the.red
Posted October 9, 2010

For organizations using VMware virtualization technologies, there are likely a number of different virtual machines in the environment, representing a number of platforms ranging from Windows desktops and servers to Linux and UNIX systems as well. Each of these will have an associated file with the VMX extension that contains the VM's specific configuration details – hardware specifications, software information, and a number of settings that can definitively impact security and compliance for the environment hosting that virtual machine.

Unfortunately, documentation for these files is sorely lacking, and auditors are often left to their own devices to determine what VM settings are enabled and what their impacts could be. Here we'll take a look at settings that impact security, and how they should ideally be configured:

Goal: Disabling Copy & Paste operations between the VMware host and the VM guest
VMX Settings:
isolation.tools.copy.disable = "TRUE" - Disables copy functionality
isolation.tools.paste.disable = "TRUE" - Disables paste functionality
isolation.tools.setGUIOptions.enable = "FALSE" - Disables any GUI functionality for these options

Goal: Disable "Drag and Drop" functionality between VMware host and guests
VMX Setting:
isolation.tools.dnd.disable = "TRUE" - Disables Drag and Drop functionality

Goal: Disable shared folders between the VMware host and any VMs (mostly applicable on Workstation versions)
VMX Setting:
isolation.tools.hgfs.disable = "TRUE" - Disables all shared folder functionality

Goal: Ensure proper logging is enabled for the VM, and that ESX-VM logging interactions are set accordingly
VMX Settings:
log.rotateSize = "100000" - This value should be set to a number in Kbytes (this example is 100k). As these logs can become very large, a policy for these is important to maintain.
log.keepOld = "10" - This value determines the number of log files maintained in a rotation schedule (this example is 10 distinct logs kept at a time)
isolation.tools.log.disable = "FALSE" - This setting ensures that logging is enabled. This setting is the default, and so the configuration item may not be present, which is fine.
logging = "TRUE" - This enables VM logging for the ESX host, monitoring the VMX process that manages VM interaction
log.fileName = "logs/vm.log" - Sets the log file name and path. Ensure this matches policy and process.

Goal: Disable Unauthorized hardware and devices within a VM
VMX Settings:
floppy<x>.present = "FALSE"
serial<x>.present = "FALSE"
parallel<x>.present = "FALSE"
All of these settings disable various device types, replacing <x> with a numeral starting at 0 (depending on the number of devices in a system)

Goal: Prevent VM users from connecting and removing devices
VMX Settings:
isolation.tools.connectable.disable = "TRUE" - This setting disables a user's ability to connect removable devices, such as USB drives.
<devicename>.allowGuestConnectionControl = "FALSE" - This setting, on a per-device basis, disables Guest user control of a specific device.

This is not a complete list of VMX settings, by any means, and there are many more that could potentially be configured within your environment. This is a great start in terms of "best practices" security settings, however, and can help you begin to develop a baseline for ongoing monitoring and measurement.

IT Audit: 6 VMWare Settings Every IT Auditor Should Know About
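An added example, not part of the post or of the article it quotes: a small Python audit that checks the text of a VMX file against the settings listed above and reports what is missing, wrong or unparseable. It assumes entries take the key = "value" form and that keys are compared case-insensitively; the function name, status labels and sample file are constructed for illustration.

```python
import re

REQUIRED = {  # values taken from the settings listed in the post
    "isolation.tools.copy.disable": "TRUE",
    "isolation.tools.paste.disable": "TRUE",
    "isolation.tools.setGUIOptions.enable": "FALSE",
    "isolation.tools.dnd.disable": "TRUE",
    "isolation.tools.hgfs.disable": "TRUE",
    "isolation.tools.connectable.disable": "TRUE",
    "logging": "TRUE",
    "isolation.tools.log.disable": "FALSE",
}
ABSENT_OK = {"isolation.tools.log.disable"}     # the post says the default is fine
MUST_EXIST = ("log.rotateSize", "log.keepOld")  # value is a matter of local policy
DEVICE = re.compile(r"^(floppy|serial|parallel)\d+\.present$")
ENTRY = re.compile(r'^([^\s=]+)\s*=\s*"([^"]*)"$')

def audit_vmx(text):
    """Return sorted (key, status) findings for the text of one VMX file."""
    settings, findings = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ENTRY.match(line)
        if m:  # assumption: keys are compared case-insensitively
            settings[m.group(1).lower()] = m.group(2).strip().upper()
        else:  # e.g. curly quotes pasted from a web page, or a missing "="
            findings.append(((line.split("=")[0].split() or [line])[0], "MALFORMED"))
    for key, want in REQUIRED.items():
        got = settings.get(key.lower())
        if got is None and key not in ABSENT_OK:
            findings.append((key, "MISSING"))
        elif got is not None and got != want:
            findings.append((key, "MISMATCH"))
    findings += [(k, "MISSING") for k in MUST_EXIST if k.lower() not in settings]
    findings += [(k, "DEVICE_PRESENT") for k, v in settings.items()
                 if DEVICE.match(k) and v == "TRUE"]
    return sorted(findings)

# Constructed sample, not taken from a real VM.
SAMPLE = '''\
isolation.tools.copy.disable = "TRUE"
isolation.tools.paste.disable = “TRUE”
isolation.tools.dnd.disable = "false"
logging = "TRUE"
log.rotateSize 100000
floppy0.present = "TRUE"
'''
```

A line that fails to parse is reported both as MALFORMED and as MISSING for its key, since a setting written that way is not a usable entry.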