
Ensure only one remote console connection is permitted to a VM at any time

Details

By default, more than one user can be connected to a VM's remote console at the same time. Permit only one remote console connection per VM; once that limit is set, further connection attempts are rejected until the existing connection disconnects.

Rationale:

When multiple sessions are active, each console window is notified of the new session. If an administrator logs in to the guest through a VMware remote console, a non-administrator who also has console access to that VM can connect at the same time and observe the administrator's actions. Shared sessions can also cost an administrator their console access: for example, if the console is opened from a jump box and the administrator loses the connection to that box, the console session stays open. Allowing two console sessions does permit debugging via a shared session, but for highest security only one remote console session at a time should be allowed.

Solution

To permit only one remote console session at a time, run the following PowerCLI command for VMs that do not yet specify the setting:

# Add the setting to all VMs that do not have it
Get-VM | New-AdvancedSetting -Name 'RemoteDisplay.maxConnections' -Value 1

Run the following PowerCLI command for VMs that already specify the setting but have the wrong value for it (-Force overwrites the existing value):

# Overwrite the setting on VMs where it already exists with the wrong value
Get-VM | New-AdvancedSetting -Name 'RemoteDisplay.maxConnections' -Value 1 -Force
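The two commands above apply the setting blindly to every VM. The following PowerCLI script is an added example, not part of the CIS benchmark text or VMware's own documentation: it first audits every VM for RemoteDisplay.maxConnections, reports whether the value is missing, wrong or compliant, and only changes VMs that need it when run with -Remediate. The vCenter hostname is a placeholder assumption; the script assumes the VMware.PowerCLI module is installed and that you will be prompted for credentials by Connect-VIServer.

```powershell
# Added example (not from the CIS benchmark or VMware). Audits every VM for
# RemoteDisplay.maxConnections and, with -Remediate, sets it to 1 only where
# the setting is missing or has a different value.
param(
    # Assumption: placeholder vCenter/ESXi hostname, replace with your own.
    [string] $VIServer = 'vcenter.example.internal',
    # Audit only unless -Remediate is passed.
    [switch] $Remediate
)

$SettingName   = 'RemoteDisplay.maxConnections'
$ExpectedValue = 1

Import-Module VMware.PowerCLI -ErrorAction Stop
Connect-VIServer -Server $VIServer | Out-Null

$report = foreach ($vm in Get-VM) {
    # Returns nothing when the VM has never had the setting defined.
    $setting = Get-AdvancedSetting -Entity $vm -Name $SettingName -ErrorAction SilentlyContinue
    $current = if ($setting) { [int]$setting.Value } else { $null }

    $status = if ($null -eq $current)               { 'Missing' }
              elseif ($current -ne $ExpectedValue)  { 'Wrong' }
              else                                  { 'Compliant' }

    if ($Remediate -and $status -ne 'Compliant') {
        if ($setting) {
            # Setting exists with the wrong value: update it in place.
            $setting | Set-AdvancedSetting -Value $ExpectedValue -Confirm:$false | Out-Null
        } else {
            # Setting absent: create it on this VM.
            New-AdvancedSetting -Entity $vm -Name $SettingName -Value $ExpectedValue -Confirm:$false | Out-Null
        }
        $status = 'Remediated'
    }

    [pscustomobject]@{ VM = $vm.Name; Current = $current; Status = $status }
}

# Non-compliant VMs first so they stand out in the output.
$report | Sort-Object Status, VM | Format-Table -AutoSize
Disconnect-VIServer -Server $VIServer -Confirm:$false
```

Run it once without -Remediate to see the audit table, then with -Remediate to fix only the VMs reported as Missing or Wrong. After remediating, verify the control behaves as intended by opening a second console session to an affected VM: if the second session is still accepted, the VMX process has not picked up the new value, and the VM needs a power cycle (a guest OS restart alone does not restart the VMX process).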

Supportive Information

This security hardening control applies to the following categories of controls within NIST 800-53: Configuration Management, Identification and Authentication. This control applies to the following type of system: VMware.


Updated on July 16, 2022