Details
In a virtual machine, users and processes without root or administrator privileges can disconnect devices, such as network adapters and CD-ROM drives, and modify device settings within the guest operating system. These actions should be prevented.
Rationale:
Disabling unauthorized modification and disconnection of devices helps prevents unauthorized changes within the guest operating system, which could be used to gain unauthorized access, cause denial of service conditions, and otherwise negatively affect the security of the guest operating system.
Solution
To prevent unauthorized device modifications and disconnections, run the following PowerCLI command:
# Add the setting to all VMs
Get-VM | New-AdvancedSetting -Name ‘isolation.device.edit.disable’ -value $true
Supportive Information
The following resource is also helpful.
This security hardening control applies to the following category of controls within NIST 800-53: Configuration Management.This control applies to the following type of system VMware.