One important caveat: the VM needs to be shut down when you run this script, because all of the advanced settings are locked while the VM is running.
Param(
    [Parameter(Mandatory=$True, Position=1)]
    [string]$targetvm
)

$vm = Get-VM $targetvm

# Logging and remote-console limits
$vm | New-AdvancedSetting -Name 'log.keepOld' -Value 10 -Confirm:$false
$vm | New-AdvancedSetting -Name 'log.rotateSize' -Value 1024000 -Confirm:$false
$vm | New-AdvancedSetting -Name 'RemoteDisplay.maxConnection' -Value 2 -Confirm:$false

# Guest/host isolation keys. These '.disable' keys switch the feature off when the value
# is TRUE (the value the VMware hardening guides list); -Value false leaves the feature enabled,
# so check each value against your own baseline before running this.
$vm | New-AdvancedSetting -Name 'isolation.tools.ghi.launchmenu.change' -Value false -Confirm:$false
$vm | New-AdvancedSetting -Name 'isolation.device.edit.disable' -Value false -Confirm:$false
$vm | New-AdvancedSetting -Name 'isolation.tools.hgfsServerSet.disable' -Value false -Confirm:$false
$vm | New-AdvancedSetting -Name 'isolation.tools.autoInstall.disable' -Value false -Confirm:$false
$vm | New-AdvancedSetting -Name 'isolation.tools.unity.push.update.disable' -Value false -Confirm:$false
$vm | New-AdvancedSetting -Name 'isolation.tools.diskWiper.disable' -Value false -Confirm:$false
$vm | New-AdvancedSetting -Name 'isolation.tools.ghi.protocolhandler.info.disable' -Value false -Confirm:$false
$vm | New-AdvancedSetting -Name 'isolation.tools.vmxDnDVersionGet.disable' -Value false -Confirm:$false
$vm | New-AdvancedSetting -Name 'isolation.bios.bbs.disable' -Value false -Confirm:$false
$vm | New-AdvancedSetting -Name 'isolation.unity.taskbar.disable' -Value false -Confirm:$false
$vm | New-AdvancedSetting -Name 'isolation.tools.diskShrink.disable' -Value false -Confirm:$false
$vm | New-AdvancedSetting -Name 'isolation.tools.unity.windowContents.disable' -Value false -Confirm:$false
$vm | New-AdvancedSetting -Name 'isolation.tools.unityInterlockOperation.disable' -Value false -Confirm:$false
$vm | New-AdvancedSetting -Name 'isolation.tools.ghi.trayicon.disable' -Value false -Confirm:$false
$vm | New-AdvancedSetting -Name 'isolation.tools.vixMessage.disable' -Value false -Confirm:$false
$vm | New-AdvancedSetting -Name 'isolation.tools.ghi.autologin.disable' -Value false -Confirm:$false
$vm | New-AdvancedSetting -Name 'isolation.device.connectable.disable' -Value false -Confirm:$false
$vm | New-AdvancedSetting -Name 'isolation.monitor.control.disable' -Value false -Confirm:$false
$vm | New-AdvancedSetting -Name 'isolation.tools.memSchedFakeSampleStats.disable' -Value false -Confirm:$false
$vm | New-AdvancedSetting -Name 'isolation.tools.unityActive.disable' -Value false -Confirm:$false
$vm | New-AdvancedSetting -Name 'isolation.tools.getCreds.disable' -Value false -Confirm:$false
$vm | New-AdvancedSetting -Name 'isolation.ghi.shellAction.disable' -Value false -Confirm:$false
$vm | New-AdvancedSetting -Name 'isolation.tools.trashFolderState.disable' -Value false -Confirm:$false
So I wrote the script to take -targetvm as a parameter. That lets me run it against any subset of machines I choose, for example: Get-Folder dev | Get-VM | ForEach-Object { ./vmsecurityupdate $_.Name }
Most of the parameters above were recommended against "default build" VMs, so if you ran the vROps VM hardening alert you would likely see the same recommendations. You may want more settings, or fewer, depending on many business factors. The easy way to plan your settings is to run Get-AdvancedSetting <vmname> | Select * and work out which settings matter to you or your organization. My long-term goal is to get this script into our build automation so that every VM we push out has an improved security posture.
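An added example, not the post's own script, that turns the planning step above into an audit: it compares a VM's current advanced settings against a baseline hashtable, reports the drift, and only applies changes when the VM is powered off (the caveat at the top). It assumes PowerCLI is loaded and Connect-VIServer has already been run; the function name Test-VMHardeningBaseline and the baseline values are constructed for illustration.

```powershell
# Added example (not the original script). Assumes PowerCLI and an open Connect-VIServer session.
function Test-VMHardeningBaseline {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$TargetVM,
        [Parameter(Mandatory = $true)][hashtable]$Baseline,
        [switch]$Apply
    )

    $vm = Get-VM -Name $TargetVM -ErrorAction Stop
    # Read every advanced setting once instead of querying per key
    $current = @{}
    foreach ($s in Get-AdvancedSetting -Entity $vm) { $current[$s.Name] = [string]$s.Value }

    # Drift = keys that are missing or whose value differs from the baseline
    $drift = foreach ($key in $Baseline.Keys) {
        $expected = [string]$Baseline[$key]
        $actual   = if ($current.ContainsKey($key)) { $current[$key] } else { '<not set>' }
        if ($actual -ne $expected) {
            [pscustomobject]@{ VM = $vm.Name; Setting = $key; Expected = $expected; Actual = $actual }
        }
    }

    if (-not $Apply) { return $drift }   # audit-only mode: report, change nothing

    # Advanced settings are locked while the VM runs, so refuse rather than half-apply
    if ($vm.PowerState -ne 'PoweredOff') {
        throw "$($vm.Name) is $($vm.PowerState); power it off before applying advanced settings."
    }
    foreach ($d in $drift) {
        if ($PSCmdlet.ShouldProcess($vm.Name, "set $($d.Setting) = $($d.Expected)")) {
            if ($d.Actual -eq '<not set>') {
                New-AdvancedSetting -Entity $vm -Name $d.Setting -Value $d.Expected -Confirm:$false | Out-Null
            } else {
                Get-AdvancedSetting -Entity $vm -Name $d.Setting |
                    Set-AdvancedSetting -Value $d.Expected -Confirm:$false | Out-Null
            }
        }
    }
    return $drift
}

# Constructed baseline: a subset of the keys used in the post. The '.disable' keys take
# TRUE to switch the feature off, which is the value the VMware hardening guides list.
$baseline = @{
    'log.keepOld'                        = '10'
    'log.rotateSize'                     = '1024000'
    'RemoteDisplay.maxConnection'        = '2'
    'isolation.tools.diskShrink.disable' = 'true'
}
# Audit-only across a folder; add -Apply (and -WhatIf to preview) to enforce the baseline
Get-Folder dev | Get-VM | ForEach-Object { Test-VMHardeningBaseline -TargetVM $_.Name -Baseline $baseline }
```

Run it without -Apply first and keep the drift report; it tells you which settings vROps will keep flagging and gives you an audit trail before anything is changed.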
I hope this helps out.