What type of advanced configurations are you implementing to secure your VMs from "backdoor" attacks?
I've read several on-line papers and blogs which all basically list the same dozen or so as Texiwill. While this is a great list, is this all of the .vmx hacks that are available?
________________________________
Jason D. Langdon
The DISA STIG has some duplicates and other new suggestions.
Hello,
Another one to add would be to disable VIX from working....
My current list is:
tools.setinfo.sizeLimit => 1048576
isolation.tools.setInfo.disable => true
isolation.tools.connectable.disable => true
isolation.tools.diskshrink.disable => true
isolation.tools.diskwiper.disable => true
isolation.tools.copy.enable => false
isolation.tools.paste.enable => false
isolation.tools.setguioptions.enable => false
isolation.tools.setinfo.disable => true
isolation.tools.hgfs.disable => true
isolation.tools.getVersion.disable => true
isolation.tools.getMem.disable => true
isolation.tools.getMhz.disable => true
monitor_control.restrict_backdoor => true
isolation.tools.getVersion.disable => true
DISA also lists...but is not required and there are no real definitions for them within the guide (which is odd)... Check out http://www.sanbarrow.com for details on what they do.
isolation.device.edit.disable = "TRUE"
isolation.tools.commandDone.disable = "TRUE"
isolation.tools.getCreds.disable = "TRUE"
isolation.tools.guestCopyPasteVersionSet.disable = "TRUE"
isolation.tools.guestDnDVersionSet.disable = "TRUE"
isolation.tools.guestlibGuestInfo.disable = "TRUE"
isolation.tools.haltReboot.disable = "TRUE"
isolation.tools.haltRebootStatus.disable = "TRUE"
isolation.tools.hgfsServerSet.disable = "TRUE"
isolation.tools.imgCust.disable = "TRUE"
isolation.tools.memSchedFakeSampleStats.disable = "TRUE"
isolation.tools.runProgramDone.disable = "TRUE"
isolation.tools.unifiedLoop.disable = "TRUE"
isolation.tools.upgraderParameters.disable = "TRUE"
isolation.tools.vmxCopyPasteVersionGet.disable = "TRUE"
isolation.tools.vmxDnDVersionGet.disable = "TRUE"
Best regards,
Edward L. Haletky
VMware Communities User Moderator
====
Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education.
Blue Gears and SearchVMware Pro Blogs -- Top Virtualization Security Links -- Virtualization Security Round Table Podcast
Texiwill,
Do you know if these are case sensitive? Also, I've found that isolation.tools.copy.enable => false and isolation.tools.paste.enable => false don't always work but isolation.tools.copy.disable => true and isolation.tools.paste.disable => true do. Has anyone else experienced this?
I just created a new VM and the default advanced options are outlined below in the graphic. With these default settings in place I can cut and paste from my local PC, through a VIC opened console, and into the clipboard of a running VM. However, as I mentioned above, if I change the defaults to isolation.tools.copy.disable => true and isolation.tools.paste.disable => true, I am no longer able to cut and paste between my local PC and a VM via an opened VIC console.
________________________________
Jason D. Langdon
Hello,
Choose the ones that work. Many times VMware changes these settings or adds new ones without actually telling anyone. I will try to get someone to comment on this from inside VMware.
Best regards,
Edward L. Haletky
VMware Communities User Moderator
The disable versions of those commands are the correct syntax.
See page for of the hardening guide. http://www.vmware.com/resources/techresources/726
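An added example, not part of the original posts and not VMware code: a small Python audit that checks the text of a .vmx file against the first list in this thread, with copy/paste in the ".disable" form named in the last reply. The names `audit`, `BASELINE` and `SAMPLE_VMX` are hypothetical, the sample fragment is constructed, and comparing keys and values case-insensitively is an assumption, so spellings that differ only in case are reported rather than silently accepted.

```python
import re

# Keys the thread sets to true (copy/paste in the ".disable" form from the last reply).
TRUE_KEYS = """
isolation.tools.setInfo.disable isolation.tools.connectable.disable
isolation.tools.diskshrink.disable isolation.tools.diskwiper.disable
isolation.tools.copy.disable isolation.tools.paste.disable
isolation.tools.hgfs.disable isolation.tools.getVersion.disable
isolation.tools.getMem.disable isolation.tools.getMhz.disable
monitor_control.restrict_backdoor
""".split()
BASELINE = {**dict.fromkeys(TRUE_KEYS, "true"), "tools.setinfo.sizeLimit": "1048576",
            "isolation.tools.setguioptions.enable": "false"}

# key = "value" lines; quotes optional, lines starting with '#' do not match.
LINE = re.compile(r'^\s*([^#\s=]+)\s*=\s*"?([^"]*?)"?\s*$')

def audit(text, baseline=BASELINE):
    """Return sorted (key, problem, detail) tuples for the text of a .vmx file."""
    seen, findings = {}, []
    for m in filter(None, map(LINE.match, text.splitlines())):
        # Assumption: group keys case-insensitively, but remember the spelling used.
        seen.setdefault(m.group(1).lower(), []).append(m.groups())
    for key, want in baseline.items():
        entries = seen.get(key.lower(), [])
        if not entries:
            findings.append((key, "missing", want))
        if len(entries) > 1:
            findings.append((key, "duplicate", str(len(entries))))
        for written, got in entries:
            if written != key:  # report it: the thread never settles case sensitivity
                findings.append((key, "case-variant", written))
            if got.lower() != want.lower():
                findings.append((key, "mismatch", got))
    return sorted(findings)

# Constructed sample .vmx fragment, not taken from a real VM.
SAMPLE_VMX = '''
displayName = "test-vm"
isolation.tools.copy.enable = "false"
isolation.tools.paste.disable = "TRUE"
isolation.tools.setinfo.disable = "true"
isolation.tools.setInfo.disable = "true"
isolation.tools.diskshrink.disable = "false"
'''

if __name__ == "__main__":
    print(*audit(SAMPLE_VMX), sep="\n")
```

On the sample, the `.enable` copy setting does not satisfy the baseline, so `isolation.tools.copy.disable` is reported as missing.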