
Virtual machines (VMs) must be configured to lock when the last console connection is closed.


Overview

Finding ID: V-258714
Version: VMCH-80-000201
Rule ID: SV-258714r933203_rule
IA Controls: (none listed)
Severity: Medium
Description
When accessing the VM console, the guest operating system must lock when the last console user disconnects; otherwise the next person to open the console inherits the previous user's unlocked desktop, which enables session hijacking. This setting only applies to Windows-based VMs with VMware Tools installed.
STIG: VMware vSphere 8.0 Virtual Machine Security Technical Implementation Guide
Date: 2023-10-11

Details

Check Text (C-62454r933201_chk)
For each virtual machine do the following:

From the vSphere Client, right-click the Virtual Machine and go to Edit Settings >> VM Options >> VMware Remote Console Options.

Verify the option "Lock the guest operating system when the last remote user disconnects" is checked.

or

From a PowerCLI command prompt while connected to the ESXi host or vCenter Server, run the following command:

Get-VM "VM Name" | Get-AdvancedSetting -Name tools.guest.desktop.autolock

If the virtual machine advanced setting "tools.guest.desktop.autolock" is not set to "true", this is a finding.

If the virtual machine advanced setting "tools.guest.desktop.autolock" does not exist, this is not a finding.
Fix Text (F-62363r933202_fix)
For each virtual machine do the following:

From the vSphere Client, right-click the Virtual Machine and go to Edit Settings >> VM Options >> VMware Remote Console Options.

Check the box next to "Lock the guest operating system when the last remote user disconnects". Click "OK".

or

From a PowerCLI command prompt while connected to the ESXi host or vCenter Server, run the following command:

Get-VM "VM Name" | Get-AdvancedSetting -Name tools.guest.desktop.autolock | Set-AdvancedSetting -Value true
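The check and fix above are written for one VM at a time. The following PowerCLI script is an added example, not part of the STIG text, that audits every VM visible to the current session against VMCH-80-000201 and, with an illustrative -Remediate switch, applies the fix only where the check would report a finding. It assumes Connect-VIServer has already been run against vCenter Server or the ESXi host, and it mirrors the check's logic exactly: an absent tools.guest.desktop.autolock key is reported as not a finding, any value other than true is a finding.

```powershell
# Added example (not from the STIG): audit and optionally remediate
# VMCH-80-000201 for all VMs in the current PowerCLI session.
# Assumes Connect-VIServer has already been run.

param(
    [switch]$Remediate   # illustrative switch: fix every finding found
)

$settingName = 'tools.guest.desktop.autolock'

$results = foreach ($vm in Get-VM) {

    # Advanced settings are per VM; Get-AdvancedSetting returns nothing when
    # the key has never been set on this VM.
    $setting = Get-AdvancedSetting -Entity $vm -Name $settingName -ErrorAction SilentlyContinue

    if (-not $setting) {
        # Per the check text, a missing key is not a finding.
        $value  = '<absent>'
        $status = 'Not a finding (setting absent)'
    }
    elseif ([string]$setting.Value -eq 'true') {    # -eq is case-insensitive
        $value  = $setting.Value
        $status = 'Compliant'
    }
    else {
        $value  = $setting.Value
        $status = 'FINDING'
        if ($Remediate) {
            # Same fix as the STIG: the key exists in this branch, so piping the
            # existing setting into Set-AdvancedSetting works.
            $setting | Set-AdvancedSetting -Value 'true' -Confirm:$false | Out-Null
            $status = 'Remediated'
        }
    }

    [pscustomobject]@{
        VM          = $vm.Name
        GuestOS     = $vm.Guest.OSFullName                 # setting only matters for Windows guests
        ToolsStatus = $vm.ExtensionData.Guest.ToolsStatus  # ...with VMware Tools installed
        Value       = $value
        Status      = $status
    }
}

$results | Sort-Object Status, VM | Format-Table -AutoSize
```

Two practical notes. First, the one-line fix in the STIG (Get-AdvancedSetting piped into Set-AdvancedSetting) silently does nothing when the key does not exist, because Get-AdvancedSetting emits no object to pipe; if a site chooses to enforce the lock on VMs where the key is absent, that is done with New-AdvancedSetting -Entity $vm -Name tools.guest.desktop.autolock -Value true, but the STIG itself does not require it. Second, the GuestOS and ToolsStatus columns are there so reviewers can see which findings actually matter: on a non-Windows guest, or one without VMware Tools, the setting has no effect even when set.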