
0046-remove_unnecessary_hardware_from_vms

Foundation Topic

Here’s a foundation topic, whose rationale fits in the virtual world just as it did in the physical world.

Unnecessary or accessible hardware devices can be used against you by attackers to gain access or compromise information. Unlike the physical world, where we can just lock hardware away in racks, the virtual world requires you to remove or disable the devices.

Alright, I understand removing unused hardware devices. I don’t even remember the last time I mounted a flp image to a floppy drive, and as for the COM/LPT ports and NICs not being used: easy peasy, remove them.

But the device I see getting the most resistance from other engineers is the CD/DVD drive. I can see the need to enforce a policy of sorts, as I find mounted ISOs all the time, just left lonely and neglected after an install.

I see three options:

  1. Do nothing and have a script unmount ISOs and remove specific hardware devices on a scheduled basis. This would be more reactionary and still leave opportunity for compromise.

  2. Disable the CD/DVD when not in use and enable and connect when needed.

  3. Delete the CD/DVD when not in use and add it when needed. The majority of the time I’ll mount an ISO using the Guest OS, so there will be little change to my processes.

It would seem that the options of disabling and deleting take about the same amount of work/time.

What do you do in the real world?
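The scheduled check from the first option can start as a read-only audit. The sketch below is an added example, not code from the original post: it reads a VM's `.vmx` configuration text and reports floppy, COM and LPT devices plus CD/DVD drives that still have an ISO attached or connect at power on. The sample configuration is constructed, and the key names (`present`, `deviceType`, `fileName`, `startConnected`) are assumed to follow the usual `.vmx` layout.

```python
import re

# Constructed sample .vmx content (not from the post); key names are assumed
# to follow the usual VMware layout of <device>.<property> = "<value>".
SAMPLE_VMX = '''\
floppy0.present = "TRUE"
serial0.present = "FALSE"
parallel0.present = "TRUE"
ide1:0.present = "TRUE"
ide1:0.deviceType = "cdrom-image"
ide1:0.fileName = "/vmfs/volumes/ds1/iso/installer.iso"
ide1:0.startConnected = "TRUE"
scsi0:0.present = "TRUE"
scsi0:0.deviceType = "scsi-hardDisk"
ethernet0.present = "TRUE"
'''

LEGACY = {"floppy": "floppy drive", "serial": "COM port", "parallel": "LPT port"}
KEY = re.compile(r"^((floppy|serial|parallel|ide|sata|scsi)\d+(?::\d+)?)\.(\w+)$", re.I)

def parse_vmx(text):
    """Group device.property = "value" lines by device, lower-casing names."""
    devices = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        m = KEY.match(key.strip())
        if sep and m:
            devices.setdefault(m.group(1).lower(), {})[m.group(3).lower()] = value.strip().strip('"')
    return devices

def audit(text):
    """Return sorted (device, finding) pairs for hardware to remove or disable."""
    findings = []
    for dev, p in parse_vmx(text).items():
        if p.get("present", "").upper() != "TRUE":
            continue  # device is not configured on this VM
        kind = re.match(r"[a-z]+", dev).group()
        dtype = p.get("devicetype", "").lower()
        if kind in LEGACY:
            findings.append((dev, LEGACY[kind] + " present"))
        elif "cdrom" in dtype:
            if dtype == "cdrom-image" and p.get("filename"):
                findings.append((dev, "ISO still attached: " + p["filename"]))
            # A missing startConnected is treated as connected (cautious reading).
            if p.get("startconnected", "TRUE").upper() == "TRUE":
                findings.append((dev, "CD/DVD connects at power on"))
    return sorted(findings)
```

Running `audit()` over each VM's configuration on a schedule gives a list to act on; whether a flagged NIC or disk controller is actually unused still needs a human decision, so those are left out of the report.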

Best Practice

The removal of unnecessary hardware devices from a virtual machine has been a VMware best practice since at least version 4. [1,2,3]

This includes devices such as floppy disks, CD/DVD drives, COM/LPT ports, network cards, and storage cards.

The reasoning in the VMware documentation cites any enabled or connected devices as avenues of attack; for security reasons, you should remove unnecessary hardware devices or disable them when they are not being used.

However, the VMware vSphere Design book[5] by Forbes Guthrie[6] and Scott Lowe[7] also gives a real-world physical rationale: “Each virtual hardware device assigned to a VM requires interrupts on the physical CPU; reducing the number of unnecessary interrupts reduces the overhead associated with a VM.”[4]

References:

  1. Virtual Machine Security Best Practices

  2. Securing Virtual Machines

  3. Security Best Practices and Scenarios

  4. VMware vSphere Design by Forbes Guthrie and Scott Lowe

  5. VMware vSphere Design by Forbes Guthrie and Scott Lowe

  6. Forbes Guthrie @forbesguthrie https://www.vreference.com

  7. Scott Lowe @scott_lowe https://blog.scottlowe.org
