Moving towards secure by default Virtual Machines (pt 3)
TL;DR: The vSphere Security Configuration Guide recommends setting the following VMware Tools options, running an up-to-date VMware Tools version, and using Virtual Hardware version 13 or newer:
Disable AppInfo:
Windows:
VMwareToolboxCmd.exe config set appinfo disabled true
Linux:
sudo vmware-toolbox-cmd config set appinfo disabled true
Disable Guest OS Customization:
Windows:
VMwareToolboxCmd.exe config set deployPkg enable-customization false
Linux:
sudo vmware-toolbox-cmd config set deployPkg enable-customization false
Based on the vSphere Security Configuration Guide, virtual hardware version 13 (vmx-13) or newer is highly recommended: it exposes CPU features to the guest that reduce the performance impact of the mitigations for various CPU vulnerabilities. If you plan to bring your VM to version 13 or to the latest supported version, follow How-to Upgrade a virtual machine to the latest supported hardware version. Note that the upgrade requires the VM to be powered off and cannot be reversed afterwards, so take a snapshot first if you may need to roll back.
Quickly check your virtual hardware version with the following vss-cli command: vss-cli --columns moref,folder.name,name,version compute vm ls
or create an inventory report (How-to create a VM Inventory Report).
The Security Guide also includes recommendations for VMware Tools and Open VM Tools that are not the default, in addition to running an up-to-date VMware Tools version. The following options are optional in the ITS Private Cloud but recommended:
Setting | Description | Mitigation |
---|---|---|
AppInfo | The VMware Tools AppInfo plugin collects the list of applications running inside the guest and publishes it to vSphere as guest information. This also means an attacker who doesn't have access to a VM may have an easier time determining which exploits to use to gain access, should they gain access to vSphere. | Disable AppInfo. Windows: `VMwareToolboxCmd.exe config set appinfo disabled true`; Linux: `sudo vmware-toolbox-cmd config set appinfo disabled true` |
Guest OS Customization | The ITS Private Cloud provides an easy interface for customizing the VM Guest OS after deployment. However, based on these security recommendations, the ability to re-customize the OS should be disabled, to prevent an adversary from gaining access to the data by cloning or re-customizing the VM. If you change your mind, you can always revert the setting. | Disable Guest OS Customization. Windows: `VMwareToolboxCmd.exe config set deployPkg enable-customization false`; Linux: `sudo vmware-toolbox-cmd config set deployPkg enable-customization false` |
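As an added example (not part of the original page, and not VMware's or the ITS Private Cloud's own tooling), the following POSIX shell script audits, enforces and reverts the two settings above on a Linux guest through vmware-toolbox-cmd, and verifies them afterwards with `config get` rather than trusting that `config set` succeeded. It assumes vmware-toolbox-cmd is on PATH (the VMTOOLBOX_CMD variable is a hypothetical override for pointing the script at a stub), that `config get` prints `[section] key = value` with the value UNSET when the key is absent, and that `config remove` deletes a key. The Windows equivalent is the same sequence of subcommands with VMwareToolboxCmd.exe.

```shell
#!/bin/sh
# Added example, not code from the ITS Private Cloud page or from VMware.
# Audits, enforces and reverts the two VMware Tools settings recommended above on a
# Linux guest (open-vm-tools) and verifies them through the same CLI.
# Assumptions: vmware-toolbox-cmd is on PATH (VMTOOLBOX_CMD is a hypothetical
# override for testing against a stub); "config get" prints "[section] key = value"
# with the value UNSET when the key is absent; "config remove" deletes a key.
set -eu

VMTOOLBOX_CMD="${VMTOOLBOX_CMD:-vmware-toolbox-cmd}"

# Desired state from the vSphere Security Configuration Guide: "section key value".
DESIRED="appinfo disabled true
deployPkg enable-customization false"

# current_value SECTION KEY: print the configured value in lower case, or "unset".
current_value() {
    out=$("$VMTOOLBOX_CMD" config get "$1" "$2" 2>/dev/null) || { echo unset; return 0; }
    val=${out##*=}                                      # text after the last "="
    val=$(printf '%s' "$val" | tr -d '[:space:]' | tr 'A-Z' 'a-z')
    case "$val" in
        ""|unset) echo unset ;;
        *)        echo "$val" ;;
    esac
}

# audit: one line per setting ("section key current desired STATUS");
# returns 0 only when every setting already matches the desired value.
audit() {
    rc=0
    while read -r section key want; do
        [ -n "$section" ] || continue
        have=$(current_value "$section" "$key")
        if [ "$have" = "$want" ]; then status=OK; else status=DRIFT; rc=1; fi
        printf '%-10s %-22s %-6s %-6s %s\n' "$section" "$key" "$have" "$want" "$status"
    done <<EOF
$DESIRED
EOF
    return $rc
}

# enforce: "config set" every drifted key (needs root on a real guest), then re-audit
# so the exit status reflects what the tool actually wrote to tools.conf.
enforce() {
    while read -r section key want; do
        [ -n "$section" ] || continue
        if [ "$(current_value "$section" "$key")" != "$want" ]; then
            "$VMTOOLBOX_CMD" config set "$section" "$key" "$want"
        fi
    done <<EOF
$DESIRED
EOF
    audit
}

# revert: remove both keys so VMware Tools falls back to its defaults.
revert() {
    while read -r section key value; do
        [ -n "$section" ] || continue
        "$VMTOOLBOX_CMD" config remove "$section" "$key" \
            || echo "warning: could not remove $section/$key" >&2
    done <<EOF
$DESIRED
EOF
}

case "${1:-}" in
    audit)   audit ;;
    enforce) enforce ;;
    revert)  revert ;;
    *)       echo "usage: $0 audit|enforce|revert" >&2
             [ -z "${1:-}" ] || exit 2 ;;
esac
```

Run `sudo ./vmtools-harden.sh audit` to see which keys drift from the recommended values, `enforce` to apply them, and `revert` to remove both keys again. On Linux the values land in /etc/vmware-tools/tools.conf; on Windows the same CLI writes C:\ProgramData\VMware\VMware Tools\tools.conf, so a config-management check can also diff those files directly.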
University of Toronto - Since 1827