Security Considerations for Configuring VMware Tools
Some VMware Tools settings might expose security risks. For example, VMware Tools enables you to connect virtual devices such as serial and parallel ports to virtual machines. A connected device might be a potential channel of attack. To harden a virtual machine and reduce security risks as much as possible, disable the VMware Tools features that might be vulnerable to security threats.
For complete information about securely deploying VMware vSphere in a production environment, including security recommendations for hosts, virtual machines, management components, and a networking infrastructure, see the vSphere Hardening Guide. VMware Tools settings relate only to the virtual machine aspect of a deployment.
Virtual machines are encapsulated in a small number of files. Of these, the configuration file (the .vmx file) governs the performance of the virtual hardware and other settings. You can use several methods to see and modify the configuration settings:
- Use the vSphere Web Client to edit virtual machine settings. In the vSphere Web Client, editing these configuration parameters is an advanced option in the virtual machine Edit Settings dialog box.
- Use the vSphere Host Client to edit virtual machine settings. In the vSphere Host Client, editing these configuration parameters is an advanced option in the virtual machine Edit Settings dialog box.
- Use a vSphere API-based tool, such as PowerCLI, to view and modify .vmx parameters.
After you edit a setting, the change does not take effect until you restart the virtual machine.
You can eliminate several potential threats by setting the corresponding VMware Tools parameters appropriately in the virtual machine's .vmx file. The defaults for many of these parameters are already set to protect virtual machines from these threats.
Threats Associated with Unprivileged User Accounts
- Copy and paste
- By default, the ability to copy and paste text, graphics, and files is disabled, as is the ability to drag and drop files. When this option is enabled, you can copy and paste rich text and, depending on the VMware product, graphics and files from your clipboard to the guest operating system in a virtual machine. That is, when the console window of a virtual machine gains focus, nonprivileged users and processes running in the virtual machine can access the clipboard on the computer where the console window is running. To avoid risks associated with this feature, retain the following .vmx settings, which disable copying and pasting:
  isolation.tools.copy.disable = "TRUE"
  isolation.tools.paste.disable = "TRUE"
Threats Associated with Virtual Devices
- Connecting and modifying devices
- By default, the ability to connect and disconnect devices is disabled. When this feature is enabled, users and processes without root or administrator privileges can connect devices such as network adapters and CD-ROM drives, and they can modify device settings. That is, a user can connect a disconnected CD-ROM drive and access sensitive information on the media that is in the drive. A user can also disconnect a network adapter to isolate the virtual machine from its network, which is a denial of service. To avoid risks associated with this feature, retain the following .vmx settings, which disable the ability to connect and disconnect devices or to modify device settings:
  isolation.device.connectable.disable = "TRUE"
  isolation.device.edit.disable = "TRUE"
Threats Associated with Virtual Machine Information Flow
- VMX file size
- By default, the configuration file is limited to a size of 1 MB, because an uncontrolled file size can lead to a denial of service if the datastore runs out of disk space. Informational messages are sometimes sent from the virtual machine to the .vmx file. These setinfo messages define virtual machine characteristics or identifiers by writing name-value pairs to the file. You might need to increase the size of the file if large amounts of custom information must be stored in it. The property name is tools.setInfo.sizeLimit, and you specify the value in kilobytes. Retain the following .vmx setting:
  tools.setInfo.sizeLimit = "1048576"
- Sending performance counters into PerfMon
- You can integrate virtual machine performance counters for CPU and memory into PerfMon for Linux and Microsoft Windows guest operating systems. This makes detailed information about the physical host available to the guest operating system. A malicious user could potentially use this information to perform further attacks on the host. By default, this feature is disabled. Retain the following .vmx setting to prevent host information from being sent to the virtual machine:
  tools.guestlib.enableHostInfo = "FALSE"
  This setting blocks some but not all metrics. If you set this property to FALSE, the following metrics are blocked:
- GUESTLIB_HOST_CPU_NUM_CORES
- GUESTLIB_HOST_CPU_USED_MS
- GUESTLIB_HOST_MEM_SWAPPED_MB
- GUESTLIB_HOST_MEM_SHARED_MB
- GUESTLIB_HOST_MEM_USED_MB
- GUESTLIB_HOST_MEM_PHYS_MB
- GUESTLIB_HOST_MEM_PHYS_FREE_MB
- GUESTLIB_HOST_MEM_KERN_OVHD_MB
- GUESTLIB_HOST_MEM_MAPPED_MB
- GUESTLIB_HOST_MEM_UNMAPPED_MB
- Features not exposed in vSphere that could cause vulnerabilities
- Because VMware virtual machines run in many VMware products in addition to vSphere, some virtual machine parameters do not apply in a vSphere environment. Although these features do not appear in vSphere user interfaces, disabling them reduces the number of vectors through which a guest operating system could access a host. Use the following .vmx settings to disable these features:
  isolation.tools.unity.push.update.disable = "TRUE"
  isolation.tools.ghi.launchmenu.change = "TRUE"
  isolation.tools.ghi.autologon.disable = "TRUE"
  isolation.tools.hgfsServerSet.disable = "TRUE"
  isolation.tools.memSchedFakeSampleStats.disable = "TRUE"
  isolation.tools.getCreds.disable = "TRUE"