Any service that runs in a virtual machine is a potential target for attack. By deactivating system components that are not necessary to support the application or service that is running on the system, you reduce the attack surface.

Virtual machines do not usually require as many services or functions as physical servers. When you virtualize a system, evaluate whether a particular service or function is necessary.

Note: When possible, install guest operating systems using "minimal" or "core" installation modes to reduce the size, complexity, and attack surface of the guest operating system.

Procedure

  • Deactivate unused services in the operating system.
    For example, if the system runs a file server, turn off any Web services.
  • Disconnect unused physical devices, such as CD/DVD drives, floppy drives, and USB adapters.
  • Deactivate unused functionality, such as unused display features or VMware Shared Folders, which shares host files with the virtual machine (Host Guest File System).
  • Turn off screen savers.
  • Do not run the X Window System on top of Linux, BSD, or Solaris guest operating systems unless it is necessary.
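
One way to check the device and shared-folder items in the procedure is to audit a virtual machine's .vmx configuration file. The following is an added example, not VMware code: the sample configuration is constructed, and the key names and device-type strings it looks for are assumptions about typical .vmx contents. It also treats a missing HGFS disable setting as a finding, which is a stricter choice than the procedure states.

```python
import re

# Constructed sample .vmx content for illustration; not taken from a real VM.
SAMPLE_VMX = '''\
displayName = "fileserver01"
floppy0.present = "TRUE"
ide1:0.present = "TRUE"
ide1:0.deviceType = "cdrom-image"
sata0:1.present = "FALSE"
sata0:1.deviceType = "cdrom-raw"
usb.present = "TRUE"
sharedFolder0.present = "TRUE"
'''

# Key names and device types below are assumptions about common .vmx contents.
CD_TYPES = {"cdrom-image", "cdrom-raw", "atapi-cdrom"}
HGFS_DISABLE_KEY = "isolation.tools.hgfsserverset.disable"

def parse_vmx(text):
    """Return {lower-cased key: value} for each key = "value" line."""
    cfg = {}
    for line in text.splitlines():
        m = re.match(r'\s*([^#\s=]+)\s*=\s*"(.*)"\s*$', line)
        if m:
            cfg[m.group(1).lower()] = m.group(2)
    return cfg

def audit_vmx(text):
    """List devices and sharing features the procedure says to remove if unused."""
    cfg = parse_vmx(text)
    findings = []
    for key in sorted(cfg):
        dev, _, attr = key.rpartition(".")
        if attr != "present" or cfg[key].upper() != "TRUE":
            continue  # skip non-device keys and devices marked not present
        if re.fullmatch(r"floppy\d+", dev):
            findings.append(f"{dev}: floppy drive present")
        elif dev in ("usb", "ehci", "usb_xhci"):
            findings.append(f"{dev}: USB controller present")
        elif re.fullmatch(r"sharedfolder\d+", dev):
            findings.append(f"{dev}: shared folder configured")
        elif cfg.get(dev + ".devicetype", "").lower() in CD_TYPES:
            findings.append(f"{dev}: CD/DVD drive present")
    if cfg.get(HGFS_DISABLE_KEY, "").upper() != "TRUE":
        findings.append("hgfs: shared folders server not explicitly disabled")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_vmx(SAMPLE_VMX)))
```

Each finding is a candidate for removal, not an automatic violation: keep a device only if the workload in that virtual machine actually uses it.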