VMware ESXi Host Base Hardening

EsxiHostHardening.ps1

foreach ($VMhost in (Get-VMHost))
{
    #Stop SSH Service
    $ServiceList = Get-VMHostService -VMhost $VMhost
    $SSHservice = $ServiceList | Where-Object {$_.Key -eq "TSM-SSH"}
    If ($SSHservice.Running -eq $true) {Stop-VMHostService -HostService $SSHService -Confirm:$false}
    else {Write-Output "SSH Server on host $VMhost is Stopped"}
    $Shellservice = $ServiceList | Where-Object {$_.Key -eq "TSM"}
    If ($Shellservice.Running -eq $true) {Stop-VMHostService -HostService $Shellservice -Confirm:$false}
    else {Write-Output "Shell Server on host $VMhost is Stopped"}
 
    #Enable Shell Warning
    $VMHost | Get-AdvancedSetting -Name UserVars.SuppressShellWarning | Set-AdvancedSetting -Value 0 -Confirm:$False
 
    #Enable Lockdown Mode
    $HostView = $VMHost  | Get-VIEvent
    if (($HostView).config.LockdownMode -eq "lockdownNormal"){ ($HostView).EnterLockdownMode()}
    else {Write-Output "LockdownMode on host $VMhost is Enabled"}
 
 
    #Set Timeouts
    $VMHost | Get-AdvancedSetting -Name UserVars.ESXiShellInteractiveTimeOut | Set-AdvancedSetting -Value 900 -Confirm:$False
    $VMHost | Get-AdvancedSetting -Name UserVars.ESXiShellTimeOut | Set-AdvancedSetting -Value 900 -Confirm:$False
    $VMHost | Get-AdvancedSetting -Name Security.AccountLockFailures | Set-AdvancedSetting -Value 3 -Confirm:$False
    $VMHost | Get-AdvancedSetting -Name UserVars.DcuiTimeOut | Set-AdvancedSetting -Value 600 -Confirm:$False
    $VMHost | Get-AdvancedSetting -Name Security.AccountUnlockTime | Set-AdvancedSetting -Value 900 -Confirm:$False
 
    #Enable BPDU filter
    $VMHost | Get-AdvancedSetting -Name Net.BlockGuestBPDU | Set-AdvancedSetting -Value 1 -Confirm:$False
}