Ensure nonpersistent disks are limited

Details

By default, VM disks use dependent mode, which means they are affected by snapshots. To avoid this, VM disks can use independent mode instead. Independent mode can be configured as persistent (data is written permanently to the disk) or nonpersistent (all changes made to disk are lost when the system is rebooted). Use of nonpersistent mode should be avoided unless the data is not needed (e.g., already duplicated elsewhere).

Rationale

From a security standpoint, nonpersistent mode allows successful attackers to remove evidence of their actions or even their presence within a VM by performing a simple shutdown or reboot.

Solution

To limit the use of nonpersistent mode, run the following PowerCLI command:

# Alter the parameters for the following cmdlet to set the VM disk type:
Get-VM | Get-HardDisk | Set-HardDisk
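
One way to carry out this step, written as an added example and not taken from the original guidance: it first lists every disk in a nonpersistent mode, then previews switching each one to a persistent mode. It assumes an existing Connect-VIServer session, that the disk mode is changed while the VM is powered off, and that IndependentPersistent is the wanted target mode (use Persistent for the default dependent mode).

```powershell
# Added example. Assumes VMware PowerCLI is loaded and Connect-VIServer
# has already been run against the vCenter or ESXi host being audited.

# Assumption: target mode chosen for illustration. 'Persistent' is the
# default dependent mode; 'IndependentPersistent' stays outside snapshots
# but writes are kept across reboots.
$targetMode = 'IndependentPersistent'

# Audit: collect every virtual disk whose mode is nonpersistent
# (matches both NonPersistent and IndependentNonPersistent).
$nonPersistent = Get-VM | Get-HardDisk |
    Where-Object { "$($_.Persistence)" -match 'NonPersistent' }

# Report the findings so the owner of each VM can confirm the data
# really is disposable before anything is changed.
$nonPersistent |
    Select-Object Parent, Name, Filename, Persistence |
    Format-Table -AutoSize

# Remediate: change the mode only on powered-off VMs (assumption: the
# mode change is made with the VM powered off); report the rest.
foreach ($disk in $nonPersistent) {
    $vm = $disk.Parent
    if ($vm.PowerState -ne 'PoweredOff') {
        Write-Warning "$($vm.Name): $($disk.Name) is nonpersistent but the VM is not powered off; skipped."
        continue
    }
    # -WhatIf only previews the change. Remove it to apply the new mode.
    Set-HardDisk -HardDisk $disk -Persistence $targetMode -Confirm:$false -WhatIf
}
```

An empty table from the audit step means no disk is currently in a nonpersistent mode.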

Supportive Information

The following resource is also helpful.

This security hardening control applies to the following category of controls within NIST 800-53: Audit and Accountability. This control applies to the following type of system: VMware.

References

Source

Updated on July 16, 2022