Take a look at these articles:

http://www.killertechtips.com/2009/05/17/remove-the-safely-remove-hardware-icon-in-windows-7-permane...

http://blog.ryantadams.com/2008/10/27/hide-the-safely-remove-hardware-icon-from-the-system-tray/

---

VMware vExpert '2009

http://blog.vadmin.ru

hi:

thanks for the information. but i only want to hide vmxnet3 icon, because my virtual nic is always fixed and removeable is useless to me. other removable device icons are useful.don't want to hide all of them..

Hello,

Moved to Virtual Machine and Guest OS forum.

This is not actually an ESX issue it is a VMware Tools and perhaps a Guest OS issue. If your Guest OS has a way to hide icons in the systray then you can use that method.... If you look at the NIC settings, I believe there is a method for Windows.

Best regards,

Edward L. Haletky VMware Communities User Moderator, VMware vExpert 2009, Virtualization Practice Analyst[/url]
Now Available: 'VMware vSphere(TM) and Virtual Infrastructure Security: Securing the Virtual Environment'[/url]
Also available 'VMWare ESX Server in the Enterprise'[/url]
[url=http://www.astroarch.com/wiki/index.php/Blog_Roll]SearchVMware Pro[/url]|Blue Gears[/url]|Top Virtualization Security Links[/url]|Virtualization Security Round Table Podcast[/url]

hi:

this issue is specific to vmxnet3. and since vmxnet3 is new, so it is a specific issue to vsphere. i didn't see this kind of behavior

with pcnet or e1000 or vmxnet2 in ESXi 3.5. and i didn't see easy way to hide it in windows.if you know,please comment.

same here but really quite a problem because the ability to remove the nic is now available to all the non-privileged users and some are quite curious.

having just upgraded to hw7 and vmxnet3 on 21 terminal servers for 300+ users i found that some of them were losing their nics for no apparent reason, curious but no problem adding it back in through Edit Settings on the VM profile.

just tested with a non-priv user on a server and sure enough that is what is happening.

so now i need to try and find a way to either hide the icon or make it stop working for non-priv users as this is quite disruptive when some curious nit decides to see what happens and everybody on that production server is disconnected.

surprising that VMware is not taking more interest in this "undocumented New Feature", kind of like ejecting the Warp Core in-flight.

wayne

oops, my mistake the non-priv account actually had some left over privs from a previous test.

without privs the icon was not present in the tray for the test account.

not as serious as first thought but still not a feature that one wants on their server.

wayne

un-oops, kept testing and non-priv users do seem to be able to remove the nic

how to block this back at the top of the list

Anyone heard anything from VMware on this problem? I can see this as a potential huge problem myself.

One more thing to add- it doesn't matter if it is set as the vmxnet3 driver, I changed to vmxnet2 and flexible and they all allowed the removal. I think it has to do with the VM version 7 format allowing hot-add of NIC's

I have the same problem on my vShere 4 Enterprise. Any solution, other than stop using hardware version 7 on the VMs?

This is a huge security and operational problem! Vmware must address this problem a.s.a.p!

I think the device could be marked as non removable via a registry change on the device:

http://msdn.microsoft.com/en-us/library/dd568019.aspx

The site refers "Beginning with Windows 7"... All other Windows versions retain this behavior.

For fixing this perhaps a new NIC driver via VMWare tools?

Changing the default behavior of Windows by hammering de registry or using third party applications is just a workaround, not a real fix.

This is a huge deal to me; I have +50VMs on hardware version 7, and in one month, I had 2 NICs removed from production servers, one by a curious user in a TS server, other by a system admin on a slow link, and accidently pressing the remove icon :_| …

More suggestions please?

Thanks in advance.

I just realized this is hardware 7 specific not windows 7 specific.

I think the registry setting is the same or close to the same.

Perhaps you should open a support incident with vmware?

Your interim fix is just to remove hotplug support in the vmx that should solve the problem in the short term.

Hi, Thank you for the reply.

I just remove the hot-plug support (http://kb.vmware.com/kb/1012225) as temporary solution on the “Terminal Server” hosts VMs (most critical problem).

My next step is to open a support incident with vmware. I need a real and global solution to this problem.

I looked at this issue a little more.

Another potential fix is to mark the device as "not user removable."

http://www.anetforums.com/posts.aspx?ThreadIndex=3204

Which can be set via a registry set, or via the inf file that installs the vmxnet3 device.

http://communities.vmware.com/blogs/vmroyale/2009/04/08/resolving-the-parallel-port-driver-service-f...

I think vmware should add this configuration on the vmx file or via the vmware network device properties.

You sir, are my hero. Exactly what I needed after having someone either curiously or accidentally unplugging the network device today.

It's also worth mentioning that using Vsphere free edition doesn't allow you to Hotplug the network back in while the VM is switched on, so you have to shutdown the VM, add the device again and then reboot. What a pita.

I did more research, it appears this is a better solution, it prevents removeal of devices from inside the os, all device configuration can only occur from the vi client machine configuration.

Prevent Unauthorized Removal or Connection of Devices

Normal users and processes—that is users and processes without root or administrator privileges—within

virtual machines have the capability to connect or disconnect devices, such as network adapters and CD‐ROM

drives.

For example, by default, a rogue user within a virtual machine can:

Connect a disconnected CD‐ROM drive and access sensitive information on the media left in the drive

Disconnect a network adapter to isolate the virtual machine from its network, which is a denial of service

In general, you should use the virtual machine settings editor or Configuration Editor to remove any

unneeded or unused hardware devices. However, you may want to use the device again, so removing it is not

always a good solution. In that case, you can prevent a user or running process in the virtual machine from

connecting or disconnecting a device from within the guest operating system by adding the parameter shown

Table 8. Configuration Setting to Prevent Device Removal or Connection

Name Value

Isolation.tools.connectable.disable true

http://www.vmware.com/files/pdf/vi35_security_hardening_wp.pdf

I believe this solves your issue.