These security controls provide a baseline set of virtual machine security best practices. They are structured in a way that explains the benefits and tradeoffs of implementing each control. To change advanced system settings, you can use either the PowerCLI commands provided or the vSphere Client.
Variable Used
The PowerCLI commands in this section use the following variable:
- $VM = "virtual_machine_name"
mks.enable3d
Deactivates 3D graphics features on virtual machines that do not need them to reduce potential attack vectors, enhancing overall system security.
ethernet*.filter*.name
Limits access to virtual machines through the "dvFilter" network API.
The dvFilter interface is used by tools like NSX to filter and inspect network traffic. Other tools might use it, too. Ensure that those tools are authorized.
Prevent Virtual Machines Booting from Unauthorized Sources
Virtual machines must prevent booting from unauthorized sources.
Unauthorized access to a virtual machine might occur when its primary boot volume is unavailable, and the EFI firmware seeks alternative boot sources, such as network boot. This can be mitigated through network controls, as well as with the advanced parameters bios.bootDeviceClasses, bios.bootOrder, and bios.hddOrder.
bios.bootDeviceClasses has the format "allow:XXXX" or "deny:XXXX", where XXXX is a comma-delimited list of boot classes. The boot classes are net (network PXE boot), usb (attached USB devices), pcmcia (PCMCIA expansion cards, not used at present), cd (attached virtual CD/DVD devices), hd (attached virtual hard disks), fd (attached virtual floppy devices), reserved (unknown devices), efishell (the EFI shell), and all or any (every class).
- deny:all disallows all boot classes
- deny:net disallows network boot but allows all others
- allow:hd allows only hd boot and denies all others
- allow:hd,cd allows hd then cd device boot and denies all others
New virtual machines might require CD/DVD boot, and some dynamic environments, such as labs, might use network boot. Set those environments accordingly and document your rationale.
- Potential Functional Impact if Default Value Is Changed
- The virtual machine can no longer boot from unspecified sources, which might negatively impact situations where PXE boot or recovery media is required. However, the parameter is easily changed at scale through PowerCLI. An alternate approach is to specify denied methods, such as "deny:net".
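The assessment-and-remediation loop below is an added example, not code from the vSphere guide. It assumes an existing Connect-VIServer session and applies a single policy value (default "allow:hd") to every VM, but it only overwrites keys that are unset or syntactically invalid; a VM that already carries a valid but different value (for example "deny:net" on a lab VM) is reported so the documented exception survives. The validator implements the allow:/deny: grammar described above; the script parameters and the name of the helper function are this example's own.

```powershell
# Added example, not from the vSphere guide. Assumes a PowerCLI session
# already connected with Connect-VIServer.
param(
    [string]$Policy = "allow:hd",   # strictest sensible value for a disk-booting VM
    [switch]$Remediate              # without it the script only reports
)

# Boot classes accepted by bios.bootDeviceClasses, as listed in the guide.
$KnownClasses = @('net','usb','pcmcia','cd','hd','fd','reserved','efishell','all','any')

function Test-BootDeviceClassValue {
    # $true only for "allow:<list>" or "deny:<list>" where every list element
    # is a known boot class (rejects empty elements such as "allow:hd,").
    param([string]$Value)
    if ($Value -match '^(allow|deny):([a-z,]+)$') {
        foreach ($c in $Matches[2].Split(',')) {
            if ($KnownClasses -notcontains $c) { return $false }
        }
        return $true
    }
    return $false
}

if (-not (Test-BootDeviceClassValue $Policy)) {
    throw "Policy '$Policy' is not a valid bios.bootDeviceClasses value."
}

foreach ($vm in Get-VM) {
    $setting = Get-AdvancedSetting -Entity $vm -Name 'bios.bootDeviceClasses' -ErrorAction SilentlyContinue
    $current = if ($setting) { [string]$setting.Value } else { '' }

    if ($current -eq $Policy) {
        Write-Host "$($vm.Name): [OK] bios.bootDeviceClasses = $current" -ForegroundColor Green
        continue
    }
    if ($current -ne '' -and (Test-BootDeviceClassValue $current)) {
        # Valid but not the policy value: treat as a deliberate exception
        # (lab VM on deny:net, new VM still needing cd). Report, do not overwrite.
        Write-Host "$($vm.Name): [INFO] bios.bootDeviceClasses = $current (policy is $Policy); confirm the exception is documented" -ForegroundColor Cyan
        continue
    }
    $detail = if ($current -eq '') { '<unset>; firmware may fall back to any device, including PXE' }
              else { "'$current' is not a valid value" }
    Write-Host "$($vm.Name): [WARNING] bios.bootDeviceClasses $detail" -ForegroundColor Yellow

    if ($Remediate) {
        # -Force lets New-AdvancedSetting replace an existing key instead of refusing.
        New-AdvancedSetting -Entity $vm -Name 'bios.bootDeviceClasses' -Value $Policy -Force -Confirm:$false | Out-Null
        Write-Host "$($vm.Name): set bios.bootDeviceClasses = $Policy" -ForegroundColor Green
    }
}
```

Run it once without -Remediate to see which VMs are unset, invalid, or carrying exceptions; environments that rely on PXE can pass -Policy "deny:usb,fd" or similar instead of the default.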
RemoteDisplay.maxConnections
Limits the number of console connections to a virtual machine.
Limiting console sharing to a single user prevents other users from silently observing (or interacting with) an active console session. The tradeoff is a possible denial-of-service condition: a second administrator cannot connect while the first session is open.
- Potential Functional Impact if Default Value Is Changed
- Might create a denial-of-service condition where the console is unusable because the one user is connected, or a disconnected console session persists. Other products, such as VMware Cloud Director, might require that you set this option to a greater value.
Limit PCI Device Passthrough Functionality
Virtual machines must limit PCI device passthrough functionality.
DirectPath I/O gives a virtual machine direct access to physical hardware. That prevents availability features such as vMotion, DRS, and vSphere High Availability from moving or restarting the virtual machine, and it gives anyone who compromises the guest privileged access to a physical device and the host resources behind it. Grant passthrough only to virtual machines that genuinely need it, and compensate with guest operating system security controls.
Remove Unnecessary Virtual Machine Virtual Hardware Devices
Virtual machines must remove unnecessary virtual hardware.
To reduce the attack surface, remove virtual hardware the virtual machine does not need. Rarely used ports, temporary CD/DVD drives, and hardware left behind by migrations all add exposure. Removing them reduces the risk of software being introduced into, or data being exfiltrated from, a protected environment.
- Potential Functional Impact if Default Value Is Changed
- Removing the CD-ROM device might impact VMware Tools installation and maintenance. Removing XHCI controllers might impact console keyboard and mouse connectivity for some guest operating systems.
- PowerCLI Command Assessment
$VMview = Get-VM -Name $VM | Get-View
$UnnecessaryHardware = "VirtualUSBController|VirtualUSBXHCIController|VirtualParallelPort|VirtualFloppy|VirtualSerialPort|VirtualHdAudioCard|VirtualAHCIController|VirtualEnsoniq1371|VirtualCdrom"
$VMview.Config.Hardware.Device | Where-Object {$_.GetType().Name -match $UnnecessaryHardware} | Foreach-Object {
    $devname = $_.GetType().Name
    Write-Host "$VM`: [WARNING] VM has a $devname device. Please evaluate and consider removing." -ForegroundColor Yellow
}
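The script below is an added remediation example, not code from the vSphere guide; it serves both this control and the PCI passthrough control above. It uses the vSphere API directly (a VirtualDeviceConfigSpec with Operation = remove per device, applied through ReconfigVM_Task) rather than a per-device cmdlet, so one call handles serial and parallel ports, floppy, sound cards, and the USB controller. Devices the guide says need a human decision (the CD-ROM used for VMware Tools media, the XHCI controller, and any PCI passthrough device) are only reported. It assumes an existing Connect-VIServer session and the $VM variable from this section; the -Remove switch and the two device-class lists are this example's own.

```powershell
# Added example, not from the vSphere guide. Dry run unless -Remove is given.
param([switch]$Remove)

# Device classes removed automatically when -Remove is given.
$RemoveTypes = 'VirtualParallelPort|VirtualSerialPort|VirtualFloppy|VirtualHdAudioCard|VirtualEnsoniq1371|VirtualUSBController'
# Device classes only reported: CD-ROM (Tools installation media), XHCI (console
# keyboard/mouse on some guests) and PCI passthrough (privileged hardware access).
$ReviewTypes = 'VirtualCdrom|VirtualUSBXHCIController|VirtualPCIPassthrough'

$VMview  = Get-VM -Name $VM | Get-View
$changes = @()

foreach ($dev in $VMview.Config.Hardware.Device) {
    $type  = $dev.GetType().Name
    $label = $dev.DeviceInfo.Label
    if ($type -match "^($ReviewTypes)$") {
        $note = if ($type -eq 'VirtualCdrom' -and $dev.Connectable -and $dev.Connectable.Connected) {
                    'currently connected; detach media first' } else { 'review before removing' }
        Write-Host "$VM`: [REVIEW] $type '$label' ($note)" -ForegroundColor Yellow
    }
    elseif ($type -match "^($RemoveTypes)$") {
        Write-Host "$VM`: [REMOVE] $type '$label'" -ForegroundColor Cyan
        $spec = New-Object VMware.Vim.VirtualDeviceConfigSpec
        $spec.Operation = [VMware.Vim.VirtualDeviceConfigSpecOperation]::remove
        $spec.Device    = $dev
        $changes += $spec
    }
}

if ($changes.Count -eq 0) {
    Write-Host "$VM`: no removable devices found"
    return
}
if (-not $Remove) {
    Write-Host "$VM`: dry run; re-run with -Remove to apply $($changes.Count) change(s)"
    return
}
if ($VMview.Runtime.PowerState -ne 'poweredOff') {
    # Controllers and serial/parallel ports cannot be hot-removed; keep it simple
    # and require a powered-off VM for the whole batch.
    Write-Host "$VM`: [SKIP] power off the VM before removing these devices" -ForegroundColor Red
    return
}

$configSpec = New-Object VMware.Vim.VirtualMachineConfigSpec
$configSpec.DeviceChange = $changes
$task = $VMview.ReconfigVM_Task($configSpec)
Write-Host "$VM`: reconfigure task $($task.Value) submitted"
```

The VirtualAHCIController from the guide's assessment list is deliberately not in the automatic-removal set: a SATA controller may be backing the CD-ROM or a disk, and removing it with a device still attached will fail the reconfigure.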
tools.guestlib.enableHostInfo
Prevents virtual machines from obtaining host information about the hypervisor.
Preventing virtual machines from obtaining host information about the hypervisor mitigates risk of advanced attacks, as it denies adversaries crucial details about the physical host.
Set Encryption for Fault Tolerance
Virtual machines must require encryption for Fault Tolerance.
Requiring encryption for Fault Tolerance in virtual machines ensures secure data transmission. While the default 'opportunistic' encryption likely results in encryption due to ubiquitous AES-NI support in vSphere-compatible hardware, enforcing 'required' encryption guarantees no unencrypted operations.
- PowerCLI Command Remediation Example
$VMview = Get-VM -Name $VM | Get-View
$ConfigSpec = New-Object VMware.Vim.VirtualMachineConfigSpec
$ConfigSpec.FtEncryptionMode = "ftEncryptionRequired"
$VMview.ReconfigVM_Task($ConfigSpec)
isolation.tools.copy.disable
Deactivates console copy operations on virtual machines.
Deactivating console copy operations on virtual machines prevents data copying between the virtual machine and the local client, regardless of whether the user is accessing through the Web Console, VMRC, or another method.
- Values
- Installation Default Value: True
- Action Needed
- Audit the installation default value.
- Potential Functional Impact if Default Value Is Changed
- None
- PowerCLI Command Assessment
Get-VM -Name $VM | Get-AdvancedSetting isolation.tools.copy.disable
isolation.tools.paste.disable
Deactivates console paste operations on virtual machines.
By disabling console paste operations on virtual machines, data transfer from the local client to the virtual machine is blocked, whether the user is using the Web Console, VMRC, or another console.
isolation.tools.diskShrink.disable
Deactivates virtual disk shrinking on virtual machines.
Disabling virtual disk shrinking prevents a user or process inside the guest from triggering a shrink operation that can make the disk temporarily unavailable (a denial-of-service condition). In the guest, this operation is normally restricted to administrative users, so the setting is defense in depth.
isolation.tools.diskWiper.disable
Deactivates virtual disk wiping operations on virtual machines.
Disabling virtual disk wiping prevents a user or process inside the guest from triggering a wipe operation that can make the disk temporarily unavailable (a denial-of-service condition). In the guest, this operation is normally restricted to administrative users, so the setting is defense in depth.
isolation.device.connectable.disable
Prevents virtual machines from unauthorized removal, connection, and modification of devices.
Preventing unauthorized device modifications in virtual machines blocks non-administrative users or processes from connecting, disconnecting, or adjusting device settings. This measure curbs unauthorized access and operation disruption, reducing denial of service risks, as well as some avenues for exfiltrating data.
isolation.tools.dnd.disable
Deactivates drag and drop operations on virtual machine consoles.
Deactivating drag and drop operations in the console of a virtual machine stops users from transferring data between the virtual machine and the local client, regardless of the console type, thus enhancing data security.
tools.setInfo.sizeLimit
Limits the informational messages passed from the virtual machine to the VMX file.
Limiting the size of the informational messages the guest can write to the VMX file keeps the file from growing beyond the default limit of 1 MB. This prevents a potential denial-of-service condition in which the datastore fills up.
Activate Logging
Virtual machines must activate diagnostic logging.
Diagnostic logging for virtual machines helps with forensics and troubleshooting.
log.keepOld
Limits the number of retained virtual machine diagnostic logs.
By restricting the quantity of retained diagnostic logs, you avoid filling up the datastore without compromising diagnostic functionality.
log.rotateSize
Limits the size of virtual machine diagnostic logs.
Limiting the size of diagnostic logs on virtual machines prevents excessive space consumption, particularly on long-running virtual machines. The recommended minimum limit is 2 MB.
tools.guestlib.enableHostInfo
Deactivates the ability to send host information to guests.
If a virtual machine is allowed to retrieve detailed information about the physical host, an adversary who controls the guest can use those details to plan further attacks on the host. Because the default is the desired state, audit by verifying that this setting is either unset or, if it is set, set to False.
tools.guest.desktop.autolock
Locks the virtual machine guest session when the remote console is disconnected.
Locking virtual machines when the last console connection closes can prevent potential unauthorized access from attackers exploiting logged-in console sessions.
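The table-driven audit below is an added example, not code from the vSphere guide. It serves the key/value settings discussed in this section in one pass: mks.enable3d, the ethernet*.filter*.name dvFilter hooks, RemoteDisplay.maxConnections, the isolation.tools.* and isolation.device.connectable.disable keys, tools.setInfo.sizeLimit, logging with log.keepOld and log.rotateSize, tools.guestlib.enableHostInfo and tools.guest.desktop.autolock. Expected values are derived from the descriptions above (a *.disable key that deactivates a feature is expected to be TRUE, enableHostInfo FALSE, maxConnections 1, sizeLimit at most 1 MB, rotateSize at least 2 MB); the VMX key name "logging", the value 10 for log.keepOld and the byte figure 2048000 for 2 MB are assumptions to adjust to your own baseline. An absent key counts as compliant only where the guide states the installation default is already the desired state. It assumes an existing Connect-VIServer session.

```powershell
# Added example, not from the vSphere guide. Reports by default; -Remediate
# writes the Expected value for every FAIL with New-AdvancedSetting -Force.
param([switch]$Remediate)

function Test-IsTrue  { param($v) $v -eq 'TRUE'  }   # -eq is case-insensitive
function Test-IsFalse { param($v) $v -eq 'FALSE' }

# Name: VMX key. Expected: value written on remediation. Check: $true when the
# current string value is acceptable. UnsetIsCompliant: absent key is fine
# (only where this page says the default is already the desired state).
$Baseline = @(
    @{ Name='isolation.tools.copy.disable';         Expected='TRUE';    Check={ param($v) Test-IsTrue  $v }; UnsetIsCompliant=$true  }
    @{ Name='isolation.tools.paste.disable';        Expected='TRUE';    Check={ param($v) Test-IsTrue  $v }; UnsetIsCompliant=$false }
    @{ Name='isolation.tools.dnd.disable';          Expected='TRUE';    Check={ param($v) Test-IsTrue  $v }; UnsetIsCompliant=$false }
    @{ Name='isolation.tools.diskShrink.disable';   Expected='TRUE';    Check={ param($v) Test-IsTrue  $v }; UnsetIsCompliant=$false }
    @{ Name='isolation.tools.diskWiper.disable';    Expected='TRUE';    Check={ param($v) Test-IsTrue  $v }; UnsetIsCompliant=$false }
    @{ Name='isolation.device.connectable.disable'; Expected='TRUE';    Check={ param($v) Test-IsTrue  $v }; UnsetIsCompliant=$false }
    @{ Name='tools.guestlib.enableHostInfo';        Expected='FALSE';   Check={ param($v) Test-IsFalse $v }; UnsetIsCompliant=$true  }
    @{ Name='tools.guest.desktop.autolock';         Expected='TRUE';    Check={ param($v) Test-IsTrue  $v }; UnsetIsCompliant=$false }
    @{ Name='mks.enable3d';                         Expected='FALSE';   Check={ param($v) Test-IsFalse $v }; UnsetIsCompliant=$false }
    @{ Name='logging';                              Expected='TRUE';    Check={ param($v) Test-IsTrue  $v }; UnsetIsCompliant=$false }  # key name assumed
    @{ Name='RemoteDisplay.maxConnections';         Expected='1';       Check={ param($v) $v -eq '1' };       UnsetIsCompliant=$false }
    @{ Name='tools.setInfo.sizeLimit';              Expected='1048576'; Check={ param($v) ($v -as [long]) -ne $null -and [long]$v -le 1048576 }; UnsetIsCompliant=$false }
    @{ Name='log.rotateSize';                       Expected='2048000'; Check={ param($v) ($v -as [long]) -ne $null -and [long]$v -ge 2048000 }; UnsetIsCompliant=$false }  # 2 MB, byte value assumed
    @{ Name='log.keepOld';                          Expected='10';      Check={ param($v) ($v -as [int])  -ne $null -and [int]$v  -ge 1 };       UnsetIsCompliant=$false }  # 10 is an assumed value
)

function Test-VMSetting {
    # Returns one record per VM/setting pair with Status OK or FAIL.
    param($Vm, $Entry)
    $setting = Get-AdvancedSetting -Entity $Vm -Name $Entry.Name -ErrorAction SilentlyContinue
    if (-not $setting) {
        $status = if ($Entry.UnsetIsCompliant) { 'OK' } else { 'FAIL' }
        return [pscustomobject]@{ VM=$Vm.Name; Setting=$Entry.Name; Current='<unset>'; Status=$status }
    }
    $current = [string]$setting.Value
    $status  = if (& $Entry.Check $current) { 'OK' } else { 'FAIL' }
    [pscustomobject]@{ VM=$Vm.Name; Setting=$Entry.Name; Current=$current; Status=$status }
}

$report = foreach ($vm in Get-VM) {
    foreach ($entry in $Baseline) {
        $r = Test-VMSetting -Vm $vm -Entry $entry
        if ($r.Status -eq 'FAIL' -and $Remediate) {
            New-AdvancedSetting -Entity $vm -Name $entry.Name -Value $entry.Expected -Force -Confirm:$false | Out-Null
            $r.Current = "$($r.Current) -> $($entry.Expected)"
            $r.Status  = 'FIXED'
        }
        $r
    }
    # dvFilter hooks are surfaced, never changed: NSX uses them legitimately,
    # so each one needs a human to confirm the filtering tool is authorized.
    foreach ($f in @(Get-AdvancedSetting -Entity $vm -Name 'ethernet*.filter*.name' -ErrorAction SilentlyContinue)) {
        if ($f) { [pscustomobject]@{ VM=$vm.Name; Setting=$f.Name; Current=[string]$f.Value; Status='REVIEW' } }
    }
}

# Only the exceptions are shown; drop the Where-Object to see every row.
$report | Where-Object { $_.Status -ne 'OK' } | Sort-Object VM, Setting | Format-Table -AutoSize
```

The Check scriptblocks are what make this more than a string comparison: tools.setInfo.sizeLimit passes for any value at or below 1 MB and log.rotateSize for any value at or above 2 MB, so a stricter local setting is not flagged, while a non-numeric value fails cleanly instead of throwing.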
Activate Encryption for vMotion
Virtual machines must require encryption for vMotion.
Requiring encryption for vMotion in virtual machines guarantees secure data transfer. The default 'opportunistic' encryption likely results in encryption due to widespread AES-NI support in vSphere-compatible hardware. However, enforcing 'required' encryption prevents any unencrypted operations.
- PowerCLI Command Remediation Example
$VMview = Get-VM -Name $VM | Get-View
$ConfigSpec = New-Object VMware.Vim.VirtualMachineConfigSpec
$ConfigSpec.MigrateEncryption = "required"
$VMview.ReconfigVM_Task($ConfigSpec)
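The loop below is an added example, not code from the vSphere guide, and covers both the Fault Tolerance and the vMotion encryption controls in this section. It reads each VM's current Config.MigrateEncryption and Config.FtEncryptionMode (the same properties the remediation snippets above set), reports anything that is not "required", and with -Remediate raises both in a single ReconfigVM_Task call so a VM that needs both changes is reconfigured once. It assumes an existing Connect-VIServer session; the -Remediate switch is this example's own.

```powershell
# Added example, not from the vSphere guide. Reports by default.
param([switch]$Remediate)

$WantMigrate = 'required'               # VirtualMachineConfigSpecEncryptedVMotionModes
$WantFt      = 'ftEncryptionRequired'   # VirtualMachineConfigSpecEncryptedFtModes

foreach ($vm in Get-VM) {
    # Fetch only the properties needed; methods still work on a partial view.
    $view    = $vm | Get-View -Property 'Name','Config.MigrateEncryption','Config.FtEncryptionMode'
    $migrate = $view.Config.MigrateEncryption
    $ft      = $view.Config.FtEncryptionMode

    $spec  = New-Object VMware.Vim.VirtualMachineConfigSpec
    $needs = @()
    if ($migrate -ne $WantMigrate) {
        $spec.MigrateEncryption = $WantMigrate
        $needs += "vMotion=$migrate"
    }
    if ($null -eq $ft) {
        # vCenter does not expose FT encryption for this VM (older release);
        # nothing to set, but say so rather than silently passing.
        $needs += 'FT=<not exposed>'
    }
    elseif ($ft -ne $WantFt) {
        $spec.FtEncryptionMode = $WantFt
        $needs += "FT=$ft"
    }

    if ($needs.Count -eq 0) {
        Write-Host "$($vm.Name): [OK] vMotion and FT encryption required" -ForegroundColor Green
        continue
    }
    Write-Host "$($vm.Name): [WARNING] $($needs -join ', ')" -ForegroundColor Yellow

    # Only reconfigure when a property was actually set on the spec.
    if ($Remediate -and ($spec.MigrateEncryption -or $spec.FtEncryptionMode)) {
        $task = $view.ReconfigVM_Task($spec)
        Write-Host "$($vm.Name): reconfigure task $($task.Value) submitted"
    }
}
```

Because "required" refuses to migrate when the hosts cannot negotiate encryption, run the report first and confirm every host in the cluster supports encrypted vMotion before remediating; otherwise the change trades an opportunistic-cleartext risk for a failed-migration outage.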