1. The document discusses virtual machine security enhancements that can be applied through security profile customization. It lists 27 configuration parameters that enhance isolation, prevent unauthorized device access and modification, limit VM resources and operations, and disable certain exposed features to strengthen security.
2. It also discusses ESXi host security enhancements, listing two direct commands that disable the host welcome login web page and the Managed Object Browser, preventing all web-based access and strengthening isolation.
3. The enhanced security configuration parameters and direct commands listed ensure that potential security vulnerabilities arising from resource exploitation are not possible.
vSphere 5.x Basic Security Hardening
1. 1.1.1 vSphere Security: Virtual Machine Security Enhancements {To be applied}

Options: Security Profile
Visual: Custom VM security measures: VMX file edits (direct commands)

Prevent virtual disk shrinking.
  1. isolation.tools.diskWiper.disable=TRUE
  2. isolation.tools.diskShrink.disable=TRUE
Ensure that unauthorized devices are not connected.
  3. Floppy drives: floppyX.present
  4. Serial ports: serialX.present
  5. Parallel ports: parallelX.present
  6. USB controller: usb.present
  7. CD-ROM: ideX:Y.present
Prevent unauthorized removal, connection and modification of devices.
  8. isolation.device.connectable.disable=TRUE
  9. isolation.device.edit.disable=TRUE
Disable VM-to-VM communication through VMCI.
  10. vmci0.unrestricted=FALSE
Limit VM log file size and number.
  11. log.rotateSize=1000000
  12. log.keepOld=10
Limit informational messages from the VM to the VMX file.
  13. tools.setInfo.sizeLimit=1048576
Avoid using independent non-persistent disks.
  1. Not present
  2. Not set to independent nonpersistent
Disable certain unexposed features (item 21 is optional).
  14. isolation.tools.unity.push.update.disable=TRUE
  15. isolation.tools.ghi.launchmenu.change=TRUE
  16. isolation.tools.memSchedFakeSampleStats.disable=TRUE
  17. isolation.tools.getCreds.disable=TRUE
  18. isolation.tools.ghi.autologon.disable=TRUE
  19. isolation.bios.bbs.disable=TRUE
  20. isolation.tools.hgfsserverset.disable=TRUE
  21. isolation.tools.ghi.autologon.disable=TRUE
Disable remote operations within the guest. (If enabled, the system administrator can execute scripts or programs that use the VIX API to execute tasks within the guest OS.)
  22. guest.command.enabled=FALSE
For highest security, only one remote console session at a time should be allowed.
  23. remotedisplay.maxconnections=1
Explicitly disable copy operations.
  24. isolation.tools.copy.disable=TRUE
Explicitly disable paste operations.
  25. isolation.tools.paste.disable=TRUE
Disable VM Monitor Control.
  26. isolation.monitor.control.disable=TRUE

Discussion: These enhanced configuration parameters ensure that potential resource variables are not exploited into security vulnerabilities.
2. Options Visual Discussion (continued)

Do not send host performance information to guests.
  27. tools.guestlib.enableHostInfo=FALSE
Global Windows time sync recommendation.
  28. tools.syncTime="True"
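As an added example (not part of the original slide deck), a small Python checker that parses a .vmx file and reports which of the settings listed above are missing or set to a different value, covering items 1-13 and 22-27. The list names the removable-device keys (floppyX.present and so on) without a value, so the checker assumes they are compliant only when absent or FALSE; the sample VMX is constructed for the demonstration.

```python
import re
# Expected VMX values, taken from the hardening list above (items 1-2, 8-13, 22-27).
EXPECTED = {
    "isolation.tools.diskWiper.disable": "TRUE",
    "isolation.tools.diskShrink.disable": "TRUE",
    "isolation.device.connectable.disable": "TRUE",
    "isolation.device.edit.disable": "TRUE",
    "vmci0.unrestricted": "FALSE",
    "log.rotateSize": "1000000",
    "log.keepOld": "10",
    "tools.setInfo.sizeLimit": "1048576",
    "guest.command.enabled": "FALSE",
    "remotedisplay.maxconnections": "1",
    "isolation.tools.copy.disable": "TRUE",
    "isolation.tools.paste.disable": "TRUE",
    "isolation.monitor.control.disable": "TRUE",
    "tools.guestlib.enableHostInfo": "FALSE",
}
# Removable-device keys from items 3-7; assumed compliant only when absent or FALSE.
DEVICE_KEY = re.compile(r"^(floppy\d+|serial\d+|parallel\d+|usb|ide\d+:\d+)\.present$")
VMX_LINE = re.compile(r'^([^=\s]+)\s*=\s*"?([^"]*)"?$')

def parse_vmx(text):
    """Parse 'key = "value"' lines into a dict keyed by lower-cased name."""
    settings = {}
    for line in text.splitlines():
        m = VMX_LINE.match(line.strip())
        if m and not m.group(1).startswith("#"):
            settings[m.group(1).lower()] = m.group(2).strip()
    return settings

def audit_vmx(text):
    """Return (key, expected, actual) for every deviation; an empty list means compliant."""
    settings = parse_vmx(text)
    findings = [(k, v, settings.get(k.lower()))
                for k, v in EXPECTED.items()
                if (settings.get(k.lower()) or "").upper() != v]
    findings += [(k, "FALSE or absent", v) for k, v in settings.items()
                 if DEVICE_KEY.match(k) and v.upper() != "FALSE"]
    return findings

# Constructed sample VMX (not a real VM): most keys missing, vmci0 and floppy0 wrong.
SAMPLE_VMX = """\
displayName = "hardening-demo"
isolation.tools.diskWiper.disable = "TRUE"
vmci0.unrestricted = "TRUE"
log.keepOld = "10"
floppy0.present = "TRUE"
serial0.present = "FALSE"
"""
```

Running audit_vmx(SAMPLE_VMX) lists the missing keys with actual value None alongside the two wrong ones; a fully compliant file returns an empty list.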
1.1.1 vSphere Security: ESXi Host Security Enhancements {To be applied}

Options: Security Profile
Visual: Custom host security measures: direct command

To disable the host welcome login web page:
  # vim-cmd proxysvc/remove_service "/" "httpsWithRedirect"
To disable the Managed Object Browser:
  # vim-cmd proxysvc/remove_service "/mob" "httpsWithRedirect"

Discussion: This advanced system change will prevent all web-based access, including via the SDK.