How about some guidance regarding VMware Tools installations?
For example, keep Tools up to date (at least the security-fix updates) even when the host has not been upgraded to provide the Tools ISO yet. (Also, newer Tools versions are generally supported on older ESXi hosts, as shown in the VMware Product Interoperability Matrixes.)
Another point to reduce the possible attack surface could be removing unnecessary VMware Tools modules, of which some are not even openly exposed during the actual installation process (like BootCamp, WYSE and Unity modules):
VMware KB: Removing modules for VMware Tools during unattended install or upgrade
http://www.v-front.de/2014/02/an-analysis-of-vsphere-55-vmware-tools.html
I also asked that in a feedback thread of a hardening guide for an earlier version of vSphere, but didn't really get an answer on this, so I'll ask again:
Some VMX parameters such as "disable-unexposed-features-unity" are described as not applying to vSphere environments since they are obviously features for Workstation/Player/Fusion only. However, the guide still lists a negative functional impact of "Some automated tools and process may cease to function".
Why would non-applicable features like this have a negative impact and what exactly are these "automated tools and processes" referred to here?
The text in the Vulnerability Discussion columns of all pages seems to be cut off after a certain amount of text, e.g.:
Some VMX parameters don't apply on vSphere because VMware virtual machines work on vSphere and hosted virtualization platforms such as Workstation and Fusion. Explicitly disabling these features reduces the potential for vulnerabilities because it reduces
By capturing a hardened base operating system image (with no applications installed) in a template, you can ensure that all your virtual machines are created with a known baseline level of security. You can then use this template to create other, applicat
ESXi uses the pam_passwdqc.so plug-in to set password strength and complexity. It is important to use passwords that are not easily guessed and that are difficult for password generators to determine. Note, ESXi imposes no restrictions on the root passw
If you are not using products that make use of the dvfilter network API (e.g. VMSafe), the host should not be configured to send network information to a VM. If the API is enabled, an attacker might attempt to connect a VM to it, thereby potentially provi