Moving towards secure by default Virtual Machines (pt 2)

TL;DR: New virtual machines will have the following pre-defined settings to enhance security:

  • RemoteDisplay.maxConnections=2

  • tools.guest.desktop.autolock=TRUE

  • mks.enable3d=FALSE

  • isolation.device.edit.disable=TRUE

The ITS Private Cloud team has carefully reviewed the VMware vSphere 7 Security Configuration Guide. Based on priority and on the positive impact each control has on the hardening level of a virtual machine, we have decided that, as of March 2023, new virtual machines will be created with the following pre-defined settings:

RemoteDisplay.maxConnections=2

  Description: Limits the number of simultaneous remote console connections to the virtual machine. Fewer open consoles means less opportunity for an unauthorized person to pick up a session, and a cap on sessions prevents console connections being used to exhaust resources (denial of service).

  Implications: Users launching a remote console, either the web console or VMRC, will see the following message when two sessions are already open and a third is attempted:

  You have reached the maximum number of connected consoles: 2. Please contact your administrator.

  Status: PROD

tools.guest.desktop.autolock=TRUE

  Description: Instructs VMware Tools to lock the guest OS desktop when the last remote console session disconnects, so that a desktop left logged in cannot be picked up by the next person who opens the console.

  Implications: Users who reconnect to the console have to sign in to the guest OS again after the previous console session has ended.

  Status: PROD

mks.enable3d=FALSE

  Description: Disables 3D graphics acceleration. An unused display feature is attack surface with no benefit: a flaw in the 3D rendering path could be used from the guest as a vector for running malicious code in the virtualization layer.

  Implications: 3D acceleration is disabled by default. If your application needs this feature, please reach out to vss@eis.utoronto.ca.

  Status: PROD

isolation.device.edit.disable=TRUE

  Description: Prevents users and processes inside the guest OS from adding or modifying virtual hardware devices. Device manipulation from within a guest can be used to attack the ESXi host or other virtual machines on the same host.

  Implications: Users may be unable to control removable media from within the guest OS. For instance, to unmount a CD/DVD ISO, use the Portal or the CLI:

  vss-cli compute vm set <vm> cd up 1 --backing=client

  Status: PROD
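The four settings above are ordinary key/value entries in a VM's .vmx configuration, and an auditor wants to know which VMs still lack them. The script below is an added example, not code from the original post, from the vss-cli project or from VMware: it parses the VMX text format, reports every key that is missing or set to something other than the hardened value, and produces a hardened copy of the configuration. The sample VMX is constructed for the example, and the script assumes VMX keys and boolean values compare case-insensitively.

```python
"""Audit a VMware .vmx configuration against the March 2023 hardened baseline.

Added example (not part of the original post, vss-cli or VMware). Works on the
VMX key = "value" text format only, so it runs offline on the embedded sample;
for real VMs, feed it the .vmx text or an export of the VM's advanced settings.
"""
import re

# Baseline from the post. A key that is absent is reported too: without an
# explicit value the platform default applies, not the hardened value.
BASELINE = {
    "RemoteDisplay.maxConnections": "2",
    "tools.guest.desktop.autolock": "TRUE",
    "mks.enable3d": "FALSE",
    "isolation.device.edit.disable": "TRUE",
}

# key = "value"  or  key = value ; VMX keys may contain '.', ':', '-' and '_'.
# Comment lines (# ...) and blank lines do not match and are skipped.
_LINE = re.compile(r'^\s*([A-Za-z0-9_.:\-]+)\s*=\s*"?([^"]*)"?\s*$')


def parse_vmx(text):
    """Return {key_lowercase: value} for a .vmx file.

    Assumption: VMX keys are compared case-insensitively, so keys are lowered.
    """
    settings = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            settings[m.group(1).lower()] = m.group(2).strip()
    return settings


def audit(settings, baseline=BASELINE):
    """Return [(key, expected, actual)] for every non-compliant baseline key.

    actual is None when the key is not set at all (platform default applies).
    """
    findings = []
    for key, expected in baseline.items():
        actual = settings.get(key.lower())
        if actual is None or actual.lower() != expected.lower():
            findings.append((key, expected, actual))
    return findings


def harden(text, baseline=BASELINE):
    """Return VMX text with the baseline enforced.

    Existing keys are rewritten in place (keeping their position), missing keys
    are appended at the end; every other line is preserved verbatim.
    """
    wanted = {k.lower(): (k, v) for k, v in baseline.items()}
    out, seen = [], set()
    for line in text.splitlines():
        m = _LINE.match(line)
        if m and m.group(1).lower() in wanted:
            key, value = wanted[m.group(1).lower()]
            out.append(f'{key} = "{value}"')
            seen.add(m.group(1).lower())
        else:
            out.append(line)
    for lk, (key, value) in wanted.items():
        if lk not in seen:
            out.append(f'{key} = "{value}"')
    return "\n".join(out) + "\n"


# Constructed sample: a VM created before the new defaults, with 3D still on,
# a generous console limit, and the two other keys never set.
SAMPLE_VMX = """\
.encoding = "UTF-8"
config.version = "8"
virtualHW.version = "19"
displayName = "example-vm"
guestOS = "ubuntu-64"
ide1:0.deviceType = "cdrom-image"
# legacy values below are what this audit is meant to catch
mks.enable3d = "TRUE"
RemoteDisplay.maxConnections = "10"
tools.syncTime = "FALSE"
"""


if __name__ == "__main__":
    for key, expected, actual in audit(parse_vmx(SAMPLE_VMX)):
        state = "not set" if actual is None else f"is {actual!r}"
        print(f"NON-COMPLIANT {key}: {state}, expected {expected!r}")
    print("--- hardened ---")
    print(harden(SAMPLE_VMX), end="")
```

Run as a script it lists the four findings for the sample and prints the hardened configuration. The check is the useful part for a fleet review; on a live platform the settings are applied through the VM's advanced settings (here, the Portal or vss-cli), not by hand-editing the .vmx.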

The settings will be applied gradually to existing virtual machines (powered-on VMs and templates) when a request is submitted through the vss-cli or the ITS Private Cloud Portal.

We will continue to monitor any changes in the VMware vSphere 7 Security Configuration Guide and update this post as required.

What’s next?

In Part 3 of this series, we will provide VMware Tools recommended settings to harden security at Guest OS level.
