September 9, 2016

Remove Unnecessary Hardware Devices From Your Virtual Machines

Foundation Topic

Here's a foundation topic, whose rationale fits in the virtual world just as it did in the physical world.

Unnecessary or accessible hardware devices can be used against you by attackers to gain access or compromise information.

Unlike the physical world, where we can just lock hardware away in racks, the virtual world requires you to remove or disable the devices.

Alright, I understand removing unused hardware devices. I don't even remember the last time I mounted a flp image to a floppy drive and the COM/LPT ports and NICs not being used, easy peasy, remove them.

But the device I see getting the most resistance from other engineers is the CD/DVD drives. I can see the need to enforce a policy of sorts as I find mounted ISO's all the time, just left lonely and neglected after an install.

I see three options:

Do nothing and have a script unmount ISO's and remove specific hardware device on a scheduled basis. This would be more reactionary and still leave opportunity for compromise

Disable the CD/DVD when not in use and enable and connect when needed.

Delete the CD/DVD when not in use and add it when needed.

The majority of the time I'll mount an ISO using the Guest OS, so there will little change to my processes.

It would seem that the options of disabling and deleting sound about the same amount of work/time.

What do you do in the real world?


Scott Bollinger / @kfalconspb

Best Practice

The removal of unnecessary hardware devices from a virtual machine has been a VMware best practice that has existed since at least version 4. [1,2,3]

This includes devices such as Floppy disks, CD/DVD drives, COM/LPT ports, network cards, and storage cards.

The reasoning in the VMware Documetation sites that any enabled or connected devices as avenues of attack and for security reasons you should remove unnecessary hardware devices or disable them when not being used.

However, the VMware vSphere Design book[5] by Forbes Guthrie[6] and Scott Lowe[7] also gives a real world physical reason that

"Rationale: Each virtual hardware device assigned to a VM requires interrupts on the physical CPU; reducing the number of unnecessary interrupts reduces the overhead associated with a VM."[4]


  1. Virtual Machine Security Best Practices -
  2. Securing Virtual Machines -
  3. Security Best Practices and Scenarios -
  4. VMware vSphere Design by Forbes Guthrie and Scott Lowe -
  5. VMware vSphere Design by Forbes Guthrie and Scott Lowe

Forbes Guthrie @forbesguthrie

Scott Lowe @scott_lowe