VMware Cloud Community
Schorschi
Expert

Disable USB support on ESXi OS or BIOS, both?

We have a requirement to disable USB support on all servers. This is regardless of the OS installed, and I am not talking about VMs, but we have already disabled all USB support on all VMs as well. We are considering disabling USB support at the BIOS level, and VMware documentation on disabling USB at the ESXi OS level is a gap based on our research thus far. If we remove the USB vibs from the ESXi OS installation and/or disable USB at the BIOS level, we believe the following issues result:

1) KVM (Keyboard, Video, Mouse) at physical console (i.e. DCUI) impacted

2) Service Processor (i.e. HP iLO, Dell iDRAC, etc.) features lost for some OEMs, we may lose firmware updating or virtual device media support

3) USB device support to VM lost, not a big deal for us, fortunately

4) USB storage device support lost, this is not a big deal for us, fortunately

5) Acknowledge that only SSH access will be possible to ESXi directly; ESXi will be in effect headless, with HID (Human Input Device) support lacking for some configurations if not all, as noted above

Via additional testing, we discovered that direct vib removal of USB support, via SSH, on a live ESXi OS instance can be intrusive: on at least one system, in one test, the SSH connection immediately disconnected and could not be re-established, and since DCUI and Service Processor console access was lost at vib removal as well, the ESXi OS instance was secured, but useless in any practical sense. Obviously we have some more testing to do, but this was a surprise!

Has anyone else done this? Are there other issues or concerns of note?

5 Replies
DavoudTeimouri
Virtuoso

Hi,

On ESXi 4.1 and higher, the USB arbitrator service takes control of local USB devices and passes them through for use by virtual machines.

So no one can access your USB devices via the ESXi shell when usbarbitrator is running.

You should stop this service to access USB devices.

If you have blocked USB ports on VMs and you have a strong password and security on ESXi, you have no concern about USB.

-------------------------------------------------------------------------------------
Davoud Teimouri - https://www.teimouri.net - Twitter: @davoud_teimouri Facebook: https://www.facebook.com/teimouri.net/
peetz
Leadership

So you discovered that disabling all USB support on your ESXi hosts (and probably also on other physically installed OSs like Windows) prevents you from using USB connected keyboards and mice (both the physically connected ones, but also the "virtual" ones from HP iLO etc.)?

That is not surprising ... and there is an easy solution: Don't do it.

I think it's time to tell your security guys that this requirement may be useful with physical Windows workstations, but not when dealing with virtualization hosts.

How about putting glue in all the unused USB ports, so nobody can stick anything bad in there?

Twitter: @VFrontDe, @ESXiPatches | https://esxi-patches.v-front.de | https://vibsdepot.v-front.de
peetz
Leadership

Okay, seriously ...

You could disable the usb-storage module by using

   esxcli system module set -m usb-storage -e false

( followed by

  vmkload_mod -u usb-storage

or a reboot to make the change effective )

This would prevent the usage of any USB storage devices without affecting KVM.

Twitter: @VFrontDe, @ESXiPatches | https://esxi-patches.v-front.de | https://vibsdepot.v-front.de
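An added audit helper, not from this thread or from VMware: it parses the table printed by `esxcli system module list` to confirm that usb-storage is both unloaded and disabled while the HID module that serves the keyboard and mouse is still loaded. The column layout and the module name `usbhid` are assumptions, and the sample output is constructed.

```shell
#!/bin/sh
# Audit helper (added example, not from the thread). Assumes the output of
# `esxcli system module list` has the columns: Name, Is Loaded, Is Enabled,
# with two header lines, and that the USB HID driver module is named "usbhid".

# Read module-list text on stdin and print "loaded=<x> enabled=<y>" for the
# module named in $1, or "missing" when it is not listed at all.
module_state() {
    awk -v mod="$1" '
        NR > 2 && $1 == mod { print "loaded=" $2 " enabled=" $3; found = 1 }
        END { if (!found) print "missing" }
    '
}

# Returns 0 only when usb-storage is unloaded AND disabled (so it stays off
# after a reboot) while usbhid is still loaded, i.e. KVM/iLO keyboard and
# mouse input is unaffected. $1 is the module-list text.
usb_hardening_ok() {
    storage=$(printf '%s\n' "$1" | module_state usb-storage)
    hid=$(printf '%s\n' "$1" | module_state usbhid)
    [ "$storage" = "loaded=false enabled=false" ] &&
    [ "$hid" = "loaded=true enabled=true" ]
}

# Constructed samples shaped like `esxcli system module list` output.
SAMPLE_BEFORE='Name         Is Loaded  Is Enabled
-----------  ---------  ----------
vmkernel     true       true
usb          true       true
usb-storage  true       true
usbhid       true       true'

# What the same host should look like after the two commands quoted above
# (esxcli system module set -m usb-storage -e false; vmkload_mod -u usb-storage).
SAMPLE_AFTER='Name         Is Loaded  Is Enabled
-----------  ---------  ----------
vmkernel     true       true
usb          true       true
usb-storage  false      false
usbhid       true       true'

# On a real host, feed the live output instead of the sample:
#   usb_hardening_ok "$(esxcli system module list)" && echo OK || echo "NOT hardened"
```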
Schorschi
Expert

Yes! We suggested epoxy in the unused ports, but they could just pull out the KVM device and use that port, they could just pull a drive from a mirror set, etc., etc. We also recommended physical security improvements, such as double-locked server cabinets, for example. The security team still wants this option researched and qualified, hence this forum post asking what others might have done or tried and decided was not viable, or such.

peetz
Leadership

I see ...

If you have too much spare time then you can also have a look at these devices:

http://www.kensington.com/us/us/4483/K67720US/usb-lock-with-cable-guard-sq

Twitter: @VFrontDe, @ESXiPatches | https://esxi-patches.v-front.de | https://vibsdepot.v-front.de