If you look a couple of posts back you ll see that Ive been doing some hardening of the ESX service console, this week I thought id post about some of the changes Ive made to A. To my production virtual machines already built, and B. To the templates to ensure any machines deployed from these templates will automatically have the hardened options applied.
Personally I think its disappointing VMware tools is configured like this by default, I would much prefer every option be disabled out of the box and if customers want to use one of the features, then let them enable it.
Just before I get into it, I thought it would be worth mentioning you can apply these directives by pasting directly into the Virtual Machines .VMX file or by configuring the advanced options for each virtual machine using the VC client. In both cases the virtual machine needs to be powered completely off and back on again for changes to apply.
Now If you log onto a Virtual Machine with VMware tools installed as a standard user you ll notice that you have the ability to perform any of the various functions built into VMware tools. Below I’m going to go over a few things Ive done and give a brief description of why its a good idea.
Disable Copy and Paste operations
By default VMware tools allows copy and paste operation between the virtual machine operating system and the computer the virtual center client is running. The following changes are to prevent sensitive data from being accidentally left in the clipboard and a non privileged user from being able to paste this information from another vc session.
isolation.tools.copy.disable = “true”
isolation.tools.paste.disable = “true”
Disable Disk Shrink
Ok, now this one in the hardening guide is listed as “Avoid Denial of Service caused by Virtual Disk Operations”, so its probably one I would class as fairly important, denial of service is never a good thing.
isolation.tools.diskWiper.disable = “true”
isolation.tools.diskShrink.disable = “true”
I did want to mention here though that while most people I suspect will never miss this feature, I do actually use this every now and then on our file servers and here’s why. If you have a Virtual Machine with a 20GB disk and the operating system is only using 3GB of the 20GB, during a VCB export of the Virtual Machine, only 3GB is exported which of course is great. Now if you were to copy 10 GB of data to the same Virtual Machine and then delete that data, then perform another VCB backup… you would find your VCB export of the same machine would now be roughly 13 GB. The reason for this is that operating systems (Both Windows and Linux for that matter) delete the pointer to the data, but the actual data remains on the disk.
Now the disk shrink option here in VMware tools goes and cleans up and after completing, any subsiquant VCB exports will now only export 3GB. Disabling isnt a biggy as its not even something you can schedule so I would then look at using one of the open source scripts out there which acheives the same result.
Disable Options to Connect/Disconnect Devices
Once again, by default any user logged onto the system has the ability to connect and disconnect the following devices. CD ROM, Floppy, NIC
isolation.device.connectable.disable = “true”
isolation.device.edit.disable = “true”
This one is really important if you have virtualized terminal services servers in your Virtual Infrastructure, the last thing you want is any old Tom, Dick, or Harry disconnecting the Virtual Machine from the network. The fact that you can do this without being an administrator of the system is ah…. scary.
Limit Data Flow from the Virtual Machine to the Datastore
As noted in the hardening guide “Virtual Machines can write troubleshooting information to a log file (vmware.log) stored on the VMFS file system. Now there are various ways to cause all kinds of information to flood the log file and potentially start to fill the VMFS file system, but I wont go into that here but I will show the option to disable.
log.rotateSize = “100000”
log.keepOld = “10”
The options above limit the log size to 100000 bytes and limit the number of log files to 10.
Litmit SETINFO Messages
Now if you read through the hardening guide, you’ll come cross a section that covers informational messages, otherwise known as SETINFO messages.
Now my understanding is that currently there is no limitation on the amount of data that can be sent from VMware tools to the host, so you can imagine it wouldn’t be hard to write some code to continuously send huge amounts of data. So lets looks at how to limit this to something more acceptable as per the hardening guide.
tools.setInfo.sizeLimit = “1048576”
Now you can actually totally disable this using the following
isolation.tools.setInfo.disable = “true”
But this stops the Virtual Center client from displaying any information about the Virtual Machine, e.g. IP Address, DNS information. So for a production environment I would recommend setting a limit rather then totally disabling.
There are a few more tricks ill update this post with over the next couple of days, but until then if this is something you’ve found use full then I would recommend taking a look at the VMware hardening guide here.