V-64051 | High | The system must not use independent, non-persistent disks. | The security issue with nonpersistent disk mode is that successful attackers, with a simple shutdown or reboot, might undo or remove any traces that they were ever on the machine. To safeguard... |
V-64049 | High | The system must disable virtual disk erasure. | Shrinking and wiping (erasing) a virtual disk reclaims unused space in it. If there is empty space in the disk, this process reduces the amount of space the virtual disk occupies on the host... |
V-64047 | High | The system must disable virtual disk shrinking. | Shrinking a virtual disk reclaims unused space in it. If there is empty space in the disk, this process reduces the amount of space the virtual disk occupies on the host drive. Normal users and... |
V-64053 | Medium | The system must disable HGFS file transfers. | Setting isolation.tools.hgfsServerSet.disable to true disables registration of the guest's HGFS server with the host. APIs that use HGFS to transfer files to and from the guest operating system,... |
V-64115 | Medium | The system must not send host information to guests. | If enabled, a VM can obtain detailed information about the physical host. The default value for the parameter is FALSE. This setting should not be TRUE unless a particular VM requires this... |
V-64113 | Medium | The system must prevent unauthorized removal, connection and modification of devices. | In a virtual machine, users and processes without root or administrator privileges can connect or disconnect devices, such as network adaptors and CD-ROM drives, and can modify device settings.... |
V-64111 | Medium | The system must prevent unauthorized removal, connection and modification of devices. | In a virtual machine, users and processes without root or administrator privileges can connect or disconnect devices, such as network adaptors and CD-ROM drives, and can modify device settings.... |
V-64099 | Medium | The system must disconnect unauthorized serial devices. | Ensure that no device is connected to a virtual machine if it is not required. For example, floppy, serial and parallel ports are rarely used for virtual machines in a datacenter environment, and... |
V-64093 | Medium | The system must disconnect unauthorized floppy devices. | Ensure that no device is connected to a virtual machine if it is not required. For example, floppy, serial and parallel ports are rarely used for virtual machines in a datacenter environment, and... |
V-64097 | Medium | The system must disconnect unauthorized parallel devices. | Ensure that no device is connected to a virtual machine if it is not required. For example, floppy, serial and parallel ports are rarely used for virtual machines in a datacenter environment, and... |
V-64101 | Medium | The system must disconnect unauthorized USB devices. | Ensure that no device is connected to a virtual machine if it is not required. For example, floppy, serial and parallel ports are rarely used for virtual machines in a datacenter environment, and... |
V-64103 | Medium | The system must limit sharing of console connections. | By default, remote console sessions can be connected to by more than one user at a time. When multiple sessions are activated, each terminal window gets a notification about the new session. If... |
V-64123 | Medium | The system must minimize use of the VM console. | The VM console enables a connection to the console of a virtual machine, in effect seeing what a monitor on a physical server would show. The VM console also provides power management and... |
V-64105 | Medium | The system must disable console access through the VNC protocol. | The VM console enables you to connect to the console of a virtual machine, in effect seeing what a monitor on a physical server would show. This console is also available via the Virtual Network... |
V-64107 | Low | The system must disable tools auto install. | Tools auto install can initiate an automatic reboot. Disabling this option prevents tools from being installed automatically and prevents automatic machine reboots. |
V-64071 | Low | The unexposed feature keyword isolation.tools.trashFolderState.disable must be set. | Some virtual machine advanced settings parameters do not apply on vSphere because VMware virtual machines work on both vSphere and hosted virtualization platforms such as Workstation and Fusion.... |
V-64117 | Low | The system must disable shared salt values. | When salting is enabled (Mem.ShareForceSalting=1 or 2), in order to share a page between two virtual machines, both the salt and the content of the page must be the same. A salt value is a configurable VMX... |
V-64119 | Low | The system must control access to VMs through the dvfilter network APIs. | An attacker might compromise a VM by making use of the dvFilter API. Configure only those VMs that need this access to use the API. |
V-64079 | Low | The unexposed feature keyword isolation.tools.unity.push.update.disable must be set. | Some virtual machine advanced settings parameters do not apply on vSphere because VMware virtual machines work on both vSphere and hosted virtualization platforms such as Workstation and Fusion.... |
