Locking down VMware tools

Posted: July 11, 2009 in Tips and Tricks, VMware

If you look a couple of posts back you ll see that Ive been doing some hardening of the ESX service console, this week I thought id post about some of the changes Ive made to A. To my production virtual machines already built, and B. To the templates to ensure any machines deployed from these templates will automatically have the hardened options applied.

Personally I think its disappointing VMware tools is configured like this by default, I would much prefer every option be disabled out of the box and if customers want to use one of the features, then let them enable it.

Just before I get into it, I thought it would be worth mentioning you can apply these directives by pasting directly into the Virtual Machines .VMX file or by configuring the advanced options for each virtual machine  using the VC client. In both cases the virtual machine needs to be powered completely off and back on again for changes to apply.

Now If you log onto a Virtual Machine with VMware tools installed as a standard user you ll notice that you have the ability to perform any of the various functions built into VMware tools. Below I’m going to go over a few things Ive done and give a brief description of why its a good idea.

Disable Copy and Paste operations

By default VMware tools allows  copy and paste operation between the virtual machine operating system and the computer the virtual center client is running. The following changes are to prevent sensitive data from being accidentally left in the clipboard and a non privileged user from being able to paste this information from another vc session.

isolation.tools.copy.disable = “true”
isolation.tools.paste.disable = “true”

Disable Disk Shrink

Ok, now this one in the hardening guide is listed as “Avoid Denial of Service caused by Virtual Disk Operations”, so its probably one I would class as fairly important, denial of service is never a good thing.

isolation.tools.diskWiper.disable = “true”
isolation.tools.diskShrink.disable = “true

I did want to mention here though that while most people I suspect will never miss this feature, I do actually use this every now and then on our file servers and here’s why. If you have a Virtual Machine with a 20GB disk and the operating system is only using 3GB of the 20GB, during a VCB export of the Virtual Machine, only 3GB is exported which of course is great. Now if you were to copy 10 GB of data to the same Virtual Machine and then delete that data, then perform another VCB backup… you would find your VCB export of the same machine would now be roughly 13 GB. The reason for this is that operating systems (Both Windows and Linux for that matter) delete the pointer to the data, but the actual data remains on the disk.

Now the disk shrink option here in VMware tools goes and cleans up and after completing, any subsiquant VCB exports will now only export 3GB. Disabling isnt a biggy as its not even something you can schedule so I would then look at using one of the open source scripts out there which acheives the same result.

Disable Options to Connect/Disconnect Devices

Once again, by default any user logged onto the system has the ability to connect and disconnect the following devices. CD ROM, Floppy, NIC

isolation.device.connectable.disable = “true”
isolation.device.edit.disable = “true”

This one is really important if you have virtualized terminal services  servers in your Virtual Infrastructure, the last thing you want is any old Tom, Dick, or Harry disconnecting the Virtual Machine from the network. The fact that you can do this without being an administrator of the system is ah…. scary.

Limit Data Flow from the Virtual Machine to the Datastore

As noted in the hardening guide “Virtual  Machines can write troubleshooting information to a log file (vmware.log) stored on the VMFS file system. Now there are various ways to cause all kinds of information to flood the log file and potentially start to fill the VMFS file system, but I wont go into that here but I will show the option to disable.

log.rotateSize = “100000”
log.keepOld = “10”

The options above limit the log size to 100000 bytes and limit the number of log files to 10.

 Litmit SETINFO Messages

Now if you read through the hardening guide, you’ll come cross a section that covers informational messages, otherwise known as SETINFO messages.

Now my understanding is that currently there is no limitation on the amount of data that can be sent from VMware tools to the host, so you can imagine it wouldn’t be hard to write some code to continuously send huge amounts of data. So lets looks at how to limit this to something more acceptable as per the hardening guide.

tools.setInfo.sizeLimit = “1048576”

Now you can actually totally disable this using the following

isolation.tools.setInfo.disable = “true”

But this stops the Virtual Center client from displaying any information about the Virtual Machine, e.g. IP Address, DNS information. So for a production environment I would recommend setting a limit rather then totally disabling.

There are a few more tricks ill update this post with over the next couple of days, but until then if this is something you’ve found use full then I would recommend taking a look at the VMware hardening guide here.


  1. […] If you’re interested in ESX security, I’d invite you to check out his latest article. […]

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s