These security controls provide a baseline set of guest operating system best practices. They are structured in a way that explains the benefits and tradeoffs of implementing each control. To make changes to these controls, use either the PowerCLI commands provided or the vSphere Client.
Variable Used
The PowerCLI commands in this section use the following variable:
- $VM = "virtual_machine_name"
VMware Tools Path
The default installation path for VMware Tools is C:\Program Files\VMware\VMware Tools.
Configure Guest Operating System Secure Boot
The guest operating system must enable Secure Boot.
Secure Boot, supported by all modern guest operating systems, uses public key cryptography to validate the firmware, boot loader, drivers, and OS kernel. By refusing to boot when the validity of the boot chain cannot be established, Secure Boot effectively restricts malware that targets the boot process.
- Potential Functional Impact if Default Value Is Changed
- Enabling Secure Boot after installing a guest operating system might involve more steps. Refer to your guest operating system documentation for instructions.
- PowerCLI Command Assessment
-
(Get-VM -Name $VM).ExtensionData.Config.BootOptions.EfiSecureBootEnabled
- PowerCLI Command Remediation Example
-
# The virtual machine must be powered off for the boot options change to be accepted.
$VMobj = Get-VM -Name $VM
$ConfigSpec = New-Object VMware.Vim.VirtualMachineConfigSpec
$bootOptions = New-Object VMware.Vim.VirtualMachineBootOptions
$bootOptions.EfiSecureBootEnabled = $true
$ConfigSpec.BootOptions = $bootOptions
$task = $VMobj.ExtensionData.ReconfigVM_Task($ConfigSpec)
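The single-VM commands above do not show the two preconditions that make the remediation succeed: the virtual machine must use EFI firmware and must be powered off. The following added example (not from the original guide) audits every VM in an existing Connect-VIServer session against those preconditions and remediates only the eligible ones; the $Remediate switch is a constructed convenience.

```powershell
# Added example: fleet-wide Secure Boot audit with guarded remediation.
# Assumes an active Connect-VIServer session. Set $Remediate to $true to apply the change.
$Remediate = $false

$report = foreach ($vm in Get-VM) {
    $cfg    = $vm.ExtensionData.Config
    $secure = [bool]$cfg.BootOptions.EfiSecureBootEnabled   # $null when never set, so treat as off

    # Secure Boot is an EFI feature; a BIOS-firmware VM cannot be remediated with this spec.
    $status = if ($cfg.Firmware -ne 'efi') {
                  'Non-compliant: BIOS firmware, convert to EFI first'
              } elseif ($secure) {
                  'Compliant'
              } elseif ($vm.PowerState -ne 'PoweredOff') {
                  'Non-compliant: power off before remediating'
              } else {
                  'Non-compliant: eligible for remediation'
              }

    if ($Remediate -and $status -eq 'Non-compliant: eligible for remediation') {
        # Same reconfiguration the guide's remediation example performs.
        $spec = New-Object VMware.Vim.VirtualMachineConfigSpec
        $spec.BootOptions = New-Object VMware.Vim.VirtualMachineBootOptions
        $spec.BootOptions.EfiSecureBootEnabled = $true
        $vm.ExtensionData.ReconfigVM($spec)       # synchronous variant of ReconfigVM_Task
        $status = 'Remediated'
    }

    [pscustomobject]@{
        Name       = $vm.Name
        Firmware   = $cfg.Firmware
        SecureBoot = $secure
        Status     = $status
    }
}

$report | Sort-Object Status, Name | Format-Table -AutoSize
```

Run it first with $Remediate left at $false to get a read-only inventory; BIOS-firmware VMs need a firmware change, which is outside what this control covers.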
Limit the Use of MSI Transforms
The guest operating system must limit the use of MSI transforms when reconfiguring VMware Tools.
MSI transforms allow the installation database on Microsoft Windows guest operating systems to be changed. This can be helpful but also presents an opportunity to alter the security profile of the guest operating system from vSphere.
- Potential Functional Impact if Default Value Is Changed
- Administrators must use other methods to update and reconfigure VMware Tools when needed.
Deactivate Appinfo
The guest operating system must deactivate Appinfo information gathering unless required.
Appinfo is a method of performing application discovery through VMware Tools. If you are not using this capability, deactivate the module to reduce the attack surface.
- Values
- Installation Default Value: False
- Action Needed
- Modify the installation default.
- Potential Functional Impact if Default Value Is Changed
- Products and services within the VMware ecosystem might require this functionality.
- PowerCLI Command Assessment
-
VMwareToolboxCmd.exe config get appinfo disabled
Deactivate ContainerInfo
The guest operating system must deactivate ContainerInfo unless required.
The VMware Tools ContainerInfo plug-in for Linux gathers the list of running containers inside a Linux guest operating system.
Deactivate Guest Operations
Deactivate Guest Operations unless required.
Guest Operations are a set of functions that underpin most host-to-guest interaction. Deactivating them reduces attack surface but also drastically reduces functionality. Ensure that your environment does not require these functions. Do not deactivate guest operations on template virtual machines.
For a list of functions see the following documentation:
Prevent Guest Operating System Recustomization
You must prevent the guest operating system on deployed and customized virtual machines from being recustomized.
The virtual machine deployment process offers many options for vSphere administrators to customize virtual machines by using scripts and running commands. These customization approaches can also be an avenue for an adversary to gain access to data inside a virtual machine, through cloning and recustomization. After deploying a virtual machine, prevent it from being customized again. You can always revert this change.
- Values
- Installation Default Value: True
- Action Needed
- Modify the installation default.
- Potential Functional Impact if Default Value Is Changed
- Once set, virtual machines can no longer be customized when they are cloned. Do not make this change on template virtual machines.
- PowerCLI Command Assessment
-
VMwareToolboxCmd.exe config get deployPkg enable-customization
- PowerCLI Command Remediation Example
-
VMwareToolboxCmd.exe config set deployPkg enable-customization false
Deactivate GuestStore Upgrade Operations
The guest operating system must deactivate GuestStore Upgrade operations unless required.
The GuestStore feature provides a simple and flexible mechanism to distribute VMware-specific or custom content from a GuestStore repository to multiple guests simultaneously. If you are not using this feature, deactivate the plug-in to reduce the attack surface.
Deactivate Service Discovery
The guest operating system must deactivate Service Discovery unless required.
The VMware Tools Service Discovery plug-in connects to Aria Operations and provides additional data to that product about guest operating systems and workloads. If you are not using this feature, deactivate the plug-in to reduce the attack surface.
Activate VMware Tools Logging
The guest operating system must enable VMware Tools logging.
Ensure that VMware Tools logs information as appropriate. See https://github.com/vmware/open-vm-tools/blob/master/open-vm-tools/tools.conf for examples.
Send VMware Tools Logs to System Log Service
The guest operating system must send VMware Tools logs to the system log service.
By default, VMware Tools sends logs to a file on disk. Configure logs to be sent to syslog on Linux guests, and to the Windows Event Service on Microsoft Windows guests, for management and central archiving.
- Potential Functional Impact if Default Value Is Changed
- Update the processes that rely on these files being in the default location.
- PowerCLI Command Assessment
-
VMwareToolboxCmd.exe config get logging vmsvc.handler
VMwareToolboxCmd.exe config get logging toolboxcmd.handler
VMwareToolboxCmd.exe config get logging vgauthsvc.handler
VMwareToolboxCmd.exe config get logging vmtoolsd.handler
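The two logging controls above (logging activated, and the four handlers pointed at the system log service) are easiest to check together from inside the guest. This added example, not part of the original guide, does that for a Windows guest with VMwareToolboxCmd.exe at the default path; it assumes the `log = true` key and the `syslog` handler value from the upstream tools.conf sample, and that `syslog` on Windows routes to the Event Log.

```powershell
# Added example: audit (and optionally set) VMware Tools logging inside a Windows guest.
# Assumes the default VMware Tools install path. $Remediate is a constructed switch.
$ToolboxCmd = 'C:\Program Files\VMware\VMware Tools\VMwareToolboxCmd.exe'
$Handlers   = 'vmsvc.handler', 'toolboxcmd.handler', 'vgauthsvc.handler', 'vmtoolsd.handler'
$Remediate  = $false

function Get-ToolsLoggingSetting([string]$Key) {
    # The tool prints "[section] key = value" (or UNSET); keep only the value part.
    $out = (& $ToolboxCmd config get logging $Key 2>$null) -join ' '
    if ($LASTEXITCODE -ne 0 -or -not $out) { return $null }
    return ($out -split '=', 2)[-1].Trim()
}

$findings = @()

# Handler settings are irrelevant unless logging itself is on.
if ((Get-ToolsLoggingSetting 'log') -ne 'true') {
    $findings += 'logging log is not true'
    if ($Remediate) { & $ToolboxCmd config set logging log true }
}

foreach ($h in $Handlers) {
    $current = Get-ToolsLoggingSetting $h
    if ($current -ne 'syslog') {
        $findings += "logging $h is '$current' (expected syslog)"
        if ($Remediate) { & $ToolboxCmd config set logging $h syslog }
    }
}

if ($findings) { $findings | ForEach-Object { "NON-COMPLIANT: $_" } } else { 'Compliant' }
```

On a Linux guest the same keys are queried with vmware-toolbox-cmd and the handler delivers to the local syslog daemon instead.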
Ensure That VMware Tools Version Is Up-To-Date
The guest operating system must ensure that VMware Tools are up-to-date.
VMware Tools are an important part of the VMware ecosystem. Using VMware Tools, you can perform guest operating system administration, such as:
- Graceful shutdown
- Lifecycle management
- Getting drivers for paravirtualized devices
- Customizing and deploying virtual machine templates
As with all software, you must manage and update VMware Tools as needed. Ensure that you are running a supported version for your guest operating system, whether it is delivered as part of the Linux distribution or installed by you for Microsoft Windows.
- Values
- Installation Default Value: N/A
- Action Needed
- Audit the installation default value.
- Potential Functional Impact if Default Value Is Changed
- None
- PowerCLI Command Assessment
-
Get-VM -Name $VM | Select-Object -Property Name,@{Name='ToolsVersion';Expression={$_.Guest.ToolsVersion}}
- PowerCLI Command Remediation Example
- Site-Specific. Multiple ways exist to update VMware Tools. Drivers for VMXNET3 and PVSCSI are also available through Windows Update, so ensure that you import them into tools such as WSUS.
- Setting Location in the vSphere Client
Deactivate GlobalConf
The guest operating system must deactivate GlobalConf unless required.
The GlobalConf feature of VMware Tools provides the capability to push tools.conf file configurations to virtual machines.
Limit Automatic Renewal of VMware Tools Features
The guest operating system must limit the automatic removal of VMware Tools features.
VMware Tools automatic upgrade processes can add or remove features from the VMware Tools installation, which can be helpful but also presents an opportunity to alter the security profile of the guest operating system from vSphere.
- Potential Functional Impact if Default Value Is Changed
- Administrators need to use other methods to update and reconfigure VMware Tools when needed.
Configure VMware Tools for Automatic Upgrades
The guest operating system must configure automatic VMware Tools upgrades as appropriate for the environment.
VMware Tools updates can be initiated by vSphere, which can be helpful for maintaining current VMware Tools versions. If you manage and update VMware Tools in other ways, deactivate this functionality. In general, leave automatic updates activated.
Verify the Virtual Machine Hardware Version
The guest operating system must ensure that virtual machine hardware is version 19 or newer where supported.
Virtual machine hardware 19 is compatible with ESXi 7.0 Update 2 and later. Newer versions of virtual machine hardware enable new features and better performance. Consider upgrading to virtual machine hardware 20 if you are fully updated to vSphere 8.0 or later. As always, use caution when upgrading, and fully test the upgrade process before rolling out system-wide.
Consider all the locations where a virtual machine might run, or where you might need to restore the virtual machine. For example, users of the VMware Cloud Disaster Recovery service need to consider the vSphere levels of potential recovery SDDCs. While VMware Cloud runs atop vSphere, it might not have the same supported virtual hardware versions available.
Changes to the configuration of VMware-supplied virtual appliances are not supported and might cause service disruptions.
- Values
- Installation Default Value: Site-specific
- Action Needed
- Modify the installation default value.
- Potential Functional Impact if Default Value Is Changed
- Changing virtual machine hardware versions changes device versions inside the guest, which might have repercussions. Always test upgrading virtual hardware versions, and remember that snapshots capture the virtual machine version, too, so that you can revert versions if necessary.
- PowerCLI Command Assessment
-
(Get-VM -Name $VM | Get-View) | Select-Object -Property Name,@{Name='HW Version';Expression={$_.Config.Version}}
- PowerCLI Command Remediation Example
-
Set-VM -VM $VM -HardwareVersion vmx-19
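The Tools-version and hardware-version controls above are both inventory checks that are more useful across the whole estate than one VM at a time. This added example (not the guide's own code) reports every VM against the guide's vmx-19 baseline and the vSphere API's own Tools status verdict; it assumes an active Connect-VIServer session, and $MinHwVersion is a constructed site value.

```powershell
# Added example: fleet report of VMware Tools status and virtual hardware version.
# Assumes an active Connect-VIServer session; adjust $MinHwVersion to your site baseline.
$MinHwVersion = 19

function Get-HwVersionNumber([string]$VmxVersion) {
    # Config.Version looks like 'vmx-19'; extract the number so versions compare correctly.
    if ($VmxVersion -match '^vmx-(\d+)$') { [int]$Matches[1] } else { $null }
}

$report = foreach ($vm in Get-VM) {
    $view  = $vm.ExtensionData
    $hwNum = Get-HwVersionNumber $view.Config.Version
    # ToolsVersionStatus2 is the API's assessment, e.g. guestToolsCurrent, guestToolsNeedUpgrade,
    # guestToolsUnmanaged (distribution-supplied open-vm-tools), guestToolsNotInstalled.
    $tools = $view.Guest.ToolsVersionStatus2

    $issues = @()
    if ($null -eq $hwNum -or $hwNum -lt $MinHwVersion) {
        $issues += "hardware $($view.Config.Version) is below vmx-$MinHwVersion"
    }
    if ($tools -in 'guestToolsNeedUpgrade', 'guestToolsTooOld', 'guestToolsNotInstalled') {
        $issues += "tools status $tools"
    }

    [pscustomobject]@{
        Name         = $vm.Name
        PowerState   = $vm.PowerState
        HwVersion    = $view.Config.Version
        ToolsVersion = $vm.Guest.ToolsVersion
        ToolsStatus  = $tools
        Compliant    = ($issues.Count -eq 0)
        Issues       = ($issues -join '; ')
    }
}

$report | Sort-Object Compliant, Name | Format-Table -AutoSize
```

Feed the non-compliant rows into the guide's Set-VM remediation only after a snapshot and a power-off, since a hardware upgrade changes device versions inside the guest.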