Hardening Virtual Machine Security

Securing virtual machines in a virtualized environment is equally important as securing physical servers. In this post we will learn a few techniques for hardening a virtual machine security. Although its not possible to cover everything in a single post. 

1: Remove Unnecessary Hardware Devices

If you have work inside a datacenter, you might have noticed none of the physical servers are equipped with CD RM/Floppy drive. This is done intentionally so that no one can use these removeable devices to perfor actions for which they are not authorized to.

Virtual machines are no different than physical servers and its equally important to make sure external devices are attached to a VM when its actually needed and as soon as work is completed, make sure to dismount/remove any Floppy drives or CD-ROM drives.

Force a VM to boot into Bios and disable any Serial ports, Parallel ports or Floppy disk controller.  When VM boot into BIOS go to Advanced > I/O Device Configuration and disable these devices.

boot-1.PNG

Edit settings of VM and remove the unnecessary removeable devices

removeable-devices.PNG

2: Disable Copy/Paste operation in Guest os and Remote console

By default copy/paste from remote console is disabled. If someone had enabled that in past, then you can disable it by editing VM settings and adding below configuration parameters:

  • isolation.tools.copy.disable: true
  • isolation.tools.paste.disable : true
  • isolation.tools.setGUIOptions.enable : false

vmoption-1.PNG

vmoption-2

3: Lock Guest OS and Minimize Use of Virtual Machine Console

A VM can be configured to lock the guest os when last remote user disconnects so that no other user can use remote console of VM without authentication.

To configure this, edit VM settings and go to VM Options and expand VMware Remote Console Options and check mark the box “Lock the guest operating system when the last remote user disconnects”  

Also from same console we can Limit the number of simultaneous connections to a virtual machine. Default is 40.

vmoption-3

4: Prevent a Virtual Machine User or Process from Disconnecting Devices

Users and processes without root or administrator privileges within virtual machines have the capability to connect or disconnect devices, such as network adaptors and CD ROM drives, and the ability to modify device settings. 

If you do not want to permanently remove a device, you can prevent a virtual machine user or process from connecting or disconnecting the device from within the guest operating system.

Right-click the virtual machine and click Edit Settings. Select VM Options and expand Advanced options and click Edit Configuration and add below strings and set their value to true

  • isolation.device.connectable.disable : true
  • isolation.device.edit.disable : true

5: Limit Informational Messages from Virtual Machines to VMX Files

Limit informational messages from the virtual machine to the VMX file to avoid filling the datastore and causing a Denial of Service (DoS). The configuration file containing the informational name-value pairs is limited to 1MB by default.

To change this value edit Settings of a VM and select VM options and expand Advanced options and click Edit Configuration and add parameter tools.setInfo.sizeLimit and set a fixed value

vmoption-4.PNG

6: Patch guest OS

Virtual machines should be patched from the OS level down to the VM layer the same as physical machines.

There are a lot of options around which you can play. To learn more about security hardening of a VM, please read vSphere 6.0 Security Guide and consult section Securing Virtual Machines

Additional Reading

Automating VM security Hardening

Best practices for securing virtual machines