To secure your virtual machines, keep the guest operating systems patched and protect your environment just as you protect your physical machine. Consider disabling unnecessary functionality, minimize the use of the virtual machine console, and follow other best practices.
- Protect the guest operating system
- To protect your guest operating system, make sure that it uses the most recent patches and, if appropriate, anti-spyware and anti-malware applications. See the documentation from your guest operating system vendor and, potentially, other information available in books or on the Internet for that operating system.
- Disable unnecessary functionality
- Check that unnecessary functionality is disabled to minimize potential points of attack. Many of the features that are used infrequently are disabled by default. Remove unnecessary hardware and disable certain features such as host-guest filesystem (HGFS) or copy and paste between the virtual machine and a remote console.
- Use templates and scripted management
- Virtual machine templates enable you to set up the operating system so that it meets your requirements, and to create other VMs with the same settings.
- Minimize use of the virtual machine console
- The virtual machine console provides the same function for a virtual machine that a monitor on a physical server provides. Users with access to a virtual machine console have access to virtual machine power management and to removable device connectivity controls. As a result, virtual machine console access might allow a malicious attack on a virtual machine.
- Consider UEFI secure boot
- Starting with vSphere 6.5, you can configure your virtual machine to use UEFI boot. If the operating system supports secure UEFI boot, you can select that option for your VMs for additional security. See Enable or Disable UEFI Secure Boot for a Virtual Machine.
- Consider VMware AppDefense
- Starting with vSphere 6.7 Update 1, you can install and use the VMware AppDefense plug-in to protect your applications and ensure endpoint security. The AppDefense plug-in becomes available with the vSphere Platinum license. If you have the Platinum license, the AppDefense panel appears on the Summary tab for any virtual machine in your inventory. From that panel, you can install, upgrade, or view details about the AppDefense plug-in. For more information about VMware AppDefense, see the AppDefense documentation.
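As an added example (not VMware's own code), the check described under "Disable unnecessary functionality" can be scripted against a virtual machine's .vmx configuration text to report copy and paste, HGFS, and leftover virtual hardware. The three `isolation.tools.*` keys are VMX advanced settings from VMware's hardening guidance and are not named on this page; the device list and the sample .vmx content are assumptions constructed for the example.

```python
import re

# Settings for copy/paste and HGFS; key names are from VMware hardening guidance, not this page.
EXPECTED = {
    "isolation.tools.copy.disable": "TRUE",
    "isolation.tools.paste.disable": "TRUE",
    "isolation.tools.hgfsServerSet.disable": "TRUE",
}
# Device types treated as unnecessary here (an assumption of this example).
DEVICE_RE = re.compile(r"((?:floppy|serial|parallel)\d+)\.present")
LINE_RE = re.compile(r'^\s*([^#\s=][^=]*?)\s*=\s*"(.*)"\s*$')

# Constructed sample .vmx content, not taken from a real VM.
SAMPLE_VMX = '''\
displayName = "web01"
isolation.tools.copy.disable = "TRUE"
isolation.tools.paste.disable = "FALSE"
floppy0.present = "TRUE"
serial0.present = "FALSE"
'''

def parse_vmx(text):
    """Parse key = "value" lines; keys are lowercased so lookups ignore case."""
    cfg = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            cfg[m.group(1).lower()] = m.group(2)
    return cfg

def audit_vmx(text):
    """Return sorted (item, finding) tuples for one VM configuration."""
    cfg = parse_vmx(text)
    findings = []
    for key, want in EXPECTED.items():
        got = cfg.get(key.lower())
        if got is None:
            findings.append((key, "not set, relies on the default"))
        elif got.upper() != want:
            findings.append((key, f"is {got}, expected {want}"))
    for key, value in cfg.items():
        m = DEVICE_RE.fullmatch(key)
        if m and value.upper() == "TRUE":
            findings.append((m.group(1), "device present, remove if unused"))
    return sorted(findings)

if __name__ == "__main__":
    for item, finding in audit_vmx(SAMPLE_VMX):
        print(f"{item}: {finding}")
```

A "not set" finding is informational: it means the VM depends on the platform default rather than an explicit value, so the result changes only if the default does.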