To run the VxRail hardening scripts and manual procedures, configure a system located on the same network as the servers that will be hardened with the following:
- Microsoft PowerShell
- An SSH client such as PuTTY
- The PuTTY Plink executable is required as an installed application or available on a local or network drive as a stand-alone executable.
- Web browser
- A secure copy utility such as WinSCP
During a secure copy file transfer between a Windows system and a Linux system, the Carriage Return (CR, \r) versus Line Feed (LF, \n) character issue may occur. Ensure that you have the correct file transfer setting to handle the file transfer appropriately.
Enable PowerShell to run Dell scripts
To enable PowerShell to run the Dell scripts, you must set the execution policy. To set the execution policy, enter the following command in the PowerShell window:
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope LocalMachine
Install VMware.PowerCLI
Ensure that the PowerShell VMware.PowerCLI module is installed on a system with connectivity to the SUH before beginning configurations that use PowerCLI commands or scripts. Installation requires internet connectivity, access to the PowerShell Gallery website, and registration of the PowerShell Gallery as a local repository.
To install the VMware.PowerCLI module, open an elevated Windows PowerShell command window and enter:
Install-Module VMware.PowerCLI -Scope CurrentUser
Install the SSO Admin module
The VMware.vSphere.SsoAdmin module must be installed explicitly. This module is required for hardening the VMware vCenter Server Appliance VM in VxRail 7.x.
To install the SSO Admin module, open an elevated Windows PowerShell command window and enter:
Install-Module -Name VMware.vSphere.SsoAdmin
To verify the installation status of the VMware modules, enter:
Get-Module -Name VMware.* -ListAvailable
Install Plink
The PuTTY Plink executable is required. Plink enables PowerShell scripts to set up an SSH connection to a host and run host commands. The VxRail STIG hardening script uses Plink to run commands on the VxRail nodes. For other operations that require SSH, use an SSH client that is approved by your organization.
There are two ways to use Plink:
- Plink is a companion utility of PuTTY. Typical installations of PuTTY include plink.exe by default in the C:\Program Files\PuTTY directory.
- Plink can also be a stand-alone executable. To use Plink as a stand-alone executable, update the default path in the script file to the path on your workstation.
Set the PowerShell options
If you have not yet installed DOD-approved certificates on the systems to be hardened, eliminate certificate prompts for action during this PowerCLI session by entering:
Get-PowerCLIConfiguration
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -Confirm:$false
PowerCLI prompts you to confirm actions (default = “Y” to proceed) when running the scripts. To reduce prompts for action during a PowerCLI session, enter:
$ConfirmPreference = "None"
Validate the integrity of the VxRail STIG Hardening package contents
The README.txt that is contained in the .zip archive of the downloaded VxRail STIG Hardening Package provides SHA256 cryptographic hashes of the files in the VxRail STIG Hardening package.
- Extract the VxRail STIG Hardening Package to the following location: C:\Users\<username>\Downloads
- Open an elevated Windows PowerShell prompt.
- Go to the extracted package by entering:
Set-Location C:\Users\<username>\Downloads\VxRail_STIG_Hardenging_Package_<version>
- Generate the SHA256 hashes by entering:
Get-FileHash -Algorithm SHA256 *
- Verify that the results match the hashes that are provided in the README.txt file.
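The comparison in the last step can be scripted instead of checked by eye. The following is an added example, not part of the Dell package: it assumes README.txt lists each SHA256 value as 64 hex characters on the same line as its file name, and the variable names and status labels are illustrative.

```powershell
# Added example: compare Get-FileHash results with the hashes in README.txt.
# Assumption: each README line that carries a hash also names the file.
$PackagePath = '.'            # run from the extracted package directory
$ReadmeName  = 'README.txt'

$readme = Join-Path $PackagePath $ReadmeName
if (-not (Test-Path -LiteralPath $readme)) { throw "README not found: $readme" }

# Keep only the README lines that contain a SHA256-shaped value.
$hashLines = @(Get-Content -LiteralPath $readme |
    Where-Object { $_ -match '\b[0-9A-Fa-f]{64}\b' })
if ($hashLines.Count -eq 0) { throw "No SHA256 values found in $readme" }

$results = @(Get-ChildItem -LiteralPath $PackagePath -File -Recurse |
    Where-Object { $_.Name -ne $ReadmeName } |
    ForEach-Object {
        $name = $_.Name
        $hash = (Get-FileHash -Algorithm SHA256 -LiteralPath $_.FullName).Hash

        # -like is case-insensitive, so upper- and lower-case hex both match.
        $sameHash = @($hashLines | Where-Object { $_ -like "*$hash*" })
        # IndexOf avoids wildcard interpretation of characters in file names.
        $sameLine = @($sameHash | Where-Object {
            $_.IndexOf($name, [StringComparison]::OrdinalIgnoreCase) -ge 0 })

        $status = 'MISMATCH'                      # hash not in README at all
        if ($sameHash.Count -gt 0) { $status = 'HashListedUnderOtherName' }
        if ($sameLine.Count -gt 0) { $status = 'Match' }

        [pscustomobject]@{ Status = $status; File = $name; SHA256 = $hash }
    })

$results | Sort-Object Status, File | Format-Table -AutoSize

# Stop before any hardening script is run if a file failed verification.
$bad = @($results | Where-Object { $_.Status -ne 'Match' })
if ($bad.Count -gt 0) {
    throw "$($bad.Count) file(s) did not verify against $ReadmeName"
}
Write-Host "All $($results.Count) files match the hashes in $ReadmeName."
```

Because README.txt is delivered inside the same .zip archive as the files it describes, a match confirms that the extracted files are complete and uncorrupted relative to that archive.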