VMware Security Tip #7

June 3rd, 2009

Protect against MAC address spoofing

By default this setting is left at Accept. If it stays at Accept, an attacker who controls a guest could change its MAC address to impersonate a trusted host on the same network.

Remediation

  • Login to VirtualCenter or your ESX host using the VI Client
  • Select the configuration tab for your ESX host
  • Select networking from the hardware pane
  • Select the properties for the vswitch you wish to change
  • Select Edit from the ports tab
  • Select the security tab
  • Change the “MAC address spoofing” setting to Reject
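The same change can be made from PowerCLI, which is handy when there are many hosts to check. The script below is an added example, not part of the original post: it audits every standard vSwitch on one ESX host and sets the policy to Reject where it is still Accept. The server and host names are placeholders, and it assumes a current PowerCLI with the Get-SecurityPolicy / Set-SecurityPolicy cmdlets.

```powershell
# Added example (not from the original post): audit and harden the security policy
# of every standard vSwitch on an ESX host with PowerCLI.
# Assumptions: PowerCLI is installed; $VIServer and $HostName are placeholders.
$VIServer = 'vcenter.example.local'   # placeholder
$HostName = 'esx01.example.local'     # placeholder

Connect-VIServer -Server $VIServer | Out-Null

$vmhost = Get-VMHost -Name $HostName
foreach ($vswitch in Get-VirtualSwitch -VMHost $vmhost -Standard) {
    $policy = Get-SecurityPolicy -VirtualSwitch $vswitch

    # A property value of $true means "Accept" in the VI Client dialog.
    if ($policy.MacChanges -or $policy.ForgedTransmits -or $policy.AllowPromiscuous) {
        Write-Warning ("{0}: MacChanges={1} ForgedTransmits={2} Promiscuous={3}" -f `
            $vswitch.Name, $policy.MacChanges, $policy.ForgedTransmits, $policy.AllowPromiscuous)

        # Reject all three. MAC address changes is the setting the post discusses;
        # forged transmits closes the companion path (frames sent with a spoofed
        # source MAC), and promiscuous mode has no place on a production vSwitch.
        Set-SecurityPolicy -VirtualSwitchPolicy $policy `
            -MacChanges $false -ForgedTransmits $false -AllowPromiscuous $false | Out-Null
        Write-Output ("{0}: security policy set to Reject" -f $vswitch.Name)
    } else {
        Write-Output ("{0}: security policy already rejects spoofing" -f $vswitch.Name)
    }
}

Disconnect-VIServer -Server $VIServer -Confirm:$false
```

Port groups can override the vSwitch policy, so after running this also check each port group (Get-VirtualPortGroup piped to Get-SecurityPolicy) for an explicit Accept that would silently undo the vSwitch-level change.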

Remove Extended Stored Procedures from your Database

When using MS SQL as the back-end database for your VirtualCenter, make sure that the following extended stored procedures have been removed or switched off.

You should do this as procedures like xp_cmdshell allow full access to the underlying operating system.

Entities:

xp_availablemedia
xp_cmdshell
xp_dirtree
xp_dnsinfo
xp_enumdsn
xp_enumerrorlogs
xp_enumgroups
xp_eventlog
xp_fixeddrives
xp_getfiledetails
xp_getnetname
xp_logevent
xp_loginconfig
xp_msver
xp_readerrorlog
xp_servicecontrol
xp_sprintf
xp_sscanf
xp_subdirs

Remediation: Remove

Risk Level: High
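A quick way to audit the list above against the VirtualCenter database server is the PowerShell script below. It is an added example, not part of the original post: it connects to master, reports which of the listed procedures still exist and whether the public role has been granted EXECUTE on them, and only when run with -Remediate denies EXECUTE to public and turns off the xp_cmdshell option. The server name is a placeholder; the catalog views and sp_configure option it uses assume SQL Server 2005 or later, and it runs under the Windows credentials of the caller.

```powershell
# Added example (not from the original post): audit the extended stored procedures
# listed in the post on the VirtualCenter SQL Server, and optionally lock them down.
# Assumptions: SQL Server 2005+ catalog views, Windows authentication, placeholder server.
param(
    [string]$SqlServer = 'vcdb01.example.local',   # placeholder
    [switch]$Remediate                             # make changes only when asked
)

# The list from the post.
$xpList = @(
    'xp_availablemedia','xp_cmdshell','xp_dirtree','xp_dnsinfo','xp_enumdsn',
    'xp_enumerrorlogs','xp_enumgroups','xp_eventlog','xp_fixeddrives','xp_getfiledetails',
    'xp_getnetname','xp_logevent','xp_loginconfig','xp_msver','xp_readerrorlog',
    'xp_servicecontrol','xp_sprintf','xp_sscanf','xp_subdirs'
)

$conn = New-Object System.Data.SqlClient.SqlConnection
$conn.ConnectionString = "Server=$SqlServer;Database=master;Integrated Security=SSPI"
$conn.Open()

function Invoke-Sql([string]$Text) {
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = $Text
    $reader = $cmd.ExecuteReader()
    $rows = @()
    while ($reader.Read()) {
        $row = @{}
        for ($i = 0; $i -lt $reader.FieldCount; $i++) { $row[$reader.GetName($i)] = $reader.GetValue($i) }
        $rows += $row
    }
    $reader.Close()
    return $rows
}

# Extended stored procedures have type 'X' in sys.all_objects. The sub-query looks for
# an explicit GRANT of EXECUTE to the public role on that object.
$inList = ($xpList | ForEach-Object { "'$_'" }) -join ','
$audit = Invoke-Sql @"
SELECT SCHEMA_NAME(o.schema_id) AS schema_name, o.name,
       CASE WHEN EXISTS (
            SELECT 1 FROM sys.database_permissions p
            WHERE p.class = 1 AND p.major_id = o.object_id
              AND p.grantee_principal_id = DATABASE_PRINCIPAL_ID('public')
              AND p.permission_name = 'EXECUTE' AND p.state IN ('G','W')
       ) THEN 1 ELSE 0 END AS public_exec
FROM sys.all_objects o
WHERE o.type = 'X' AND o.name IN ($inList)
"@

foreach ($row in $audit) {
    $flag = if ($row['public_exec'] -eq 1) { 'public can EXECUTE' } else { 'no public grant' }
    Write-Output ("{0}.{1}: present, {2}" -f $row['schema_name'], $row['name'], $flag)
}

# xp_cmdshell additionally has a server-wide on/off switch.
$cfg = Invoke-Sql "SELECT value_in_use FROM sys.configurations WHERE name = 'xp_cmdshell'"
if ($cfg.Count -gt 0 -and $cfg[0]['value_in_use'] -eq 1) {
    Write-Warning 'xp_cmdshell is enabled in sys.configurations'
}

if ($Remediate) {
    foreach ($row in $audit) {
        $target = '[{0}].[{1}]' -f $row['schema_name'], $row['name']
        Invoke-Sql "DENY EXECUTE ON $target TO public" | Out-Null
        Write-Output "denied EXECUTE on $target to public"
    }
    # Turning the option off stops xp_cmdshell even for logins that keep EXECUTE.
    Invoke-Sql "EXEC sp_configure 'show advanced options', 1; RECONFIGURE;" | Out-Null
    Invoke-Sql "EXEC sp_configure 'xp_cmdshell', 0; RECONFIGURE;" | Out-Null
    Write-Output 'xp_cmdshell option set to 0'
}

$conn.Close()
```

Run it without -Remediate first and keep the output as the before-state; the service account VirtualCenter uses should never need any of these procedures, so a DENY to public followed by a check of that account's own grants is the safer order than dropping objects on a server that other applications may share.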


Graphic Card Virtualisation

April 25th, 2009

Sooner or later even the graphic cards had to be virtualised.

To achieve this task three components are needed: a chipset providing some sort of I/O virtualisation technologies, a virtualisation platform that can support it, and a display card that can handle the requests to access its GPU coming from different virtual machines at the same time.
The first three companies that made this possible are Intel, which provides the I/O virtualisation technology (VT-d), Parallels, which provides the platform (Workstation), and NVIDIA, which provides the GPU (Quadro with SLI Multi-OS).
Looking at this from a virtual desktop perspective, the day is fast approaching when the perceived limitations on running highly demanding applications will be over. Many vendors are now reducing the gap, and the benefits to businesses once this happens will be massive. It is possible today to run many 2D and 3D applications within a virtual environment on specific hardware, but once virtualisation companies such as VMware can achieve this through software, we will truly be there.
With VMware’s next release of its View product, many 2D applications will be supported in a virtual environment using either TCX from Wyse, a software version of Teradici PC-over-IP, or the RGS protocol from HP.
As you can see, things are really starting to change for the virtual desktop, and with the economy as it is, VDI could now start to offer the savings it always promised.


Disable Copy and Paste between Guest OS and Remote Console

Allowing data to be copied between your guest VMs and your host OS creates a potential security risk: sensitive data can leak out of a VM and be taken outside your organisation. If you are building virtual machine infrastructure in DMZ networks, this is particularly relevant.

To apply this setting, log in to your ESX host or VC, select the VM you wish to change, and complete the following steps (you may need to power down the VM when making this change):

1. Login to the VC or ESX Host using the VI client
2. Select the specific VM you want to change the setting for
3. Edit the Machine settings
4. Select options then advanced
5. Then select General and click the Configuration Parameters button
6. Enter the entity information and value as specified below:

isolation.tools.copy.disable  TRUE
isolation.tools.paste.disable  TRUE
isolation.tools.setGUIOptions.enable  FALSE
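When the same three parameters need to go onto every VM in a DMZ, the VI Client dialog gets tedious; the PowerCLI script below is an added example, not part of the original post, that checks what each VM already has and adds or corrects only what differs. The server name and VM name pattern are placeholders, and it assumes a current PowerCLI with the Get-/New-/Set-AdvancedSetting cmdlets.

```powershell
# Added example (not from the original post): enforce the three isolation.tools
# parameters from the post on a set of VMs with PowerCLI.
# Assumptions: PowerCLI is installed; $VIServer and $VMPattern are placeholders.
$VIServer  = 'vcenter.example.local'   # placeholder
$VMPattern = 'dmz-*'                   # placeholder: VMs whose names start with dmz-

# Exactly the entities and values listed in the post.
$required = @{
    'isolation.tools.copy.disable'         = 'TRUE'
    'isolation.tools.paste.disable'        = 'TRUE'
    'isolation.tools.setGUIOptions.enable' = 'FALSE'
}

Connect-VIServer -Server $VIServer | Out-Null

foreach ($vm in Get-VM -Name $VMPattern) {
    foreach ($name in $required.Keys) {
        $want    = $required[$name]
        $setting = Get-AdvancedSetting -Entity $vm -Name $name

        if ($null -eq $setting) {
            # Parameter not present at all: add it.
            New-AdvancedSetting -Entity $vm -Name $name -Value $want -Confirm:$false | Out-Null
            Write-Output ("{0}: added {1} = {2}" -f $vm.Name, $name, $want)
        } elseif ($setting.Value -ne $want) {
            # Present but wrong (e.g. someone re-enabled paste): correct it.
            Set-AdvancedSetting -AdvancedSetting $setting -Value $want -Confirm:$false | Out-Null
            Write-Output ("{0}: changed {1} from {2} to {3}" -f $vm.Name, $name, $setting.Value, $want)
        } else {
            Write-Output ("{0}: {1} already {2}" -f $vm.Name, $name, $want)
        }
    }
}

Disconnect-VIServer -Server $VIServer -Confirm:$false
```

The values are written to the VM's configuration immediately, but as the post notes the guest tools only pick them up on the next power cycle, so a powered-on VM will still allow copy and paste until it is restarted; re-running the script is a cheap way to detect anyone flipping the values back.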


VMworld Europe

February 25th, 2009

Greetings from VMworld Europe!

The second VMworld in Cannes, France is well underway. There are lots of new and exciting things from VMware again, such as vShield Zones, a new technology that lets you secure your environment by monitoring and enforcing network traffic policies. For more info, go and check it out at the vShield page.
