| Finding ID | Severity | Title | Description |
|---|---|---|---|
| V-39442 | High | The system must control virtual machine access to host resources. | By default, all virtual machines on an ESXi host share the resources equally. By using the resource management capabilities of ESXi, such as shares and limits, you can control the server resources... |
| V-39448 | High | The system must disable virtual disk shrinking. | Shrinking a virtual disk reclaims unused space in it. If there is empty space in the disk, this process reduces the amount of space the virtual disk occupies on the host drive. Normal users and... |
| V-39449 | High | The system must disable virtual disk erasure. | Shrinking and wiping (erasing) a virtual disk reclaims unused space in it. If there is empty space in the disk, this process reduces the amount of space the virtual disk occupies on the host... |
| V-39451 | High | The system must not use independent, non-persistent disks. | The security issue with non-persistent disk mode is that successful attackers, with a simple shutdown or reboot, might undo or remove any traces that they were ever on the machine. To safeguard... |
| V-39489 | Medium | The system must disconnect unauthorized floppy devices. | Besides disabling unnecessary virtual devices from within the virtual machine, ensure no device is connected to a virtual machine if it is not required to be there. For example, serial and... |
| V-39490 | Medium | The system must disconnect unauthorized IDE devices. | Besides disabling unnecessary virtual devices from within the virtual machine, ensure no device is connected to a virtual machine if it is not required to be there. For example, serial and... |
| V-39508 | Medium | The system must control access to VMs through the VMsafe CPU/memory vmsafe.enable API. | The VMsafe CPU/memory API allows a security virtual machine to inspect and modify the contents of the memory and CPU registers on other VMs, for the purpose of detecting and preventing malware... |
| V-39503 | Medium | The system must use secure protocols for virtual serial port access. | Serial ports are interfaces for connecting peripherals to the virtual machine. They are often used on physical systems to provide a direct, low-level connection to the console of a server, and a... |
| V-39499 | Medium | The system must prevent unauthorized removal, connection and modification of devices by setting the isolation.device.connectable.disable keyword to true. | Normal users and processes, that is, users and processes without root or administrator privileges, within virtual machines have the capability to connect or disconnect devices, such as network... |
| V-39498 | Medium | The system must minimize use of the VM console. | The VM console enables a connection to the console of a virtual machine, in effect seeing what a monitor on a physical server would show. The VM console also provides power management and... |
| V-39495 | Medium | The system must limit VM logging records. | Use these settings to limit the total size and number of log files. Normally a new log file is created only when a host is rebooted, so the file can grow to be quite large. Ensure new log files... |
| V-39494 | Medium | The system must limit sharing of console connections. | By default, remote console sessions can be connected to by more than one user at a time. When multiple sessions are activated, each terminal window gets a notification about the new session. If... |
| V-39496 | Medium | The system must limit VM logging record contents. | Use these settings to limit the total size and number of log files. Normally a new log file is created only when a host is rebooted, so the file can grow to be quite large. Ensure new log files... |
| V-39491 | Medium | The system must disconnect unauthorized parallel devices. | Besides disabling unnecessary virtual devices from within the virtual machine, ensure no device is connected to a virtual machine if it is not required to be there. For example, serial and... |
| V-39501 | Medium | The system must not send host information to guests. | If enabled, a VM can obtain detailed information about the physical host. The default value for the parameter is FALSE. This setting should not be TRUE unless a particular VM requires this... |
| V-39493 | Medium | The system must disconnect unauthorized USB devices. | Besides disabling unnecessary virtual devices from within the virtual machine, ensure no device is connected to a virtual machine if it is not required to be there. For example, serial and... |
| V-39492 | Medium | The system must disconnect unauthorized serial devices. | Besides disabling unnecessary virtual devices from within the virtual machine, ensure no device is connected to a virtual machine if it is not required to be there. For example, serial and... |
| V-39500 | Medium | The system must prevent unauthorized removal, connection and modification of devices. | Normal users and processes, that is, users and processes without root or administrator privileges, within virtual machines have the capability to connect or disconnect devices, such as network... |
