VMware Cloud Community
JDLangdon
Expert

Securing VMs with Advanced Options

What type of advanced configurations are you implementing to secure your VMs from "backdoor" attacks?

I've read several on-line papers and blogs which all basically list the same dozen or so as Texiwill. While this is a great list, is this all of the .vmx hacks that are available?

________________________________

Jason D. Langdon

5 Replies
gary1012
Expert

The DISA STIG has some duplicates and other new suggestions.

Texiwill
Leadership

Hello,

Another one to add would be to disable VIX from working....

My current list is:

tools.setinfo.sizeLimit => 1048576

isolation.tools.setInfo.disable => true

isolation.tools.connectable.disable => true

isolation.tools.diskshrink.disable => true

isolation.tools.diskwiper.disable => true

isolation.tools.copy.enable => false

isolation.tools.paste.enable => false

isolation.tools.setguioptions.enable => false

isolation.tools.setinfo.disable => true

isolation.tools.hgfs.disable => true

isolation.tools.getVersion.disable => true

isolation.tools.getMem.disable => true

isolation.tools.getMhz.disable => true

monitor_control.restrict_backdoor => true

isolation.tools.getVersion.disable => true

DISA also lists...but is not required and there are no real definitions for them within the guide (which is odd)... Check out http://www.sanbarrow.com for details on what they do.

isolation.device.edit.disable = "TRUE"

isolation.tools.commandDone.disable = "TRUE"

isolation.tools.getCreds.disable = "TRUE"

isolation.tools.guestCopyPasteVersionSet.disable = "TRUE"

isolation.tools.guestDnDVersionSet.disable = "TRUE"

isolation.tools.guestlibGuestInfo.disable = "TRUE"

isolation.tools.haltReboot.disable = "TRUE"

isolation.tools.haltRebootStatus.disable = "TRUE"

isolation.tools.hgfsServerSet.disable = "TRUE"

isolation.tools.imgCust.disable = "TRUE"

isolation.tools.memSchedFakeSampleStats.disable = "TRUE"

isolation.tools.runProgramDone.disable = "TRUE"

isolation.tools.unifiedLoop.disable = "TRUE"

isolation.tools.upgraderParameters.disable = "TRUE"

isolation.tools.vmxCopyPasteVersionGet.disable = "TRUE"

isolation.tools.vmxDnDVersionGet.disable = "TRUE"


Best regards,
Edward L. Haletky
VMware Communities User Moderator
====
Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education.
Blue Gears and SearchVMware Pro Blogs -- Top Virtualization Security Links -- Virtualization Security Round Table Podcast

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill
JDLangdon
Expert

Texiwill,

Do you know if these are case sensitive? Also, I've found that isolation.tools.copy.enable => false and isolation.tools.paste.enable => false don't always work but isolation.tools.copy.disable => true and isolation.tools.paste.disable => true do. Has anyone else experienced this?

I just created a new VM and the default advanced options are outlined below in the graphic. With these default settings in place I can cut and paste from my local PC, through a VIC opened console, and into the clipboard of a running VM. However, as I mentioned above, if I change the defaults to isolation.tools.copy.disable => true and isolation.tools.paste.disable => true, I am no longer able to cut and paste between my local PC and a VM via an opened VIC console.

________________________________

Jason D. Langdon

Texiwill
Leadership

Hello,

Choose the ones that work. Many times VMware changes these settings or adds new ones without actually telling anyone. I will try to get someone to comment on this from inside VMware.


Best regards,
Edward L. Haletky
admin
Immortal

The disable versions of those commands are the correct syntax.

See page for of the hardening guide. http://www.vmware.com/resources/techresources/726

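An added example, not part of any post in this thread and not VMware tooling: a Python check that audits .vmx text against a subset of the settings listed above, reports the `.enable` copy/paste keys that the last reply says are not the correct syntax, and flags key-case differences instead of assuming an answer to the case-sensitivity question. The function names and the sample file contents are constructed for illustration.

```python
import re

# Subset of the list posted in this thread. Copy/paste use the ".disable"
# form, which the last reply calls the correct syntax.
BASELINE = {
    "isolation.tools.copy.disable": "true",
    "isolation.tools.paste.disable": "true",
    "isolation.tools.setInfo.disable": "true",
    "isolation.tools.connectable.disable": "true",
    "isolation.tools.diskshrink.disable": "true",
    "isolation.tools.diskwiper.disable": "true",
    "isolation.tools.hgfs.disable": "true",
    "monitor_control.restrict_backdoor": "true",
    "tools.setinfo.sizeLimit": "1048576",
}
# The ".enable" spellings reported in the thread as not always working.
ENABLE_FORMS = ("isolation.tools.copy.enable", "isolation.tools.paste.enable")
LINE = re.compile(r'^\s*([\w.]+)\s*=\s*"?([^"]*)"?\s*$')

def parse_vmx(text):
    """Return {key: value} for every key = "value" line, keeping key case."""
    matches = (LINE.match(line) for line in text.splitlines())
    return {m.group(1): m.group(2).strip() for m in matches if m}

def audit(text):
    """Map each baseline key to ok / missing / wrong-value / case-differs."""
    found = parse_vmx(text)
    by_lower = {k.lower(): k for k in found}
    findings = {}
    for key, want in BASELINE.items():
        actual = by_lower.get(key.lower())
        if actual is None:
            findings[key] = "missing"
        elif found[actual].lower() != want:
            findings[key] = "wrong-value"
        else:
            # Case sensitivity is left open in the thread: report, don't decide.
            findings[key] = "ok" if actual == key else "case-differs"
    for key in ENABLE_FORMS:
        if key.lower() in by_lower:
            findings[key] = "use-disable-form"
    return findings

# Constructed sample .vmx content, not taken from a real VM.
SAMPLE_VMX = '''displayName = "test-vm"
isolation.tools.copy.enable = "false"
isolation.tools.paste.disable = "TRUE"
isolation.tools.setinfo.disable = "true"
isolation.tools.diskshrink.disable = "false"
monitor_control.restrict_backdoor = "true"
'''

if __name__ == "__main__":
    for key, status in audit(SAMPLE_VMX).items():
        print(f"{status:17} {key}")
```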