.VMX Hardening Options

The vSphere 4.1 Hardening Guide was released yesterday, and it contains a wealth of information on securing vSphere environments.  The scope of the guide states that the topics covered are the "initial configuration of the virtualization infrastructure layer," which includes VMware ESX 4 and VMware ESXi 4 hosts, Virtual Machine Configuration (.VMX) files, virtual networking infrastructure, VMware vCenter Server, its database and client components and VMware Update Manager.  General Guest OS and application hardening is not included as part of this guide.

After reading the new guide, I updated my security notes and decided to include the .VMX options here as a quick reference.  While these .VMX options can help secure the environment, they are only one part of a comprehensive strategy.  Also keep in mind that most of these changes require the VM to be powered off or rebooted before they take effect.  With that said, here are the options:

Prevent virtual disk shrinking:
isolation.tools.diskWiper.disable = "true"
isolation.tools.diskShrink.disable = "true"

Prevent other users from spying on administrator remote consoles:
RemoteDisplay.maxConnections=1

Disable Copy and Paste from VMs:
isolation.tools.copy.disable = "true"
isolation.tools.paste.disable = "true"

Ensure that unauthorized devices are not connected (unless needed/required):
floppyX.present = "false"
serialX.present = "false"
parallelX.present = "false"
usb.present = "false"
ideX:Y.present = "false"

Prevent unauthorized removal, connection and modification of devices:
isolation.device.connectable.disable=TRUE
isolation.device.edit.disable=TRUE

Disable VM-to-VM communication through VMCI:
vmci0.unrestricted=FALSE

Limit VM log file size and number:
log.rotateSize = "100000"
log.keepOld = "10"
logging=FALSE

Limit informational messages from the VM to the VMX file:
tools.setInfo.sizeLimit=1048576

Disable certain unexposed features:
isolation.tools.unity.push.update.disable = TRUE
isolation.tools.ghi.launchmenu.change = TRUE
isolation.tools.memSchedFakeSampleStats.disable = TRUE
isolation.tools.getCreds.disable = TRUE
isolation.tools.hgfsServerSet.disable = TRUE

Disable remote operations within the guest:
guest.command.enabled=FALSE

Do not send host performance information to guests:
tools.guestlib.enableHostInfo=FALSE

Control access to VMs through VMsafe CPU/memory APIs:
vmsafe.enable = TRUE
vmsafe.agentAddress="www.xxx.yyy.zzz"
vmsafe.agentPort="nnnn"

Control access to VMs through VMsafe network APIs:
ethernet0.filter1.name = dv-filter1

Allow Application Consistent Snapshots in Windows 2008:
disk.EnableUUID="true"

The final option is not actually in the guide, but application consistency can/should be thought of as increased availability.  Many of these options could cause undesired consequences in your environment, so consult the guide and always test before making any of these changes in production environments.
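As an added example that is not from this post or from the hardening guide, the Python below parses a .vmx file and reports which of the settings listed above are missing or not set to the hardened value. It assumes that .vmx keys and boolean values can be compared case-insensitively and that an absent key means the non-hardened default; the sample .vmx fragment is constructed for the demonstration.

```python
import re
# Hardening keys from the guide as listed above; an absent key is reported (assumption: not the default).
EXPECTED = {
    "isolation.tools.diskwiper.disable": "true",
    "isolation.tools.diskshrink.disable": "true",
    "remotedisplay.maxconnections": "1",
    "isolation.tools.copy.disable": "true",
    "isolation.tools.paste.disable": "true",
    "isolation.device.connectable.disable": "true",
    "isolation.device.edit.disable": "true",
    "vmci0.unrestricted": "false",
    "log.rotatesize": "100000",
    "log.keepold": "10",
    "tools.setinfo.sizelimit": "1048576",
    "guest.command.enabled": "false",
    "tools.guestlib.enablehostinfo": "false",
}
# Legacy/removable devices that should not be present unless required.
DEVICE_RE = re.compile(r"^(floppy\d+|serial\d+|parallel\d+|ide\d+:\d+|usb)\.present$")
def parse_vmx(text):
    """Parse 'key = "value"' lines into a dict; keys and values lower-cased."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            cfg[key.strip().lower()] = value.strip().strip('"').lower()
    return cfg
def audit_vmx(text):
    """Return sorted (key, found, expected) tuples for non-compliant settings."""
    cfg = parse_vmx(text)
    findings = []
    for key, expected in EXPECTED.items():
        found = cfg.get(key, "<missing>")
        if found != expected:
            findings.append((key, found, expected))
    for key, value in cfg.items():  # any attached legacy device is a finding
        if DEVICE_RE.match(key) and value == "true":
            findings.append((key, value, "false"))
    return sorted(findings)
# Constructed sample .vmx fragment: partly hardened, floppy still attached.
SAMPLE_VMX = '''\
isolation.tools.diskWiper.disable = "TRUE"
isolation.tools.copy.disable = "false"
floppy0.present = "TRUE"
vmci0.unrestricted = "FALSE"
RemoteDisplay.maxConnections = "1"
'''
```

Running `audit_vmx(SAMPLE_VMX)` on the sample returns eleven findings: the nine keys the fragment omits, copy.disable set to "false", and the attached floppy0.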

As always, thanks for reading!

Brian

Comments

hi all,

Does anyone know what this parameter "isolation.tools.ghi.launchmenu.change" is about, please?

And the same for "isolation.bios.bbs.disable".

What is changed when it is applied, please?

Version history: Revision 1 of 1. Last update: 04-08-2011 07:05 AM.