| V-39507 | Medium | The system must control access to VMs through the VMsafe CPU/memory vmsafe.agentPort API. | The VMsafe CPU/memory API allows a security virtual machine to inspect and modify the contents of the memory and CPU registers on other VMs, for the purpose of detecting and preventing malware... |
| V-39506 | Medium | The system must control access to VMs through VMsafe CPU/memory APIs. | The VMsafe CPU/memory API allows a security virtual machine to inspect and modify the contents of the memory and CPU registers on other VMs, for the purpose of detecting and preventing malware... |
| V-39450 | Medium | The system must disable HGFS file transfers. | Certain automated operations, such as automated tools upgrades, use a component in the hypervisor called "Host Guest File System", and an attacker could potentially use this to transfer files... |
| V-39453 | Medium | The system must disable VM logging, unless required. | Excessive VM logging may degrade system performance. The following settings can be used to limit the total size and number of log files. Normally a new log file is created only when a host is... |
| V-39452 | Medium | The system must disable VM-to-VM communication through VMCI. | If the interface is not restricted, a VM can detect and be detected by all other VMs with the same option enabled within the same host. This might be the intended behavior, but custom-built... |
| V-39454 | Medium | The system must disable VM Monitor Control during normal operation. | When virtual machines are running on a hypervisor they are "aware" that they are running in a virtual environment, and this information is available to tools inside the guest OS. This can give... |
| V-39488 | Low | The system must disable VIX messages from the VM. | The VIX API is a library for writing scripts and programs to manipulate virtual machines. If custom VIX programming is not used in the environment, then disable features to reduce the potential... |
| V-39482 | Low | The unexposed feature keyword isolation.tools.unity.push.update.disable must be initialized to decrease the VM's potential attack vectors. | Because VMware virtual machines are designed to work on both vSphere as well as hosted virtualization platforms, such as Workstation and Fusion, there are some VMX parameters that do not apply... |
| V-39483 | Low | The unexposed feature keyword isolation.tools.unity.taskbar.disable must be initialized to decrease the VM's potential attack vectors. | Because VMware virtual machines are designed to work on both vSphere as well as hosted virtualization platforms, such as Workstation and Fusion, there are some VMX parameters that do not apply... |
| V-39480 | Low | The unexposed feature keyword isolation.tools.unity.disable must be initialized to decrease the VM's potential attack vectors. | Because VMware virtual machines are designed to work on both vSphere as well as hosted virtualization platforms, such as Workstation and Fusion, there are some VMX parameters that do not apply... |
| V-39481 | Low | The unexposed feature keyword isolation.tools.unityInterlockOperation.disable must be initialized to decrease the VM's potential attack vectors. | Because VMware virtual machines are designed to work on both vSphere as well as hosted virtualization platforms, such as Workstation and Fusion, there are some VMX parameters that do not apply... |
| V-39486 | Low | The unexposed feature keyword isolation.tools.vmxDnDVersionGet.disable must be initialized to decrease the VM's potential attack vectors. | Because VMware virtual machines are designed to work on both vSphere as well as hosted virtualization platforms, such as Workstation and Fusion, there are some VMX parameters that do not apply... |
| V-39487 | Low | The unexposed feature keyword isolation.tools.guestDnDVersionSet.disable must be initialized to decrease the VM's potential attack vectors. | Because VMware virtual machines are designed to work on both vSphere as well as hosted virtualization platforms, such as Workstation and Fusion, there are some VMX parameters that do not apply... |
| V-39484 | Low | The unexposed feature keyword isolation.tools.unityActive.disable must be initialized to decrease the VM's potential attack vectors. | Because VMware virtual machines are designed to work on both vSphere as well as hosted virtualization platforms, such as Workstation and Fusion, there are some VMX parameters that do not apply... |
| V-39485 | Low | The unexposed feature keyword isolation.tools.unity.windowContents.disable must be initialized to decrease the VM's potential attack vectors. | Because VMware virtual machines are designed to work on both vSphere as well as hosted virtualization platforms, such as Workstation and Fusion, there are some VMX parameters that do not apply... |
| V-39477 | Low | The unexposed feature keyword isolation.tools.dispTopoRequest.disable must be initialized to decrease the VM's potential attack vectors. | Because VMware virtual machines are designed to work on both vSphere as well as hosted virtualization platforms, such as Workstation and Fusion, there are some VMX parameters that do not apply... |
