Foundation Topic

Here’s a foundation topic, whose rationale fits in the virtual world just as it did in the physical world.

Unnecessary or accessible hardware devices can be used against you by attackers to gain access or compromise information. Unlike the physical world, where we can just lock hardware away in racks, the virtual world requires you to remove or disable the devices.

Alright, I understand removing unused hardware devices. I don’t even remember the last time I mounted a flp image to a floppy drive and the COM/LPT ports and NICs not being used, easy peasy, remove them.

But the device I see getting the most resistance from other engineers is the CD/DVD drives. I can see the need to enforce a policy of sorts as I find mounted ISOs all the time, just left lonely and neglected after an install.

I see three options:

Do nothing and have a script unmount ISOs and remove specific hardware device on a scheduled basis. This would be more reactionary and still leave opportunity for compromise

Disable the CD/DVD when not in use and enable and connect when needed.

Delete the CD/DVD when not in use and add it when needed. The majority of the time I’ll mount an ISO using the Guest OS, so there will little change to my processes.

It would seem that the options of disabling and deleting sound about the same amount of work/time.

What do you do in the real world?

Best Practice

The removal of unnecessary hardware devices from a virtual machine has been a VMware best practice that has existed since at least version 4. [1,2,3]

This includes devices such as Floppy disks, CD/DVD drives, COM/LPT ports, network cards, and storage cards.

The reasoning in the VMware Documetation sites that any enabled or connected devices as avenues of attack and for security reasons you should remove unnecessary hardware devices or disable them when not being used.

However, the VMware vSphere Design book[5] by Forbes Guthrie[6] and Scott Lowe[7] also gives a real world physical reason that Rationale: Each virtual hardware device assigned to a VM requires interrupts on the physical CPU; reducing the number of unnecessary interrupts reduces the overhead associated with a VM.”[4]


  1. Virtual Machine Security Best Practices

  2. Securing Virtual Machines

  3. Security Best Practices and Scenarios

  4. VMware vSphere Design by Forbes Guthrie and Scott Lowe

  5. VMware vSphere Design by Forbes Guthrie and Scott Lowe

  6. Forbes Guthrie @forbesguthrie https://www.vreference.com

  7. Scott Lowe @scott_lowe https://blog.scottlowe.org

Up next 0045-what_are_the_vmware_tools 0047-vmware_kb_explained
Latest posts 0104-change-synology-password-cli 0105-free-git-ebook 0103-using-brew-bundle-to-backup-and-restore-mac-app-store-and-brew-apps Update macOS with an all in one alias Mac App Store Command Line Interface 0100-macos-softwareupdate-cli Markdown Crash Course Video What’s New with Fusion and Workstation [HCP1833] File IO in Python Overview of vSphere 7 Video 0095-what_is_iso Migrating Website HTML details Tag Microsoft RD Client iOS App 0091-create_vmware_esxi_usb_install_media Intel NUC Lab Hosts Hardware Setup 0089-installng_microsoft_sql_2016 Installing the First Two Domain Controllers in the VMware ESXi 6.7 Lab Environment 0088-deploy_vcsa_in_lab Macchanger Utility, and Usage Install a Kali Linux VM in a VMware ESXi 6.7 Environment Install Ubuntu 18.04 Virtual Machine in a VMware ESXi 6.7 Environment Install xRDP on Ubuntu 18.04 Install Chromium on Ubuntu 18.04 Install OpenSSH on Ubuntu 18.04 Install VMware Workstation 14 on Ubuntu 18.04 Nested ESXi server Laboratorium Rattus The Animal Within Who is Veeam? RSAC OnDemand Videos 0075-create_win10_sandbox_vm