
.VMX Hardening Options

Posted by vmroyale Apr 8, 2011

The vSphere 4.1 Hardening Guide was released yesterday, and it contains a wealth of information on securing vSphere environments. The scope of the guide states that the topics covered are the "initial configuration of the virtualization infrastructure layer," which includes VMware ESX 4 and VMware ESXi 4 hosts, Virtual Machine Configuration (.VMX) files, virtual networking infrastructure, VMware vCenter Server, its database and client components, and VMware Update Manager. General Guest OS and application hardening is not included as part of this guide.

I updated my security notes after reading the new guide, and I also decided to include the .VMX options here as a quick reference. While these .VMX options can help secure the environment, these changes are only a part of a comprehensive strategy. Also keep in mind that most of these changes will require the VM to be powered off or rebooted before they can take effect. With that being said, here are the options:

Prevent virtual disk shrinking:
isolation.tools.diskWiper.disable = "true"
isolation.tools.diskShrink.disable = "true"

Prevent other users from spying on administrator remote consoles:
RemoteDisplay.maxConnections = "1"

Disable Copy and Paste from VMs:
isolation.tools.copy.disable = "true"
isolation.tools.paste.disable = "true"

Ensure that unauthorized devices are not connected (unless needed/required); X and Y stand for the device numbers as they appear in the .VMX file (e.g. floppy0, ide1:0):
floppyX.present = "false"
serialX.present = "false"
parallelX.present = "false"
usb.present = "false"
ideX:Y.present = "false"

Prevent unauthorized removal, connection and modification of devices:
isolation.device.connectable.disable = "TRUE"
isolation.device.edit.disable = "TRUE"

Disable VM-to-VM communication through VMCI:
vmci0.unrestricted = "FALSE"

Limit VM log file size and number (note that logging = "FALSE" turns VM logging off entirely, so only use it where the logs are not needed):
log.rotateSize = "100000"
log.keepOld = "10"
logging = "FALSE"

Limit informational messages from the VM to the VMX file:
tools.setInfo.sizeLimit = "1048576"

Disable certain unexposed features:
isolation.tools.unity.push.update.disable = "TRUE"
isolation.tools.ghi.launchmenu.change = "TRUE"
isolation.tools.memSchedFakeSampleStats.disable = "TRUE"
isolation.tools.getCreds.disable = "TRUE"
isolation.tools.hgfsServerSet.disable = "TRUE"

Disable remote operations within the guest:
guest.command.enabled = "FALSE"

Do not send host performance information to guests:
tools.guestlib.enableHostInfo = "FALSE"

Control access to VMs through VMsafe CPU/memory APIs (www.xxx.yyy.zzz and nnnn are placeholders for the VMsafe agent's address and port):
vmsafe.enable = "TRUE"
vmsafe.agentAddress = "www.xxx.yyy.zzz"
vmsafe.agentPort = "nnnn"

Control access to VMs through VMsafe network APIs:
ethernet0.filter1.name = "dv-filter1"

Allow Application Consistent Snapshots in Windows 2008:
disk.EnableUUID = "true"

The final option is not actually in the guide, but application consistency can/should be thought of as increased availability.  Many of these options could cause undesired consequences in your environment, so consult the guide and always test before making any of these changes in production environments.
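As an added example (not from the post or the Hardening Guide), here is a small Python audit that parses a .vmx file and reports which of the settings listed above are missing or set to a non-hardened value, so a VM can be checked before and after the change. The HARDENING mapping, DEVICE_PATTERNS and the sample .vmx content are constructed for this example; the expected values are the ones listed in the post, and the device keys are treated as wildcards over the unit number.

```python
import re

# Hardened values from the post, keyed in lower case (VMX keys are not case-sensitive). Constructed mapping.
HARDENING = {
    "isolation.tools.diskwiper.disable": "true", "isolation.tools.diskshrink.disable": "true",
    "remotedisplay.maxconnections": "1", "isolation.tools.copy.disable": "true",
    "isolation.tools.paste.disable": "true", "isolation.device.connectable.disable": "true",
    "isolation.device.edit.disable": "true", "vmci0.unrestricted": "false",
    "tools.setinfo.sizelimit": "1048576", "guest.command.enabled": "false",
    "tools.guestlib.enablehostinfo": "false",
}
# Device keys carry a unit number (floppyX, ideX:Y ...); any such device still present is flagged.
DEVICE_PATTERNS = [r"floppy\d+\.present", r"serial\d+\.present",
                   r"parallel\d+\.present", r"usb\.present", r"ide\d+:\d+\.present"]

def parse_vmx(text):
    """Parse 'key = "value"' lines into {lower-cased key: unquoted value}; blank and # lines are skipped."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r'^([^=\s]+)\s*=\s*"?([^"]*)"?\s*$', line)
        if m:
            settings[m.group(1).lower()] = m.group(2).strip()
    return settings

def audit_vmx(text):
    """Return (key, expected, actual) for every hardening value that is missing or not as expected."""
    settings = parse_vmx(text)
    findings = [(k, v, settings.get(k)) for k, v in HARDENING.items()
                if settings.get(k) is None or settings[k].lower() != v]
    for pattern in DEVICE_PATTERNS:
        findings += [(k, "false", v) for k, v in settings.items()
                     if re.fullmatch(pattern, k) and v.lower() == "true"]
    return findings

# Constructed sample .vmx content: partially hardened, with a floppy device still present.
SAMPLE_VMX = """\
isolation.tools.diskShrink.disable = "TRUE"
isolation.tools.diskWiper.disable = "true"
RemoteDisplay.maxConnections = "1"
isolation.tools.copy.disable = "true"
isolation.tools.paste.disable = "false"
floppy0.present = "TRUE"
vmci0.unrestricted = "true"
tools.setInfo.sizeLimit = "1048576"
"""
```

Calling audit_vmx(SAMPLE_VMX) returns seven findings for this sample (the paste, device-edit, device-connect, VMCI, guest command and host-info settings, plus the present floppy device); an empty list means every listed value is in place.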


As always, thanks for reading!

Brian