| V-39461 | Low | The unexposed feature keyword isolation.tools.memSchedFakeSampleStats.disable must be initialized to decrease the VM's potential attack vectors. | Because VMware virtual machines are designed to work on both vSphere as well as hosted virtualization platforms, such as Workstation and Fusion, there are some VMX parameters that do not apply... |
| V-39462 | Low | The unexposed feature keyword isolation.tools.ghi.protocolhandler.info.disable must be initialized to decrease the VM's potential attack vectors. | Because VMware virtual machines are designed to work on both vSphere as well as hosted virtualization platforms, such as Workstation and Fusion, there are some VMX parameters that do not apply... |
| V-39463 | Low | The unexposed feature keyword isolation.ghi.host.shellAction.disable must be initialized to decrease the VM's potential attack vectors. | Because VMware virtual machines are designed to work on both vSphere as well as hosted virtualization platforms, such as Workstation and Fusion, there are some VMX parameters that do not apply... |
| V-39446 | Low | The system must explicitly disable any GUI functionality for copy/paste operations. | Copy and paste operations are disabled by default; however, explicitly disabling this feature enables audit controls to check that this setting is correct. Copy, paste, drag and drop, or... |
| V-39447 | Low | The system must explicitly disable paste operations. | Copy and paste operations are disabled by default; however, explicitly disabling this feature enables audit controls to check that this setting is correct. Copy, paste, drag and drop, or... |
| V-39444 | Low | The system must explicitly disable copy operations. | Copy and paste operations are disabled by default; however, explicitly disabling this feature enables audit controls to check that this setting is correct. Copy, paste, drag and drop, or... |
| V-39445 | Low | The system must explicitly disable drag and drop operations. | Copy and paste operations are disabled by default; however, explicitly disabling this feature enables audit controls to check that this setting is correct. Copy, paste, drag and drop, or... |
| V-39443 | Low | The system must disable tools auto install. | Tools auto install can initiate an automatic reboot; disabling this option will prevent tools from being installed automatically and prevent automatic machine reboots. |
| V-39505 | Low | The system must control access to VMs through the dvfilter network APIs. | A VM must be configured explicitly to accept access by the dvfilter network API. This should be performed only for VMs that require the dvfilter network API. An attacker might compromise the VM by... |
| V-39504 | Low | The system must use templates to deploy VMs whenever possible. | By capturing a hardened base operating system image (with no applications installed) in a template, ensure all virtual machines are created with a known baseline level of security. Then use this... |
| V-39497 | Low | The system must limit informational messages from the VM to the VMX file. | The configuration file containing these name-value pairs is limited to a size of 1MB. If not limited, VMware Tools in the guest OS are capable of sending a large and continuous data stream to the... |
| V-39457 | Low | The unexposed feature keyword isolation.bios.bbs.disable must be initialized to decrease the VM's potential attack vectors. | Because VMware virtual machines are designed to work on both vSphere as well as hosted virtualization platforms, such as Workstation and Fusion, there are some VMX parameters that do not apply... |
| V-39456 | Low | The unexposed feature keyword isolation.tools.ghi.autologon.disable must be initialized to decrease the VM's potential attack vectors. | Because VMware virtual machines are designed to work on both vSphere as well as hosted virtualization platforms, such as Workstation and Fusion, there are some VMX parameters that do not apply... |
| V-39459 | Low | The unexposed feature keyword isolation.tools.ghi.launchmenu.change must be initialized to decrease the VM's potential attack vectors. | Because VMware virtual machines are designed to work on both vSphere as well as hosted virtualization platforms, such as Workstation and Fusion, there are some VMX parameters that do not apply... |
| V-39458 | Low | The unexposed feature keyword isolation.tools.getCreds.disable must be initialized to decrease the VM's potential attack vectors. | Because VMware virtual machines are designed to work on both vSphere as well as hosted virtualization platforms, such as Workstation and Fusion, there are some VMX parameters that do not apply... |
| V-39479 | Low | The unexposed feature keyword isolation.tools.ghi.trayicon.disable must be initialized to decrease the VM's potential attack vectors. | Because VMware virtual machines are designed to work on both vSphere as well as hosted virtualization platforms, such as Workstation and Fusion, there are some VMX parameters that do not apply... |
| V-39478 | Low | The unexposed feature keyword isolation.tools.trashFolderState.disable must be initialized to decrease the VM's potential attack vectors. | Because VMware virtual machines are designed to work on both vSphere as well as hosted virtualization platforms, such as Workstation and Fusion, there are some VMX parameters that do not apply... |