Details
Setting isolation.tools.hgfsServerSet.disable to true disables registration of the guest’s HGFS server with the host. APIs that use HGFS to transfer files to and from the guest operating system, such as some VIX commands, will not function. An attacker could potentially use this to transfer files inside the guest OS.
Solution
From the vSphere Client select the Virtual Machine right click and go to Edit Settings >> VM Options Tab >> Advanced >> Configuration Parameters. Find the isolation.tools.hgfsServerSet.disable value and set it to true. If the setting does not exist click ‘Add Row’ to add the setting to the virtual machine.
Note: The VM must be powered off to configure the advanced settings through the vSphere Client so it is recommended to configure these settings with PowerCLI as it can be done while the VM is powered on.
or
From a PowerCLI command prompt while connected to the ESXi host or vCenter server run the following command:
If the setting does not exist run:
Get-VM ‘VM Name’ | New-AdvancedSetting -Name isolation.tools.hgfsServerSet.disable -Value true
If the setting exists run:
Get-VM ‘VM Name’ | Get-AdvancedSetting -Name isolation.tools.hgfsServerSet.disable | Set-AdvancedSetting -Value true
Supportive Information
The following resource is also helpful.
This security hardening control applies to the following category of controls within NIST 800-53: Configuration Management.This control applies to the following type of system VMware.
References
- 800-53|CM-6b.
- CAT|II
- CCI|CCI-000366
- Group-ID|V-64053
- Rule-ID|SV-78543r1_rule
- STIG-ID|VMCH-06-000008
- Vuln-ID|V-64053