Installing the VMware Tools package inside a VMware virtual machine improves overall performance and allows the use of advanced features and faster virtual hardware drivers. The installation package also installs a tray icon that controls guest access to virtual hardware, time synchronization, etc. Since most virtual machines are servers and end users don’t typically access the console of a server, worries about the security implications of leaving that tray application running have been fairly minimal. However, as firms move towards solutions like virtualized XenApp servers or virtual desktops, this becomes more of a concern.
Removing administrator access to end users is unfortunately not enough. For example, a user can open the VMware Tools tray icon and select the Devices tab, and from there can uncheck “NIC1” and click Apply. What happens? You guessed it – the virtual NIC is disconnected and the user loses connection. That’s bad in a virtual desktop environment since it will orphan the desktop and likely require a connection broker like XenDesktop to create another desktop but it is even worse on a XenApp server where the user potentially just disconnected dozens of other users as well.
This, and several other things found in the VMware Tools, can be dangerous to leave available to an end user even if they have no rights to the server itself. To get around this, there are two approaches that make sense:
1) Remove access to the VMware Tools for end users.
2) Modify the VMX configuration file to prevent these actions.
I prefer the second method since it allows for more granular control over security, though if you’re interested in option one then you can read VMware’s KB article on the subject. In order to prevent this at the VMX (virtual machine configuration file) level, simply add the following lines to the virtual machine(s) that you wish to protect (after powering it down):
isolation.device.connectable.disable = “true”
isolation.device.edit.disable = “true”
To see how to add one of these values to the VMX file via PowerShell and PowerCLI, it would look something like this:
$vm = Get-View (Get-VM NameofVM).ID
$vmConfigSpec = New-Object VMware.Vim.VirtualMachineConfigSpec
$vmConfigSpec.extraconfig += New-Object VMware.Vim.optionvalue
$vmConfigSpec.extraconfig[0].Key=”isolation.device.connectable.disable“
$vmConfigSpec.extraconfig[0].Value=”true”
$vm.ReconfigVM($vmConfigSpec)
There are many other security parameters that can be set in the VMX file that are covered in VMware’s Security Hardening document (PDF). The document covers this and many other common security best practices for virtual machines. As always, test any change you make (especially the script above) before putting anything into production.