Some VMware Tools settings might expose security risks. For example, VMware Tools enables you to connect virtual devices such as serial and parallel ports to virtual machines. A connected device could be a potential channel of attack. To harden a virtual machine and reduce security risks as much as possible, disable the VMware Tools features that might be vulnerable to security threats.
For complete information about securely deploying VMware vSphere in a production environment, including security recommendations for hosts, virtual machines, management components, and a networking infrastructure, see the vSphere Hardening Guide. VMware Tools settings relate only to the virtual machine aspect of a deployment.
Virtual machines are encapsulated in a small number of files. One of the important files is the configuration file (.vmx file). This file governs the performance of the virtual hardware and other settings. You can use several methods to see and modify the configuration settings:
Open the .vmx file directly in a text editor.
Use the vSphere Web Client to edit virtual machine settings. In the vSphere Web Client, editing these configuration parameters is an advanced option in the virtual machine Edit Settings dialog box.
Use the vSphere Client to edit virtual machine settings. In the vSphere Client, editing these configuration parameters is an advanced option in the virtual machine Edit Settings dialog box.
Use a vSphere API-based tool, such as PowerCLI, to view and modify .vmx parameters.
After you edit a setting, the change does not take effect until you restart the virtual machine.
Review the following list of potential security threats and the corresponding VMware Tools parameters to set in the virtual machine's .vmx file. The defaults for many of these parameters are already set to protect virtual machines from these threats.
Threats Associated with Unprivileged User Accounts
Disk shrinking feature
Shrinking a virtual disk reclaims unused disk space. Users and processes without root or administrator privileges can invoke this procedure. Because the disk-shrinking process can take considerable time to complete, invoking the disk-shrinking procedure repeatedly can cause a denial of service. The virtual disk is unavailable during the shrinking process. Use the following .vmx settings to disable disk shrinking:
isolation.tools.diskWiper.disable = "TRUE"
isolation.tools.diskShrink.disable = "TRUE"
Copy and paste feature
By default, the ability to copy and paste text, graphics, and files is disabled, as is the ability to drag and drop files. When this feature is enabled, you can copy and paste rich text and, depending on the VMware product, graphics and files from your clipboard to the guest operating system in a virtual machine. That is, as soon as the console window of a virtual machine gains focus, nonprivileged users and processes running in the virtual machine can access the clipboard on the computer where the console window is running. To avoid risks associated with this feature, retain the following .vmx settings, which disable copying and pasting:
isolation.tools.copy.disable = "TRUE"
isolation.tools.paste.disable = "TRUE"
Threats Associated with Virtual Devices
Connecting and modifying devices
By default, the ability to connect and disconnect devices is disabled. When this feature is enabled, users and processes without root or administrator privileges can connect devices such as network adapters and CD-ROM drives, and they can modify device settings. That is, a user can connect a disconnected CD-ROM drive and access sensitive information on the media left in the drive. A user can also disconnect a network adapter to isolate the virtual machine from its network, which is a denial of service. To avoid risks associated with this feature, retain the following .vmx settings, which disable the ability to connect and disconnect devices or to modify device settings:
isolation.device.connectable.disable = "TRUE"
isolation.device.edit.disable = "TRUE"
Virtual Machine Communication Interface (VMCI) for ESXi 5.0 and Earlier
This setting applies to ESXi 5.0 and earlier virtual machines. It does not apply to ESXi 5.1 and later virtual machines.
If VMCI is not restricted, a virtual machine can detect and be detected by all others with the same option enabled within the same host. Custom-built software that uses this interface might have unexpected vulnerabilities that lead to an exploit. Also, a virtual machine could detect how many other virtual machines are within the same ESX/ESXi system by registering the virtual machine. This information could be used for a malicious objective. The virtual machine can be exposed to others within the system as long as at least one program is connected to the VMCI socket interface. Use the following .vmx setting to restrict VMCI:
vmci0.unrestricted = "FALSE"
Threats Associated with Virtual Machine Information Flow
Configuring virtual machine log number
Depending on your log settings, a new log file might be created each time the current file grows larger than 100KB. Uncontrolled logging can lead to denial of service if the datastore runs out of disk space. VMware recommends keeping 10 log files. By default, the maximum size for log files is 100KB, and you cannot change that value at the virtual machine level. Use the following .vmx setting to set the number of log files to keep:
vmx.log.keepOld = "10"
You can limit the number of log files for all virtual machines on a host by editing the /etc/vmware/config file. If the log.KeepOld property is not defined in the file, you can add it. For example, to keep ten log files for each virtual machine, add the following to /etc/vmware/config:
vmx.log.keepOld = "10"
You can also use a PowerCLI script to change this property on all the virtual machines on a host.
A more extreme strategy is to disable logging altogether for the virtual machine. Disabling logging makes troubleshooting challenging and support difficult. Do not consider disabling logging unless the log file rotation approach proves insufficient. Use the following .vmx setting to disable logging altogether:
logging = "FALSE"
VMX file size
By default, the configuration file is limited to a size of 1MB, because an uncontrolled file size can lead to a denial of service if the datastore runs out of disk space. Informational messages are sometimes sent from the virtual machine to the .vmx file. These setinfo messages define virtual machine characteristics or identifiers by writing name-value pairs to the file. You might need to increase the size of the file if large amounts of custom information must be stored in it. The property name is tools.setInfo.sizeLimit, and you specify the value in kilobytes. Retain the following .vmx setting:
tools.setInfo.sizeLimit = "1048576"
Sending performance counters into PerfMon
You can integrate virtual machine performance counters for CPU and memory into PerfMon for Microsoft Windows guest operating systems. This feature makes detailed information about the physical host available to the guest operating system. An adversary could potentially use this information to inform further attacks on the host. By default this feature is disabled. Retain the following .vmx setting to prevent host information from being sent to the virtual machine:
tools.guestlib.enableHostInfo = "FALSE"
This setting blocks some but not all metrics. If you set this property to FALSE, the following metrics are blocked:
Features not exposed in vSphere that could cause vulnerabilities
Because VMware virtual machines run in many VMware products in addition to vSphere, some virtual machine parameters do not apply in a vSphere environment. Although these features do not appear in vSphere user interfaces, disabling them reduces the number of vectors through which a guest operating system could access a host. Use the following .vmx settings to disable these features:
isolation.tools.unity.push.update.disable = "TRUE"
isolation.tools.ghi.launchmenu.change = "TRUE"
isolation.tools.ghi.autologon.disable = "TRUE"
isolation.tools.hgfsServerSet.disable = "TRUE"
isolation.tools.memSchedFakeSampleStats.disable = "TRUE"
isolation.tools.getCreds.disable = "TRUE"
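The settings above can be checked and applied directly in a .vmx file, as described under "Open the .vmx file directly in a text editor". The following script is an added example, not VMware's own tooling: it parses the key = "value" lines of a .vmx file, reports every hardening parameter from this page that is absent or set to a different value, and rewrites the file with the expected values. The HARDENED table and the SAMPLE_VMX fragment are constructed from the values on this page; vmci0.unrestricted is included but, as stated above, only applies to ESXi 5.0 and earlier virtual machines.

```python
import re
# Hardened values listed on this page, keyed by .vmx parameter (constructed table, not VMware code).
HARDENED = {
    "isolation.tools.diskWiper.disable": "TRUE",
    "isolation.tools.diskShrink.disable": "TRUE",
    "isolation.tools.copy.disable": "TRUE",
    "isolation.tools.paste.disable": "TRUE",
    "isolation.device.connectable.disable": "TRUE",
    "isolation.device.edit.disable": "TRUE",
    "vmci0.unrestricted": "FALSE",  # only meaningful for ESXi 5.0 and earlier virtual machines
    "vmx.log.keepOld": "10",
    "tools.setInfo.sizeLimit": "1048576",
    "tools.guestlib.enableHostInfo": "FALSE",
    "isolation.tools.unity.push.update.disable": "TRUE",
    "isolation.tools.ghi.launchmenu.change": "TRUE",
    "isolation.tools.ghi.autologon.disable": "TRUE",
    "isolation.tools.hgfsServerSet.disable": "TRUE",
    "isolation.tools.memSchedFakeSampleStats.disable": "TRUE",
    "isolation.tools.getCreds.disable": "TRUE",
}
# A .vmx line has the form  key = "value"; keys may contain dots, digits and colons (e.g. ide0:0.present).
_LINE = re.compile(r'^\s*([\w.:]+)\s*=\s*"(.*)"\s*$')

def parse_vmx(text):
    # Map lower-cased keys to values; blank, comment and malformed lines are skipped.
    pairs = (_LINE.match(l) for l in text.splitlines() if not l.lstrip().startswith("#"))
    return {m.group(1).lower(): m.group(2) for m in pairs if m}

def audit_vmx(text, expected=HARDENED):
    # {key: (current, expected)} for hardening keys absent or differing; absent means the product default applies.
    found = parse_vmx(text)
    return {k: (found.get(k.lower()), v) for k, v in expected.items()
            if (found.get(k.lower()) or "").upper() != v.upper()}

def harden_vmx(text, expected=HARDENED):
    # Rewrite the .vmx text so every hardening key carries its expected value, appending absent ones.
    want = {k.lower(): (k, v) for k, v in expected.items()}
    out, seen = [], set()
    for line in text.splitlines():
        m = _LINE.match(line)
        if m and m.group(1).lower() in want:
            key, val = want[m.group(1).lower()]
            line = f'{key} = "{val}"'
            seen.add(key.lower())
        out.append(line)
    out += [f'{k} = "{v}"' for lk, (k, v) in want.items() if lk not in seen]
    return "\n".join(out) + "\n"

# Constructed sample: copy left enabled, log rotation set too high, most hardening keys absent.
SAMPLE_VMX = ('.encoding = "UTF-8"\nconfig.version = "8"\nisolation.tools.copy.disable = "FALSE"\n'
              'isolation.tools.paste.disable = "TRUE"\nvmx.log.keepOld = "100"\n')
```

Run audit_vmx on the text of a powered-off virtual machine's .vmx file to see which parameters deviate; as noted above, changes made with harden_vmx only take effect after the virtual machine is restarted.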