Moving towards secure by default Virtual Machines (pt 3)

TL;DR: The VMware security guide recommends setting the following VMware Tools options, along with running an updated VMware Tools version and a virtual hardware version greater than 13:

  • AppInfo:

    • Windows: VMwareToolboxCmd.exe config set appinfo disabled true

    • Linux: sudo vmware-toolbox-cmd config set appinfo disabled true

  • Disable Guest OS Customization:

    • Windows: VMwareToolboxCmd.exe config set deployPkg enable-customization false

    • Linux: sudo vmware-toolbox-cmd config set deployPkg enable-customization false

Based on the vSphere Security Guide, virtual hardware version 13 (vmx-13) or newer is highly recommended. It enables CPU features that reduce the performance impact of the mitigations for various CPU vulnerabilities. Please follow this document if you plan to bring your VM to either version 13 or the latest supported version: https://eis-vss.atlassian.net/wiki/spaces/VSSPublic/pages/726630415 .

Quickly check your virtual hardware version with the following CLI command: vss-cli --columns moref,folder.name,name,version compute vm ls, or create an inventory report: https://eis-vss.atlassian.net/wiki/spaces/VSSPublic/pages/729874807 .

The Security Guide also includes certain recommendations for VMware Tools and Open VM Tools that are not enabled by default, along with running an updated VMware Tools version (https://eis-vss.atlassian.net/wiki/spaces/VSSPublic/pages/700711415). The following options are entirely optional, but applying them is recommended:

Setting: appinfo

Description: Appinfo is a powerful method for application discovery through VMware Tools or Open VM Tools. It is a useful way to retrieve information about running processes.

This also means that an attacker who doesn’t have access to a VM may have an easier time determining which exploits to use to gain access, should they gain access to vSphere.

Mitigation:

  • Windows: VMwareToolboxCmd.exe config set appinfo disabled true

  • Linux: sudo vmware-toolbox-cmd config set appinfo disabled true

Setting: enable-customization

Description: The ITS Private Cloud provides an easier interface for customizing the VM guest OS after deployment. However, based on these security recommendations, the ability to recustomize the OS must be disabled. This prevents an adversary from gaining access to the data by cloning or recustomizing the VM.

If you change your mind, you can always revert it.

Mitigation:

  • Windows: VMwareToolboxCmd.exe config set deployPkg enable-customization false

  • Linux: sudo vmware-toolbox-cmd config set deployPkg enable-customization false
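
To confirm on a Linux guest that both settings above were actually persisted, the following added example (not part of the original page or of VMware's tooling) audits the tools.conf file. It assumes the config set commands write to an INI-style tools.conf, typically /etc/vmware-tools/tools.conf; the function names and the sample file are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): audit tools.conf for the two
# settings recommended above.
# Assumption: "config set" persists to an INI-style tools.conf, typically
# /etc/vmware-tools/tools.conf on Linux guests.

# Print the value of KEY in [SECTION] of FILE; print nothing if it is unset.
# Tolerates comments, CRLF, spaces around "=", repeated sections (last wins).
tools_conf_get() {
    awk -v want_sec="$2" -v want_key="$3" '
        { sub(/\r$/, "") }
        /^[ \t]*(#|$)/ { next }
        /^[ \t]*\[/ { sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec); next }
        sec == want_sec {
            eq = index($0, "="); if (!eq) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == want_key) val = v
        }
        END { if (val != "") print val }
    ' "$1"
}

# check_setting FILE SECTION KEY WANT: report one setting, return 1 on mismatch.
# Strict: only the literal value written by the commands above counts.
check_setting() {
    local got
    got=$(tools_conf_get "$1" "$2" "$3")
    if [ "$got" = "$4" ]; then echo "OK:   [$2] $3=$got"; return 0; fi
    echo "FAIL: [$2] $3=${got:-UNSET} (want $4)"; return 1
}

# Return 0 only if both settings are in place, 1 if not, 2 if unreadable.
audit_tools_conf() {
    local rc=0
    [ -r "$1" ] || { echo "FAIL: cannot read $1"; return 2; }
    check_setting "$1" appinfo disabled true || rc=1
    check_setting "$1" deployPkg enable-customization false || rc=1
    return "$rc"
}

# Constructed sample: appinfo hardened, guest customization still enabled.
sample=$(mktemp)
printf '%s\n' '# constructed sample' '[appinfo]' 'disabled = true' \
    '[deployPkg]' 'enable-customization=true' > "$sample"
audit_tools_conf "${1:-$sample}" || echo "=> not compliant"
rm -f "$sample"
```

Pass the path of a real tools.conf as the first argument to audit it instead of the constructed sample; an unset key is reported as a failure because the page recommends setting both values explicitly.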

 

University of Toronto - Since 1827