The vSphere 4.1 Hardening Guide was released yesterday, and it contains a wealth of information on securing vSphere environments. The scope of the guide states that the topics covered are the "initial configuration of the virtualization infrastructure layer," which includes VMware ESX 4 and VMware ESXi 4 hosts, Virtual Machine Configuration (.VMX) files, virtual networking infrastructure, VMware vCenter Server, its database and client components and VMware Update Manager. General Guest OS and application hardening is not included as part of this guide.
After reading the new guide I updated my security notes, and I also decided to include the .VMX options here as a quick reference. While these .VMX options can help secure the environment, they are only one part of a comprehensive strategy. Also keep in mind that most of these changes require the VM to be powered off or rebooted before they take effect. With that said, here are the options:
Prevent virtual disk shrinking:
isolation.tools.diskWiper.disable = "true"
isolation.tools.diskShrink.disable = "true"
Prevent other users from spying on administrator remote consoles:
RemoteDisplay.maxConnections=1
Disable Copy and Paste from VMs:
isolation.tools.copy.disable = "true"
isolation.tools.paste.disable = "true"
Ensure that unauthorized devices are not connected (unless needed/required):
floppyX.present = "false"
serialX.present = "false"
parallelX.present = "false"
usb.present = "false"
ideX:Y.present = "false"
Prevent unauthorized removal, connection and modification of devices:
isolation.device.connectable.disable=TRUE
isolation.device.edit.disable=TRUE
Disable VM-to-VM communication through VMCI:
vmci0.unrestricted=FALSE
Limit VM log file size and number:
log.rotateSize = "100000"
log.keepOld = "10"
logging=FALSE
Limit informational messages from the VM to the VMX file:
tools.setInfo.sizeLimit=1048576
Disable certain unexposed features:
isolation.tools.unity.push.update.disable = TRUE
isolation.tools.ghi.launchmenu.change = TRUE
isolation.tools.memSchedFakeSampleStats.disable = TRUE
isolation.tools.getCreds.disable = TRUE
isolation.tools.hgfsServerSet.disable = TRUE
Disable remote operations within the guest:
guest.command.enabled=FALSE
Do not send host performance information to guests:
tools.guestlib.enableHostInfo=FALSE
Control access to VMs through VMsafe CPU/memory APIs:
vmsafe.enable = TRUE
vmsafe.agentAddress = "www.xxx.yyy.zzz"
vmsafe.agentPort = "nnnn"
Control access to VMs through VMsafe network APIs:
ethernet0.filter1.name = dv-filter1
Allow Application Consistent Snapshots in Windows 2008:
disk.EnableUUID = "true"
The final option is not actually in the guide, but application consistency can/should be thought of as increased availability. Many of these options could cause undesired consequences in your environment, so consult the guide and always test before making any of these changes in production environments.
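Because these settings live in plain-text .vmx files, checking them before and after a change is easy to automate. The following Python audit is an added example (not code from the post or the hardening guide): it parses a .vmx file and flags deviations from the isolation, device and VMCI settings listed above; the sample .vmx content is constructed for the demonstration.

```python
import re
# Settings from the post, normalized: lowercase key, lowercase value without quotes.
EXPECTED = {
    "isolation.tools.diskwiper.disable": "true",
    "isolation.tools.diskshrink.disable": "true",
    "remotedisplay.maxconnections": "1",
    "isolation.tools.copy.disable": "true",
    "isolation.tools.paste.disable": "true",
    "isolation.device.connectable.disable": "true",
    "isolation.device.edit.disable": "true",
    "vmci0.unrestricted": "false",
    "guest.command.enabled": "false",
    "tools.guestlib.enablehostinfo": "false",
}
# Devices (floppyX, serialX, parallelX, usb, ideX:Y) that should be absent or set to "false".
DEVICE_PRESENT = re.compile(r"^(floppy\d+|serial\d+|parallel\d+|usb|ide\d+:\d+)\.present$")

def parse_vmx(text):
    """Parse .vmx text (one key = "value" per line); keys are case-insensitive, quotes optional."""
    settings = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and not key.startswith("#"):
            settings[key.strip().lower()] = value.strip().strip('"').lower()
    return settings

def audit_vmx(text):
    """Return (key, found, expected) for each deviation. A missing key is reported with
    found=None: the host default then applies, and the guide wants it set explicitly."""
    settings = parse_vmx(text)
    findings = [(k, settings.get(k), v) for k, v in EXPECTED.items() if settings.get(k) != v]
    findings += [(k, v, "false") for k, v in settings.items()
                 if DEVICE_PRESENT.match(k) and v == "true"]
    return findings

# Constructed sample .vmx fragment for demonstration, not taken from a real VM.
SAMPLE_VMX = """\
isolation.tools.diskWiper.disable = "true"
isolation.tools.diskShrink.disable = "true"
RemoteDisplay.maxConnections = 1
isolation.tools.copy.disable = "false"
isolation.tools.paste.disable = "true"
isolation.device.connectable.disable = "TRUE"
vmci0.unrestricted = "TRUE"
floppy0.present = "FALSE"
ide1:0.present = "TRUE"
"""
if __name__ == "__main__":
    for key, found, expected in audit_vmx(SAMPLE_VMX):
        print(f"{key}: found {found!r}, expected {expected!r}")
```

Run against the sample, it reports the enabled copy channel, the unrestricted VMCI, the present IDE device and the three settings that were never written to the file.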
As always, thanks for reading!
Brian