Some VMware Tools settings might expose security risks. For example, VMware Tools enables you to connect virtual devices such as serial and parallel ports to virtual machines. A connected device might be a potential channel of attack. To harden a virtual machine and reduce security risks as much as possible, disable the VMware Tools features that might be vulnerable to security threats.

For complete information about securely deploying VMware vSphere in a production environment, including security recommendations for hosts, virtual machines, management components, and a networking infrastructure, see the vSphere Hardening Guide. VMware Tools settings relate only to the virtual machine aspect of a deployment.

Virtual machines are encapsulated in a small number of files. Of these, the configuration file (.vmx file) governs the performance of the virtual hardware and other settings. You can use several methods to see and modify the configuration settings:

  • Use the vSphere Web Client to edit virtual machine settings. In the vSphere Web Client, editing these configuration parameters is an advanced option in the virtual machine Edit Settings dialog box.

  • Use the vSphere Host Client to edit virtual machine settings. In the vSphere Host Client, editing these configuration parameters is an advanced option in the virtual machine Edit Settings dialog box.

  • Use a vSphere API-based tool, such as Power CLI, to view and modify .vmx parameters.

After you edit a setting, the change does not take effect until you restart the virtual machine.

You can eliminate several potential threats by setting parameters appropriately in the corresponding VMware Tools parameters to set in the virtual machine's .vmx file. The defaults for many of these parameters are already set to protect virtual machines from these threats.

Threats Associated with Unprivileged User Accounts

Copy and paste

By default, the ability to copy and paste text, graphics, and files is disabled, as is the ability to drag and drop files. When this option is enabled, you can copy and paste rich text, and depending on the VMware product, graphics and files from your clipboard to the guest operating system in a virtual machine. That is, when the console window of a virtual machine gains focus, nonprivileged users and processes running in the virtual machine can access the clipboard on the computer where the console window is running. To avoid risks associated with this feature, retain the following .vmx settings, which disable copying and pasting:

isolation.tools.copy.disable = "TRUE"
isolation.tools.paste.disable = "TRUE"

Threats Associated with Virtual Devices

Connecting and modifying devices

By default, the ability to connect and disconnect devices is disabled. When this feature is enabled, users and processes without root or administrator privileges can connect devices such as network adapters and CD-ROM drives, and they can modify device settings. That is, a user can connect a disconnected CD-ROM drive and access sensitive information on the media that is in the drive. A user can also disconnect a network adapter to isolate the virtual machine from its network, which is a denial of service. To avoid risks associated with this feature, retain the following .vmx settings, which disable the ability to connect and disconnect devices or to modify device settings:

isolation.device.connectable.disable = "TRUE"
isolation.device.edit.disable = "TRUE"

Threats Associated with Virtual Machine Information Flow

VMX file size

By default the configuration file is limited to a size of 1 MB because uncontrolled size for the file can lead to a denial of service if the datastore runs out of disk space. Informational messages are sometimes sent from the virtual machine to the .vmx file. These setinfo messages define virtual machine characteristics or identifiers by writing name-value pairs to the file. You might need to increase the size of the file if large amounts of custom information must be stored in the file. The property name is tools.setInfo.sizeLimit, and you specify the value in kilobytes. Retain the following .vmx setting:

tools.setInfo.sizeLimit = "1048576"

Sending performance counters into PerfMon

You can integrate virtual machine performance counters for CPU and memory into PerfMon for Linux and Microsoft Windows guest operating systems. This provides detailed information about the physical host available to the guest operating system. A malicious user could potentially use this information to perform further attacks on the host. By default this feature is disabled. Retain the following .vmx setting to prevent host information from being sent to the virtual machine:

tools.guestlib.enableHostInfo = "FALSE"

This setting blocks some but not all metrics. If you set this property to FALSE, the following metrics are blocked:

  • GUESTLIB_HOST_CPU_NUM_CORES

  • GUESTLIB_HOST_CPU_USED_MS

  • GUESTLIB_HOST_MEM_SWAPPED_MB

  • GUESTLIB_HOST_MEM_SHARED_MB

  • GUESTLIB_HOST_MEM_USED_MB

  • GUESTLIB_HOST_MEM_PHYS_MB

  • GUESTLIB_HOST_MEM_PHYS_FREE_MB

  • GUESTLIB_HOST_MEM_KERN_OVHD_MB

  • GUESTLIB_HOST_MEM_MAPPED_MB

  • GUESTLIB_HOST_MEM_UNMAPPED_MB

Features not exposed in vSphere that could cause vulnerabilities

Because VMware virtual machines run in many VMware products in addition to vSphere, some virtual machine parameters do not apply in a vSphere environment. Although these features do not appear in vSphere user interfaces, disabling them reduces the number of vectors through which a guest operating system could access a host. Use the following .vmx setting to disable these features:

isolation.tools.unity.push.update.disable = "TRUE"
isolation.tools.ghi.launchmenu.change = "TRUE"
isolation.tools.ghi.autologon.disable = "TRUE"
isolation.tools.hgfsServerSet.disable = "TRUE"
isolation.tools.memSchedFakeSampleStats.disable = "TRUE"
isolation.tools.getCreds.disable = "TRUE"