vSphere 6 Security Best Practices for Virtual Machines (Part-1)

(i)  By default, Copy and Paste Operations Between Guest Operating System and Remote Console are disabled. For a secure environment, retain the default setting. If required to enable it, follow the following steps:
1.  Turn off the virtual machine.
2.  Log into a vCenter Server system using the vSphere Web Client.
3.  Right-click the virtual machine and click Edit Settings.
4.  Click VM Options, and then expand “Advanced“. Click “Edit Configuration“.
5.  Click “Add Row” to add the following names and values:

Name Value
isolation.tools.copy.disable true
isolation.tools.paste.disable true

These options override any settings made in the guest operating system’s VMware Tools control panel.
6.  Click OK.

(ii) By default, a vSphere admin can interact with files and programs within a virtual machine’s guest operating system. To reduce the risk of breaching guest confidentiality, availability, or integrity, create a non-guest access role without the Guest Operations privilege. This is done to restrict users with admin privileges from running commands within a VM.

1.  Log in to the vSphere Web Client as administrator@vsphere.local.
2.  Go to Administration > Roles
3.  Click the “+” icon to create a new role and enter the name as “Administrator-No-Guest-Access“.
4.  Select All Privileges and then de-select All Privileges.Virtual machine.Guest Operations to remove the Guest Operations set of privileges.
5.  Click OK.

(iii) You can prevent users without root or administrator privileges within the VM to connect or disconnect devices, such as network adaptors and CD-ROM drives, and the ability to modify device settings. Follow the steps below to disallow it:

1.  Turn off the virtual machine.
2.  Log into a vCenter Server system using the vSphere Web Client.
3.  Right-click the virtual machine and click Edit Settings.
4.  Click VM Options, and then expand “Advanced“. Click “Edit Configuration“.
5.  Click “Add Row” to add the following names and values:

Name Value
isolation.device.connectable.disable true
isolation.device.edit.disable true

These options override any settings made in the guest operating system’s VMware Tools control panel.
6.  Click OK.

(iv) Configure VM setting to prevent virtual disk shrinking for a VM; shrinking a virtual disk reclaims the disk’s unused space but if you shrink a virtual disk repeatedly, the disk can become unavailable and cause a denial of service. Follow the steps below to disable the ability to shrink virtual disks:

1.  Turn off the virtual machine.
2.  Log into a vCenter Server system using the vSphere Web Client.
3.  Right-click the virtual machine and click Edit Settings. Make sure the logged in user “root” has administrator privileges on the VM.
4.  Click VM Options, and then expand “Advanced“. Click “Edit Configuration“.
5.  Click “Add Row” to add the following names and values:

Name Value
isolation.tools.diskWiper.disable true
isolation.tools.diskShrink.disable true

These options override any settings made in the guest operating system’s VMware Tools control panel.
6.  Click OK.

Note: Once disabled, you can not shrink VM disks when a datastore runs out of space.

(v) Restrict user access to virtual machine console and limit concurrent connections to as few possible (default value = 40).

1.  Turn off the virtual machine.
2.  Log into a vCenter Server system using the vSphere Web Client.
3.  Right-click the virtual machine and click Edit Settings.
4.  Click VM Options, and then expand “VM Remote Console Options“.
5.  Modify the value for “Maximum number of sessions” from default 40 to 1. This will allow only one VM console session to be active.
6.  Click OK.

Next, to limit users from having access to VM Console:

1.  Log in to the vSphere Web Client as administrator@vsphere.local.
2.  Go to Administration > Roles
3.  Click the “+” icon to create a new role and enter the name as “Administrator-No-VM-Console-Access“.
4.  Select All Privileges and then de-select All Privileges.Virtual machine.Interaction.Console interaction to remove the access to VM console.
5.  Click OK.

Now, select the VM and modify the permission for a specific user by changing the role; refer to the screen-shots below.

 

References:

  1. VMware vSphere 6.0 Security Guide

Leave a Reply

Your email address will not be published. Required fields are marked *

*
*
Website