
vSphere Hardening Guide 5.1

Introduction

vSphere 5.1 Security Hardening Guide
General Availability (GA) Release
April 15, 2013

Important Note: This is a GA Release of the 5.1 vSphere Hardening Guide.

Scope of Guide

This guide covers the following components of vSphere:
- Virtual Machines
- ESXi hosts
- Virtual Network
- vCenter Server plus its database and clients. Common vCenter and Windows specific guidance is here.
- vCenter Web Client
- vCenter SSO Server
- vCenter Virtual Appliance (VCSA) specific guidance
- vCenter Update Manager

Everything else is out of scope and hence NOT covered by the guide. This includes:
- vSphere Management Assistant (vMA)
- any other add-on component

Description of fields

Each guideline is uniquely identified by the concatenation of Product-Version-Component-ID. Some examples:
- vSphere-5.1-esxi-apply-patches
- vSphere-5.1-vm-prevent-device-interaction-edit
- vSphere-5.1-vnetwork-reject-mac-change-dvportgroup
- vSphere-5.1-vcenter-isolated-vum-proxy

When referring to guidelines within a single version, the Product-Version may be omitted and the component-ID used by itself, e.g. esxi-apply-patches.

The Profile field indicates the relative increase in security provided by the guidelines. Some guidelines describe an issue with more than one defense, and these will be associated with more than one profile.
- Profile 3: guidelines that should be implemented in all environments
- Profile 2: guidelines that should be implemented for more sensitive environments, e.g. those handling more sensitive data, those subject to stricter compliance rules, etc.
- Profile 1: guidelines that should only be implemented in the highest security environments, e.g. top-secret government or military, extremely sensitive data, etc.

Control Type indicates how the guideline is implemented:
- Parameter: A system-level parameter should be set to a particular value, either specified in the guideline or else site-specific
- Configuration: A certain hardware and/or software configuration or combination of settings should be used
- Operational: Indicates an ongoing check, either monitoring for certain actions or conditions, or else verifying the use of proper procedures

Assessment Procedure: describes how to validate whether or not the guideline is being followed. The remediation procedure is generally not described, but in some cases the remediation steps are available in an external reference.

The following fields are filled in where applicable or determinate:
- Configuration Parameter
- Configuration File
- Desired Value
- Is Desired Value the Default?

Negative Functional Impact indicates if this guideline has any side effects that reduce or prevent normal functionality.

Where possible, CLI commands for assessment and remediation are provided. The commands are provided for the vSphere CLI (vCLI), ESXi Shell, and PowerCLI. A reference to the API which relates to a guideline is also provided if possible.

For the ESXi guidelines, a special column indicates whether or not the guidelines can be configured using Host Profiles.

Guidelines: Virtual Machines

Each guideline in the guide is a row with the following fields: ID, Product, Version, Component, Subcomponent, Title, Vulnerability Discussion, Profile, Control Type, Assessment Procedure, Configuration File, Configuration Parameter, Desired Value, Change Type, Is desired value the default?, vSphere API, ESXi Shell Command Assessment, ESXi Shell Command Remediation, vCLI Command Assessment, vCLI Command Remediation, PowerCLI Command Assessment, PowerCLI Command Remediation, Negative Functional Impact, Reference, Able to set using Host Profile? (ESXi only). The rows are laid out below as records; fields the guide marks N/A are omitted. Every record in this section has Product vSphere, Version 5.1, Component Virtual Machines, and the vSphere API reference http://pubs.vmware.com/vsphere-51/topic/com.vmware.wssdk.apiref.doc/vim.option.OptionValue.html wherever a Configuration Parameter is given.

control-resource-usage
  Subcomponent: Resources
  Title: Prevent virtual machines from taking over resources.
  Vulnerability Discussion: By default, all virtual machines on an ESXi host share the resources equally. By using the resource management capabilities of ESXi, such as shares and limits, you can control the server resources that a virtual machine consumes. You can use this mechanism to prevent a denial of service that causes one virtual machine to consume so much of the host's resources that other virtual machines on the same host cannot perform their intended functions.
  Profile: 1,2
  Control Type: Operational
  Assessment Procedure: Use shares or reservations to guarantee resources to critical VMs. Use limits to constrain resource consumption by virtual machines that have a greater risk of being exploited or attacked, or that run applications that are known to have the potential to greatly consume resources.
  PowerCLI Command Assessment:
    # List all Resource shares on all VMs
    Get-VM | Get-VMResourceConfiguration

disable-autoinstall
  Subcomponent: Tools
  Title: Disable tools auto install
  Vulnerability Discussion: Tools auto install can initiate an automatic reboot; disabling this option will prevent tools from being installed automatically and prevent automatic machine reboots.
  Profile: 1,2
  Control Type: Parameter
  Assessment Procedure: Check virtual machine configuration file and verify that isolation.tools.autoInstall.disable is set to TRUE
  Configuration File: VMX
  Configuration Parameter: isolation.tools.autoInstall.disable
  Desired Value: TRUE
  Change Type: Modify
  Is desired value the default?: NO
  ESXi Shell Command Assessment: grep -i "isolation.tools.autoInstall.disable" [VMX]
  vCLI Command Assessment: vmware-cmd --server [SERVER] --username [USERNAME] --password [PASSWORD] /vmfs/volumes/[DATASTORE]/[VM]/[VM].vmx getguestinfo isolation.tools.autoInstall.disable
  PowerCLI Command Assessment:
    # List the VMs and their current settings
    Get-VM | Get-AdvancedSetting -Name "isolation.tools.autoInstall.disable" | Select Entity, Name, Value
  PowerCLI Command Remediation:
    # Add the setting to all VMs
    Get-VM | New-AdvancedSetting -Name "isolation.tools.autoInstall.disable" -value $true
  Negative Functional Impact: This option disables tools auto install; all tools installs will have to be manually started.

disable-console-copy
  Subcomponent: Monitor
  Title: Explicitly disable copy/paste operations
  Vulnerability Discussion: Copy and paste operations are disabled by default; however, by explicitly disabling this feature it will enable audit controls to check that this setting is correct.
  Profile: 1,2,3
  Control Type: Parameter
  Assessment Procedure: Check virtual machine configuration and verify that option is missing or set to true
  Configuration File: VMX
  Configuration Parameter: isolation.tools.copy.disable
  Desired Value: TRUE
  Change Type: Add or Modify
  Is desired value the default?: YES
  ESXi Shell Command Assessment: grep -i "isolation.tools.copy.disable" [VMX]
  vCLI Command Assessment: vmware-cmd --server [SERVER] --username [USERNAME] --password [PASSWORD] /vmfs/volumes/[DATASTORE]/[VM]/[VM].vmx getguestinfo isolation.tools.copy.disable
  PowerCLI Command Assessment:
    # List the VMs and their current settings
    Get-VM | Get-AdvancedSetting -Name "isolation.tools.copy.disable" | Select Entity, Name, Value
  PowerCLI Command Remediation:
    # Add the setting to all VMs
    Get-VM | New-AdvancedSetting -Name "isolation.tools.copy.disable" -value $true
  Negative Functional Impact: This is the default setting so functionality remains the same

disable-console-dnd
  Subcomponent: Monitor
  Title: Explicitly disable copy/paste operations
  Vulnerability Discussion: as for disable-console-copy
  Profile: 1,2,3
  Control Type: Parameter
  Assessment Procedure: Check virtual machine configuration and verify that option is missing or set to true
  Configuration File: VMX
  Configuration Parameter: isolation.tools.dnd.disable
  Desired Value: TRUE
  Change Type: Add or Modify
  Is desired value the default?: YES
  ESXi Shell Command Assessment: grep -i isolation.tools.dnd.disable [VMX]
  vCLI Command Assessment: vmware-cmd --server [SERVER] --username [USERNAME] --password [PASSWORD] /vmfs/volumes/[DATASTORE]/[VM]/[VM].vmx getguestinfo isolation.tools.dnd.disable
  PowerCLI Command Assessment:
    # List the VMs and their current settings
    Get-VM | Get-AdvancedSetting -Name "isolation.tools.dnd.disable" | Select Entity, Name, Value
  PowerCLI Command Remediation:
    # Add the setting to all VMs
    Get-VM | New-AdvancedSetting -Name "isolation.tools.dnd.disable" -value $true

disable-console-gui-options
  Subcomponent: Monitor
  Title: Explicitly disable copy/paste operations
  Vulnerability Discussion: as for disable-console-copy
  Profile: 1,2,3
  Control Type: Parameter
  Assessment Procedure: Check virtual machine configuration and verify that option is missing or set to false
  Configuration File: VMX
  Configuration Parameter: isolation.tools.setGUIOptions.enable
  Desired Value: FALSE
  Change Type: Add or Modify
  Is desired value the default?: YES
  ESXi Shell Command Assessment: grep -i isolation.tools.setGUIOptions.enable [VMX]
  vCLI Command Assessment: vmware-cmd --server [SERVER] --username [USERNAME] --password [PASSWORD] /vmfs/volumes/[DATASTORE]/[VM]/[VM].vmx getguestinfo isolation.tools.setGUIOptions.enable
  PowerCLI Command Assessment:
    # List the VMs and their current settings
    Get-VM | Get-AdvancedSetting -Name "isolation.tools.setGUIOptions.enable" | Select Entity, Name, Value
  PowerCLI Command Remediation:
    # Add the setting to all VMs
    Get-VM | New-AdvancedSetting -Name "isolation.tools.setGUIOptions.enable" -value $false

disable-console-paste
  Subcomponent: Monitor
  Title: Explicitly disable copy/paste operations
  Vulnerability Discussion: as for disable-console-copy
  Profile: 1,2,3
  Control Type: Parameter
  Assessment Procedure: Check virtual machine configuration and verify that option is missing or set to true
  Configuration File: VMX
  Configuration Parameter: isolation.tools.paste.disable
  Desired Value: TRUE
  Change Type: Add or Modify
  Is desired value the default?: YES
  ESXi Shell Command Assessment: grep -i isolation.tools.paste.disable [VMX]
  vCLI Command Assessment: vmware-cmd --server [SERVER] --username [USERNAME] --password [PASSWORD] /vmfs/volumes/[DATASTORE]/[VM]/[VM].vmx getguestinfo isolation.tools.paste.disable
  PowerCLI Command Assessment:
    # List the VMs and their current settings
    Get-VM | Get-AdvancedSetting -Name "isolation.tools.paste.disable" | Select Entity, Name, Value
  PowerCLI Command Remediation:
    # Add the setting to all VMs
    Get-VM | New-AdvancedSetting -Name "isolation.tools.paste.disable" -value $true
  Negative Functional Impact: This is the default setting so functionality remains the same

disable-disk-shrinking-shrink
  Subcomponent: Storage
  Title: Disable virtual disk shrinking.
  Vulnerability Discussion: Shrinking a virtual disk reclaims unused space in it. If there is empty space in the disk, this process reduces the amount of space the virtual disk occupies on the host drive. Normal users and processes (that is, users and processes without root or administrator privileges) within virtual machines have the capability to invoke this procedure. However, if this is done repeatedly, the virtual disk can become unavailable while this shrinking is being performed, effectively causing a denial of service. In most datacenter environments, disk shrinking is not done, so you should disable this feature by setting the parameters listed in Table 9. Repeated disk shrinking can make a virtual disk unavailable. Capability is available to nonadministrative users in the guest.
  Profile: 1,2,3
  Control Type: Parameter
  Assessment Procedure: Check virtual machine configuration file and verify that isolation.tools.diskShrink.disable is set to TRUE
  Configuration File: VMX
  Configuration Parameter: isolation.tools.diskShrink.disable
  Desired Value: TRUE
  Change Type: Add
  Is desired value the default?: NO
  ESXi Shell Command Assessment: grep -i "isolation.tools.diskShrink.disable" [VMX]
  vCLI Command Assessment: vmware-cmd --server [SERVER] --username [USERNAME] --password [PASSWORD] /vmfs/volumes/[DATASTORE]/[VM]/[VM].vmx getguestinfo isolation.tools.diskShrink.disable
  PowerCLI Command Assessment:
    # List the VMs and their current settings
    Get-VM | Get-AdvancedSetting -Name "isolation.tools.diskShrink.disable" | Select Entity, Name, Value
  PowerCLI Command Remediation:
    # Add the setting to all VMs
    Get-VM | New-AdvancedSetting -Name "isolation.tools.diskShrink.disable" -value $true
  Negative Functional Impact: Inability to shrink virtual machine disks in the event that a datastore runs out of space.

disable-disk-shrinking-wiper
  Subcomponent: Storage
  Title: Disable virtual disk shrinking.
  Vulnerability Discussion: as for disable-disk-shrinking-shrink
  Profile: 1,2,3
  Control Type: Parameter
  Assessment Procedure: Check virtual machine configuration file and verify that isolation.tools.diskWiper.disable is set to TRUE
  Configuration File: VMX
  Configuration Parameter: isolation.tools.diskWiper.disable
  Desired Value: TRUE
  Change Type: Add
  Is desired value the default?: NO
  ESXi Shell Command Assessment: grep -i "isolation.tools.diskWiper.disable" [VMX]
  vCLI Command Assessment: vmware-cmd --server [SERVER] --username [USERNAME] --password [PASSWORD] /vmfs/volumes/[DATASTORE]/[VM]/[VM].vmx getguestinfo isolation.tools.diskWiper.disable
  PowerCLI Command Assessment:
    # List the VMs and their current settings
    Get-VM | Get-AdvancedSetting -Name "isolation.tools.diskWiper.disable" | Select Entity, Name, Value
  PowerCLI Command Remediation:
    # Add the setting to all VMs
    Get-VM | New-AdvancedSetting -Name "isolation.tools.diskWiper.disable" -value $true
  Negative Functional Impact: Inability to shrink virtual machine disks in the event that a datastore runs out of space.

disable-hgfs
  Subcomponent: Monitor
  Title: Disable HGFS file transfers
  Vulnerability Discussion: Certain automated operations such as automated tools upgrades use a component in the hypervisor called "Host Guest File System", and an attacker could potentially use this to transfer files inside the guest OS.
  Profile: 1
  Control Type: Parameter
  Assessment Procedure: Check virtual machine configuration file and verify that isolation.tools.hgfsServerSet.disable is set to TRUE
  Configuration File: VMX
  Configuration Parameter: isolation.tools.hgfsServerSet.disable
  Desired Value: TRUE
  Change Type: Modify
  Is desired value the default?: NO
  ESXi Shell Command Assessment: grep -i "isolation.tools.hgfsServerSet.disable" [VMX]
  vCLI Command Assessment: vmware-cmd --server [SERVER] --username [USERNAME] --password [PASSWORD] /vmfs/volumes/[DATASTORE]/[VM]/[VM].vmx getguestinfo isolation.tools.hgfsServerSet.disable
  PowerCLI Command Assessment:
    # List the VMs and their current settings
    Get-VM | Get-AdvancedSetting -Name "isolation.tools.hgfsServerSet.disable" | Select Entity, Name, Value
  PowerCLI Command Remediation:
    # Add the setting to all VMs
    Get-VM | New-AdvancedSetting -Name "isolation.tools.hgfsServerSet.disable" -value $true
  Negative Functional Impact: This will cause the VMX process to not respond to commands from the tools process; this may have a negative impact on operations such as automated tools upgrades.

disable-independent-nonpersistent
  Subcomponent: Storage
  Title: Avoid using independent nonpersistent disks.
  Vulnerability Discussion: The security issue with nonpersistent disk mode is that successful attackers, with a simple shutdown or reboot, might undo or remove any traces that they were ever on the machine. To safeguard against this risk, you should set production virtual machines to use either persistent disk mode or nonpersistent disk mode; additionally, make sure that activity within the VM is logged remotely on a separate server, such as a syslog server or equivalent Windows-based event collector. Without a persistent record of activity on a VM, administrators might never know whether they have been attacked or hacked.
  Profile: 1,2
  Control Type: Parameter
  Assessment Procedure: If remote logging of events and activity is not configured for the guest, scsiX:Y.mode should be either: 1. Not present 2. Not set to independent nonpersistent
  Configuration File: VMX
  Configuration Parameter: scsiX:Y.mode
  Desired Value: not present or independent nonpersistent
  Change Type: remove, modify
  ESXi Shell Command Assessment: grep -i "^scsi[0-9]*:[0-9]*.mode" [VMX]
  vCLI Command Assessment:
    1. vifs --server [SERVER] --username [USERNAME] --password [PASSWORD] -g "[DATASTORE] VM/VM.vmx" VM.vmx
    2. grep -i "^scsi[0-9]*:[0-9]*.mode" [VMX]
  PowerCLI Command Assessment:
    # List the VMs and their disk types
    Get-VM | Get-HardDisk | Select Parent, Name, Filename, DiskType, Persistence
  PowerCLI Command Remediation:
    # Alter the parameters for the following cmdlet to set the VM Disk Type:
    Get-VM | Get-HardDisk | Set-HardDisk
  Negative Functional Impact: Won't be able to make use of nonpersistent mode, which allows rollback to a known state when rebooting the VM.

disable-intervm-vmci
  Subcomponent: Communication
  Title: Disable VM-to-VM communication through VMCI.
  Vulnerability Discussion: If the interface is not restricted, a VM can detect and be detected by all other VMs with the same option enabled within the same host. This might be the intended behavior, but custom-built software can have unexpected vulnerabilities that might potentially lead to an exploit. Additionally, it is possible for a VM to detect how many other VMs are within the same ESXi system by simply registering the VM. This information might also be used for a potentially malicious objective. By default, the setting is FALSE. The VM can be exposed to other VMs within the same system as long as there is at least one program connected to the VMCI socket interface. THIS CONTROL HAS NO EFFECT IN 5.1. WHETHER SET TO ENABLED OR DISABLED, THE COMMUNICATION IS DISABLED.
  Profile: 1,2,3
  Control Type: Parameter
  Assessment Procedure: Check virtual machine configuration file and verify that vmci0.unrestricted is set to FALSE
  Configuration File: VMX
  Configuration Parameter: vmci0.unrestricted
  Desired Value: FALSE
  Change Type: Modify
  Is desired value the default?: YES
  ESXi Shell Command Assessment: grep -i "vmci0.unrestricted" [VMX]
  vCLI Command Assessment: vmware-cmd --server [SERVER] --username [USERNAME] --password [PASSWORD] /vmfs/volumes/[DATASTORE]/[VM]/[VM].vmx getguestinfo vmci0.unrestricted
  PowerCLI Command Assessment:
    # List the VMs and their current settings
    Get-VM | Get-AdvancedSetting -Name "vmci0.unrestricted" | Select Entity, Name, Value
  PowerCLI Command Remediation:
    # Add the setting to all VMs
    Get-VM | New-AdvancedSetting -Name "vmci0.unrestricted" -value $false
  Negative Functional Impact: Virtual machines will be unable to communicate using VMCI technology.
  Reference: doc reference for vmci obsoletion

disable-logging
  Subcomponent: Tools
  Title: Disable VM logging
  Vulnerability Discussion: You can use these settings to limit the total size and number of log files. Normally a new log file is created only when a host is rebooted, so the file can grow to be quite large. You can ensure that new log files are created more frequently by limiting the maximum size of the log files. If you want to restrict the total size of logging data, VMware recommends saving 10 log files, each one limited to 1,000KB. Datastores are likely to be formatted with a block size of 2MB or 4MB, so a size limit too far below this size would result in unnecessary storage utilization. Each time an entry is written to the log, the size of the log is checked; if it is over the limit, the next entry is written to a new log. If the maximum number of log files already exists, when a new one is created, the oldest log file is deleted. A denial-of-service attack that avoids these limits might be attempted by writing an enormous log entry. But each log entry is limited to 4KB, so no log files are ever more than 4KB larger than the configured limit. A second option is to disable logging for the virtual machine. Disabling logging for a virtual machine makes troubleshooting challenging and support difficult. You should not consider disabling logging unless the log file rotation approach proves insufficient. Uncontrolled logging can lead to denial of service due to the datastores being filled.
  Profile: 1
  Control Type: Parameter
  Assessment Procedure: Check virtual machine configuration file and verify that logging is set to FALSE
  Configuration File: VMX
  Configuration Parameter: logging
  Desired Value: FALSE
  Change Type: Add
  Is desired value the default?: NO
  ESXi Shell Command Assessment: grep -i "^logging" [VMX]
  Negative Functional Impact: VM logs unavailable for troubleshooting and support.

disable-monitor-control
  Subcomponent: Monitor
  Title: Disable VM Monitor Control
  Vulnerability Discussion: When virtual machines are running on a hypervisor they are "aware" that they are running in a virtual environment, and this information is available to tools inside the guest OS. This can give attackers information about the platform that they are running on that they may not get from a normal physical server. This option completely disables all hooks for a virtual machine, and the guest OS will not be aware that it is running in a virtual environment at all.
  Profile: 1
  Control Type: Parameter
  Assessment Procedure: Check virtual machine configuration file and verify that isolation.monitor.control.disable is set to TRUE
  Configuration File: VMX
  Configuration Parameter: isolation.monitor.control.disable
  Desired Value: TRUE
  Change Type: Add or Modify
  Is desired value the default?: NO
  ESXi Shell Command Assessment: grep -i "isolation.monitor.control.disable" [VMX]
  vCLI Command Assessment: vmware-cmd --server [SERVER] --username [USERNAME] --password [PASSWORD] /vmfs/volumes/[DATASTORE]/[VM]/[VM].vmx getguestinfo isolation.monitor.control.disable
  PowerCLI Command Assessment:
    # List the VMs and their current settings
    Get-VM | Get-AdvancedSetting -Name "isolation.monitor.control.disable" | Select Entity, Name, Value
  PowerCLI Command Remediation:
    # Add the setting to all VMs
    Get-VM | New-AdvancedSetting -Name "isolation.monitor.control.disable" -value $true
  Negative Functional Impact: This configuration option may cause unexpected results; the virtual machine will be completely unaware that it is running in a virtualized setting. VMware Tools will not install or function.

disable-unexposed-features-* (shared fields)
  Subcomponent: Monitor
  Title: Disable certain unexposed features.
  Vulnerability Discussion: Because VMware virtual machines are designed to work on both vSphere as well as hosted virtualization platforms such as Workstation and Fusion, there are some VMX parameters that don't apply when running on vSphere. Although the functionality governed by these parameters is not exposed on ESX, explicitly disabling them will reduce the potential for vulnerabilities. Disabling these features reduces the number of vectors through which a guest can attempt to influence the host, and thus may help prevent successful exploits.
  Profile: 1
  Control Type: Parameter
  Assessment Procedure: Check virtual machine configuration file and verify that the Configuration Parameter is set to TRUE
  Configuration File: VMX
  Desired Value: TRUE
  Is desired value the default?: NO
  ESXi Shell Command Assessment: grep -i "[PARAMETER]" [VMX]
  vCLI Command Assessment: vmware-cmd --server [SERVER] --username [USERNAME] --password [PASSWORD] /vmfs/volumes/[DATASTORE]/[VM]/[VM].vmx getguestinfo [PARAMETER]
  PowerCLI Command Assessment:
    # List the VMs and their current settings
    Get-VM | Get-AdvancedSetting -Name "[PARAMETER]" | Select Entity, Name, Value
  PowerCLI Command Remediation:
    # Add the setting to all VMs
    Get-VM | New-AdvancedSetting -Name "[PARAMETER]" -value $true
  (Substitute the Configuration Parameter of each guideline below for [PARAMETER].)

disable-unexposed-features-autologon
  Configuration Parameter: isolation.tools.ghi.autologon.disable
  Change Type: Modify

disable-unexposed-features-biosbbs
  Configuration Parameter: isolation.bios.bbs.disable
  Change Type: Modify

disable-unexposed-features-getcreds
  Configuration Parameter: isolation.tools.getCreds.disable
  Change Type: Modify

disable-unexposed-features-launchmenu
  Configuration Parameter: isolation.tools.ghi.launchmenu.change
  Change Type: Modify

disable-unexposed-features-memsfss
  Configuration Parameter: isolation.tools.memSchedFakeSampleStats.disable
  Change Type: Modify

disable-unexposed-features-protocolhandler
  Configuration Parameter: isolation.tools.ghi.protocolhandler.info.disable
  Change Type: Add
  Negative Functional Impact: Some automated tools and processes may cease to function

disable-unexposed-features-shellaction
  Configuration Parameter: isolation.ghi.host.shellAction.disable
  Change Type: Add
  Negative Functional Impact: Some automated tools and processes may cease to function

disable-unexposed-features-toporequest
  Configuration Parameter: isolation.tools.dispTopoRequest.disable
  Change Type: Add
  Negative Functional Impact: Some automated tools and processes may cease to function

disable-unexposed-features-trashfolderstate
  Configuration Parameter: isolation.tools.trashFolderState.disable
  Change Type: Add
  Negative Functional Impact: Some automated tools and processes may cease to function

disable-unexposed-features-trayicon
  Configuration Parameter: isolation.tools.ghi.trayicon.disable
  Change Type: Add
  Negative Functional Impact: Some automated tools and processes may cease to function

disable-unexposed-features-unity
  (Shared fields as above; the remaining fields of this guideline are not present in this transcript.)
Disabling these features reduces the number of vectors through which a guest can attempt to influence the host, and thus may help prevent successful exploits.1ParameterCheck virtual machine configuration file and verify that isolation.tools.unity.disable is set to TRUEVMXisolation.tools.unity.disableTRUEAddNOhttp://pubs.vmware.com/vsphere-51/topic/com.vmware.wssdk.apiref.doc/vim.option.OptionValue.htmlgrep -i "isolation.tools.unity.disable" [VMX]N/Avmware-cmd --server [SERVER] --username [USERNAME] --password [PASSWORD] /vmfs/volumes/[DATASTORE]/[VM]/[VM].vmx getguestinfo isolation.tools.unity.disableN/A# List the VMs and their current settingsGet-VM | Get-AdvancedSetting -Name "isolation.tools.unity.disable"| Select Entity, Name, Value# Add the setting to all VMsGet-VM | New-AdvancedSetting -Name "isolation.tools.unity.disable" -value $trueSome automated tools and process may cease to functionN/Adisable-unexposed-features-unity-interlockvSphere5.1Virtual MachinesMonitorDisable certain unexposed features. Because VMware virtual machines are designed to work on both vSphere as well as hosted virtualization platforms such as Workstation and Fusion, there are some VMX parameters that dont apply when running on vSphere. Although the functionality governed by these parameters is not exposed on ESX, explicitly disabling them will reduce the potential for vulnerabilities. 
Disabling these features reduces the number of vectors through which a guest can attempt to influence the host, and thus may help prevent successful exploits.1ParameterCheck virtual machine configuration file and verify that isolation.tools.unityInterlockOperation.disable is set to TRUEVMXisolation.tools.unityInterlockOperation.disableTRUEAddNOhttp://pubs.vmware.com/vsphere-51/topic/com.vmware.wssdk.apiref.doc/vim.option.OptionValue.htmlgrep -i "isolation.tools.unityInterlockOperation.disable" [VMX]N/Avmware-cmd --server [SERVER] --username [USERNAME] --password [PASSWORD] /vmfs/volumes/[DATASTORE]/[VM]/[VM].vmx getguestinfo isolation.tools.unityInterlockOperation.disableN/A# List the VMs and their current settingsGet-VM | Get-AdvancedSetting -Name "isolation.tools.unityInterlockOperation.disable"| Select Entity, Name, Value# Add the setting to all VMsGet-VM | New-AdvancedSetting -Name "isolation.tools.unityInterlockOperation.disable" -value $trueSome automated tools and process may cease to functionN/Adisable-unexposed-features-unity-taskbarvSphere5.1Virtual MachinesMonitorDisable certain unexposed features. Because VMware virtual machines are designed to work on both vSphere as well as hosted virtualization platforms such as Workstation and Fusion, there are some VMX parameters that dont apply when running on vSphere. Although the functionality governed by these parameters is not exposed on ESX, explicitly disabling them will reduce the potential for vulnerabilities. 
Disabling these features reduces the number of vectors through which a guest can attempt to influence the host, and thus may help prevent successful exploits.1ParameterCheck virtual machine configuration file and verify that isolation.tools.unity.taskbar.disable is set to TRUEVMXisolation.tools.unity.taskbar.disableTRUEAddNOhttp://pubs.vmware.com/vsphere-51/topic/com.vmware.wssdk.apiref.doc/vim.option.OptionValue.htmlgrep -i "isolation.tools.unity.taskbar.disable" [VMX]N/Avmware-cmd --server [SERVER] --username [USERNAME] --password [PASSWORD] /vmfs/volumes/[DATASTORE]/[VM]/[VM].vmx getguestinfo isolation.tools.unity.taskbar.disableN/A# List the VMs and their current settingsGet-VM | Get-AdvancedSetting -Name "isolation.tools.unity.taskbar.disable" | Select Entity, Name, Value# Add the setting to all VMsGet-VM | New-AdvancedSetting -Name "isolation.tools.unity.taskbar.disable" -value $trueSome automated tools and process may cease to functionN/Adisable-unexposed-features-unity-unityactivevSphere5.1Virtual MachinesMonitorDisable certain unexposed features. Because VMware virtual machines are designed to work on both vSphere as well as hosted virtualization platforms such as Workstation and Fusion, there are some VMX parameters that dont apply when running on vSphere. Although the functionality governed by these parameters is not exposed on ESX, explicitly disabling them will reduce the potential for vulnerabilities. 
Disabling these features reduces the number of vectors through which a guest can attempt to influence the host, and thus may help prevent successful exploits.1ParameterCheck virtual machine configuration file and verify that isolation.tools.unityActive.disable is set to TRUEVMXisolation.tools.unityActive.disableTRUEAddNOhttp://pubs.vmware.com/vsphere-51/topic/com.vmware.wssdk.apiref.doc/vim.option.OptionValue.htmlgrep -i "isolation.tools.unityActive.disable" [VMX]N/Avmware-cmd --server [SERVER] --username [USERNAME] --password [PASSWORD] /vmfs/volumes/[DATASTORE]/[VM]/[VM].vmx getguestinfo isolation.tools.unityActive.disableN/A# List the VMs and their current settingsGet-VM | Get-AdvancedSetting -Name "isolation.tools.unityActive.disable" | Select Entity, Name, Value# Add the setting to all VMsGet-VM | New-AdvancedSetting -Name "isolation.tools.unityActive.disable" -value $TrueSome automated tools and process may cease to functionN/Adisable-unexposed-features-unity-windowcontentsvSphere5.1Virtual MachinesMonitorDisable certain unexposed features. Because VMware virtual machines are designed to work on both vSphere as well as hosted virtualization platforms such as Workstation and Fusion, there are some VMX parameters that dont apply when running on vSphere. Although the functionality governed by these parameters is not exposed on ESX, explicitly disabling them will reduce the potential for vulnerabilities. 
Disabling these features reduces the number of vectors through which a guest can attempt to influence the host, and thus may help prevent successful exploits.1ParameterCheck virtual machine configuration file and verify that isolation.tools.unity.windowContents.disable is set to TRUEVMXisolation.tools.unity.windowContents.disableTRUEAddNOhttp://pubs.vmware.com/vsphere-51/topic/com.vmware.wssdk.apiref.doc/vim.option.OptionValue.htmlgrep -i "isolation.tools.unity.windowContents.disable" [VMX]N/Avmware-cmd --server [SERVER] --username [USERNAME] --password [PASSWORD] /vmfs/volumes/[DATASTORE]/[VM]/[VM].vmx getguestinfo isolation.tools.unity.windowContents.disableN/A# List the VMs and their current settingsGet-VM | Get-AdvancedSetting -Name "isolation.tools.unity.windowContents.disable" | Select Entity, Name, Value# Add the setting to all VMsGet-VM | New-AdvancedSetting -Name "isolation.tools.unity.windowContents.disable" -value $TrueSome automated tools and process may cease to functionN/Adisable-unexposed-features-unitypushvSphere5.1Virtual MachinesMonitorDisable certain unexposed features. Because VMware virtual machines are designed to work on both vSphere as well as hosted virtualization platforms such as Workstation and Fusion, there are some VMX parameters that dont apply when running on vSphere. Although the functionality governed by these parameters is not exposed on ESX, explicitly disabling them will reduce the potential for vulnerabilities. 
Disabling these features reduces the number of vectors through which a guest can attempt to influence the host, and thus may help prevent successful exploits.1ParameterCheck virtual machine configuration file and verify that isolation.tools.unity.push.update.disable is set to TRUEVMXisolation.tools.unity.push.update.disableTRUEModifyNOhttp://pubs.vmware.com/vsphere-51/topic/com.vmware.wssdk.apiref.doc/vim.option.OptionValue.htmlgrep -i "isolation.tools.unity.push.update.disable"N/Avmware-cmd --server [SERVER] --username [USERNAME] --password [PASSWORD] /vmfs/volumes/[DATASTORE]/[VM]/[VM].vmx getguestinfo isolation.tools.unity.push.update.disableN/A# List the VMs and their current settingsGet-VM | Get-AdvancedSetting -Name "isolation.tools.unity.push.update.disable" | Select Entity, Name, Value# Add the setting to all VMsGet-VM | New-AdvancedSetting -Name "isolation.tools.unity.push.update.disable" -value $trueN/Adisable-unexposed-features-versiongetvSphere5.1Virtual MachinesMonitorDisable certain unexposed features. Because VMware virtual machines are designed to work on both vSphere as well as hosted virtualization platforms such as Workstation and Fusion, there are some VMX parameters that dont apply when running on vSphere. Although the functionality governed by these parameters is not exposed on ESX, explicitly disabling them will reduce the potential for vulnerabilities. 
Disabling these features reduces the number of vectors through which a guest can attempt to influence the host, and thus may help prevent successful exploits.1ParameterCheck virtual machine configuration file and verify that isolation.tools.vmxDnDVersionGet.disable is set to TRUEVMXisolation.tools.vmxDnDVersionGet.disableTRUEAddNOhttp://pubs.vmware.com/vsphere-51/topic/com.vmware.wssdk.apiref.doc/vim.option.OptionValue.htmlgrep -i "isolation.tools.vmxDnDVersionGet.disable" [VMX]N/Avmware-cmd --server [SERVER] --username [USERNAME] --password [PASSWORD] /vmfs/volumes/[DATASTORE]/[VM]/[VM].vmx getguestinfo isolation.tools.vmxDnDVersionGet.disableN/A# List the VMs and their current settingsGet-VM | Get-AdvancedSetting -Name "isolation.tools.vmxDnDVersionGet.disable"| Select Entity, Name, Value# Add the setting to all VMsGet-VM | New-AdvancedSetting -Name "isolation.tools.vmxDnDVersionGet.disable" -value $trueSome automated tools and process may cease to functionN/Adisable-unexposed-features-versionsetvSphere5.1Virtual MachinesMonitorDisable certain unexposed features. Because VMware virtual machines are designed to work on both vSphere as well as hosted virtualization platforms such as Workstation and Fusion, there are some VMX parameters that dont apply when running on vSphere. Although the functionality governed by these parameters is not exposed on ESX, explicitly disabling them will reduce the potential for vulnerabilities. 
Disabling these features reduces the number of vectors through which a guest can attempt to influence the host, and thus may help prevent successful exploits.1ParameterCheck virtual machine configuration file and verify that isolation.tools.guestDnDVersionSet.disable is set to TRUEVMXisolation.tools.guestDnDVersionSet.disableTRUEAddNOhttp://pubs.vmware.com/vsphere-51/topic/com.vmware.wssdk.apiref.doc/vim.option.OptionValue.htmlgrep -i "isolation.tools.guestDnDVersionSet.disable" [VMX]N/Avmware-cmd --server [SERVER] --username [USERNAME] --password [PASSWORD] /vmfs/volumes/[DATASTORE]/[VM]/[VM].vmx getguestinfo isolation.tools.guestDnDVersionSet.disableN/A# List the VMs and their current settingsGet-VM | Get-AdvancedSetting -Name "isolation.tools.guestDnDVersionSet.disable"| Select Entity, Name, Value# Add the setting to all VMsGet-VM | New-AdvancedSetting -Name "isolation.tools.guestDnDVersionSet.disable" -value $trueSome automated tools and process may cease to functionN/Adisable-unnecessary-functionsvSphere5.1Virtual MachinesGuestDisable unnecessary or superfluous functions inside VMs. By disabling unnecessary system components that are not needed to support the application or service running on the system, you reduce the number of parts that can be attacked. VMs often dont require as many services or functions as ordinary physical servers; so when virtualizing, you should evaluate whether a particular service or function is truly needed. Any service running in a VM provides a potential avenue of attack. 1,2,3OperationalSome of these steps include: 1. Disable unused services in the operating system. For example, if the system runs a file server, make sure to turn off any Web services. 2. Disconnect unused physical devices, such as CD/DVD drives, floppy drives, and USB adaptors. This is described in the Removing Unnecessary Hardware Devices section in the ESXI Configuration Guide.3. Turn off any screen savers. 
If using a Linux, BSD, or Solaris guest operating system, do not run the X Window system unless it is necessary.N/AN/AN/AN/AN/AN/AN/AN/AN/AN/AN/Adisable-vix-messagesvSphere5.1Virtual MachinesToolsDisable VIX messages from the VMThe VIX API is a library for writing scripts and programs to manipulate virtual machines. If you do not make use of custom VIX programming in your environment, then you should consider disabling certain features to reduce the potential for vulnerabilities. The ability to send messages from the VM to the host is one of these features. Note that disabling this feature does NOT adversely affect the functioning of VIX operations that originate outside the guest, so certain VMware and 3rd party solutions that rely upon this capability should continue to work. This is a deprecated interface. Enabling this setting is for Profile 1 only, to ensure that any deprecated interface is turned off for audit purposes. 1ParameterCheck virtual machine configuration file and verify that isolation.tools.vixMessage.disable is set to TRUEVMXisolation.tools.vixMessage.disableTRUEAddNOhttp://pubs.vmware.com/vsphere-51/topic/com.vmware.wssdk.apiref.doc/vim.option.OptionValue.htmlgrep -i "isolation.tools.vixMessage.disable" [VMX]N/Avmware-cmd --server [SERVER] --username [USERNAME] --password [PASSWORD] /vmfs/volumes/[DATASTORE]/[VM]/[VM].vmx getguestinfo isolation.tools.vixMessage.disableN/A# List the VMs and their current settingsGet-VM | Get-AdvancedSetting -Name "isolation.tools.vixMessage.disable"| Select Entity, Name, Value# Add the setting to all VMsGet-VM | New-AdvancedSetting -Name "isolation.tools.vixMessage.disable" -value $trueGuest will no longer be able to send messages via VIX APIN/Adisconnect-devices-floppyvSphere5.1Virtual MachinesDeviceDisconnect unauthorized devicesBesides disabling unnecessary virtual devices from within the virtual machine, you should ensure that no device is connected to a virtual machine if it is not required to be there. 
For example, serial and parallel ports are rarely used for virtual machines in a datacenter environment, and CD/DVD drives are usually connected only temporarily during software installation. For less commonly used devices that are not required, either the parameter should not be present or its value must be FALSE. NOTE: The parameters listed are not sufficient to ensure that a device is usable; other parameters are required to indicate specifically how each device is instantiated. Any enabled or connected device represents another potential attack channel.1,2ParameterThe following parameters should either NOT be present or should be set to FALSE, unless Floppy drives are required: floppyX.presentVMXfloppyX.presentnot present or FALSEremove, modifyNOhttp://pubs.vmware.com/vsphere-51/topic/com.vmware.wssdk.apiref.doc/vim.vm.device.VirtualDevice.html grep -i "^floppy[0-9]*.present" [VMX]N/A1. vifs --server [SERVER] --username [USERNAME] --password [PASSWORD] -g "[DATASTORE] VM/VM.vmx" VM.vmx 2. grep -i "^floppy[0-9]*.present" [VMX]N/A# Check for Floppy Devices attached to VMsGet-VM | Get-FloppyDrive | Select Parent, Name, ConnectionState# Remove all Floppy drives attached to VMsGet-VM | Get-FloppyDrive | Remove-FloppyDriveVirtual machine will need to be powered off to reverse change if any of these devices are needed at a later time.N/Adisconnect-devices-idevSphere5.1Virtual MachinesDeviceDisconnect unauthorized devicesBesides disabling unnecessary virtual devices from within the virtual machine, you should ensure that no device is connected to a virtual machine if it is not required to be there. For example, serial and parallel ports are rarely used for virtual machines in a datacenter environment, and CD/DVD drives are usually connected only temporarily during software installation. For less commonly used devices that are not required, either the parameter should not be present or its value must be FALSE. 
NOTE: The parameters listed are not sufficient to ensure that a device is usable; other parameters are required to indicate specifically how each device is instantiated. Any enabled or connected device represents another potential attack channel.1,2ParameterThe following parameters should either NOT be present or should be set to FALSE, unless CD-ROM is required: ideX:Y.presentVMXideX:Y.presentnot present or FALSEremove, modifyNOhttp://pubs.vmware.com/vsphere-51/topic/com.vmware.wssdk.apiref.doc/vim.vm.device.VirtualDevice.htmlgrep -i "^ide[0-9]*.present" [VMX]N/A1. vifs --server [SERVER] --username [USERNAME] --password [PASSWORD] -g "[DATASTORE] VM/VM.vmx" VM.vmx 2. grep -i "^ide[0-9]*.present" [VMX]N/A# Check for CD/DVD Drives attached to VMsGet-VM | Get-CDDrive# Remove all CD/DVD Drives attached to VMsGet-VM | Get-CDDrive | Remove-CDDriveVirtual machine will need to be powered off to reverse change if any of these devices are needed at a later time.N/Adisconnect-devices-parallelvSphere5.1Virtual MachinesDeviceDisconnect unauthorized devicesBesides disabling unnecessary virtual devices from within the virtual machine, you should ensure that no device is connected to a virtual machine if it is not required to be there. For example, serial and parallel ports are rarely used for virtual machines in a datacenter environment, and CD/DVD drives are usually connected only temporarily during software installation. For less commonly used devices that are not required, either the parameter should not be present or its value must be FALSE. NOTE: The parameters listed are not sufficient to ensure that a device is usable; other parameters are required to indicate specifically how each device is instantiated. 
Any enabled or connected device represents another potential attack channel.1,2ParameterThe following parameters should either NOT be present or should be set to FALSE, unless Parallel ports are required: parallelX.presentVMXparallelX.presentnot present or FALSEremove, modifyNOhttp://pubs.vmware.com/vsphere-51/topic/com.vmware.wssdk.apiref.doc/vim.vm.device.VirtualDevice.htmlgrep -i "^parallel[0-9]*.present" [VMX]N/A1. vifs --server [SERVER] --username [USERNAME] --password [PASSWORD] -g "[DATASTORE] VM/VM.vmx" VM.vmx 2. grep -i "^parallel[0-9]*.present" [VMX]N/A# In this Example you will need to add the functions from this post: http://blogs.vmware.com/vipowershell/2012/05/working-with-vm-devices-in-powercli.html# Check for Parallel ports attached to VMsGet-VM | Get-ParallelPort# In this Example you will need to add the functions from this post: http://blogs.vmware.com/vipowershell/2012/05/working-with-vm-devices-in-powercli.html# Remove all Parallel Ports attached to VMsGet-VM | Get-ParallelPort | Remove-ParallelPortVirtual machine will need to be powered off to reverse change if any of these devices are needed at a later time.N/Adisconnect-devices-serialvSphere5.1Virtual MachinesDeviceDisconnect unauthorized devicesBesides disabling unnecessary virtual devices from within the virtual machine, you should ensure that no device is connected to a virtual machine if it is not required to be there. For example, serial and parallel ports are rarely used for virtual machines in a datacenter environment, and CD/DVD drives are usually connected only temporarily during software installation. For less commonly used devices that are not required, either the parameter should not be present or its value must be FALSE. NOTE: The parameters listed are not sufficient to ensure that a device is usable; other parameters are required to indicate specifically how each device is instantiated. 
Any enabled or connected device represents another potential attack channel.1,2ParameterThe following parameters should either NOT be present or should be set to FALSE, unless Serial ports are required: serialX.presentVMXserialX.presentnot present or FALSEremove, modifyNOhttp://pubs.vmware.com/vsphere-51/topic/com.vmware.wssdk.apiref.doc/vim.vm.device.VirtualDevice.htmlgrep -i "^serial[0-9]*.present" [VMX]N/A1. vifs --server [SERVER] --username [USERNAME] --password [PASSWORD] -g "[DATASTORE] VM/VM.vmx" VM.vmx 2. grep -i "^floppy[0-9]*.present" [VMX]N/A# In this Example you will need to add the functions from this post: http://blogs.vmware.com/vipowershell/2012/05/working-with-vm-devices-in-powercli.html# Check for Serial ports attached to VMsGet-VM | Get-SerialPort# In this Example you will need to add the functions from this post: http://blogs.vmware.com/vipowershell/2012/05/working-with-vm-devices-in-powercli.html# Remove all Serial Ports attached to VMsGet-VM | Get-SerialPort | Remove-SerialPortVirtual machine will need to be powered off to reverse change if any of these devices are needed at a later time.N/Adisconnect-devices-usbvSphere5.1Virtual MachinesDeviceDisconnect unauthorized devicesBesides disabling unnecessary virtual devices from within the virtual machine, you should ensure that no device is connected to a virtual machine if it is not required to be there. For example, serial and parallel ports are rarely used for virtual machines in a datacenter environment, and CD/DVD drives are usually connected only temporarily during software installation. For less commonly used devices that are not required, either the parameter should not be present or its value must be FALSE. NOTE: The parameters listed are not sufficient to ensure that a device is usable; other parameters are required to indicate specifically how each device is instantiated. 
Any enabled or connected device represents another potential attack channel.1,2ParameterThe following parameters should either NOT be present or should be set to FALSE, unless USB controllers are required: usb.presentVMXusb.presentnot present or FALSEremove, modifyNOhttp://pubs.vmware.com/vsphere-51/topic/com.vmware.wssdk.apiref.doc/vim.vm.device.VirtualDevice.htmlgrep -i "^usb[0-9]*.present" [VMX]N/A1. vifs --server [SERVER] --username [USERNAME] --password [PASSWORD] -g "[DATASTORE] VM/VM.vmx" VM.vmx 2. grep -i "^usb[0-9]*.present" [VMX]N/A# Check for USB Devices attached to VMsGet-VM | Get-USBDevice# Remove all USB Devices attached to VMsGet-VM | Get-USBDevice | Remove-USBDeviceVirtual machine will need to be powered off to reverse change if any of these devices are needed at a later time.N/Alimit-console-connections-onevSphere5.1Virtual MachinesCommunicationLimit sharing of console connectionsBy default, remote console sessions can be connected to by more than one user at a time. When multiple sessions are activated, each terminal window gets a notification about the new session. If an administrator in the VM logs in using a VMware remote console during their session, a nonadministrator in the VM might connect to the console and observe the administrator's actions. Also, this could result in an administrator losing console access to a virtual machine. For example if a jump box is being used for an open console session, and the admin loses connection to that box, then the console session remains open. Allowing two console sessions permits debugging via a shared session. 
For highest security, only one remote console session at a time should be allowed1,2ParameterCheck virtual machine configuration file and verify that RemoteDisplay.maxConnections is set to 1VMXRemoteDisplay.maxConnections1modifyNOhttp://pubs.vmware.com/vsphere-51/topic/com.vmware.wssdk.apiref.doc/vim.option.OptionValue.htmlgrep -i "RemoteDisplay.maxConnections" [VMX]N/Avmware-cmd --server [SERVER] --username [USERNAME] --password [PASSWORD] /vmfs/volumes/[DATASTORE]/[VM]/[VM].vmx getguestinfo RemoteDisplay.maxConnectionsN/A# List the VMs and their current settingsGet-VM | Get-AdvancedSetting -Name "RemoteDisplay.maxConnections" | Select Entity, Name, Value # Add the setting to all VMsGet-VM | New-AdvancedSetting -Name "RemoteDisplay.maxConnections" -value 1Only one remote console connection to the VM will be permitted. Other attempts will be rejected until the first session disconnects.N/Alimit-console-connections-twovSphere5.1Virtual MachinesCommunicationLimit sharing of console connectionsBy default, remote console sessions can be connected to by more than one user at a time. When multiple sessions are activated, each terminal window gets a notification about the new session. If an administrator in the VM logs in using a VMware remote console during their session, a nonadministrator in the VM might connect to the console and observe the administrator's actions. Also, this could result in an administrator losing console access to a virtual machine. For example if a jump box is being used for an open console session, and the admin loses connection to that box, then the console session remains open. Allowing two console sessions permits debugging via a shared session. 
For highest security, only one remote console session at a time should be allowed3ParameterCheck virtual machine configuration file and verify that RemoteDisplay.maxConnections is set to 2VMXRemoteDisplay.maxConnections2modifyNOhttp://pubs.vmware.com/vsphere-51/topic/com.vmware.wssdk.apiref.doc/vim.option.OptionValue.htmlgrep -i "RemoteDisplay.maxConnections" [VMX]N/Avmware-cmd --server [SERVER] --username [USERNAME] --password [PASSWORD] /vmfs/volumes/[DATASTORE]/[VM]/[VM].vmx getguestinfo RemoteDisplay.maxConnectionsN/A# List the VMs and their current settingsGet-VM | Get-AdvancedSetting -Name "RemoteDisplay.maxConnections" | Select Entity, Name, Value# Add the setting to all VMsGet-VM | New-AdvancedSetting -Name "RemoteDisplay.maxConnections" -value 2Only two remote console connections to the VM will be permitted. Other attempts will be rejected until the one session disconnects. This still allows sharing but keeps the amount of connections limitedN/Alimit-log-numbervSphere5.1Virtual MachinesToolsLimit VM loggingYou can use these settings to limit the total size and number of log files. Normally a new log file is created only when a host is rebooted, so the file can grow to be quite large. You can ensure that new log files are created more frequently by limiting the maximum size of the log files. If you want to restrict the total size of logging data, VMware recommends saving 10 log files, each one limited to 1,000KB. Datastores are likely to be formatted with a block size of 2MB or 4MB, so a size limit too far below this size would result in unnecessary storage utilization. Each time an entry is written to the log, the size of the log is checked; if it is over the limit, the next entry is written to a new log. If the maximum number of log files already exists, when a new one is created, the oldest log file is deleted. A denial-of-service attack that avoids these limits might be attempted by writing an enormous log entry. 
But each log entry is limited to 4KB, so no log files are ever more than 4KB larger than the configured limit. A second option is to disable logging for the virtual machine. Disabling logging for a virtual machine makes troubleshooting challenging and support difficult. You should not consider disabling logging unless the log file rotation approach proves insufficient. Uncontrolled logging can lead to denial of service due to the datastores being filled.
Profile: 2,3
Control Type: Parameter
Assessment Procedure: Check virtual machine configuration file and verify that log.keepOld is set to 10
Configuration File: VMX
Configuration Parameter: log.keepOld
Desired Value: 10
Change Type: Add
Is desired value the default?: NO
vSphere API: http://pubs.vmware.com/vsphere-51/topic/com.vmware.wssdk.apiref.doc/vim.option.OptionValue.html
ESXi Shell Command Assessment: grep -i "log.keepOld" [VMX]
ESXi Shell Command Remediation: N/A
vCLI Command Assessment: vmware-cmd --server [SERVER] --username [USERNAME] --password [PASSWORD] /vmfs/volumes/[DATASTORE]/[VM]/[VM].vmx getguestinfo log.keepOld
vCLI Command Remediation: N/A
PowerCLI Command Assessment:
  # List the VMs and their current settings
  Get-VM | Get-AdvancedSetting -Name "log.keepOld" | Select Entity, Name, Value
PowerCLI Command Remediation:
  # Add the setting to all VMs
  Get-VM | New-AdvancedSetting -Name "log.keepOld" -value "10"
Negative Functional Impact: N/A

ID: limit-log-size
Product / Version / Component / Subcomponent: vSphere 5.1 / Virtual Machines / Tools
Title: Limit VM logging
Vulnerability Discussion: You can use these settings to limit the total size and number of log files. Normally a new log file is created only when a host is rebooted, so the file can grow to be quite large. You can ensure that new log files are created more frequently by limiting the maximum size of the log files. If you want to restrict the total size of logging data, VMware recommends saving 10 log files, each one limited to 1,000KB. Datastores are likely to be formatted with a block size of 2MB or 4MB, so a size limit too far below this size would result in unnecessary storage utilization. Each time an entry is written to the log, the size of the log is checked; if it is over the limit, the next entry is written to a new log. If the maximum number of log files already exists, when a new one is created, the oldest log file is deleted. A denial-of-service attack that avoids these limits might be attempted by writing an enormous log entry. But each log entry is limited to 4KB, so no log files are ever more than 4KB larger than the configured limit. A second option is to disable logging for the virtual machine. Disabling logging for a virtual machine makes troubleshooting challenging and support difficult. You should not consider disabling logging unless the log file rotation approach proves insufficient. Uncontrolled logging can lead to denial of service due to the datastores being filled.
Profile: 2,3
Control Type: Parameter
Assessment Procedure: Check virtual machine configuration file and verify that log.rotateSize is set to 100000
Configuration File: VMX
Configuration Parameter: log.rotateSize
Desired Value: 100000
Change Type: Add
Is desired value the default?: NO
vSphere API: http://pubs.vmware.com/vsphere-51/topic/com.vmware.wssdk.apiref.doc/vim.option.OptionValue.html
ESXi Shell Command Assessment: grep -i "log.rotateSize" [VMX]
ESXi Shell Command Remediation: N/A
vCLI Command Assessment: vmware-cmd --server [SERVER] --username [USERNAME] --password [PASSWORD] /vmfs/volumes/[DATASTORE]/[VM]/[VM].vmx getguestinfo log.rotateSize
vCLI Command Remediation: N/A
PowerCLI Command Assessment:
  # List the VMs and their current settings
  Get-VM | Get-AdvancedSetting -Name "log.rotateSize" | Select Entity, Name, Value
PowerCLI Command Remediation:
  # Add the setting to all VMs
  Get-VM | New-AdvancedSetting -Name "log.rotateSize" -value "100000"
Negative Functional Impact: N/A

ID: limit-setinfo-size
Product / Version / Component / Subcomponent: vSphere 5.1 / Virtual Machines / Communication
Title: Limit informational messages from the VM to the VMX file.
Vulnerability Discussion: The configuration file containing these name-value pairs is limited to a size of 1MB. This 1MB capacity should be sufficient for most cases, but you can change this value if necessary. You might increase this value if large amounts of custom information are being stored in the configuration file. The default limit is 1MB; this limit is applied even when the sizeLimit parameter is not listed in the .vmx file. Uncontrolled size for the VMX file can lead to denial of service if the datastore is filled.
Profile: 1,2,3
Control Type: Parameter
Assessment Procedure: Check virtual machine configuration file and verify that tools.setInfo.sizeLimit is set to 1048576
Configuration File: VMX
Configuration Parameter: tools.setInfo.sizeLimit
Desired Value: 1048576
Change Type: Add or Modify
Is desired value the default?: NO
vSphere API: http://pubs.vmware.com/vsphere-51/topic/com.vmware.wssdk.apiref.doc/vim.option.OptionValue.html
ESXi Shell Command Assessment: grep -i "tools.setInfo.sizeLimit" [VMX]
ESXi Shell Command Remediation: N/A
vCLI Command Assessment: vmware-cmd --server [SERVER] --username [USERNAME] --password [PASSWORD] /vmfs/volumes/[DATASTORE]/[VM]/[VM].vmx getguestinfo tools.setInfo.sizeLimit
vCLI Command Remediation: N/A
PowerCLI Command Assessment:
  # List the VMs and their current settings
  Get-VM | Get-AdvancedSetting -Name "tools.setInfo.sizeLimit" | Select Entity, Name, Value
PowerCLI Command Remediation:
  # Add the setting to all VMs
  Get-VM | New-AdvancedSetting -Name "tools.setInfo.sizeLimit" -value 1048576
Negative Functional Impact: N/A

ID: minimize-console-use
Product / Version / Component / Subcomponent: vSphere 5.1 / Virtual Machines / Guest
Title: Minimize use of the VM console.
Vulnerability Discussion: The VM console enables you to connect to the console of a virtual machine, in effect seeing what a monitor on a physical server would show. The VM console also provides power management and removable device connectivity controls, which might potentially allow a malicious user to bring down a virtual machine. In addition, it also has a performance impact on the service console, especially if many VM console sessions are open simultaneously.
Profile: 1,2,3
Control Type: Operational
Assessment Procedure: Instead of the VM console, use native remote management services, such as terminal services and ssh, to interact with virtual machines. Grant VM console access only when necessary.
Other fields: N/A

ID: prevent-device-interaction-connect
Product / Version / Component / Subcomponent: vSphere 5.1 / Virtual Machines / Device
Title: Prevent unauthorized removal, connection and modification of devices.
Vulnerability Discussion: Normal users and processes (that is, users and processes without root or administrator privileges) within virtual machines have the capability to connect or disconnect devices, such as network adaptors and CD-ROM drives, as well as the ability to modify device settings. In general, you should use the virtual machine settings editor or configuration editor to remove any unneeded or unused hardware devices. However, you might want to use the device again, so removing it is not always a good solution. In that case, you can prevent a user or running process in the virtual machine from connecting or disconnecting a device from within the guest operating system, as well as modifying devices, by adding the following parameters. By default, a rogue user with nonadministrator privileges in a virtual machine can:
  - Connect a disconnected CD-ROM drive and access sensitive information on the media left in the drive
  - Disconnect a network adaptor to isolate the virtual machine from its network, which is a denial of service
  - Modify settings on a device
Profile: 1,2,3
Control Type: Parameter
Assessment Procedure: Check virtual machine configuration file and verify that isolation.device.connectable.disable is set to TRUE
Configuration File: VMX
Configuration Parameter: isolation.device.connectable.disable
Desired Value: TRUE
Change Type: Modify
Is desired value the default?: NO
vSphere API: http://pubs.vmware.com/vsphere-51/topic/com.vmware.wssdk.apiref.doc/vim.option.OptionValue.html
ESXi Shell Command Assessment: grep -i "isolation.device.connectable.disable" [VMX]
ESXi Shell Command Remediation: N/A
vCLI Command Assessment: vmware-cmd --server [SERVER] --username [USERNAME] --password [PASSWORD] /vmfs/volumes/[DATASTORE]/[VM]/[VM].vmx getguestinfo isolation.device.connectable.disable
vCLI Command Remediation: N/A
PowerCLI Command Assessment:
  # List the VMs and their current settings
  Get-VM | Get-AdvancedSetting -Name "isolation.device.connectable.disable" | Select Entity, Name, Value
PowerCLI Command Remediation:
  # Add the setting to all VMs
  Get-VM | New-AdvancedSetting -Name "isolation.device.connectable.disable" -value $true
Negative Functional Impact: Device interaction is blocked inside the guest OS using VMware Tools
Reference: N/A

ID: prevent-device-interaction-edit
Product / Version / Component / Subcomponent: vSphere 5.1 / Virtual Machines / Device
Title: Prevent unauthorized removal, connection and modification of devices.
Vulnerability Discussion: Normal users and processes (that is, users and processes without root or administrator privileges) within virtual machines have the capability to connect or disconnect devices, such as network adaptors and CD-ROM drives, as well as the ability to modify device settings. In general, you should use the virtual machine settings editor or configuration editor to remove any unneeded or unused hardware devices. However, you might want to use the device again, so removing it is not always a good solution. In that case, you can prevent a user or running process in the virtual machine from connecting or disconnecting a device from within the guest operating system, as well as modifying devices, by adding the following parameters. By default, a rogue user with nonadministrator privileges in a virtual machine can:
  - Connect a disconnected CD-ROM drive and access sensitive information on the media left in the drive
  - Disconnect a network adaptor to isolate the virtual machine from its network, which is a denial of service
  - Modify settings on a device
Profile: 1,2,3
Control Type: Parameter
Assessment Procedure: Check virtual machine configuration file and verify that isolation.device.edit.disable is set to TRUE
Configuration File: VMX
Configuration Parameter: isolation.device.edit.disable
Desired Value: TRUE
Change Type: Modify
Is desired value the default?: NO
vSphere API: http://pubs.vmware.com/vsphere-51/topic/com.vmware.wssdk.apiref.doc/vim.option.OptionValue.html
ESXi Shell Command Assessment: grep -i "isolation.device.edit.disable" [VMX]
ESXi Shell Command Remediation: N/A
vCLI Command Assessment: vmware-cmd --server [SERVER] --username [USERNAME] --password [PASSWORD] /vmfs/volumes/[DATASTORE]/[VM]/[VM].vmx getguestinfo isolation.device.edit.disable
vCLI Command Remediation: N/A
PowerCLI Command Assessment:
  # List the VMs and their current settings
  Get-VM | Get-AdvancedSetting -Name "isolation.device.edit.disable" | Select Entity, Name, Value
PowerCLI Command Remediation:
  # Add the setting to all VMs
  Get-VM | New-AdvancedSetting -Name "isolation.device.edit.disable" -value $true
Negative Functional Impact: Device interaction is blocked inside the guest OS using VMware Tools
Reference: N/A

ID: restrict-host-info
Product / Version / Component / Subcomponent: vSphere 5.1 / Virtual Machines / Tools
Title: Do not send host information to guests.
Vulnerability Discussion: If set to TRUE, a VM can obtain detailed information about the physical host. The default value for the parameter is FALSE. This setting should not be TRUE unless a particular VM requires this information for performance monitoring. An adversary potentially can use this information to inform further attacks on the host.
Profile: 1,2
Control Type: Parameter
Assessment Procedure: Check virtual machine configuration file and verify that tools.guestlib.enableHostInfo is set to FALSE
Configuration File: VMX
Configuration Parameter: tools.guestlib.enableHostInfo
Desired Value: FALSE
Change Type: Modify
Is desired value the default?: YES
vSphere API: http://pubs.vmware.com/vsphere-51/topic/com.vmware.wssdk.apiref.doc/vim.option.OptionValue.html
ESXi Shell Command Assessment: grep -i "tools.guestlib.enableHostInfo" [VMX]
ESXi Shell Command Remediation: N/A
vCLI Command Assessment: vmware-cmd --server [SERVER] --username [USERNAME] --password [PASSWORD] /vmfs/volumes/[DATASTORE]/[VM]/[VM].vmx getguestinfo tools.guestlib.enableHostInfo
vCLI Command Remediation: N/A
PowerCLI Command Assessment:
  # List the VMs and their current settings
  Get-VM | Get-AdvancedSetting -Name "tools.guestlib.enableHostInfo" | Select Entity, Name, Value
PowerCLI Command Remediation:
  # Add the setting to all VMs
  Get-VM | New-AdvancedSetting -Name "tools.guestlib.enableHostInfo" -value $false
Negative Functional Impact: Unable to retrieve performance information about the host from inside the guest; there are times when this can be useful for troubleshooting.
Reference: N/A

ID: secure-guest-os
Product / Version / Component / Subcomponent: vSphere 5.1 / Virtual Machines / Guest
Title: Secure virtual machines as you would secure physical machines.
Vulnerability Discussion: A key to understanding the security requirements of a virtualized environment is the recognition that a virtual machine is, in most respects, the equivalent of a physical server. Therefore, it is critical that you employ the same security measures in virtual machines that you would for physical servers. The guest operating system that runs in the virtual machine is subject to the same security risks as a physical system.
Profile: 1,2,3
Control Type: Operational
Assessment Procedure: Ensure that antivirus, antispyware, intrusion detection, and other protection are enabled for every virtual machine in your virtual infrastructure. Make sure to keep all security measures up-to-date, including applying appropriate patches. It is especially important to keep track of updates for dormant virtual machines that are powered off, because it can be easy to overlook them.
Other fields: N/A

ID: use-secure-serial-communication
Product / Version / Component / Subcomponent: vSphere 5.1 / Virtual Machines / Guest
Title: Use secure protocols for virtual serial port access.
Vulnerability Discussion: Serial ports are interfaces for connecting peripherals to the virtual machine. They are often used on physical systems to provide a direct, low-level connection to the console of a server, and a virtual serial port allows for the same access to a virtual machine. Serial ports allow for low-level access, which often does not have strong controls like logging or privileges.
Profile: 1,2,3
Control Type: Operational
Assessment Procedure: Use a secure protocol like Telnets (Telnet with SSL) as opposed to Telnet to access virtual serial ports.
Other fields: N/A

ID: use-vm-templates
Product / Version / Component / Subcomponent: vSphere 5.1 / Virtual Machines / Guest
Title: Use templates to deploy VMs whenever possible.
Vulnerability Discussion: By capturing a hardened base operating system image (with no applications installed) in a template, you can ensure that all your virtual machines are created with a known baseline level of security. You can then use this template to create other, application-specific templates, or you can use the application template to deploy virtual machines. Manual installation of the OS and applications into a VM introduces the risk of misconfiguration due to human or process error.
Profile: 1,2,3
Control Type: Operational
Assessment Procedure: Provide templates for VM creation that contain hardened, patched, and properly configured OS deployments. If possible, predeploy applications in templates as well, although care should be taken that the application doesn't depend upon VM-specific information to be deployed. In vSphere, you can convert a template to a virtual machine and back again quickly, which makes updating templates quite easy. VMware Update Manager also provides the ability to automatically patch the operating system and certain applications in a template, thereby ensuring that they remain up to date.
Other fields: N/A

ID: verify-network-filter
Product / Version / Component / Subcomponent: vSphere 5.1 / Virtual Machines / Monitor
Title: Control access to VMs through the dvfilter network APIs.
Vulnerability Discussion: A VM must be configured explicitly to accept access by the dvfilter network API. This should be done only for VMs for which you want this to be done. An attacker might compromise the VM by making use of this introspection channel.
Profile: 1,2,3
Control Type: Parameter
Assessment Procedure: If a VM is not supposed to be protected by a product using the dvfilter API, ensure that the following is not present in its VMX file: ethernet0.filter1.name = dv-filter1, where ethernet0 is the network adaptor interface of the virtual machine that is to be protected, filter1 is the number of the filter that is being used, and dv-filter1 is the name of the particular data path kernel module that is protecting the VM. If the VM is supposed to be protected, ensure that the name of the data path kernel module is set correctly.
Configuration File: VMX
Configuration Parameter: ethernetn.filtern.name = filtername
Desired Value: undefined unless using dvfilter
Change Type: modify or remove
Is desired value the default?: YES
vSphere API: http://pubs.vmware.com/vsphere-51/topic/com.vmware.wssdk.apiref.doc/vim.option.OptionValue.html
ESXi Shell Command Assessment: grep -i "^ethernet[0-9]*.filter[0-9]*.name" [VMX]
ESXi Shell Command Remediation: N/A
vCLI Command Assessment:
  1. vifs --server [SERVER] --username [USERNAME] --password [PASSWORD] -g "[DATASTORE] VM/VM.vmx" VM.vmx
  2. grep -i "^ethernet[0-9]*.filter[0-9]*.name" [VMX]
vCLI Command Remediation: N/A
PowerCLI Command Assessment:
  # List the VMs and their current settings
  Get-VM | Get-AdvancedSetting -Name "ethernetn.filtern.name*" | Select Entity, Name, Value
Negative Functional Impact: Incorrectly configuring this option can negatively impact functionality of tools that use the VMsafe API.
Reference: N/A

ID: verify-vmsafe-cpumem-agentaddress
Product / Version / Component / Subcomponent: vSphere 5.1 / Virtual Machines / Monitor
Title: Control access to VMs through VMsafe CPU/memory APIs.
Vulnerability Discussion: The VMsafe CPU/memory API allows a security virtual machine to inspect and modify the contents of the memory and CPU registers on other VMs, for the purpose of detecting and preventing malware attacks. However, an attacker might compromise the VM by making use of this introspection channel; therefore you should monitor for unauthorized usage of this API. A VM must be configured explicitly to accept access by the VMsafe CPU/memory API. This involves three parameters: one to enable the API, one to set the IP address used by the security virtual appliance on the introspection vSwitch, and one to set the port number for that IP address. If the VM is being protected by such a product, then make sure the latter two parameters are set correctly. This should be done only for specific VMs for which you want this protection.
Profile: 1,2,3
Control Type: Parameter
Assessment Procedure: If the VM is not being protected by a VMsafe CPU/memory product, then check the virtual machine configuration file and verify that vmsafe.agentAddress is not present. If it is being protected by a VMsafe CPU/memory product, make sure this is set to the correct value.
Configuration File: VMX
Configuration Parameter: vmsafe.agentAddress
Desired Value: not present, or site-specific
Change Type: modify or remove
Is desired value the default?: YES
vSphere API: http://pubs.vmware.com/vsphere-51/topic/com.vmware.wssdk.apiref.doc/vim.option.OptionValue.html
ESXi Shell Command Assessment: grep -i vmsafe.agentAddress [VMX]
ESXi Shell Command Remediation: N/A
vCLI Command Assessment: vmware-cmd --server [SERVER] --username [USERNAME] --password [PASSWORD] /vmfs/volumes/[DATASTORE]/[VM]/[VM].vmx getguestinfo vmsafe.agentAddress
vCLI Command Remediation: N/A
PowerCLI Command Assessment:
  # List the VMs and their current settings
  Get-VM | Get-AdvancedSetting -Name "vmsafe.agentAddress" | Select Entity, Name, Value
Negative Functional Impact: Incorrectly configuring this option can negatively impact functionality of tools that use the VMsafe API.
Reference: N/A

ID: verify-vmsafe-cpumem-agentport
Product / Version / Component / Subcomponent: vSphere 5.1 / Virtual Machines / Monitor
Title: Control access to VMs through VMsafe CPU/memory APIs.
Vulnerability Discussion: The VMsafe CPU/memory API allows a security virtual machine to inspect and modify the contents of the memory and CPU registers on other VMs, for the purpose of detecting and preventing malware attacks. However, an attacker might compromise the VM by making use of this introspection channel; therefore you should monitor for unauthorized usage of this API. A VM must be configured explicitly to accept access by the VMsafe CPU/memory API. This involves three parameters: one to enable the API, one to set the IP address used by the security virtual appliance on the introspection vSwitch, and one to set the port number for that IP address. If the VM is being protected by such a product, then make sure the latter two parameters are set correctly. This should be done only for specific VMs for which you want this protection.
Profile: 1,2,3
Control Type: Parameter
Assessment Procedure: If the VM is not being protected by a VMsafe CPU/memory product, then check the virtual machine configuration file and verify that vmsafe.agentPort is not present. If it is being protected by a VMsafe CPU/memory product, make sure this is set to the correct value.
Configuration File: VMX
Configuration Parameter: vmsafe.agentPort
Desired Value: not present, or site-specific
Change Type: modify or remove
Is desired value the default?: YES
vSphere API: http://pubs.vmware.com/vsphere-51/topic/com.vmware.wssdk.apiref.doc/vim.option.OptionValue.html
ESXi Shell Command Assessment: grep -i vmsafe.agentPort [VMX]
ESXi Shell Command Remediation: N/A
vCLI Command Assessment: vmware-cmd --server [SERVER] --username [USERNAME] --password [PASSWORD] /vmfs/volumes/[DATASTORE]/[VM]/[VM].vmx getguestinfo vmsafe.agentPort
vCLI Command Remediation: N/A
PowerCLI Command Assessment:
  # List the VMs and their current settings
  Get-VM | Get-AdvancedSetting -Name "vmsafe.agentPort" | Select Entity, Name, Value
Negative Functional Impact: Incorrectly configuring this option can negatively impact functionality of tools that use the VMsafe API.
Reference: N/A

ID: verify-vmsafe-cpumem-enable
Product / Version / Component / Subcomponent: vSphere 5.1 / Virtual Machines / Monitor
Title: Control access to VMs through VMsafe CPU/memory APIs.
Vulnerability Discussion: The VMsafe CPU/memory API allows a security virtual machine to inspect and modify the contents of the memory and CPU registers on other VMs, for the purpose of detecting and preventing malware attacks. However, an attacker might compromise the VM by making use of this introspection channel; therefore you should monitor for unauthorized usage of this API. A VM must be configured explicitly to accept access by the VMsafe CPU/memory API. This involves three parameters: one to enable the API, one to set the IP address used by the security virtual appliance on the introspection vSwitch, and one to set the port number for that IP address. If the VM is being protected by such a product, then make sure the latter two parameters are set correctly. This should be done only for specific VMs for which you want this protection.
Profile: 1,2,3
Control Type: Parameter
Assessment Procedure: If the VM is not being protected by a VMsafe CPU/memory product, then check the virtual machine configuration file and verify that vmsafe.enable is either not present, or set to FALSE.
Configuration File: VMX
Configuration Parameter: vmsafe.enable
Desired Value: FALSE or not present
Change Type: modify or remove
Is desired value the default?: YES
vSphere API: http://pubs.vmware.com/vsphere-51/topic/com.vmware.wssdk.apiref.doc/vim.option.OptionValue.html
ESXi Shell Command Assessment: grep -i vmsafe.enable [VMX]
ESXi Shell Command Remediation: N/A
vCLI Command Assessment: vmware-cmd --server [SERVER] --username [USERNAME] --password [PASSWORD] /vmfs/volumes/[DATASTORE]/[VM]/[VM].vmx getguestinfo vmsafe.enable
vCLI Command Remediation: N/A
PowerCLI Command Assessment:
  # List the VMs and their current settings
  Get-VM | Get-AdvancedSetting -Name "vmsafe.enable" | Select Entity, Name, Value
Negative Functional Impact: Incorrectly configuring this option can negatively impact functionality of tools that use the VMsafe API.
Reference: N/A
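The per-VM "Parameter" guidelines above all reduce to the same assessment step: grep a key out of the .vmx file and compare it with the desired value (or confirm it is absent). The script below is an added example, not code from the VMware guide, that folds those checks into one audit of a single .vmx file. It uses only grep, sed, tr and mktemp, which BusyBox supplies in the ESXi Shell, but it was written for generic POSIX sh and has not been run on an ESXi host; the sample .vmx it audits is constructed here and is not a real VM's file. The optional "protected" mode is an extension of the guide's wording ("if the VM is supposed to be protected, ensure the name is set correctly"): for a VM that a VMsafe or dvfilter appliance guards, it expects the introspection settings to be present rather than absent.

```shell
#!/bin/sh
# Added example, not part of the VMware guide: audit one .vmx file against the
# Virtual Machine "Parameter" guidelines above. Uses only grep/sed/tr/mktemp,
# which BusyBox provides in the ESXi Shell, but it was written for any POSIX sh.

# vmx_get FILE KEY: print the value of KEY (last occurrence, case-insensitive,
# surrounding quotes stripped) or nothing when the key is absent.
vmx_get() {
    key=$(printf '%s' "$2" | sed 's/\./\\./g')     # escape dots for the regex
    grep -i "^[[:space:]]*${key}[[:space:]]*=" "$1" 2>/dev/null | tail -n 1 \
        | sed 's/^[^=]*=[[:space:]]*//; s/^"//; s/"[[:space:]]*$//'
}

# vmx_is FILE KEY VALUE: succeed when KEY is set to VALUE (case-insensitive).
vmx_is() {
    a=$(vmx_get "$1" "$2" | tr 'A-Z' 'a-z')
    b=$(printf '%s' "$3" | tr 'A-Z' 'a-z')
    [ -n "$a" ] && [ "$a" = "$b" ]
}

vmx_present() { [ -n "$(vmx_get "$1" "$2")" ]; }   # KEY is set to something
vmx_absent()  { [ -z "$(vmx_get "$1" "$2")" ]; }   # KEY is not set at all

# vmsafe.enable must be absent or FALSE on a VM that no security appliance protects.
vmsafe_off() { vmx_absent "$1" vmsafe.enable || vmx_is "$1" vmsafe.enable FALSE; }

# Any ethernetN.filterN.name line is the dvfilter hook from verify-network-filter.
vmx_has_dvfilter() {
    grep -iq '^[[:space:]]*ethernet[0-9]*\.filter[0-9]*\.name[[:space:]]*=' "$1" 2>/dev/null
}
vmx_no_dvfilter() { ! vmx_has_dvfilter "$1"; }

# vmx_audit FILE [protected]: one PASS/FAIL line per guideline, then FAILURES=N.
# Pass "protected" for a VM that IS guarded by a VMsafe/dvfilter appliance: the
# guide then wants the introspection settings present instead of absent.
vmx_audit() {
    f=$1; mode=${2:-unprotected}; fails=0
    check() {   # check LABEL COMMAND...: run COMMAND, count a failure if it fails
        label=$1; shift
        if "$@"; then echo "PASS $label"; else echo "FAIL $label"; fails=$((fails + 1)); fi
    }
    check "log.keepOld=10"                            vmx_is "$f" log.keepOld 10
    check "log.rotateSize=100000"                     vmx_is "$f" log.rotateSize 100000
    check "tools.setInfo.sizeLimit=1048576"           vmx_is "$f" tools.setInfo.sizeLimit 1048576
    check "isolation.device.connectable.disable=TRUE" vmx_is "$f" isolation.device.connectable.disable TRUE
    check "isolation.device.edit.disable=TRUE"        vmx_is "$f" isolation.device.edit.disable TRUE
    check "tools.guestlib.enableHostInfo=FALSE"       vmx_is "$f" tools.guestlib.enableHostInfo FALSE
    if [ "$mode" = protected ]; then
        check "vmsafe.enable=TRUE (protected VM)"     vmx_is "$f" vmsafe.enable TRUE
        check "vmsafe.agentAddress set"               vmx_present "$f" vmsafe.agentAddress
        check "vmsafe.agentPort set"                  vmx_present "$f" vmsafe.agentPort
        check "ethernetN.filterN.name set"            vmx_has_dvfilter "$f"
    else
        check "vmsafe.enable absent or FALSE"         vmsafe_off "$f"
        check "vmsafe.agentAddress absent"            vmx_absent "$f" vmsafe.agentAddress
        check "vmsafe.agentPort absent"               vmx_absent "$f" vmsafe.agentPort
        check "no ethernetN.filterN.name"             vmx_no_dvfilter "$f"
    fi
    echo "FAILURES=$fails"
}

# make_sample_vmx PATH: a constructed .vmx (not a real VM's file) with three
# deliberate deviations: log.keepOld missing, device edit not disabled,
# host information exposed to the guest.
make_sample_vmx() {
    cat > "$1" <<'EOF'
.encoding = "UTF-8"
config.version = "8"
virtualHW.version = "9"
displayName = "sample-vm"
log.rotateSize = "100000"
tools.setInfo.sizeLimit = "1048576"
isolation.device.connectable.disable = "TRUE"
isolation.device.edit.disable = "FALSE"
tools.guestlib.enableHostInfo = "TRUE"
vmsafe.enable = "FALSE"
ethernet0.present = "TRUE"
EOF
}

# Demo: audit the sample as an unprotected VM (expect FAILURES=3).
tmp=$(mktemp) && make_sample_vmx "$tmp" && vmx_audit "$tmp" && rm -f "$tmp"
```

On a real host the same functions run as `vmx_audit /vmfs/volumes/[DATASTORE]/[VM]/[VM].vmx`, which is the file the guide's own grep and vmware-cmd checks read; the PowerCLI cmdlets in the table remain the way to apply the remediation fleet-wide. Keys are matched case-insensitively because ESXi treats .vmx keys that way, and only the last occurrence of a key counts, which is also how a duplicated key behaves when the VM powers on.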

ESXi
Fields: ID, Product, Version, Component, Subcomponent, Title, Vulnerability Discussion, Profile, Control Type, Assessment Procedure, Configuration File, Configuration Parameter, Desired Value, Change Type, Is desired value the default?, vSphere API, ESXi Shell Command Assessment, ESXi Shell Command Remediation, vCLI Command Assessment, vCLI Command Remediation, PowerCLI Command Assessment, PowerCLI Command Remediation, Negative Functional Impact, Reference, Able to set using Host Profile?

ID: apply-patches
Product / Version / Component / Subcomponent: vSphere 5.1 / ESXi / Install
Title: Keep ESXi system properly patched.
Vulnerability Discussion: By staying up to date on ESXi patches, vulnerabilities in the hypervisor can be mitigated. An educated attacker can exploit known vulnerabilities when attempting to attain access or elevate privileges on an ESXi host.
Profile: 1,2,3
Control Type: Operational
Assessment Procedure: Employ a process to keep ESXi hosts up to date with patches in accordance with industry standards and internal guidelines. VMware Update Manager is an automated tool that can greatly assist with this. VMware also publishes Advisories on security patches, and offers a way to subscribe to email alerts for them.
Configuration File: N/A
Configuration Parameter: N/A
Desired Value: N/A
Change Type: Update
Is desired value the default?: N/A
vSphere API: N/A
ESXi Shell Command Assessment: # esxcli software profile get / # esxcli software vib get
ESXi Shell Command Remediation: # esxcli software profile update / # esxcli software vib update
vCLI Command Assessment: # esxcli software profile get / # esxcli software vib get
vCLI Command Remediation: # esxcli software profile update / # esxcli software vib update
PowerCLI Command Assessment: # VMware Update Manager PowerCLI Cmdlets can be used to check this feature
PowerCLI Command Remediation: # VMware Update Manager PowerCLI Cmdlets can be used to check this feature
Reference: http://pubs.vmware.com/vsphere-51/topic/com.vmware.vsphere.update_manager.doc/GUID-EF6BEE4C-4583-4A8C-81B9-5B074CA2E272.html
Able to set using Host Profile?: NO

ID: config-firewall-access
Product / Version / Component / Subcomponent: vSphere 5.1 / ESXi / Communication
Title: Configure the ESXi host firewall to restrict access to services running on the host
Vulnerability Discussion: Unrestricted access to services running on an ESXi host can expose a host to outside attacks and unauthorized access. Reduce the risk by configuring the ESXi firewall to only allow access from authorized networks.
Profile: 1,2,3
Control Type: Configuration
Assessment Procedure: From the vSphere web client, select the host and go to "Manage" -> "Security Profile". In the "Firewall" section select "Edit...". For each enabled service (e.g. ssh, vSphere Web Access, http client) provide a range of allowed IP addresses.
Configuration File: N/A
Configuration Parameter: N/A
Desired Value: Site Specific
Change Type: Modify
Is desired value the default?: NO
vSphere API: http://pubs.vmware.com/vsphere-51/topic/com.vmware.wssdk.apiref.doc/vim.host.ServiceSystem.html
ESXi Shell Command Assessment:
  # List all services: ls /etc/init.d
  # Get service status: /etc/init.d/[SERVICE] status
ESXi Shell Command Remediation: # /etc/init.d/[SERVICE] stop
vCLI Command Assessment: N/A
vCLI Command Remediation: N/A
PowerCLI Command Assessment:
  # List all services for a host
  Get-VMHost HOST1 | Get-VMHostService
  # List the services which are enabled and have rules defined for specific IP ranges to access the service
  Get-VMHost HOST1 | Get-VMHostFirewallException | Where {$_.Enabled -and (-not $_.ExtensionData.AllowedHosts.AllIP)}
  # List the services which are enabled and do not have rules defined for specific IP ranges to access the service
  Get-VMHost HOST1 | Get-VMHostFirewallException | Where {$_.Enabled -and ($_.ExtensionData.AllowedHosts.AllIP)}
PowerCLI Command Remediation: N/A
Negative Functional Impact: Only systems in the IP whitelist/ACL will be able to connect to services on the ESXi server
Reference: http://pubs.vmware.com/vsphere-51/topic/com.vmware.vsphere.security.doc/GUID-DD4322FF-3DC4-4716-8819-6688938F99D7.html
Able to set using Host Profile?: YES

ID: config-ntp
Product / Version / Component / Subcomponent: vSphere 5.1 / ESXi / Communication
Title: Configure NTP time synchronization
Vulnerability Discussion: By ensuring that all systems use the same relative time source (including the relevant localization offset), and that the relative time source can be correlated to an agreed-upon time standard (such as Coordinated Universal Time, UTC), you can make it simpler to track and correlate an intruder's actions when reviewing the relevant log files. Incorrect time settings can make it difficult to inspect and correlate log files to detect attacks, and can make auditing inaccurate.
Profile: 1,2,3
Control Type: Parameter
Assessment Procedure: From the vSphere web client select the host and click "Manage" -> "Time Configuration" and click the "Edit..." button. Provide the name/IP of your NTP servers, start the NTP service and change the startup policy to "Start and stop with host". Notes: verify the NTP firewall ports are open. It is recommended to synchronize the ESXi clock with a time server that is located on the management network rather than directly with a time server on a public network. This time server can then synchronize with a public source through a strictly controlled network connection with a firewall.
Configuration File: /etc/ntp.conf
Configuration Parameter: N/A
Desired Value: Site Specific
Change Type: Modify
Is desired value the default?: NO
vSphere API: http://pubs.vmware.com/vsphere-51/topic/com.vmware.wssdk.apiref.doc/vim.host.DateTimeSystem.html
ESXi Shell Command Assessment: N/A
ESXi Shell Command Remediation: N/A
vCLI Command Assessment: # vicfg-ntp --list
vCLI Command Remediation: # vicfg-ntp --add
PowerCLI Command Assessment:
  # List the NTP Settings for all hosts
  Get-VMHost | Select Name, @{N="NTPSetting";E={$_ | Get-VMHostNtpServer}}
PowerCLI Command Remediation:
  # Set the NTP Settings for all hosts
  $NTPServers = "pool.ntp.org", "pool2.ntp.org"
  Get-VMHost | Add-VmHostNtpServer $NTPServers
Reference: http://pubs.vmware.com/vsphere-51/topic/com.vmware.vcli.examples.doc/cli_manage_networks.11.9.html
Able to set using Host Profile?: YES

ID: config-persistent-logs
Product / Version / Component / Subcomponent: vSphere 5.1 / ESXi / Logging
Title: Configure persistent logging for all ESXi hosts
Vulnerability Discussion: ESXi can be configured to store log files on an in-memory file system. This occurs when the host's "/scratch" directory is linked to "/tmp/scratch". When this is done only a single day's worth of logs are stored at any time; in addition, log files will be reinitialized upon each reboot. This presents a security risk, as user activity logged on the host is only stored temporarily and will not persist across reboots. This can also complicate auditing and make it harder to monitor events and diagnose issues. ESXi host logging should always be configured to a persistent datastore.
Profile: 1,2,3
Control Type: Parameter
Assessment Procedure: Log on to the ESXi shell and run "ls -al /" to verify "/scratch" is not linked to "/tmp/scratch". If "/scratch" is linked to "/tmp/scratch", change it to a persistent datastore. First, identify the datastore path where you want to place scratch, then log in to the vSphere web client, navigate to the host and select "Manage" -> "Advanced System Settings", and enter "Syslog.global.LogDir" in the filter. Set "Syslog.global.LogDir" to the desired datastore path. Note: Syslog.global.LogDir must be set for each host. The host syslog parameters can also be configured with the vCLI or PowerCLI, or using an API client.
Configuration File: N/A
Configuration Parameter: Syslog.global.logDir
Desired Value: Site Specific
Change Type: Modify
Is desired value the default?: When booting from a local disk, YES. When booting from USB/SD or when using Auto Deploy, NO.
vSphere API: http://pubs.vmware.com/vsphere-51/topic/com.vmware.wssdk.apiref.doc/vim.option.OptionManager.html
ESXi Shell Command Assessment: # esxcli system syslog config get
ESXi Shell Command Remediation: # esxcli system syslog config set --logDir
vCLI Command Assessment: # esxcli system syslog config get
vCLI Command Remediation: # esxcli system syslog config set --logDir
PowerCLI Command Assessment:
  # List Syslog.global.logDir for each host
  Get-VMHost | Select Name, @{N="Syslog.global.logDir";E={$_ | Get-VMHostAdvancedConfiguration Syslog.global.logDir | Select -ExpandProperty Values}}
PowerCLI Command Remediation:
  # Set Syslog.global.logDir for each host
  Get-VMHost | Foreach { Set-VMHostAdvancedConfiguration -VMHost $_ -Name Syslog.global.logDir -Value "NewLocation" }
Reference: http://pubs.vmware.com/vsphere-51/topic/com.vmware.vsphere.install.doc/GUID-9F67DB52-F469-451F-B6C8-DAE8D95976E7.html ; http://kb.vmware.com/kb/1033696
Able to set using Host Profile?: YES

ID: config-snmp
Product / Version / Component / Subcomponent: vSphere 5.1 / ESXi / Communication
Title: Ensure proper SNMP configuration
Vulnerability Discussion: If SNMP is not being used, it should remain disabled. If it is being used, the proper trap destination should be configured. If SNMP is not properly configured, monitoring information can be sent to a malicious host that can then use this information to plan an attack. Note: ESXi 5.1 supports SNMPv3, which provides stronger security than SNMPv1 or SNMPv2, including key authentication and encryption.
Profile: 1,2,3
Control Type: Parameter
Assessment Procedure: From the ESXi Shell or vCLI run "esxcli system snmp get" to determine if SNMP is being used. If SNMP is not being used, make sure that it is disabled by running "esxcli system snmp set --enable false". If SNMP is being used, refer to the vSphere Monitoring and Performance guide, chapter 8, for steps to configure the required parameters. Notes: (1) SNMP must be configured on each ESXi host. (2) You can also set SNMP settings using Host Profiles.
Configuration File: /etc/vmware/snmp.xml
Configuration Parameter: N/A
Desired Value: site-specific
Change Type: Modify
Is desired value the default?: N/A
vSphere API: http://pubs.vmware.com/vsphere-51/topic/com.vmware.wssdk.apiref.doc/vim.host.SnmpSystem.html
ESXi Shell Command Assessment: # esxcli system snmp get
ESXi Shell Command Remediation:
  # Configure Community String
  esxcli system snmp set --communities [COMMUNITY]
  # Configure SN
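Three of the ESXi guidelines above (config-persistent-logs, config-ntp and config-snmp) are assessed by looking at a symlink, a configuration file and the output of one esxcli command. The script below is an added example, not code from the VMware guide, that turns those three assessments into functions a practitioner can run against a constructed directory tree here and against a live host later (ROOT=/ in the ESXi Shell, and "esxcli system snmp get | snmp_check"). It assumes readlink, grep, sed and mktemp are available, which BusyBox provides on ESXi, and it has not been run on an ESXi host. The "   Key: value" layout that snmp_check parses is assumed from memory of the esxcli output on ESXi 5.x, not taken from the guide; the sample output below is constructed.

```shell
#!/bin/sh
# Added example, not part of the VMware guide: offline checks for the
# config-persistent-logs, config-ntp and config-snmp guidelines. Every check
# reads the file or command output it inspects from its arguments or stdin, so
# the same functions work on a constructed tree (demo below) and on a real host.

# scratch_check ROOT: PASS when $ROOT/scratch is not a link into /tmp (logs go to
# a persistent datastore), FAIL when it points at the /tmp/scratch ramdisk.
scratch_check() {
    target=""
    if [ -L "$1/scratch" ]; then target=$(readlink "$1/scratch"); fi
    case "$target" in
        /tmp/*) echo "FAIL /scratch -> $target (ramdisk: logs are lost on reboot)" ;;
        *)      echo "PASS /scratch -> ${target:-(local directory)}" ;;
    esac
}

# ntp_check NTP_CONF: PASS when the ntp.conf names at least one "server".
ntp_check() {
    n=$(grep -c '^[[:space:]]*server[[:space:]]' "$1" 2>/dev/null || true)
    if [ "${n:-0}" -gt 0 ]; then echo "PASS $n NTP server line(s) in $1"
    else echo "FAIL no NTP server configured in $1"; fi
}

# snmp_check: reads "esxcli system snmp get" output on stdin. The guideline is
# met when SNMP is disabled, or enabled with a trap destination (Targets) set.
snmp_check() {
    enable=""; targets=""
    while IFS= read -r line; do
        key=$(printf '%s' "$line" | sed 's/^[[:space:]]*//; s/:.*$//')
        val=$(printf '%s' "$line" | sed 's/^[^:]*:[[:space:]]*//; s/[[:space:]]*$//')
        case "$key" in
            Enable)  enable=$val ;;
            Targets) targets=$val ;;
        esac
    done
    if [ "$enable" != "true" ]; then echo "PASS SNMP disabled"
    elif [ -n "$targets" ]; then echo "PASS SNMP enabled with trap target(s): $targets"
    else echo "FAIL SNMP enabled but no trap destination configured"; fi
}

# sample_snmp_get: constructed stand-in (assumed layout, not from the guide) for
# "esxcli system snmp get" on a host where SNMP is on but no target was set.
sample_snmp_get() {
    printf '%s\n' \
        '   Authentication: ' \
        '   Communities: public' \
        '   Enable: true' \
        '   Port: 161' \
        '   Targets: ' \
        '   Users: '
}

# Demo on a constructed tree (not a real host): ramdisk scratch, empty ntp.conf,
# SNMP enabled without a trap target -> three FAIL lines.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/etc"
ln -s /tmp/scratch "$demo_root/scratch"
: > "$demo_root/etc/ntp.conf"
scratch_check "$demo_root"
ntp_check "$demo_root/etc/ntp.conf"
sample_snmp_get | snmp_check
rm -rf "$demo_root"
```

Each function prints PASS or FAIL as its first word, so the results are easy to collect across hosts from a jump box over ssh. The scratch check deliberately inspects the link target rather than the Syslog.global.logDir setting, mirroring the guide's "ls -al /" assessment; the remediation remains setting Syslog.global.logDir to a datastore path.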