Hardening Machines
- Installing Antivirus Software
Stagger the schedule for virus scans, particularly in deployments with a large number of virtual machines. Performance of systems in your environment will degrade significantly if you scan all virtual machines simultaneously.
Because software firewalls and antivirus software can be virtualization-intensive, you can balance the need for these two security measures against virtual machine performance, especially if you are confident that your virtual machines are in a fully trusted environment.
- Limiting Exposure of Sensitive Data Copied to the Clipboard
Go to the VM > Edit Settings > Options > Advanced > General > Configuration Parameters > Add Row > Enter the below values
- Removing Unnecessary Hardware Devices
Attackers can use this capability to breach virtual machine security in several ways. For example, an attacker with access to a virtual machine can connect a disconnected CD-ROM drive and access sensitive information on the media left in the drive, or disconnect a network adapter to isolate the virtual machine from its network, resulting in a denial of service.
- Prevent a Virtual Machine User or Process from Disconnecting Devices
If you do not want to permanently remove a device, you can prevent a virtual machine user or process from connecting or disconnecting the device from within the guest operating system.
- Limiting Guest Operating System Writes to Host Memory
The guest operating system processes send informational messages to the host through VMware Tools. If the amount of data the host stored as a result of these messages was unlimited, an unrestricted data flow would provide an opportunity for an attacker to stage a denial-of-service (DoS) attack.
- Modify Guest Operating System Variable Memory Limit
You can increase the guest operating system variable memory limit if large amounts of custom information are being stored in the configuration file.
- Prevent the Guest Operating System Processes from Sending Configuration Messages to the Host
You can prevent guests from writing any name-value pairs to the configuration file. This is appropriate when guest operating systems must be prevented from modifying configuration settings.
- Configuring Logging Levels for the Guest Operating System
Normally, a new log file is created each time you reboot a host, so the file can grow to be quite large. You can ensure new log file creation happens more frequently by limiting the maximum size of the log files. VMware recommends saving 10 log files, each one limited to 100KB. These values are large enough to capture sufficient information to debug most problems that might occur.
- Limit Log File Numbers and Sizes
To prevent virtual machine users and processes from flooding the log file, which can lead to denial of service, you can limit the number and size of the log files ESXi generates.
- Securing Fault Tolerance Logging Traffic
This logging traffic between the Primary and Secondary VMs is unencrypted and contains guest network and storage I/O data, as well as the memory contents of the guest operating system. This traffic can include sensitive data such as passwords in plaintext. To avoid such data being divulged, ensure that this network is secured, especially to avoid “man-in-the-middle” attacks. For example, use a private network for FT logging traffic.
VMware Hardening Guides
Leave a Reply