As part of the hardening process for VMs, the commands below are executed to harden all VMs:
Get-VM | New-AdvancedSetting -Name "RemoteDisplay.maxConnections" -value 1 -Force
Get-VM | New-AdvancedSetting -Name "isolation.tools.guestDnDVersionSet.disable" -value $true
Get-VM | New-AdvancedSetting -Name 'isolation.tools.dispTopoRequest.disable' -value $true
Get-VM | New-AdvancedSetting -Name 'isolation.tools.trashFolderState.disable' -value $true
Get-VM | New-AdvancedSetting -Name "isolation.tools.ghi.trayicon.disable" -value $true
Get-VM | New-AdvancedSetting -Name "isolation.tools.unity.disable" -value $true
Get-VM | New-AdvancedSetting -Name "isolation.tools.unityInterlockOperation.disable" -value $true
Get-VM | New-AdvancedSetting -Name "isolation.tools.getCreds.disable" -value $true
Get-VM | New-AdvancedSetting -Name "isolation.tools.hgfsServerSet.disable" -value $true
Get-VM | New-AdvancedSetting -Name "isolation.tools.ghi.launchmenu.change" -value $true
Get-VM | New-AdvancedSetting -Name "isolation.tools.ghi.autologon.disable" -value $true
Get-VM | New-AdvancedSetting -Name "isolation.tools.memSchedFakeSampleStats.disable" -value $true
Get-VM | New-AdvancedSetting -Name "isolation.tools.ghi.protocolhandler.info.disable" -value $true
Get-VM | New-AdvancedSetting -Name "isolation.tools.unity.taskbar.disable" -value $true
Get-VM | New-AdvancedSetting -Name "isolation.tools.unityActive.disable" -value $True
Get-VM | New-AdvancedSetting -Name 'isolation.tools.unity.windowContents.disable' -value $True
Get-VM | New-AdvancedSetting -Name "isolation.tools.unity.push.update.disable" -value $true
Get-VM | New-AdvancedSetting -Name "isolation.tools.vmxDnDVersionGet.disable" -value $true
Get-VM | New-AdvancedSetting -Name "isolation.ghi.host.shellAction.disable" -value $true
Get-VM | New-AdvancedSetting -Name "isolation.bios.bbs.disable" -value $true
Get-VM | New-AdvancedSetting -Name 'mks.enable3d' -value $false
Get-VM | New-AdvancedSetting -Name "tools.guestlib.enableHostInfo" -value $false
VMware vSphere ESXi 7.x
It is recommended to run these commands against a single VM. With a single VM, the commands are safe to run while the VM is powered on, because all of them only add advanced configuration settings to the virtual machine.
Note: Some of the settings might require a VM power cycle to take effect.
We do not recommend running the commands in bulk for all VMs as we cannot predict how it will work.
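One way to follow the single-VM recommendation above, as an added example that is not part of the original article: the script reads the current value of each setting on one named VM and only writes it when -Apply is given. It assumes VMware PowerCLI with an active Connect-VIServer session; the VM name app-vm-01, the -Apply switch and the choice of six settings from the article are illustrative.

```powershell
# Added example (not from the article). Assumes PowerCLI is loaded and
# Connect-VIServer has already been run.
param(
    [string]$VMName = 'app-vm-01',   # hypothetical VM name
    [switch]$Apply                   # without -Apply the script only reports
)

# Desired values, copied from the article's commands (subset).
$desired = [ordered]@{
    'RemoteDisplay.maxConnections'          = 1
    'tools.guestlib.enableHostInfo'         = $false
    'isolation.tools.hgfsServerSet.disable' = $true
    'isolation.tools.ghi.trayicon.disable'  = $true
    'mks.enable3d'                          = $false
    'isolation.tools.ghi.autologon.disable' = $true
}

# Refuse to continue unless the name resolves to exactly one VM.
$vm = @(Get-VM -Name $VMName -ErrorAction Stop)
if ($vm.Count -ne 1) { throw "Expected exactly one VM named '$VMName', found $($vm.Count)." }
$vm = $vm[0]

$report = foreach ($name in $desired.Keys) {
    $current = Get-AdvancedSetting -Entity $vm -Name $name
    $want    = "$($desired[$name])"          # 'True', 'False' or '1'

    if (-not $current)                           { $state = 'Missing' }
    elseif ("$($current.Value)" -ieq $want)      { $state = 'Compliant' }
    else                                         { $state = 'Drift' }

    if ($Apply -and $state -ne 'Compliant') {
        # -Force overwrites an existing key; -Confirm:$false suppresses the prompt.
        New-AdvancedSetting -Entity $vm -Name $name -Value $desired[$name] `
            -Force -Confirm:$false | Out-Null
        $state = "$state -> Set"
    }

    [pscustomobject]@{
        VM         = $vm.Name
        PowerState = $vm.PowerState   # a powered-on VM may need a power cycle
        Setting    = $name
        Current    = if ($current) { $current.Value } else { $null }
        Desired    = $want
        State      = $state
    }
}
$report | Format-Table -AutoSize
```

Run it once without -Apply to see which settings are missing or differ, then again with -Apply during a window where the VM can be power-cycled if needed.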
Below are the commands and an explanation of their purpose:

Harden command:
Get-VM | New-AdvancedSetting -Name "RemoteDisplay.maxConnections" -value 1 -Force
Explanation: Disables the possibility of having multiple remote connections via MKS.

Harden command:
Get-VM | New-AdvancedSetting -Name "tools.guestlib.enableHostInfo" -value $false
Explanation: If enabled, the VM can obtain detailed information about the physical host. The default value for the parameter is FALSE. This setting should not be TRUE unless the specific VM requires this information for performance monitoring. An adversary could potentially use this information to inform further attacks on the host.

Harden command:
Get-VM | New-AdvancedSetting -Name "isolation.tools.hgfsServerSet.disable" -value $true
Explanation: Certain automated operations, such as automated tools upgrades, use a component in the hypervisor called "Host Guest File System", and an attacker could potentially use this to transfer files inside the guest OS.

Harden command:
Get-VM | New-AdvancedSetting -Name "isolation.tools.ghi.trayicon.disable" -value $true
Explanation: Disables the VMware Tools system tray icon in the guest OS.

Harden command:
Get-VM | New-AdvancedSetting -Name 'mks.enable3d' -value $false
Explanation: Disables software 3D rendering for the MKS/VMRC.

Harden command:
Get-VM | New-AdvancedSetting -Name "isolation.tools.ghi.autologon.disable" -value $true
Explanation: Disable unexposed features - autologon.

These settings disable features that are only available in VMware Workstation Pro, but are enabled by default.