Any enabled or connected device represents a potential attack channel. Users and processes with privileges on a virtual machine can connect or disconnect hardware devices, such as network adapters and CD-ROM drives. Attackers can use this capability to breach virtual machine security. Removing unnecessary hardware devices can help prevent attacks.

An attacker with access to a virtual machine can connect a disconnected hardware device and access sensitive information on media that is left in a hardware device. The attacker can potentially disconnect a network adapter to isolate the virtual machine from its network, resulting in a denial of service.

  • Do not connect unauthorized devices to the virtual machine.
  • Remove unneeded or unused hardware devices.
  • Disable unnecessary virtual devices from within a virtual machine.
  • Ensure that only required devices are connected to a virtual machine. Virtual machines rarely use serial or parallel ports. As a rule, CD/DVD drives are connected only temporarily during software installation.

Procedure

  1. Browse to the virtual machine in the vSphere Client inventory.
  2. Right-click the virtual machine and click Edit Settings.
  3. Disable hardware devices that are not required.
    Check for the following devices:
    • Serial ports
    • Parallel ports
    • USB controllers
    • CD-ROM drives
    Note: You must use PowerCLI commands to manage floppy drive devices in vSphere 7.0 and later.
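The procedure above is a per-VM, click-through task; across an inventory it is easier to audit from PowerCLI, which the note already requires for floppy drives. The following script is an added example, not VMware's own code: it lists the device types the procedure names (serial ports, parallel ports, USB controllers, floppy drives) for one VM, reports CD/DVD drives with media still mounted, and only when `-Remove` is given ejects that media and removes the listed devices through the vSphere API. It assumes the VMware.PowerCLI module is installed and a session already exists (`Connect-VIServer`); `$VMName` is a placeholder for the VM you are auditing.

```powershell
# Added example (not VMware documentation code). Audit, and optionally remove,
# the unneeded virtual devices the procedure lists.
# Assumes: VMware.PowerCLI is installed and Connect-VIServer has been run.
param(
    [Parameter(Mandatory)] [string] $VMName,   # placeholder: VM to audit
    [switch] $Remove                           # without it, the script only reports
)

$vm = Get-VM -Name $VMName

# vSphere API (VMware.Vim) device classes that map to the procedure's checklist.
$unneededTypes = @(
    'VirtualSerialPort',
    'VirtualParallelPort',
    'VirtualUSBController',       # USB 2.0 controller
    'VirtualUSBXHCIController',   # USB 3.x controller
    'VirtualFloppy'               # floppy drives; PowerCLI-only in vSphere 7.0+
)

# Enumerate the VM's hardware from the managed object and keep the flagged types.
$devices = $vm.ExtensionData.Config.Hardware.Device |
    Where-Object { $unneededTypes -contains $_.GetType().Name }

foreach ($d in $devices) {
    [pscustomobject]@{
        VM    = $vm.Name
        Type  = $d.GetType().Name
        Label = $d.DeviceInfo.Label
        Key   = $d.Key
    }
}

# CD/DVD drives are reported separately: the concern is media left in the drive
# and a drive that stays connected after installation, not the drive itself.
$cdDrives = Get-CDDrive -VM $vm
foreach ($c in $cdDrives) {
    [pscustomobject]@{
        VM        = $vm.Name
        Type      = 'CDDrive'
        Label     = $c.Name
        IsoPath   = $c.IsoPath
        HostDev   = $c.HostDevice
        Connected = $c.ConnectionState.Connected
    }
}

if ($Remove) {
    # Eject media from every CD/DVD drive that has an ISO or host device attached.
    $cdDrives | Where-Object { $_.IsoPath -or $_.HostDevice } |
        Set-CDDrive -NoMedia -Confirm:$false | Out-Null

    # Remove the flagged devices in one reconfigure call. Most of these types can
    # only be removed while the VM is powered off; the call fails otherwise.
    if ($devices) {
        $spec = New-Object VMware.Vim.VirtualMachineConfigSpec
        $spec.DeviceChange = @(
            foreach ($d in $devices) {
                $change = New-Object VMware.Vim.VirtualDeviceConfigSpec
                $change.Operation = 'remove'
                $change.Device = $d
                $change
            }
        )
        $vm.ExtensionData.ReconfigVM($spec)
    }
}
```

Run it without `-Remove` first and review the output against what the VM actually needs; the report is what you would feed into a change ticket. Removing a USB controller also detaches any USB devices passed through it, and serial, parallel and USB controller removal requires the VM to be powered off, so schedule the `-Remove` pass in a maintenance window. For floppy drives alone, the cmdlet-level equivalent is `Get-FloppyDrive -VM $vm | Remove-FloppyDrive`.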