Hardening Virtual Machines


By design, virtual machines (VMs) are isolated from other virtual machines. Part of the hardening process for each VM is to look at the security guidelines of the guest operating system for the VM.

Each VM has a .vmx file, which is its main configuration file. This file governs the behavior of the virtual hardware and holds many of the VM's settings. There are two ways to view and change the parameters and values for a VM.

One way to view the config file, which is a plain ASCII text file, is from the command line. In a PuTTY (SSH) session to the host, change to the directory containing the VM's files:

# cd /vmfs/volumes/[storage]/[vm_name]/

[storage] = the current datastore for the VM

[vm_name] = the name of the VM

Next, run ls to list the files in the VM's directory.

Now you can modify the VM's .vmx config file with command-line tools such as the vi editor. You can also use the vSphere Client to add or change entries in the VM's configuration. You must restart the VM for most changes to take effect when you modify VM settings in this way.

Configuration settings can also be changed using the vSphere Client. Log in to the vCenter Server or ESXi host, select the VM in question, right-click it, and select Edit Settings > Options > General > Configuration Parameters (see the figure below).

[Figure vmhd1: Configuration Parameters dialog in the vSphere Client]

Limiting the Number of Consoles for the VM

By default, more than one user can connect to a VM's remote console at the same time. If an administrator is working in the remote console, a non-administrator could connect to the same console during the session and observe the administrator's actions. To reduce the VM's entry points to a single console connection, add the following line to the VM's config file:

RemoteDisplay.maxConnections="1"

This limits the number of simultaneous console connections to one.

Prevent Virtual Disk Shrinking

Shrinking a virtual disk reclaims unused space in the disk. If this process is repeated many times, the virtual disk can become unavailable and cause a denial of service. To prevent shrinking of a VM's virtual disks, add the following values to its .vmx file:

isolation.tools.diskWiper.disable="TRUE"

isolation.tools.diskShrink.disable="TRUE"

With these values set to TRUE in the VM's config file, the administrator cannot shrink the disk.

Restrict Copy and Paste to a Remote Console from the Clipboard

After you install VMware Tools in a VM, you can copy and paste between the guest operating system and the computer where the remote console is running. VMware recommends keeping copy and paste to the VM disabled. Enter the following values in the VM's config file to restrict copy and paste:

isolation.tools.copy.disable="TRUE"

isolation.tools.paste.disable="TRUE"

Copy and paste has been disabled by default since vSphere 4.1.

Control Virtual Hardware Usage

Non-root users and processes within a VM can connect or disconnect devices such as CD-ROM drives or a USB controller. One way to disable a piece of virtual hardware is simply to remove the device from the VM. If you do not want to remove the device but still want to prevent a user or process inside the guest operating system from connecting to it, add these lines to the VM's .vmx config file:

isolation.device.connectable.disable="TRUE"

isolation.device.edit.disable="TRUE"
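The command-line procedure above (cd into the VM's directory on the datastore, then edit the .vmx) and the settings listed in the sections from the console limit down to the device controls can be scripted so the change is repeatable and auditable. The following POSIX sh script is an added example, not code from the original post or from VMware; the function names vmx_get, vmx_set, vmx_audit and vmx_harden, the sample .vmx content, and the file-name convention are constructed for illustration. It covers only the keys the post names (the VMCI section does not give a .vmx key, so it is not included). It uses only sed, grep, cp and mv, so it also runs under the BusyBox shell on an ESXi host.

```shell
#!/bin/sh
# Added example: audit and idempotently apply the .vmx hardening keys from this post.
# Assumptions (not from the post): function names and the sample .vmx are constructed.

# key=value pairs this post recommends; entries contain no spaces, so the default
# IFS (space/tab/newline) splits them cleanly in a for loop.
HARDENING_KEYS='RemoteDisplay.maxConnections=1
isolation.tools.diskWiper.disable=TRUE
isolation.tools.diskShrink.disable=TRUE
isolation.tools.copy.disable=TRUE
isolation.tools.paste.disable=TRUE
isolation.device.connectable.disable=TRUE
isolation.device.edit.disable=TRUE'

# Escape the dots in a .vmx key so it can be used literally in a sed/grep BRE.
vmx_escape() { printf '%s' "$1" | sed 's/[.]/\\./g'; }

# vmx_get FILE KEY: print the value of KEY with surrounding quotes stripped
# (.vmx lines look like  key = "value" ; spaces around = are optional).
# Prints nothing if the key is absent; the last occurrence wins, as ESXi does.
vmx_get() {
    esc=$(vmx_escape "$2")
    sed -n "s/^[[:space:]]*$esc[[:space:]]*=[[:space:]]*\"\{0,1\}\([^\"]*\)\"\{0,1\}.*/\1/p" "$1" | tail -n 1
}

# vmx_set FILE KEY VALUE: replace an existing line for KEY, or append one.
# Writes to a temp file and moves it into place so a partial write never
# leaves a truncated config behind.
vmx_set() {
    f=$1; key=$2; val=$3
    esc=$(vmx_escape "$key")
    if grep -q "^[[:space:]]*$esc[[:space:]]*=" "$f"; then
        sed "s/^[[:space:]]*$esc[[:space:]]*=.*/$key = \"$val\"/" "$f" > "$f.tmp"
    else
        cat "$f" > "$f.tmp"
        printf '%s = "%s"\n' "$key" "$val" >> "$f.tmp"
    fi
    mv "$f.tmp" "$f"
}

# vmx_audit FILE: print OK/FAIL per key; return the number of failing keys
# (0 means the VM already carries every setting from this post).
# .vmx values are case-insensitive, so "true" is accepted for TRUE.
vmx_audit() {
    f=$1; fails=0
    for entry in $HARDENING_KEYS; do
        key=${entry%%=*}; want=${entry#*=}
        have=$(vmx_get "$f" "$key")
        if [ "$(printf '%s' "$have" | tr 'a-z' 'A-Z')" = "$want" ]; then
            printf 'OK    %s = "%s"\n' "$key" "$have"
        else
            printf 'FAIL  %s (have: "%s", want: "%s")\n' "$key" "${have:-unset}" "$want"
            fails=$((fails + 1))
        fi
    done
    return $fails
}

# vmx_harden FILE: keep a backup copy, then apply every key from this post.
vmx_harden() {
    cp "$1" "$1.bak"
    for entry in $HARDENING_KEYS; do
        vmx_set "$1" "${entry%%=*}" "${entry#*=}"
    done
}

# Constructed sample .vmx: one key set weakly, one already hardened, the rest absent.
make_sample_vmx() {
    cat > "$1" <<'EOF'
.encoding = "UTF-8"
config.version = "8"
displayName = "demo-vm"
RemoteDisplay.maxConnections = "5"
isolation.tools.copy.disable = "true"
EOF
}

# Usage on the host (power the VM off first, then reload it so the new
# values take effect):
#   sh vmx-harden.sh /vmfs/volumes/[storage]/[vm_name]/[vm_name].vmx          # audit only
#   sh vmx-harden.sh /vmfs/volumes/[storage]/[vm_name]/[vm_name].vmx --apply  # harden, then re-audit
if [ -n "${1:-}" ]; then
    if [ "${2:-}" = "--apply" ]; then
        vmx_harden "$1"
    fi
    vmx_audit "$1"
fi
```

Run the audit first against each VM's .vmx and keep the output as evidence; only then apply. Because vmx_set replaces an existing line rather than appending a duplicate, the script can be re-run safely, and the .bak copy gives you a way back if a guest depends on one of the features being disabled.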

Restrict the VMCI Interface

The Virtual Machine Communication Interface (VMCI) is designed to allow communication from VM to VM. Its main objective was to provide a socket-based framework for a new generation of applications that exist only on VMs. If VMCI is compromised, one VM could be used to attack another VM, so this value should be disabled, which is the default.

To display the status of VMCI, highlight the ESXi host, right-click, and select Edit Properties. The Virtual Machine Properties window opens, as shown in Figure 8-14. The Hardware tab lists all the hardware devices, including the VMCI device, whose current state is shown as Unrestricted or disabled. The figure below shows a VM where VMCI is enabled:

[Figure vmhd2: VMCI device state in the Virtual Machine Properties window]

About Alex Hunt

Hi All, I am Manish Kumar Jha, aka Alex Hunt. I am currently working at VMware Software India Pvt Ltd as an Operations System Engineer (vCloud Air Operations). I have around 5 years of IT experience and exposure to VMware vSphere, vCloud Director, RHEL and modern data center technologies like Cisco UCS, Cisco Nexus 1000v and NSX. If you find any post informative, please like and share it across social media, and leave your comments if you want to discuss any post further. Disclaimer: All the information on this website is published in good faith and for general information purposes only. I don't make any warranties about the completeness, reliability and accuracy of this information. Any action you take upon the information you find on this blog is strictly at your own risk. The views and opinions published on this blog are my own and not the opinions of my employer or any of the vendors of the products discussed.