Limit sharing of console connections

Details

Limit the maximum number of concurrent console connections to prevent non-administrators from observing the VM's screen.

*Rationale*

By default, remote console sessions can be connected to by more than one user at a time. When multiple sessions are active, each terminal window gets a notification about the new session. If an administrator in the VM logs in using a VMware remote console during their session, a non-administrator in the VM can connect to the console and observe the administrator's actions. This could also result in an administrator losing console access to a virtual machine. For example, if a jump box is being used for an open console session and the admin loses connection to that box, the console session remains open. Allowing two console sessions permits debugging via a shared session. For highest security, only one remote console session at a time should be allowed.

Solution

To implement the recommended configuration state, run the following PowerCLI command:

    # Add the setting to all VMs
    Get-VM | New-AdvancedSetting -Name 'RemoteDisplay.maxConnections' -Value 1

Impact

Only one remote console connection to the VM will be permitted. Other attempts will be rejected until the first session disconnects.

Default Value

The prescribed state is not the default state.
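The one-liner above creates the key but does not tell you which VMs already had it, or had it set to a different value. The following PowerCLI audit script is an added example, not part of the original guideline: it reports the current RemoteDisplay.maxConnections value for every VM and, when run with -Remediate, creates or updates the key to 1. It assumes an existing Connect-VIServer session with rights to edit VM configuration.

```powershell
# Added example (not from the original guideline): audit RemoteDisplay.maxConnections
# on every VM and optionally remediate. Assumes Connect-VIServer has already been run.
param(
    [switch]$Remediate
)

$settingName = 'RemoteDisplay.maxConnections'
$desired     = 1

$report = foreach ($vm in Get-VM) {
    # Key absent means the default (unlimited shared console sessions) is in effect
    $setting = Get-AdvancedSetting -Entity $vm -Name $settingName -ErrorAction SilentlyContinue
    $current = if ($setting) { $setting.Value } else { $null }
    $compliant = (($current -as [int]) -eq $desired)

    if (-not $compliant -and $Remediate) {
        if ($setting) {
            # Key exists with a non-compliant value: update it in place
            Set-AdvancedSetting -AdvancedSetting $setting -Value $desired -Confirm:$false | Out-Null
        } else {
            # Key missing: create it on the VM
            New-AdvancedSetting -Entity $vm -Name $settingName -Value $desired -Confirm:$false | Out-Null
        }
        $current   = $desired
        $compliant = $true
    }

    [pscustomobject]@{
        VM        = $vm.Name
        Current   = if ($null -eq $current) { 'not set' } else { $current }
        Compliant = $compliant
    }
}

# Non-compliant VMs sort to the top so they are easy to spot
$report | Sort-Object Compliant, VM | Format-Table -AutoSize
```

Run it without -Remediate first to see which VMs deviate; the Current column distinguishes a missing key from one set to another value.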

Supportive Information

The following resource is also helpful.

This security hardening control applies to the following category of controls within NIST 800-53: Access Control. This control applies to the following type of system: VMware.


Updated on July 16, 2022