VMware Cloud Community
Pyr0Texn1c
Contributor

How to restrict access to backdoor port without restrict_backdoor?

The question is: can I use some OS (Windows Server 2008 R2) methods to block access to the ESXi backdoor port from any program except VMware Tools, so that I don't need to set the monitor_control.restrict_backdoor parameter? Or, maybe, can I change some VMware Tools parameters to override the effect of the monitor_control.restrict_backdoor parameter?

4 Replies
Kedar_D
Enthusiast

Please refer to the hardening guide.

http://www.vmware.com/security/hardening-guides.html

If you find this or any other answer useful please mark the answer as correct or helpful. Kedar, http://virtualtechknow.wordpress.com/
admin
Immortal

You can restrict individual hypercalls with various "isolation.tools.*" settings, but there is no way to restrict hypercalls from the guest on a per-process basis.

admin
Immortal

Actually, the semantics of restrict_backdoor is that, when set, access to the backdoor port requires normal x86 I/O port permissions.  If Windows offers a way to raise the IOPL of the VMware Tools process to equal its privilege level, then it could still make hypercalls, even with monitor_control.restrict_backdoor=TRUE.

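The two admin replies above name the two knobs that actually exist on the hypervisor side: monitor_control.restrict_backdoor, which makes the backdoor port subject to normal x86 I/O port permissions, and the isolation.tools.* settings, which switch off individual hypercalls. A defender's practical use of that is a configuration audit over the VM's .vmx file. The script below is an added example, not VMware's code and not part of this thread; it assumes the usual .vmx "key = \"value\"" line syntax, treats lines starting with "#" as comments (an assumption), compares values case-insensitively, and uses two isolation.tools.* keys from the hardening guide (copy/paste disable) as an illustrative baseline rather than a complete list. The sample .vmx contents are constructed.

```python
"""Audit a .vmx file for the backdoor hardening settings discussed in this thread.

Added example, not VMware's code. The sample .vmx text is constructed.
"""
import re

# Key named in the thread: when TRUE, the backdoor port requires normal
# x86 I/O port permissions instead of being reachable from any guest process.
RESTRICT_BACKDOOR_KEY = "monitor_control.restrict_backdoor"

# Illustrative baseline of per-hypercall isolation.tools.* settings
# (assumed subset taken from the hardening guide, not an exhaustive list).
EXPECTED_ISOLATION = {
    "isolation.tools.copy.disable": "TRUE",
    "isolation.tools.paste.disable": "TRUE",
}

# Matches  key = "value"  or  key = value  (quotes optional).
_ENTRY_RE = re.compile(r'^([A-Za-z0-9_.:]+)\s*=\s*"?(.*?)"?$')


def parse_vmx(text):
    """Return {key (lower-cased): value} for every key = value line.

    .vmx keys are treated as case-insensitive; '#' lines are skipped
    as comments (assumption about the format).
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _ENTRY_RE.match(line)
        if m:
            settings[m.group(1).lower()] = m.group(2).strip()
    return settings


def _is_true(value):
    """VMX booleans are written TRUE/true; compare case-insensitively."""
    return value is not None and value.strip().upper() == "TRUE"


def audit_backdoor(text):
    """Return a dict with the restrict_backdoor state, missing isolation
    keys, and human-readable findings for each gap."""
    settings = parse_vmx(text)
    findings = []

    restrict = _is_true(settings.get(RESTRICT_BACKDOOR_KEY))
    if not restrict:
        findings.append(
            f"{RESTRICT_BACKDOOR_KEY} is not TRUE: any guest process, not only "
            "VMware Tools, can reach the backdoor port"
        )

    isolation_gaps = []
    for key, want in EXPECTED_ISOLATION.items():
        have = settings.get(key)
        if have is None or have.upper() != want:
            isolation_gaps.append(key)
            findings.append(f"{key} should be {want}, found {have!r}")

    return {
        "restrict_backdoor": restrict,
        "isolation_gaps": isolation_gaps,
        "findings": findings,
    }


# Constructed sample: a plain guest with no backdoor hardening at all.
UNHARDENED_VMX = """.encoding = "UTF-8"
config.version = "8"
displayName = "win2008r2-app01"
guestOS = "windows7srv-64"
"""

# Same guest with the settings from the thread applied.
HARDENED_VMX = UNHARDENED_VMX + """monitor_control.restrict_backdoor = "TRUE"
isolation.tools.copy.disable = "TRUE"
isolation.tools.paste.disable = "TRUE"
"""


if __name__ == "__main__":
    for name, vmx in (("unhardened", UNHARDENED_VMX), ("hardened", HARDENED_VMX)):
        result = audit_backdoor(vmx)
        print(f"[{name}] restrict_backdoor={result['restrict_backdoor']}")
        for finding in result["findings"]:
            print("  -", finding)
```

Note that the audit can only confirm what the hypervisor enforces. As the reply above explains, restrict_backdoor is an I/O port permission check, so a guest process that manages to raise its IOPL is outside what this file-level check can see; the .vmx audit tells you the setting is on, not that every guest process is unprivileged.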
admin
Immortal

Alternatively, if Windows provides facilities for a per-process (or per-thread) scheduling hook, you could make a hypercall from the process or thread hook to dynamically disable restrict_backdoor on entry to a VMware Tools process (or thread) and to dynamically enable restrict_backdoor on entry to any other process (or thread).
