We do instal vnmware tools in our dmz guests.

You can limit what you install with the tools i/e no shared folders etc/

Why install. The repsonse is better for video the nic drivers etc. baloon driver. You also will be able to view performance counters with the tools installed.You can alway just copy the video and nic drivers into a guest and install them

Hello,

Moved to the Security and Compliance Forum.

Some of my colleagues are very wary of installing vmware tools on these dmz machines, as they could be a vulnerability.

I would first read through the Top Virtualization Links: ESX/ESXi for reference material on setting a DMZ.

Also the amount of guests running on the DMZ ESX won't be a great deal, so I don't think there will be any need for any of the funky memory ballooning/management stuff.

I thought the same, but if the ESX host ever does get overloaded or you need to overcommit VMs due to other issues, they will be invaluable. Balloon drivers are NOT a risk, the vmkernel zeros all memory assigned to VMs from any source.

1: How is everyone else doing this:

I install VMware Tools but change permissions so only an Administrator can access them.

2: Is it possible to compromise a guest, and then work your way back to ESX? I didn't think it was...

No. You can access the VMware Backdoor from within the VM and maybe get one or two bits of information, by design, from the host but nothing critical. Follow the guidelines in the VMware Hardening Guideline to limit access to the backdoor and use UAC or SELinux to deny access to the kernel device port from non-administrators.

3: Give me some good reasons to install vmware tools in the DMZ (please!)

You need VMware Tools in order to stop some VMs from within the VIC. If you do not have them, then normal power on/power off operations tend to fail. In addition, you can use VMware Tools to 'quiesce' the disk before backups, which make backups slightly cleaner. In addition, the best performance for networking often comes with a VMware Tools network driver.

VMware Tools are not a huge security risk. There is no way to use VMware Tools or the VMware Backdoor to Escape the VM. BTW, even without VMware Tools, the backdoor is STILL available, so you will need to still secure the VM.

Best regards,

Edward L. Haletky

VMware Communities User Moderator

====

Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education.

Blue Gears and SearchVMware Pro Blogs: http://www.astroarch.com/wiki/index.php/Blog_Roll

Top Virtualization Security Links: http://www.astroarch.com/wiki/index.php/Top_Virtualization_Security_Links