By design, virtual machines (VMs) are isolated from one another. Hardening a VM starts with the security guidelines for its guest operating system and continues with the VM's own configuration, which is what the settings below address.

Each VM has a .vmx file, the main configuration file of the virtual machine. It governs the behaviour of the virtual hardware and holds many per-VM settings, including the security-related ones discussed below. There are two ways to view and change these parameters and their values.

The first way is from the command line. The .vmx is a plain-text (ASCII) file, so in an SSH session to the ESXi host (PuTTY, for example) change to the directory containing the VM's files:

# cd /vmfs/volumes/[storage]/[vm_name]/

[storage] = the datastore the VM currently resides on

[vm_name] = the name of the VM

Next, run ls to list the files in the VM's directory; the .vmx file is normally named after the VM.

You can now modify the VM's .vmx file with a command-line editor such as vi. Power the VM off first: a running VM holds its configuration in memory and rewrites the .vmx file when it powers off, so edits made to the file while the VM is running are lost. Changes made this way take effect at the next power-on.

The second way is the vSphere Client. Log in to the vCenter Server or directly to the ESXi host, select the VM in question, right-click it and choose Edit Settings > Options > General > Configuration Parameters (see the figure below). The VM must be powered off for the Configuration Parameters button to be available, and the new values take effect at the next power-on.

[Figure vmhd1: the Configuration Parameters dialog in the vSphere Client]

Limiting the Number of Consoles for the VM

By default, more than one user can be connected to a VM's remote console at the same time. If an administrator is working in the console, another user with console permissions on that VM could connect during the session and observe, or interfere with, the administrator's actions. To reduce the console to a single entry point, add the following line to the VM's configuration file:

RemoteDisplay.maxConnections = "1"

This limits the number of simultaneous console connections to one.

Prevent Virtual Disk Shrinking

Shrinking a virtual disk reclaims unused space in it. Users and processes in the guest without administrator or root privileges can invoke this operation through VMware Tools, and if it is done repeatedly the virtual disk can become unavailable, causing a denial of service. To prevent shrinking of a VM's virtual disks, add both of the following values to its .vmx file (the wiper zeroes free space in preparation for the shrink, so both halves of the operation must be disabled):

isolation.tools.diskWiper.disable = "TRUE"

isolation.tools.diskShrink.disable = "TRUE"

With both values set to TRUE in the VM's configuration file, nobody in the guest, including a guest administrator, can shrink the disk through VMware Tools.

Restrict Copy and Paste to a Remote Console from the Clipboard

After VMware Tools is installed in a VM, you can copy and paste between the guest operating system and the computer where the remote console is running. VMware recommends keeping copy and paste disabled, because anything on the clipboard crosses the VM boundary through the console session. Enter the following values in the VM's configuration file to restrict copy and paste:

isolation.tools.copy.disable = "TRUE"

isolation.tools.paste.disable = "TRUE"

Copy and paste has been disabled by default since vSphere 4.1; setting the values explicitly ensures it stays disabled if the default is ever overridden for the VM.

Control Virtual Hardware Usage

Users and processes without root or administrator privileges inside a VM can connect or disconnect devices, such as CD-ROM drives or a USB controller, and modify device settings. The simplest way to disable a piece of virtual hardware is to remove the device from the VM. If you want to keep the device but stop users or processes in the guest from connecting it or changing its settings, add these lines to the VM's .vmx file:

isolation.device.connectable.disable = "TRUE"

isolation.device.edit.disable = "TRUE"
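The script below is an added example, not code from the original post or from VMware. It ties together the two parts of this page: locating a VM's .vmx under /vmfs/volumes, refusing to edit it unless the VM is powered off, backing it up, and then enforcing every setting listed in the sections above, or simply auditing a .vmx file and reporting which settings are missing or weak. It is written for the ESXi shell (busybox ash) and uses only POSIX sh, awk, tr, cp and mv. Assumptions of the example: the .vmx file is named after the VM, the vim-cmd output format parsed by harden_vm, the helper names, and the sample .vmx contents, which are constructed for the demo.

```shell
#!/bin/sh
# vmx_harden.sh: audit and apply the per-VM .vmx hardening settings covered on this page.
# Example code for the ESXi shell (busybox ash); POSIX sh + awk only, not VMware's code.
# Assumptions: the .vmx is named after the VM; vim-cmd is present (used only by harden_vm).

# key|expected value, one per line: the settings from the sections above.
HARDENING_SETTINGS='RemoteDisplay.maxConnections|1
isolation.tools.diskWiper.disable|TRUE
isolation.tools.diskShrink.disable|TRUE
isolation.tools.copy.disable|TRUE
isolation.tools.paste.disable|TRUE
isolation.device.connectable.disable|TRUE
isolation.device.edit.disable|TRUE'

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# vmx_get FILE KEY: print the value of KEY with quotes stripped, empty if unset.
# Keys are matched case-insensitively; comment lines (#) are ignored.
vmx_get() {
  awk -v key="$(lower "$2")" '
    { l = $0; sub(/^[ \t]+/, "", l) }
    substr(l, 1, 1) == "#" || index(l, "=") == 0 { next }
    {
      k = substr(l, 1, index(l, "=") - 1); sub(/[ \t]+$/, "", k)
      if (tolower(k) != key) next
      v = substr(l, index(l, "=") + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", v); gsub(/^"|"$/, "", v)
      print v; exit
    }' "$1"
}

# vmx_set FILE KEY VALUE: rewrite an existing line for KEY (dropping duplicates)
# or append one. Writes through a temp file so the .vmx is never left half-written.
vmx_set() {
  tmp="$1.tmp.$$"
  awk -v key="$(lower "$2")" -v line="$2 = \"$3\"" '
    { l = $0; sub(/^[ \t]+/, "", l) }
    substr(l, 1, 1) != "#" && index(l, "=") > 0 {
      k = substr(l, 1, index(l, "=") - 1); sub(/[ \t]+$/, "", k)
      if (tolower(k) == key) { if (!done) { print line; done = 1 }; next }
    }
    { print }
    END { if (!done) print line }' "$1" > "$tmp" && mv "$tmp" "$1"
}

# vmx_audit FILE: one line per setting: "OK key", "MISSING key" or
# "WEAK key=current (want expected)". Values compare case-insensitively (TRUE/true).
vmx_audit() {
  printf '%s\n' "$HARDENING_SETTINGS" | while IFS='|' read -r key want; do
    cur=$(vmx_get "$1" "$key")
    if [ -z "$cur" ]; then echo "MISSING $key"
    elif [ "$(lower "$cur")" = "$(lower "$want")" ]; then echo "OK $key"
    else echo "WEAK $key=$cur (want $want)"
    fi
  done
}

# vmx_findings FILE: number of settings that are missing or weak.
vmx_findings() { vmx_audit "$1" | awk '!/^OK /{n++} END{print n+0}'; }

# vmx_harden FILE: back the file up, then enforce every setting.
vmx_harden() {
  cp "$1" "$1.bak.$(date +%Y%m%d%H%M%S)" || return 1
  printf '%s\n' "$HARDENING_SETTINGS" | while IFS='|' read -r key want; do
    vmx_set "$1" "$key" "$want"
  done
}

# make_sample_vmx FILE: constructed .vmx fragment (sample data, not a real VM) with
# one weak setting, one already-correct setting, and the remaining five absent.
make_sample_vmx() {
  cat > "$1" <<'EOF'
.encoding = "UTF-8"
config.version = "8"
displayName = "web01"
RemoteDisplay.maxConnections = "5"
isolation.tools.copy.disable = "true"
EOF
}

# harden_vm VM_NAME: operational wrapper for the ESXi shell. It refuses to touch the
# .vmx of a running VM, because a running VM rewrites its .vmx on power-off and edits
# made meanwhile are lost. The vim-cmd parsing is an assumption of this example.
harden_vm() {
  f=$(find /vmfs/volumes -maxdepth 3 -name "$1.vmx" | head -n 1)
  [ -n "$f" ] || { echo "no .vmx found for $1" >&2; return 1; }
  vmid=$(vim-cmd vmsvc/getallvms | awk -v n="$1" '$2 == n { print $1 }')
  vim-cmd vmsvc/power.getstate "$vmid" | grep -q 'Powered off' ||
    { echo "$1 is not powered off; refusing to edit $f" >&2; return 1; }
  vmx_harden "$f" && vmx_audit "$f"
}

case "${1:-}" in
  demo)   d=$(mktemp -d); make_sample_vmx "$d/web01.vmx"
          echo "before:"; vmx_audit "$d/web01.vmx"
          vmx_harden "$d/web01.vmx"
          echo "after:";  vmx_audit "$d/web01.vmx"; rm -rf "$d" ;;
  harden) harden_vm "${2:?usage: $0 harden VM_NAME}" ;;
esac
```

Run `sh vmx_harden.sh demo` to see the audit before and after hardening on the constructed sample, or `sh vmx_harden.sh harden web01` on an ESXi host to harden a real, powered-off VM. Because vmx_set matches keys case-insensitively and rewrites the file through a temp file, re-running it is safe and never leaves duplicate keys behind; the audit alone (vmx_audit or vmx_findings) can be run against a powered-on VM's file, since it only reads.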

Restrict the VMCI Interface

The Virtual Machine Communication Interface (VMCI) allows communication from VM to VM on the same host. Its main objective was to provide a socket-based framework for a new generation of applications that exist only on VMs. If VMCI is compromised, one VM could be used to attack another, so the interface should be left restricted, which is the default. In the .vmx file the corresponding parameter is vmci0.unrestricted, which should remain FALSE.

To check the status of VMCI, select the VM (not the host), right-click it, and choose Edit Settings. The Virtual Machine Properties window opens, as shown in Figure 8-14 and the figure below. The Hardware tab lists all hardware devices, including the VMCI device, whose state is either Restricted (the default) or Unrestricted. The figure below shows a VM where VMCI has been set to Unrestricted, that is, enabled between VMs; clear that option to restrict it again.

[Figure vmhd2: the VMCI device in the Hardware tab, shown with VMCI between VMs enabled]

Posted in: Vmware.
Last Modified: December 31, 2014