Details
Any enabled or connected device represents a potential attack channel. Users and
processes without privileges on a virtual machine can connect or disconnect hardware
devices, such as network adapters and CD-ROM drives. Attackers can use this capability to
breach virtual machine security. Removing unnecessary hardware devices can help prevent
attacks.
*Rationale*
Ensure that no device is connected to a virtual machine if it is not required. For example,
serial and parallel ports are rarely used for virtual machines in a datacenter environment,
and CD/DVD drives are usually connected only temporarily during software installation.
For less commonly used devices that are not required, either the parameter should not be
present or its value must be FALSE.
NOTE- The parameters listed are not sufficient to ensure that a device is usable; other
parameters are required to indicate specifically how each device is instantiated. Any
enabled or connected device represents another potential attack channel.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.
Solution
To implement the recommended configuration state, run the following PowerCLI
command-# In this Example you will need to add the functions from this post-
http-//blogs.vmware.com/vipowershell/2012/05/working-with-vm-devices-in-powercli.html
# Remove all Parallel Ports attached to VMs
Get-VM | Get-ParallelPort | Remove-ParallelPortImpact-
Virtual machine will need to be powered off to reverse change if any of these devices are
needed at a later time.Default Value-The prescribed state is not the default state.
Supportive Information
The following resource is also helpful.
This security hardening control applies to the following category of controls within NIST 800-53: Configuration Management.This control applies to the following type of system VMware.