable'                      = 'true'
    'isolation.tools.setGUIOptions.enable'             = 'false'
    'isolation.tools.paste.disable'                    = 'true'
    'isolation.tools.diskShrink.disable'               = 'true'
    'isolation.tools.diskWiper.disable'                = 'true'
    'isolation.tools.hgfsServerSet.disable'            = 'true'
    'isolation.tools.ghi.autologon.disable'            = 'true'
    'isolation.tools.ghi.launchmenu.change'            = 'true'
    'isolation.tools.memSchedFakeSampleStats.disable'  = 'true'
    'isolation.tools.ghi.protocolhandler.info.disable' = 'true'
    'isolation.ghi.host.shellAction.disable'           = 'true'
    'isolation.tools.ghi.trayicon.disable'             = 'true'
    'isolation.tools.unity.disable'                    = 'true'
    'isolation.tools.unityInterlockOperation.disable'  = 'true'
    'isolation.tools.unity.push.update.disable'        = 'true'
    'isolation.tools.unity.taskbar.disable'            = 'true'
    'isolation.tools.unityActive.disable'              = 'true'
    'isolation.tools.unity.windowContents.disable'     = 'true'
    'isolation.tools.vmxDnDVersionGet.disable'         = 'true'
    'isolation.tools.guestDnDVersionSet.disable'       = 'true'
    'RemoteDisplay.maxConnections'                     = '1'
    'RemoteDisplay.vnc.enabled'                        = 'false'
    'tools.setinfo.sizeLimit'                          = '1048576'
    'isolation.device.connectable.disable'             = 'true'
    'tools.guestlib.enableHostInfo'                    = 'false'
    'tools.guest.desktop.autolock'                     = 'true'
}
foreach ($Name in $StigSettings.Keys) {
    $VM | New-AdvancedSetting -Name $Name -Value $StigSettings[$Name] -Force -Confirm:$false | Out-Null
}

# Disconnect any ISO or host CD/DVD device and remove USB passthrough devices.
$VM | Get-CDDrive | Set-CDDrive -NoMedia -Confirm:$false | Out-Null
$VM | Get-USBDevice | Remove-USBDevice -Confirm:$false

# The STIG requires this key to be absent, so remove it if it is present.
$VM | Get-AdvancedSetting -Name sched.mem.pshare.salt | Remove-AdvancedSetting -Confirm:$false

# Only on Non-3D enabled VMs: both keys disable graphics features a 3D workload needs.
if (-not $3DEnabled) {
    $VM | New-AdvancedSetting -Name svga.vgaonly -Value 'true'  -Force -Confirm:$false | Out-Null
    $VM | New-AdvancedSetting -Name mks.enable3d -Value 'false' -Force -Confirm:$false | Out-Null
}
# End 3D hardening

# Disconnect from the vCenter Server
Disconnect-VIServer -Server $VIServer -Confirm:$false

That is it! I’m curious to hear your feedback on this script. I will also put one together to STIG an ESXi host as well.
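Because the lockdown script changes the VM without reporting what it found, it is useful to have a read-only check that runs before it (to see what will change) and after it (to prove the result, or to catch drift later). The function below is an added example written for this post, not code from the original script or from VMware; it reuses the same setting names and values the script applies, assumes an existing PowerCLI session opened with Connect-VIServer, and assumes the VM name resolves to exactly one machine. The `Test-VMStigSettings` name and the `-Require3DDisabled` switch are this example's own.

```powershell
# Added example (not part of the original post): audit a VM against the STIG values
# the lockdown script applies, without changing anything on the VM.
# Assumes an existing PowerCLI session (Connect-VIServer). A $null expected value
# means the key must NOT be present on the VM.
$StigExpected = [ordered]@{
    'isolation.tools.copy.disable'                     = 'true'
    'isolation.tools.dnd.disable'                      = 'true'
    'isolation.tools.setGUIOptions.enable'             = 'false'
    'isolation.tools.paste.disable'                    = 'true'
    'isolation.tools.diskShrink.disable'               = 'true'
    'isolation.tools.diskWiper.disable'                = 'true'
    'isolation.tools.hgfsServerSet.disable'            = 'true'
    'isolation.tools.ghi.autologon.disable'            = 'true'
    'isolation.tools.ghi.launchmenu.change'            = 'true'
    'isolation.tools.memSchedFakeSampleStats.disable'  = 'true'
    'isolation.tools.ghi.protocolhandler.info.disable' = 'true'
    'isolation.ghi.host.shellAction.disable'           = 'true'
    'isolation.tools.ghi.trayicon.disable'             = 'true'
    'isolation.tools.unity.disable'                    = 'true'
    'isolation.tools.unityInterlockOperation.disable'  = 'true'
    'isolation.tools.unity.push.update.disable'        = 'true'
    'isolation.tools.unity.taskbar.disable'            = 'true'
    'isolation.tools.unityActive.disable'              = 'true'
    'isolation.tools.unity.windowContents.disable'     = 'true'
    'isolation.tools.vmxDnDVersionGet.disable'         = 'true'
    'isolation.tools.guestDnDVersionSet.disable'       = 'true'
    'RemoteDisplay.maxConnections'                     = '1'
    'RemoteDisplay.vnc.enabled'                        = 'false'
    'tools.setinfo.sizeLimit'                          = '1048576'
    'isolation.device.connectable.disable'             = 'true'
    'tools.guestlib.enableHostInfo'                    = 'false'
    'tools.guest.desktop.autolock'                     = 'true'
    'sched.mem.pshare.salt'                            = $null   # must be absent
}

function Test-VMStigSettings {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$VMName,
        # Leave this off for VMs that legitimately need 3D graphics.
        [switch]$Require3DDisabled
    )
    $vm = Get-VM -Name $VMName -ErrorAction Stop
    if (@($vm).Count -ne 1) {
        throw "Expected exactly one VM named '$VMName', found $(@($vm).Count)."
    }

    # Read every advanced setting in one call and index by name. Hashtable keys are
    # case-insensitive, and -eq on strings is too, so "TRUE" matches "true".
    $current = @{}
    foreach ($s in ($vm | Get-AdvancedSetting)) { $current[$s.Name] = [string]$s.Value }

    $checks = @{}
    foreach ($k in $StigExpected.Keys) { $checks[$k] = $StigExpected[$k] }
    if ($Require3DDisabled) {
        $checks['svga.vgaonly'] = 'true'
        $checks['mks.enable3d'] = 'false'
    }

    foreach ($name in ($checks.Keys | Sort-Object)) {
        $want = $checks[$name]
        $have = $current[$name]          # $null when the key is absent from the VMX
        if ($null -eq $want) {
            $status = if ($null -eq $have) { 'Compliant' } else { 'MustBeRemoved' }
        } elseif ($null -eq $have) {
            $status = 'Missing'
        } elseif ($have -eq $want) {
            $status = 'Compliant'
        } else {
            $status = 'NonCompliant'
        }
        [pscustomobject]@{ VM = $vm.Name; Check = $name; Expected = $want; Current = $have; Status = $status }
    }

    # Device checks from the same script: no CD/DVD media attached, no USB passthrough devices.
    $media = @($vm | Get-CDDrive | Where-Object { $_.IsoPath -or $_.HostDevice })
    $mediaStatus = if ($media.Count -eq 0) { 'Compliant' } else { 'NonCompliant' }
    [pscustomobject]@{ VM = $vm.Name; Check = 'CD/DVD media'; Expected = 'none'
                       Current = "$($media.Count) attached"; Status = $mediaStatus }

    $usb = @($vm | Get-USBDevice)
    $usbStatus = if ($usb.Count -eq 0) { 'Compliant' } else { 'NonCompliant' }
    [pscustomobject]@{ VM = $vm.Name; Check = 'USB devices'; Expected = 'none'
                       Current = "$($usb.Count) attached"; Status = $usbStatus }
}

# Usage: show only the findings that need attention.
# Test-VMStigSettings -VMName 'lab-web01' -Require3DDisabled |
#     Where-Object Status -ne 'Compliant' | Format-Table -AutoSize
```

Each check comes back as an object rather than printed text, so the same function feeds a `Format-Table` on the console, an `Export-Csv` for an audit trail, or a `Where-Object` filter across every VM returned by `Get-VM` in a cluster. A `Missing` result on a freshly deployed VM is normal (most of these keys are not present until something sets them); `MustBeRemoved` on `sched.mem.pshare.salt` and `NonCompliant` on the device checks are the findings that the lockdown script would change, which is exactly what you want to see before running it.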
