Tuesday, May 17, 2016

Locking down VMware tools


Disable Copy and Paste operations

By default VMware tools allows copy and paste operations between the virtual machine operating system and the computer the Virtual Center client is running on. The following changes prevent sensitive data from being accidentally left in the clipboard and a non-privileged user from being able to paste this information from another Virtual Center session.

isolation.tools.copy.disable = "true"
isolation.tools.paste.disable = "true"

Disable Disk Shrink

This one in the hardening guide is listed as "Avoid Denial of Service caused by Virtual Disk Operations", so it's probably one I would class as fairly important; denial of service is never a good thing.

isolation.tools.diskWiper.disable = "true"
isolation.tools.diskShrink.disable = "true"

If you have a Virtual Machine with a 20GB disk and the operating system is only using 3GB of the 20GB, during a VCB export of the Virtual Machine only 3GB is exported, which of course is great. Now if you were to copy 10 GB of data to the same Virtual Machine and then delete that data, then perform another VCB backup, you would find your VCB export of the same machine would now be roughly 13 GB. The reason for this is that operating systems (both Windows and Linux, for that matter) delete the pointer to the data, but the actual data remains on the disk.

Now the disk shrink option in VMware tools cleans this up, and after it completes any subsequent VCB exports will again only export 3GB. Disabling it isn't a big deal, as it's not even something you can schedule, so I would instead look at using one of the open source scripts out there which achieves the same result.

Disable Options to Connect/Disconnect Devices

Once again, by default any user logged onto the system has the ability to connect and disconnect the following devices: CD-ROM, Floppy, NIC.

isolation.device.connectable.disable = "true"
isolation.device.edit.disable = "true"

This one is really important if you have virtualized terminal services servers in your Virtual Infrastructure; the last thing you want is a non-admin user disconnecting the Virtual Machine from the network.

Limit Data Flow from the Virtual Machine to the Datastore

As noted in the hardening guide, "Virtual Machines can write troubleshooting information to a log file (vmware.log) stored on the VMFS file system." There are various ways to cause all kinds of information to flood the log file and potentially start to fill the VMFS file system. I won't go into that here, but I will show the options that limit it.

log.rotateSize = "100000"
log.keepOld = "10"

The options above limit the log size to 100000 bytes and limit the number of log files to 10.

Limit SETINFO Messages

Now if you read through the hardening guide, you'll come across a section that covers informational messages, otherwise known as SETINFO messages.

My understanding is that by default there is no limitation on the amount of data that can be sent from VMware tools to the host, so you can imagine it wouldn't be hard to write some code that continuously sends huge amounts of data. So let's look at how to limit this to something more acceptable, as per the hardening guide.

tools.setInfo.sizeLimit = "1048576"

You can also disable this entirely using the following:

isolation.tools.setInfo.disable = "true"

But this stops the Virtual Center client from displaying any information about the Virtual Machine, e.g. IP address and DNS information. So for a production environment I would recommend setting a limit rather than disabling it completely.
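To check that a VM actually carries all of the settings covered in this post, here is an added example (my own script, not part of the original post or VMware's tooling) that parses a .vmx file, reports which of the above keys are missing or weaker than the recommended value, and writes out a corrected copy. The sample .vmx content is constructed for the example; the numeric ceilings are the values given in the post, and keys are compared case-insensitively on the assumption that the .vmx parser treats them that way.

```python
"""Audit a VMware .vmx file against the VMware tools hardening settings above."""
import re
from typing import Dict, List, Tuple

# Flag settings from the post: each must be present and set to "true".
EXPECTED_FLAGS = {
    "isolation.tools.copy.disable": "true",
    "isolation.tools.paste.disable": "true",
    "isolation.tools.diskWiper.disable": "true",
    "isolation.tools.diskShrink.disable": "true",
    "isolation.device.connectable.disable": "true",
    "isolation.device.edit.disable": "true",
}
# Size limits from the post: each must be present and no larger than the ceiling.
EXPECTED_CEILINGS = {
    "log.rotateSize": 100000,
    "log.keepOld": 10,
    "tools.setInfo.sizeLimit": 1048576,
}

# A .vmx line looks like:  key = "value"
VMX_LINE = re.compile(r'^\s*([A-Za-z0-9_.:]+)\s*=\s*"(.*)"\s*$')

# Constructed sample: one flag set wrong, several missing, one limit far too high.
SAMPLE_VMX = """\
.encoding = "UTF-8"
config.version = "8"
displayName = "ts-server-01"
isolation.tools.copy.disable = "FALSE"
isolation.tools.paste.disable = "true"
log.rotateSize = "5000000"
log.keepOld = "10"
"""


def parse_vmx(text: str) -> Dict[str, str]:
    """Return a dict of lower-cased key -> value for every key = "value" line."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = VMX_LINE.match(line)
        if m:
            settings[m.group(1).lower()] = m.group(2)
    return settings


def audit_vmx(text: str) -> List[Tuple[str, str]]:
    """Return (key, problem) findings; an empty list means the VM matches the post."""
    settings = parse_vmx(text)
    findings = []
    for key, want in EXPECTED_FLAGS.items():
        got = settings.get(key.lower())
        if got is None:
            findings.append((key, "missing (feature is enabled by default)"))
        elif got.lower() != want:
            findings.append((key, f'set to "{got}", expected "{want}"'))
    for key, ceiling in EXPECTED_CEILINGS.items():
        got = settings.get(key.lower())
        if got is None:
            findings.append((key, "missing (no limit applied)"))
        elif not got.isdigit() or int(got) > ceiling:
            findings.append((key, f'set to "{got}", expected at most {ceiling}'))
    # The post prefers a size limit over disabling setInfo outright, since
    # disabling it hides guest IP/DNS details in the Virtual Center client.
    if settings.get("isolation.tools.setinfo.disable", "").lower() == "true":
        findings.append(("isolation.tools.setInfo.disable",
                         'set to "true"; prefer tools.setInfo.sizeLimit so vCenter keeps guest details'))
    return findings


def harden_vmx(text: str) -> str:
    """Return the .vmx text with every flagged key corrected in place or appended."""
    flagged = {key.lower() for key, _ in audit_vmx(text)
               if key != "isolation.tools.setInfo.disable"}
    desired = {**EXPECTED_FLAGS, **{k: str(v) for k, v in EXPECTED_CEILINGS.items()}}
    by_lower = {k.lower(): (k, v) for k, v in desired.items()}
    out, fixed = [], set()
    for line in text.splitlines():
        m = VMX_LINE.match(line)
        if m and m.group(1).lower() in flagged:
            key, value = by_lower[m.group(1).lower()]
            out.append(f'{key} = "{value}"')   # correct the weak value in place
            fixed.add(key.lower())
        else:
            out.append(line)
    for key_lower in sorted(flagged - fixed):  # append keys that were absent
        key, value = by_lower[key_lower]
        out.append(f'{key} = "{value}"')
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for key, problem in audit_vmx(SAMPLE_VMX):
        print(f"{key}: {problem}")
    print("--- hardened ---")
    print(harden_vmx(SAMPLE_VMX), end="")
```

Run it against a real .vmx copied off the datastore (the VM should be powered off before you write a corrected file back), or feed the output of harden_vmx into your change process rather than editing in place.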

