Any enabled or connected device represents a potential attack channel. Users and processes without privileges on a virtual machine can connect or disconnect hardware devices, such as network adapters and CD-ROM drives. Attackers can use this capability to breach virtual machine security. Removing unnecessary hardware devices can help prevent attacks.
- Ensure that unauthorized devices are not connected and remove any unneeded or unused hardware devices.
- Disable unnecessary virtual devices from within a virtual machine. An attacker with access to a virtual machine can connect a disconnected CD-ROM drive and access sensitive information on the media left in the drive, or disconnect a network adapter to isolate the virtual machine from its network, resulting in a denial of service.
- Ensure that no device is connected to a virtual machine if it is not required. Serial and parallel ports are rarely used for virtual machines in a datacenter environment, and CD/DVD drives are usually connected only temporarily during software installation.
- For less commonly used devices that are not required, either the parameter should not be present or its value must be false. Ensure that the following parameters are either not present or set to false unless the device is required.
Parameter Value Device floppyX.present false floppy drives serialX.present false serial ports parallelX.present false parallel ports usb.present false USB controller ideX:Y.present false CD-ROM