Disconnect unauthorized devices – CD/DVD Devices

Details

Any enabled or connected device represents a potential attack channel. Users and processes without privileges on a virtual machine can connect or disconnect hardware devices, such as network adapters and CD-ROM drives. Attackers can use this capability to breach virtual machine security. Removing unnecessary hardware devices can help prevent attacks.

*Rationale*

Besides disabling unnecessary virtual devices from within the virtual machine, you should ensure that no device is connected to a virtual machine if it is not required to be there. For example, serial and parallel ports are rarely used for virtual machines in a datacenter environment, and CD/DVD drives are usually connected only temporarily during software installation. For less commonly used devices that are not required, either the parameter should not be present or its value must be FALSE.

NOTE: The parameters listed are not sufficient to ensure that a device is usable; other parameters are required to indicate specifically how each device is instantiated. Any enabled or connected device represents another potential attack channel.

http://pubs.vmware.com/vsphere-51/topic/com.vmware.vsphere.security.doc/GUID-822B2ED3-D8D2-4F57-8335-CA46E915A729.html

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

To implement the recommended configuration state, run the following PowerCLI command:

# Remove all CD/DVD Drives attached to VMs
Get-VM | Get-CDDrive | Remove-CDDrive

Impact: The virtual machine will need to be powered off to reverse the change if any of these devices are needed at a later time.

Default Value: The prescribed state is not the default state.
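An audit-first variant of the command above, added here as an example; it is not part of the CIS benchmark or the original page. It assumes VMware PowerCLI is loaded, a `Connect-VIServer` session already exists, and that CD/DVD drives can only be removed while a VM is powered off; the function names and the VM name `build-01` are hypothetical.

```powershell
# Added example: report every CD/DVD drive first, then remove with a dry run.
# Assumption: PowerCLI is loaded and Connect-VIServer has already been run.

function Get-CDDriveAudit {
    # One row per CD/DVD drive, with the state that matters for this control.
    param([string]$VMName = '*')
    foreach ($vm in Get-VM -Name $VMName) {
        foreach ($cd in Get-CDDrive -VM $vm) {
            [pscustomobject]@{
                VM             = $vm.Name
                PowerState     = $vm.PowerState
                Drive          = $cd.Name
                Connected      = $cd.ConnectionState.Connected
                StartConnected = $cd.ConnectionState.StartConnected
                IsoPath        = $cd.IsoPath
                HostDevice     = $cd.HostDevice
            }
        }
    }
}

function Remove-UnneededCDDrive {
    # Removes drives only from powered-off VMs that are not on the exception list.
    # Supports -WhatIf and -Confirm through ShouldProcess.
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [string[]]$ExcludeVM = @()   # VMs with an approved need for a CD/DVD drive
    )
    foreach ($vm in Get-VM) {
        if ($ExcludeVM -contains $vm.Name) { continue }
        $drives = @(Get-CDDrive -VM $vm)
        if ($drives.Count -eq 0) { continue }
        if ($vm.PowerState -ne 'PoweredOff') {
            # Assumption: removal needs a powered-off VM, so flag it for a maintenance window.
            Write-Warning "$($vm.Name): $($drives.Count) CD/DVD drive(s) left in place, VM is $($vm.PowerState)"
            continue
        }
        if ($PSCmdlet.ShouldProcess($vm.Name, 'Remove CD/DVD drives')) {
            Remove-CDDrive -CD $drives -Confirm:$false
        }
    }
}

# Review the report, then dry-run before changing anything.
Get-CDDriveAudit | Sort-Object VM | Format-Table -AutoSize
Remove-UnneededCDDrive -ExcludeVM 'build-01' -WhatIf   # 'build-01' is a constructed name
```

Drop `-WhatIf` once the dry-run output matches the audit report and the exception list is agreed.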

Supportive Information

The following resource is also helpful.

This security hardening control applies to the following category of controls within NIST 800-53: System and Information Integrity. This control applies to the following type of system: VMware.

Updated on July 16, 2022