The MOB as it is known is used mainly by developers or for debugging. It has direct access to the VMkernel so as well as allowing view access it allows changes to be made. It can be access over port 443 (HTTPS) and requires authentication using the ROOT account password. The MOB if left accessible is a dangerous interface in the hands of an attacker. Therefore it is recommended you disable it or restrict access to it through access control methods.

Remediation

1. Logon to the ESX/ESXi console using SSH or directly.
2. Change directories to /etc/vmware/hostd
3. Edit the following file proxy.xml but before doing so make a copy
4. Find the line "<pipeName>/var/run/vmware/proxy-mob</pipeName>"
5. Comment out or remove the entire section between "<e id=" and "</e>"
6. Then make sure that all "<e id=" are in sequence by renumbering them accordingly
7. Save the file

IMPORTANT: If you mess the file up then make sure you have a backup as you will effect the authentication process and access to the Host.

Forged Transmits Protection

This rule checks the layer 2 security policy of the vswitch to protect against forged transmits. If you set this option to Reject, compares the source MAC address being transmitted by the operating system with the effective MAC address for its adapter to see if they match. If the addresses do not match, ESX/ESXi drops the packet

Remediation:

1. Login to the VC or ESX Host using the VI client
2. Select the configuration tab for your ESX host
3. Select networking from the hardware pane
4. Select the properties for the vswitch you wish to change
5. Select Edit from the ports tab
6. Select the security tab
7. Change the ‘Forged Transmit setting to Reject’

You should ensure that a normal user or process cannot make modifications to virtual disk operations. Particularly the process a virtual disk invokes to reclaim disk space. If this method is invoked repeatedly the disk could become unavailable and thus cause a denial of service on the guest. It is recommended that this feature be turned off.

Remediation Steps

1. Login to VirtualCenter or your ESX Host using the VI client
2. Power off the VM to be changed
3. Select the Virtual Machine that you wish to change
4. Select edit settings
5. Then select the options tab
6. Select Advanced, General and then select the “configuration parameters” button.
7. Add a row if necessary and then enter in the name field: “isolation.tools.diskWiper.disable”
8. In the value field enter the value “true”
9. Add another row and enter in the name field “isolation.tools.diskShrink.disable”
10. Add in the value field “true”

By default this feature is turned on.  If left as the default of accept then a potential attacker could spoof MAC addresses and potentially appear as a trusted host.

Remediation

• Login to VirtualCenter or your ESX host using the VI Client
• Select the configuration tab for your ESX host
• Select networking from the hardware pane
• Select the properties for the vswitch you wish to change
• Select Edit from the ports tab
• Select the security tab
• Change the “MAC address spoofing setting to Reject”

This is potential security risk as an attacker could compromise the security of the host by inserting a usb device in the host and uploading malicious data.

Remediation

• Login to the service console via ssh
• Edit the file /etc/modules.conf
• Comment out the line alias usb-controller
• Save the file

Make sure that each of the following directories is mounted on  a separate partition:

/home

/var

/tmp

/log

Remediation

1. Log into the service console via ssh
2. Run the command “df -k” this will show the current partition structure.  You should have separate entries for each of the above directories.
3. If you do not have separate directories then you will need to create new mount points for each of the directories and create new partitions on the disk.
4. If you do not have enough disk space then you will need to make a decision on how practical it is for you to make the necessary changes in order to comply with this rule.
5. Alternative approaches to not doing this would be to create a cronjob that monitors disk space and archives off log files and or deletes unwanted files to avoid the situation of the root partition filling up.

NOTE: Altering disk partitions is a skilled job do not attempt this if you are unsure of what you are doing and always make a backup first.

“Datastore Partitioning,” an appendix of the Installation

and Upgrade Guide, covers disk partitions in more detail.

When using MS SQL as the backend Database for your Virtual Center you should make sure that the following extended stored procedures have been removed or switched off.

You should do this as procedures like xp_cmdshell allow full access to the underlying operating system.

Entities:

xp_available media
xp_cmdshell
xp_dirtree
xp_dnsinfo
xp_enumdsn
xp_enumerrorlogs
xp_enumgroups
xp_eventlog
xp_fixeddrives
xp_getfiledetails
xp_getnetname
xp_logevent
xp_loginconfig
xp_msver
xp_readerrorlog
xp_servicecontrol
xp_sprintf
xp_sscanf
xp_subdirs

Remediation: Remove

Risk Level: High

Promiscuous mode is the equivalent of setting up a span or mirror port on a physical switch and could have security as well as performance implications if turned on for a vswitch. Unless it is required it is recommended that this feature be turned off.

To disable this feature you need to perform the following steps:

1. Login to VirtualCenter or your ESX host using the VI Client
2. Select the configuration tab for your ESX host
3. Select networking from the hardware pane
4. Select the properties for the vswitch you wish to change
5. Select Edit from the ports tab
6. Select the security tab
7. Change the setting for promiscuous mode to reject.

Direct root login via SSH should be disabled, the reason for doing so is to prevent anyone from being able to brute force the login credentials for root via ssh and therefore compromise the security of the host.  By disabling root login any attacker would now have to guess both the user account name and password which obviously makes it more difficult for them to get onto the host.  If you combine password complexity with your accounts you should have a fairly robust level of security in place for your users.

To enable this feature you need to perform the following steps:

1. Login to the host via ssh or direct console access

2. Change directories to /etc/ssh/

3. Edit the file sshd_config using an editor such as ‘vi’

4. Change the line “PermitRootLogin” to “PermitRootLogin no”

5. Restart the sshd daemon.

Allowing data to be copied between your Guest VM’s and your Host OS could create a potential security risk in allowing sensistive data to leak from VM’s and be taken outside of your organisation.  If you are creating Virtual Machine infrastructures in DMZ networks then this is particularly relevant.

To enable this feature login to your ESX Host or VC and select the particular VM you wish to change then complete the following steps: (you may need to power down the VM when making this change)

1. Login to the VC or ESX Host using the VI client
2. Select the specific VM you want to change the setting for
3. Edit the Machine settings
4. Select options then advanced
5. Then select general and then click the button configuration parameters
6. Enter the entity information and value as specified below:
isolation.tools.copy.disable  TRUE
isolation.tools.paste.disable  TRUE
isolation.tools.setGUIOptions.enable  FALSE