15 Sep

Avoid denial of service caused by virtual disk modification operations

You should ensure that a normal user or process cannot modify virtual disk operations, particularly the operations a virtual disk invokes to reclaim disk space (shrinking and wiping). If these operations are invoked repeatedly the disk can become unavailable, causing a denial of service on the guest. It is recommended that this feature be turned off.

Remediation Steps

1. Login to VirtualCenter or your ESX Host using the VI client
2. Power off the VM to be changed
3. Select the Virtual Machine that you wish to change
4. Select edit settings
5. Then select the options tab
6. Select Advanced, General and then select the “configuration parameters” button.
7. Add a row if necessary and then enter in the name field: “isolation.tools.diskWiper.disable”
8. In the value field enter the value “true”
9. Add another row and enter in the name field “isolation.tools.diskShrink.disable”
10. Add in the value field “true”

Category : Virtualization Security Tips | Blog
4 Apr

Do not use promiscuous mode on network interfaces

Promiscuous mode is the equivalent of setting up a SPAN or mirror port on a physical switch: any VM on the port group can see every frame that crosses the vSwitch. It can have security as well as performance implications if turned on for a vSwitch. Unless it is required it is recommended that this feature be turned off.

To disable this feature you need to perform the following steps:

1. Login to VirtualCenter or your ESX host using the VI Client
2. Select the configuration tab for your ESX host
3. Select networking from the hardware pane
4. Select the properties for the vswitch you wish to change
5. Select Edit from the ports tab
6. Select the security tab
7. Change the setting for promiscuous mode to reject.

Category : Virtualization Security Tips | Blog
19 Mar

Disable Copy and Paste between Guest OS and Remote Console

Allowing data to be copied between your Guest VMs and your Host OS could create a potential security risk by allowing sensitive data to leak from VMs and be taken outside of your organisation. If you are creating Virtual Machine infrastructures in DMZ networks then this is particularly relevant.

To apply this restriction, log in to your ESX Host or VC, select the particular VM you wish to change, and complete the following steps (you may need to power down the VM when making this change):

1. Login to the VC or ESX Host using the VI client
2. Select the specific VM you want to change the setting for
3. Edit the Machine settings
4. Select options then advanced
5. Then select general and then click the button configuration parameters
6. Enter the name and value pairs as specified below:

isolation.tools.copy.disable  TRUE
isolation.tools.paste.disable  TRUE
isolation.tools.setGUIOptions.enable  FALSE
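The two posts above (disk shrink/wipe and copy/paste isolation) both come down to a handful of isolation.tools.* keys in the VM's .vmx file. The following audit script is an added example, not VMware's own tooling and not from the original posts: it parses the key = "value" format of a .vmx file and reports every required key that is missing or set to the wrong value, so the settings can be verified across many VMs rather than checked by hand in the VI client. The SAMPLE_VMX content is constructed for illustration; key names are treated as case-insensitive, which is an assumption made here.

```python
"""Audit a VMware .vmx file for the guest-isolation settings described above.

Added example for the blog posts on diskWiper/diskShrink and copy/paste
isolation; not VMware's own tooling.
"""
import re
import sys

# Keys the posts ask for, with the value each must carry. VMX booleans are
# written as "true"/"TRUE" interchangeably, so comparison is case-insensitive.
REQUIRED_ISOLATION_SETTINGS = {
    "isolation.tools.diskWiper.disable": "TRUE",
    "isolation.tools.diskShrink.disable": "TRUE",
    "isolation.tools.copy.disable": "TRUE",
    "isolation.tools.paste.disable": "TRUE",
    "isolation.tools.setGUIOptions.enable": "FALSE",
}

# One .vmx line: key = "value"  (values are always double-quoted)
_VMX_LINE = re.compile(r'^\s*([A-Za-z0-9_.:\-]+)\s*=\s*"(.*)"\s*$')


def parse_vmx(text):
    """Return {key: value} for a .vmx file body.

    Blank lines and '#' comments are skipped. Keys are lower-cased on the
    assumption (made here) that VMX keys are case-insensitive.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = _VMX_LINE.match(line)
        if match:
            settings[match.group(1).lower()] = match.group(2)
    return settings


def audit_isolation(vmx_text):
    """Return a sorted list of (key, expected, actual) for non-compliant keys.

    'actual' is None when the key is absent from the file, which is the
    default state of a freshly created VM and therefore the common finding.
    """
    settings = parse_vmx(vmx_text)
    findings = []
    for key, expected in REQUIRED_ISOLATION_SETTINGS.items():
        actual = settings.get(key.lower())
        if actual is None or actual.upper() != expected:
            findings.append((key, expected, actual))
    return sorted(findings)


# Constructed sample: copy is correctly disabled, paste and GUI options are
# wrong, diskShrink is right and diskWiper was never added at all.
SAMPLE_VMX = """\
.encoding = "UTF-8"
config.version = "8"
virtualHW.version = "4"
displayName = "dmz-web01"
# guest isolation settings
isolation.tools.copy.disable = "true"
isolation.tools.paste.disable = "FALSE"
isolation.tools.setGUIOptions.enable = "TRUE"
isolation.tools.diskShrink.disable = "TRUE"
"""


def report(vmx_text, name="<sample>"):
    """Print findings in a one-line-per-problem form suitable for a cron job."""
    findings = audit_isolation(vmx_text)
    if not findings:
        print(f"{name}: all isolation settings compliant")
    for key, expected, actual in findings:
        state = "MISSING" if actual is None else f"is {actual!r}"
        print(f"{name}: {key} {state}, expected {expected!r}")
    return findings


if __name__ == "__main__":
    # Pass .vmx paths on the command line, or run with none to use the sample.
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            with open(path, encoding="utf-8", errors="replace") as fh:
                report(fh.read(), path)
    else:
        report(SAMPLE_VMX)
```

Run it against the .vmx files on a datastore (for example over an NFS or SSH copy of the VM folders) and treat any line of output as a configuration drift to fix through the steps above; a VM whose file has none of these keys will show all five as MISSING, which is the expected result for an unhardened guest.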

Category : VMware security | Virtualization Security | Virtualization Security Tips | Blog
17 Mar


  1. Segregation of Duties – Ensure that you assign the appropriate security roles and permissions for access to your VC, ESX and VM Guests
  2. Audit, secure and lock down the VC Database
  3. Disable direct ‘ROOT’ logins for each of your ESX Servers
  4. Ensure that the ESX Firewall is enabled and configured correctly; disable ports that are not required.
  5. Ensure you have adequate logging enabled and enable remote logging to a syslog server.
  6. Assess the security of each VM based on function and network location, e.g. eMail, DMZ. Apply security measures appropriate for the zone they are in.
  7. Make sure that the ESX host and all VM Guests are patched to the latest levels.
  8. Apply the same basic security controls to your VMs as you would in the physical world, e.g. AV
  9. Segment network access within your vSwitches and apply all security measures like disabling promiscuous mode.
  10. Regularly audit and assess the security configuration of your virtual environment.
Category : VMinformer | VMware security | Virtualization Security | Blog