Friday, March 7, 2025

vSphere 8 Security Hardening

The Secure Shell (SSH) service of the ESXi host must be configured to use only FIPS 140-2/140-3 approved ciphers: esxi-8.ssh-fips-ciphers

VMware Tools is a set of utilities and drivers that improve the performance and efficiency of a virtual machine's guest operating system and make the virtual machine easier to manage.

For example, installing it addresses the following problems and adds the following capabilities:

  • Low graphics resolution
  • Inappropriate color depth
  • Incorrect display of network card speed
  • Mouse pointer trapped inside the virtual machine window
  • Inability to copy files or drag and drop them
  • Sound loss and sound card issues
  • Ability to take snapshots of the guest operating system

The VMware Tools package includes the following components:

  • VMware Tools service
  • VMware device drivers
  • VMware user process
  • VMware Tools control panel

VMware Tools Service

This service starts when the guest operating system boots. It exchanges information between the virtual machine and the hypervisor on the host. It runs in the background as vmtoolsd.exe on Windows (visible in the process list), as vmware-tools-daemon on Mac OS, and as vmtoolsd on Linux. The service can do the following:

  • Passing messages from the physical host to the guest operating system (except on Mac OS)
  • Running scripts that help automate some tasks in the guest operating system
  • Synchronizing the guest clock with the host clock (except on Mac OS)
  • Letting the mouse move freely between the virtual machine and the host desktop in VMware Workstation or the vSphere client, so the pointer is not trapped inside the VM
  • When a virtual machine runs under vSphere or VMware Server, sending heartbeat messages to VMware products to indicate that the guest is running

VMware Tools Device Drivers

The device drivers improve mouse movement, folder sharing, and audio, graphics, and network performance. When installing VMware Tools you can choose which drivers to install, depending on the guest operating system. The following device drivers are available:

  • SVGA driver
  • SCSI driver
  • Paravirtual SCSI driver
  • VMXNet NIC drivers
  • Mouse driver
  • Audio driver
  • Kernel module for sharing folders
  • vmblock Module
  • vShield Endpoint
  • ThinPrint driver
  • Memory control driver
  • VMCI and VMCI Sockets drivers
  • Modules and drivers to support automatic backups of VMs

VMware User Process

The user process supports features such as copy/paste, drag and drop, and Unity in VMware products. It starts when a user logs in to the guest operating system. The program is vmtoolsd.exe on Windows and vmusr on Linux.


Services that are enabled must be secured and hardened.

PowerCLI Assessment:

$ESXcli = Get-EsxCli -VMHost $ESXi -V2
$ESXcli.system.ssh.server.config.list.invoke() | Where-Object {$_.Key -eq 'ciphers'} | Select-Object -ExpandProperty Value

Fix the PowerCLI issue:

$ESXcli = Get-EsxCli -VMHost $ESXi -V2
$arguments = $ESXcli.system.ssh.server.config.set.CreateArgs()
$arguments.keyword = 'ciphers'
$arguments.value = 'aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr'
$ESXcli.system.ssh.server.config.set.Invoke($arguments)

The ESXi host must configure Secure Shell (SSH) to disable stream-local (Unix domain socket) forwarding: esxi-8.ssh-stream-local-forwarding

Services that are enabled must be secured and hardened.

PowerCLI Assessment:

$ESXcli = Get-EsxCli -VMHost $ESXi -V2
$ESXcli.system.ssh.server.config.list.invoke() | Where-Object {$_.Key -eq 'allowstreamlocalforwarding'} | Select-Object -ExpandProperty Value

Fix the PowerCLI issue:

$ESXcli = Get-EsxCli -VMHost $ESXi -V2
$arguments = $ESXcli.system.ssh.server.config.set.CreateArgs()
$arguments.keyword = 'allowstreamlocalforwarding'
$arguments.value = 'no'
$ESXcli.system.ssh.server.config.set.Invoke($arguments)

The PowerCLI commands in this section evaluate and fix SSH-related settings on ESXi hosts and help you harden your virtual environment.

The ESXi host must configure Secure Shell (SSH) to disable TCP forwarding capability: esxi-8.ssh-tcp-forwarding

Services that are enabled must be secured and hardened.

PowerCLI Assessment:

$ESXcli = Get-EsxCli -VMHost $ESXi -V2
$ESXcli.system.ssh.server.config.list.invoke() | Where-Object {$_.Key -eq 'allowtcpforwarding'} | Select-Object -ExpandProperty Value

Fix the PowerCLI issue:

$ESXcli = Get-EsxCli -VMHost $ESXi -V2
$arguments = $ESXcli.system.ssh.server.config.set.CreateArgs()
$arguments.keyword = 'allowtcpforwarding'
$arguments.value = 'no'
$ESXcli.system.ssh.server.config.set.Invoke($arguments)

The ESXi host must display the login banner before accessing the system: esxi-8.ssh-login-banner

Services that are enabled must be secured and hardened. You also need to set the host's advanced Config.Etc.Issue parameter to supply the text of this banner.

PowerCLI Assessment:

$ESXcli = Get-EsxCli -VMHost $ESXi -V2
$ESXcli.system.ssh.server.config.list.invoke() | Where-Object {$_.Key -eq 'banner'} | Select-Object -ExpandProperty Value

Fix the PowerCLI issue:

$ESXcli = Get-EsxCli -VMHost $ESXi -V2
$arguments = $ESXcli.system.ssh.server.config.set.CreateArgs()
$arguments.keyword = 'banner'
$arguments.value = '/etc/issue'
$ESXcli.system.ssh.server.config.set.Invoke($arguments)

ESXi Host Should Ignore .rhosts Files: esxi-8.ssh-rhosts

Services that are enabled must be secured and hardened.

PowerCLI Assessment:

$ESXcli = Get-EsxCli -VMHost $ESXi -V2
$ESXcli.system.ssh.server.config.list.invoke() | Where-Object {$_.Key -eq 'ignorerhosts'} | Select-Object -ExpandProperty Value

Fix the PowerCLI issue:

$ESXcli = Get-EsxCli -VMHost $ESXi -V2
$arguments = $ESXcli.system.ssh.server.config.set.CreateArgs()
$arguments.keyword = 'ignorerhosts'
$arguments.value = 'yes'
$ESXcli.system.ssh.server.config.set.Invoke($arguments)

ESXi host should not allow host-based authentication: esxi-8.ssh-host-based-auth

Services that are enabled must be secured and hardened.

PowerCLI Assessment:

$ESXcli = Get-EsxCli -VMHost $ESXi -V2
$ESXcli.system.ssh.server.config.list.invoke() | Where-Object {$_.Key -eq 'hostbasedauthentication'} | Select-Object -ExpandProperty Value

Fix the PowerCLI issue:

$ESXcli = Get-EsxCli -VMHost $ESXi -V2
$arguments = $ESXcli.system.ssh.server.config.set.CreateArgs()
$arguments.keyword = 'hostbasedauthentication'
$arguments.value = 'no'
$ESXcli.system.ssh.server.config.set.Invoke($arguments)

ESXi host should not allow the use of tunnels: esxi-8.ssh-tunnels

Services that are enabled must be secured and hardened.

PowerCLI Assessment:

$ESXcli = Get-EsxCli -VMHost $ESXi -V2
$ESXcli.system.ssh.server.config.list.invoke() | Where-Object {$_.Key -eq 'permittunnel'} | Select-Object -ExpandProperty Value

Fix the PowerCLI issue:

$ESXcli = Get-EsxCli -VMHost $ESXi -V2
$arguments = $ESXcli.system.ssh.server.config.set.CreateArgs()
$arguments.keyword = 'permittunnel'
$arguments.value = 'no'
$ESXcli.system.ssh.server.config.set.Invoke($arguments)

ESXi host should not allow user environmental settings: esxi-8.ssh-user-environment

Services that are enabled must be secured and hardened.

PowerCLI Assessment:

$ESXcli = Get-EsxCli -VMHost $ESXi -V2
$ESXcli.system.ssh.server.config.list.invoke() | Where-Object {$_.Key -eq 'permituserenvironment'} | Select-Object -ExpandProperty Value

Fix the PowerCLI issue:

$ESXcli = Get-EsxCli -VMHost $ESXi -V2
$arguments = $ESXcli.system.ssh.server.config.set.CreateArgs()
$arguments.keyword = 'permituserenvironment'
$arguments.value = 'no'
$ESXcli.system.ssh.server.config.set.Invoke($arguments)

ESXi host must set a timeout count for inactive sessions: esxi-8.ssh-idle-timeout-count

Services that are enabled must be secured and hardened. The timeout count multiplied by the inactive timeout interval gives the number of seconds a session may remain inactive before it is disconnected.

PowerCLI Assessment:

$ESXcli = Get-EsxCli -VMHost $ESXi -V2
$ESXcli.system.ssh.server.config.list.invoke() | Where-Object {$_.Key -eq 'clientalivecountmax'} | Select-Object -ExpandProperty Value

Fix the PowerCLI issue:

$ESXcli = Get-EsxCli -VMHost $ESXi -V2
$arguments = $ESXcli.system.ssh.server.config.set.CreateArgs()
$arguments.keyword = 'clientalivecountmax'
$arguments.value = '3'
$ESXcli.system.ssh.server.config.set.Invoke($arguments)

ESXi host must set a timeout interval for inactive sessions: esxi-8.ssh-idle-timeout-interval

Services that are enabled must be secured and hardened. The timeout count multiplied by the inactive timeout interval gives the number of seconds a session may remain inactive before it is disconnected.

PowerCLI Assessment:

$ESXcli = Get-EsxCli -VMHost $ESXi -V2
$ESXcli.system.ssh.server.config.list.invoke() | Where-Object {$_.Key -eq 'clientaliveinterval'} | Select-Object -ExpandProperty Value

Fix the PowerCLI issue:

$ESXcli = Get-EsxCli -VMHost $ESXi -V2
$arguments = $ESXcli.system.ssh.server.config.set.CreateArgs()
$arguments.keyword = 'clientaliveinterval'
$arguments.value = '200'
$ESXcli.system.ssh.server.config.set.Invoke($arguments)

ESXi Host must use FIPS 140–2/140–3 approved cryptographic modules: esxi-8.ssh-fips

OpenSSH ships on the ESXi host with the FIPS 140-2/140-3 validated cryptographic module enabled by default. For backward-compatibility reasons this may have been disabled, so the setting should be reviewed and corrected if necessary.

PowerCLI Assessment:

$ESXcli = Get-EsxCli -VMHost $ESXi -V2
$ESXcli.system.security.fips140.ssh.get.Invoke()

Fix the PowerCLI issue:

$ESXcli = Get-EsxCli -VMHost $ESXi -V2
$arguments = $ESXcli.system.security.fips140.ssh.set.CreateArgs()
$arguments.enable = $true
$ESXcli.system.security.fips140.ssh.set.Invoke($arguments)
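
The items above each check one sshd keyword with a separate esxcli call. The following added example (my own code, not from the original post) audits every keyword listed above plus the FIPS 140 mode in one pass per host, reports drift as objects, and applies the same fixes only when -Remediate is given. It assumes an active Connect-VIServer session, that the expected values are exactly the ones quoted in this post, and that the fips140 "get" result exposes an Enabled property whose text is "true" or "false"; the host name at the end is a placeholder.

```powershell
# Added example, not code from the original post. Audits ESXi 8 hosts against the
# sshd and FIPS items above and, with -Remediate, applies the same fixes.
# Requires an active Connect-VIServer session.

# sshd keyword -> expected value, copied from the fixes above.
$ExpectedSshConfig = [ordered]@{
    'ciphers'                    = 'aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr'
    'allowstreamlocalforwarding' = 'no'
    'allowtcpforwarding'         = 'no'
    'banner'                     = '/etc/issue'
    'ignorerhosts'               = 'yes'
    'hostbasedauthentication'    = 'no'
    'permittunnel'               = 'no'
    'permituserenvironment'      = 'no'
    'clientalivecountmax'        = '3'
    'clientaliveinterval'        = '200'
}

function Test-EsxiSshHardening {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # A host object from Get-VMHost (pipeline friendly).
        [Parameter(Mandatory, ValueFromPipeline)] $VMHost,
        [switch]$Remediate
    )
    process {
        $esxcli = Get-EsxCli -VMHost $VMHost -V2

        # One list call returns every sshd keyword; index it by keyword instead
        # of calling esxcli once per key as the per-item checks above do.
        $current = @{}
        foreach ($entry in $esxcli.system.ssh.server.config.list.Invoke()) {
            $current[$entry.Key] = $entry.Value
        }

        foreach ($keyword in $ExpectedSshConfig.Keys) {
            $expected  = $ExpectedSshConfig[$keyword]
            $actual    = $current[$keyword]
            $compliant = ($actual -eq $expected)   # exact string match, order-sensitive for ciphers

            [pscustomobject]@{
                VMHost    = $VMHost.Name
                Setting   = $keyword
                Expected  = $expected
                Actual    = if ($null -eq $actual) { '(unset)' } else { $actual }
                Compliant = $compliant
            }

            if (-not $compliant -and $Remediate -and
                $PSCmdlet.ShouldProcess($VMHost.Name, "set sshd '$keyword' to '$expected'")) {
                $setArgs = $esxcli.system.ssh.server.config.set.CreateArgs()
                $setArgs.keyword = $keyword
                $setArgs.value   = $expected
                $esxcli.system.ssh.server.config.set.Invoke($setArgs) | Out-Null
            }
        }

        # FIPS 140 mode for sshd lives in a separate esxcli namespace.
        $fips        = $esxcli.system.security.fips140.ssh.get.Invoke()
        $fipsEnabled = ("$($fips.Enabled)" -ieq 'true')   # assumed property name and format
        [pscustomobject]@{
            VMHost    = $VMHost.Name
            Setting   = 'fips140.ssh'
            Expected  = 'true'
            Actual    = "$($fips.Enabled)"
            Compliant = $fipsEnabled
        }
        if (-not $fipsEnabled -and $Remediate -and
            $PSCmdlet.ShouldProcess($VMHost.Name, 'enable FIPS 140 mode for sshd')) {
            $fipsArgs = $esxcli.system.security.fips140.ssh.set.CreateArgs()
            $fipsArgs.enable = $true
            $esxcli.system.security.fips140.ssh.set.Invoke($fipsArgs) | Out-Null
        }
    }
}

# Report drift across the whole inventory first, then fix one host after review.
Get-VMHost | Test-EsxiSshHardening | Where-Object { -not $_.Compliant } | Format-Table -AutoSize
# Get-VMHost -Name esx01.example.local | Test-EsxiSshHardening -Remediate -WhatIf   # placeholder host name
```

Because the comparison is an exact string match, a host whose cipher list contains the same algorithms in a different order is reported as drift; that is deliberate, since the remediation rewrites the list to the value above anyway. -WhatIf shows which settings would be changed without touching the host.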

The guest operating system should configure automatic VMware Tools upgrades appropriately for the environment: guest-8.tools-upgrade

VMware Tools upgrades can be initiated by vSphere, which helps keep VMware Tools current. Disable this feature if VMware Tools is managed and updated by other means. This guide suggests leaving automatic upgrades enabled.

Assessment (run inside the guest OS from PowerShell; this is the VMware Tools command-line utility, not PowerCLI):

& "C:\Program Files\VMware\VMware Tools\VMwareToolboxCmd.exe" config get autoupgrade allow-upgrade

Fix (inside the guest OS):

& "C:\Program Files\VMware\VMware Tools\VMwareToolboxCmd.exe" config set autoupgrade allow-upgrade true

Guest OS should disable Appinfo information unless needed: guest-8.tools-deactivate-appinfo

AppInfo is a VMware Tools plugin that discovers the applications running in the guest. Unless it is in use, disable this module to reduce the attack surface.

Assessment (inside the guest OS):

& "C:\Program Files\VMware\VMware Tools\VMwareToolboxCmd.exe" config get appinfo disabled

Fix (inside the guest OS):

& "C:\Program Files\VMware\VMware Tools\VMwareToolboxCmd.exe" config set appinfo disabled true

Guest OS should disable ContainerInfo unless needed: guest-8.tools-deactivate-containerinfo

The VMware Tools ContainerInfo module for Linux compiles a list of the containers running inside the Linux guest operating system. Setting its poll interval to 0 turns the collection off.

Assessment (inside the guest OS):

& "C:\Program Files\VMware\VMware Tools\VMwareToolboxCmd.exe" config get containerinfo poll-interval

Fix (inside the guest OS):

& "C:\Program Files\VMware\VMware Tools\VMwareToolboxCmd.exe" config set containerinfo poll-interval 0

The commands in this section evaluate and fix VMware Tools settings inside guest operating systems, which helps you harden and better manage these tools.

Guest OS should disable Guest Operations unless it is needed: guest-8.tools-deactivate-guestoperations

Guest Operations are the set of functions that underpin most of the host's interactions with the guest. Disabling them reduces the attack surface of ESXi but dramatically reduces performance. Make sure your environment does not require these functions, and do not do this on template VMs.

Assessment (inside the guest OS):

& "C:\Program Files\VMware\VMware Tools\VMwareToolboxCmd.exe" config get guestoperations disabled

Fix (inside the guest OS):

& "C:\Program Files\VMware\VMware Tools\VMwareToolboxCmd.exe" config set guestoperations disabled true

Guest OS must enable Secure Boot: guest-8.secure-boot

Supported by all modern guest platforms, Secure Boot uses public-key cryptography to validate the hardware, bootloader, drivers, and operating system kernel. It effectively prevents boot-level malware because the system refuses to boot an invalid boot chain.

PowerCLI Assessment:

(Get-VM -Name $VM).ExtensionData.Config.BootOptions.EfiSecureBootEnabled

Fix the PowerCLI issue:

$VMobj = (Get-VM -Name $VM)
$ConfigSpec = New-Object VMware.Vim.VirtualMachineConfigSpec
$bootOptions = New-Object VMware.Vim.VirtualMachineBootOptions
$bootOptions.EfiSecureBootEnabled = $true
$ConfigSpec.BootOptions = $bootOptions
$task = $VMobj.ExtensionData.ReconfigVM_Task($ConfigSpec)

The guest operating system should ensure that the virtual machine hardware is version 19 or newer, where it is supported: guest-8.virtual-hardware

Virtual hardware 19 is compatible with ESXi 7.0 Update 2 and later. Newer virtual hardware versions enable better features and performance. If you have fully upgraded to vSphere 8, consider upgrading to VM hardware version 21. Other VMware guidance recommends caution when upgrading. Snapshots capture the virtual machine's hardware version, which makes it easier to test and revert to the previous version. Consider every place a virtual machine may run or need to be restored. Changing the configuration of VMware-provisioned virtual machines is not supported and may disrupt services. This entry is deliberately categorized as in-guest because upgrading the virtual hardware also changes what the guest sees, even though the impact is low.

PowerCLI Assessment:

(Get-VM -Name $VM | Get-View).Config.Version

Fix the PowerCLI issue:

Set-VM -Name $VM -HardwareVersion vmx-21

This section includes PowerCLI commands for evaluating and fixing the security and configuration of virtual machines, which helps you get better security and performance from your virtual environment.

Guest OS should ensure that VMware Tools is up to date: guest-8.tools-updates

VMware Tools is an essential part of the VMware ecosystem: it lets guest platforms shut down cleanly and be managed throughout their lifecycle, provides drivers for paravirtualized devices, and helps deploy and customize virtual machines from templates. Like any other software, VMware Tools must be managed and updated. Make sure you are running a version supported for your guest OS, whether it is delivered as part of a Linux distribution or installed by you on Microsoft Windows.

PowerCLI Assessment:

Get-VM -Name $VM | Select-Object -Property Name,@{Name='ToolsVersion';Expression={$_.Guest.ToolsVersion}}

PowerCLI Fix: depends on your site and environment; there are several ways to update VMware Tools. The vmxnet3 and pvscsi drivers are also available via Windows Update, so make sure you import them into tools such as WSUS.

Guest OS should prevent VMware Tools features from being added automatically: guest-8.tools-add-feature

VMware Tools' automatic update processes can add or remove features from the VMware Tools installation, which can be useful but also provide an opportunity to change the security profile of the guest operating system through vSphere.

Assessment (inside the guest OS):

& "C:\Program Files\VMware\VMware Tools\VMwareToolboxCmd.exe" config get autoupgrade allow-add-feature

Fix (inside the guest OS):

& "C:\Program Files\VMware\VMware Tools\VMwareToolboxCmd.exe" config set autoupgrade allow-add-feature false

Guest OS should restrict the use of MSI transforms when reconfiguring VMware Tools: guest-8.tools-allow-transforms

MSI transforms allow the installation database to be changed on Microsoft Windows guest operating systems. This can be useful, but it also provides an opportunity to change the security profile of the guest operating system through vSphere.

Assessment (inside the guest OS):

& "C:\Program Files\VMware\VMware Tools\VMwareToolboxCmd.exe" config get autoupgrade allow-msi-transforms

Fix (inside the guest OS):

& "C:\Program Files\VMware\VMware Tools\VMwareToolboxCmd.exe" config set autoupgrade allow-msi-transforms false
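
The six in-guest VMware Tools items above (tools-upgrade, deactivate-appinfo, deactivate-containerinfo, deactivate-guestoperations, tools-add-feature, tools-allow-transforms) are each a single "config get" or "config set". The following added example (my own code, not the post's or VMware's) runs inside a Windows guest, reads all of them, reports which ones differ from the value this post expects, and writes the expected value only when -Remediate is given. It assumes VMwareToolboxCmd.exe is at the default path the post uses and that "config get" prints a line of the form "[section] key = value", with "UNSET" as the value when the key has never been configured.

```powershell
# Added example, not code from the original post. Run inside a Windows guest.
$ToolboxCmd = 'C:\Program Files\VMware\VMware Tools\VMwareToolboxCmd.exe'

# Section, key and expected value for each guide item quoted above.
$ExpectedToolsConfig = @(
    @{ Section = 'autoupgrade';     Key = 'allow-upgrade';        Expected = 'true';  Item = 'guest-8.tools-upgrade' }
    @{ Section = 'appinfo';         Key = 'disabled';             Expected = 'true';  Item = 'guest-8.tools-deactivate-appinfo' }
    @{ Section = 'containerinfo';   Key = 'poll-interval';        Expected = '0';     Item = 'guest-8.tools-deactivate-containerinfo' }
    @{ Section = 'guestoperations'; Key = 'disabled';             Expected = 'true';  Item = 'guest-8.tools-deactivate-guestoperations' }
    @{ Section = 'autoupgrade';     Key = 'allow-add-feature';    Expected = 'false'; Item = 'guest-8.tools-add-feature' }
    @{ Section = 'autoupgrade';     Key = 'allow-msi-transforms'; Expected = 'false'; Item = 'guest-8.tools-allow-transforms' }
)

function Get-ToolsConfigValue {
    param([string]$Section, [string]$Key)
    if (-not (Test-Path -LiteralPath $ToolboxCmd)) {
        throw "VMware Tools command-line utility not found at $ToolboxCmd"
    }
    $output = & $ToolboxCmd config get $Section $Key 2>&1
    # Assumed output format: "[section] key = value". Keep the text after the
    # last "="; UNSET means the key is not present in tools.conf.
    $value = (($output | Select-Object -Last 1) -replace '^.*=\s*', '').Trim()
    if ($value -eq 'UNSET') { return $null }
    return $value
}

function Test-ToolsHardening {
    param([switch]$Remediate)
    foreach ($setting in $ExpectedToolsConfig) {
        $actual = Get-ToolsConfigValue -Section $setting.Section -Key $setting.Key
        # An unset key falls back to a built-in default that differs per key, so
        # it is reported as a finding and remediation writes an explicit value.
        $compliant = ($actual -eq $setting.Expected)

        [pscustomobject]@{
            Item      = $setting.Item
            Setting   = "$($setting.Section) $($setting.Key)"
            Expected  = $setting.Expected
            Actual    = if ($null -eq $actual) { '(unset)' } else { $actual }
            Compliant = $compliant
        }

        if (-not $compliant -and $Remediate) {
            & $ToolboxCmd config set $setting.Section $setting.Key $setting.Expected | Out-Null
        }
    }
}

# Audit only; add -Remediate to apply the values above.
Test-ToolsHardening | Format-Table -AutoSize
```

Note that -Remediate also applies the guestoperations item, which the post says not to do on template VMs or where Guest Operations are still needed; review the audit output first and remove that entry from the table for such guests.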

These settings and commands help ensure that VMware Tools is updated and configured correctly while maintaining the security of your environment.

The vCenter server should use the vSphere Authentication Proxy to prevent Active Directory credentials from being stored: esxi-8.ad-auth-proxy

vSphere Authentication Proxy allows vCenter to connect to and manage AD entities without directly storing Active Directory (AD) credentials, which reduces the risk of disclosure or misuse of credentials.

PowerCLI Assessment:

Get-VMHost -Name $ESXi | Get-VMHostAuthentication | Select-Object VMHost,Domain,DomainMembershipStatus

Virtual machines should disable console copy operations: vm-8.deactivate-console-copy

Disabling console copy operations on virtual machines prevents data from being copied between the virtual machine and the local client, regardless of whether the user has access to the web console, VMRC, or another method.

PowerCLI Assessment:

Get-VM -Name $VM | Get-AdvancedSetting isolation.tools.copy.disable

Fix the PowerCLI issue:

Get-VM -Name $VM | Get-AdvancedSetting -Name isolation.tools.copy.disable | Remove-AdvancedSetting

Virtual machines should disable the console's drag-and-drop operations: vm-8.isolation-tools-dnd-deactivate

Disabling drag-and-drop operations on the virtual machine console prevents data from being transferred between the virtual machine and the local client, regardless of the type of console, which helps increase data security.

PowerCLI Assessment:

Get-VM -Name $VM | Get-AdvancedSetting isolation.tools.dnd.disable

Fix the PowerCLI issue:

Get-VM -Name $VM | Get-AdvancedSetting -Name isolation.tools.dnd.disable | Remove-AdvancedSetting

These PowerCLI settings and commands help you improve the security of your virtual machines and vCenter Server by disabling console copy and drag-and-drop operations that could leak data. Using the vSphere Authentication Proxy also improves the protection of Active Directory credentials.

Virtual machines should disable console paste operations: vm-8.deactivate-console-paste

Disabling console paste operations on virtual machines prevents data from being transferred from the local client to the virtual machine, whether the user is using a web console, VMRC, or another console.

PowerCLI Assessment:

Get-VM -Name $VM | Get-AdvancedSetting isolation.tools.paste.disable

Fix the PowerCLI issue:

Get-VM -Name $VM | Get-AdvancedSetting -Name isolation.tools.paste.disable | Remove-AdvancedSetting

Virtual machines should disable virtual disk shrinking operations: vm-8.deactivate-disk-shrinking-shrink

Disabling virtual disk shrinking on virtual machines helps prevent disk availability (denial-of-service) issues. These operations can usually be invoked even by non-admin users inside the guest.

PowerCLI Assessment:

Get-VM -Name $VM | Get-AdvancedSetting isolation.tools.diskShrink.disable

Fix the PowerCLI issue:

Get-VM -Name $VM | Get-AdvancedSetting -Name isolation.tools.diskShrink.disable | Remove-AdvancedSetting

Virtual machines should disable virtual disk wipe (free-space cleanup) operations: vm-8.deactivate-disk-shrinking-wiper

Disabling virtual disk wipe operations on virtual machines helps prevent disk availability (denial-of-service) issues. These operations can usually be invoked even by non-admin users inside the guest.

PowerCLI Assessment:

Get-VM -Name $VM | Get-AdvancedSetting isolation.tools.diskWiper.disable

Fix the PowerCLI issue:

Get-VM -Name $VM | Get-AdvancedSetting -Name isolation.tools.diskWiper.disable | Remove-AdvancedSetting

Virtual machines should limit console sharing: vm-8.limit-console-connections

Limiting the virtual machine console to a single connection prevents multiple simultaneous views and improves security. However, it may indirectly provide a path to disrupting service.

PowerCLI Assessment:

Get-VM -Name $VM | Get-AdvancedSetting RemoteDisplay.maxConnections

Fix the PowerCLI issue:

Get-VM -Name $VM | Get-AdvancedSetting RemoteDisplay.maxConnections | Set-AdvancedSetting -Value 1

These PowerCLI settings and commands help you improve the security of your virtual machines by disabling console paste, disk shrinking, and disk wipe operations and by limiting console sharing, closing off potential avenues of attack.

Virtual machines should limit the passthrough capability of the PCI device: vm-8.pci-passthrough

DirectPath I/O lets a virtual machine access system hardware directly, which interferes with resilience features such as vMotion, DRS, and High Availability. It also gives an attacker who compromises the guest direct access to privileged hardware. Make sure that only virtual machines that truly need it have this privilege and that the guest is properly secured.

PowerCLI Assessment:

Get-VM -Name $VM | Get-PassthroughDevice

Fix the PowerCLI issue:

Get-VM -Name $VM | Get-PassthroughDevice | Remove-PassthroughDevice

Virtual machines should prevent unauthorized removal, connection, and modification of devices: vm-8.isolation-device-connectable-deactivate

Preventing unauthorized device changes on virtual machines stops users and non-administrative processes from connecting, disconnecting, or modifying device settings. This prevents unauthorized access and operational disruption, reduces the risk of denial of service, and blocks some paths for data exfiltration.

PowerCLI Assessment:

Get-VM -Name $VM | Get-AdvancedSetting isolation.device.connectable.disable

Fix the PowerCLI issue:

Get-VM -Name $VM | Get-AdvancedSetting -Name isolation.device.connectable.disable | Remove-AdvancedSetting
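
For the isolation.* items above (console copy, paste, drag-and-drop, disk shrink, disk wiper, device connectable) the post's fix is to remove the explicit advanced setting so the secure default applies, and for RemoteDisplay.maxConnections it is to set the value to 1. The following added example (my own code, not the post's) audits every VM for all seven keys with one Get-AdvancedSetting call per VM and, with -Remediate, applies those same fixes. It assumes an active Connect-VIServer session; Get-AdvancedSetting, Remove-AdvancedSetting, Set-AdvancedSetting and New-AdvancedSetting are standard PowerCLI cmdlets. An isolation key that is explicitly present with the value "true" is reported but treated as compliant, since it matches the default; any other explicit value is a finding.

```powershell
# Added example, not code from the original post. Requires a Connect-VIServer session.

# Keys whose explicit presence with a non-"true" value is a finding
# (the post's fix: Remove-AdvancedSetting, restoring the default).
$IsolationKeys = @(
    'isolation.tools.copy.disable',
    'isolation.tools.dnd.disable',
    'isolation.tools.paste.disable',
    'isolation.tools.diskShrink.disable',
    'isolation.tools.diskWiper.disable',
    'isolation.device.connectable.disable'
)
$MaxConnKey = 'RemoteDisplay.maxConnections'

function Test-VmIsolationHardening {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # A VM object from Get-VM (pipeline friendly).
        [Parameter(Mandatory, ValueFromPipeline)] $VM,
        [switch]$Remediate
    )
    process {
        # Fetch every advanced setting once rather than one cmdlet call per key.
        $settings = @{}
        foreach ($s in Get-AdvancedSetting -Entity $VM) { $settings[$s.Name] = $s }

        foreach ($key in $IsolationKeys) {
            $present   = $settings.ContainsKey($key)
            $value     = if ($present) { "$($settings[$key].Value)" } else { $null }
            $compliant = (-not $present) -or ($value -ieq 'true')

            [pscustomobject]@{
                VM        = $VM.Name
                Setting   = $key
                Actual    = if ($present) { $value } else { '(not set)' }
                Compliant = $compliant
            }

            if (-not $compliant -and $Remediate -and
                $PSCmdlet.ShouldProcess($VM.Name, "remove advanced setting $key")) {
                Remove-AdvancedSetting -AdvancedSetting $settings[$key] -Confirm:$false
            }
        }

        # Console sharing: the value must be exactly 1.
        $maxPresent = $settings.ContainsKey($MaxConnKey)
        $maxValue   = if ($maxPresent) { "$($settings[$MaxConnKey].Value)" } else { $null }
        $maxOk      = ($maxValue -eq '1')

        [pscustomobject]@{
            VM        = $VM.Name
            Setting   = $MaxConnKey
            Actual    = if ($maxPresent) { $maxValue } else { '(not set)' }
            Compliant = $maxOk
        }

        if (-not $maxOk -and $Remediate -and
            $PSCmdlet.ShouldProcess($VM.Name, "set $MaxConnKey to 1")) {
            if ($maxPresent) {
                Set-AdvancedSetting -AdvancedSetting $settings[$MaxConnKey] -Value 1 -Confirm:$false | Out-Null
            } else {
                New-AdvancedSetting -Entity $VM -Name $MaxConnKey -Value 1 -Confirm:$false | Out-Null
            }
        }
    }
}

# List only the findings across the inventory; add -Remediate (and -WhatIf first) to fix them.
Get-VM | Test-VmIsolationHardening | Where-Object { -not $_.Compliant } | Format-Table -AutoSize
```

Advanced-setting changes made through these cmdlets are written to the VM's configuration immediately but only take effect for the running guest after a power cycle, so schedule remediation with that in mind.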

Virtual machines should remove unnecessary virtual hardware: vm-8.remove-unnecessary-devices

Removing unnecessary virtual hardware from virtual machines reduces the attack surface. Rarely used ports, temporary CD/DVD drives, and hardware carried over through migrations may be vulnerable. Removing this hardware reduces the risk of introducing malware into, or extracting data from, the protected environment.

PowerCLI Assessment:

$VMview = Get-VM -Name $VM | Get-View
$UnnecessaryHardware = "VirtualUSBController|VirtualUSBXHCIController|VirtualParallelPort|VirtualFloppy|VirtualSerialPort|VirtualHdAudioCard|VirtualAHCIController|VirtualEnsoniq1371|VirtualCdrom"

$VMview.Config.Hardware.Device | Where-Object {$_.GetType().Name -match $UnnecessaryHardware} | Foreach-Object {
  $devname = $_.GetType().Name
  Write-Host "$VM`: [WARNING] VM has a $devname device. Please evaluate and consider removing." -ForegroundColor Yellow
}

These settings help increase the security of your virtual machines and remove the potential vulnerabilities that unnecessary devices and hardware introduce.