V-64059 | Low | The unexposed feature keyword isolation.tools.getCreds.disable must be set. | Some virtual machine advanced settings parameters do not apply on vSphere because VMware virtual machines work on both vSphere and hosted virtualization platforms such as Workstation and Fusion.... |
V-64055 | Low | The unexposed feature keyword isolation.tools.ghi.autologon.disable must be set. | Some virtual machine advanced settings parameters do not apply on vSphere because VMware virtual machines work on both vSphere and hosted virtualization platforms such as Workstation and Fusion.... |
V-64057 | Low | The unexposed feature keyword isolation.bios.bbs.disable must be set. | Some virtual machine advanced settings parameters do not apply on vSphere because VMware virtual machines work on both vSphere and hosted virtualization platforms such as Workstation and Fusion.... |
V-64073 | Low | The unexposed feature keyword isolation.tools.ghi.trayicon.disable must be set. | Some virtual machine advanced settings parameters do not apply on vSphere because VMware virtual machines work on both vSphere and hosted virtualization platforms such as Workstation and Fusion.... |
V-64075 | Low | The unexposed feature keyword isolation.tools.unity.disable must be set. | Some virtual machine advanced settings parameters do not apply on vSphere because VMware virtual machines work on both vSphere and hosted virtualization platforms such as Workstation and Fusion.... |
V-64091 | Low | The system must disable VIX messages from the VM. | The VIX API is a library for writing scripts and programs to manipulate virtual machines. If you do not make use of custom VIX programming in your environment, then you should consider disabling... |
V-64095 | Low | The system must disconnect unauthorized CD/DVD devices. | Ensure that no device is connected to a virtual machine if it is not required. For example, floppy, serial and parallel ports are rarely used for virtual machines in a datacenter environment, and... |
V-64077 | Low | The unexposed feature keyword isolation.tools.unityInterlockOperation.disable must be set. | Some virtual machine advanced settings parameters do not apply on vSphere because VMware virtual machines work on both vSphere and hosted virtualization platforms such as Workstation and Fusion.... |
V-63151 | Low | The system must explicitly disable copy operations. | Copy and paste operations are disabled by default; however, explicitly disabling this feature enables audit controls to check that this setting is correct. Copy, paste, drag and drop, or... |
V-64067 | Low | The unexposed feature keyword isolation.ghi.host.shellAction.disable must be set. | Some virtual machine advanced settings parameters do not apply on vSphere because VMware virtual machines work on both vSphere and hosted virtualization platforms such as Workstation and Fusion.... |
V-64065 | Low | The unexposed feature keyword isolation.tools.ghi.protocolhandler.info.disable must be set. | Some virtual machine advanced settings parameters do not apply on vSphere because VMware virtual machines work on both vSphere and hosted virtualization platforms such as Workstation and Fusion.... |
V-64063 | Low | The unexposed feature keyword isolation.tools.memSchedFakeSampleStats.disable must be set. | Some virtual machine advanced settings parameters do not apply on vSphere because VMware virtual machines work on both vSphere and hosted virtualization platforms such as Workstation and Fusion.... |
V-64061 | Low | The unexposed feature keyword isolation.tools.ghi.launchmenu.change must be set. | Some virtual machine advanced settings parameters do not apply on vSphere because VMware virtual machines work on both vSphere and hosted virtualization platforms such as Workstation and Fusion.... |
V-64069 | Low | The unexposed feature keyword isolation.tools.dispTopoRequest.disable must be set. | Some virtual machine advanced settings parameters do not apply on vSphere because VMware virtual machines work on both vSphere and hosted virtualization platforms such as Workstation and Fusion.... |
V-64109 | Low | The system must limit informational messages from the VM to the VMX file. | The configuration file containing these name-value pairs is limited to a size of 1MB. If not limited, VMware tools in the guest OS are capable of sending a large and continuous data stream to the... |
V-64045 | Low | The system must explicitly disable paste operations. | Copy and paste operations are disabled by default; however, explicitly disabling this feature enables audit controls to check that this setting is correct. Copy, paste, drag and drop, or... |
V-64041 | Low | The system must explicitly disable drag and drop operations. | Copy and paste operations are disabled by default; however, explicitly disabling this feature enables audit controls to check that this setting is correct. Copy, paste, drag and drop, or... |
V-64121 | Low | The system must use templates to deploy VMs whenever possible. | By capturing a hardened base operating system image (with no applications installed) in a template, ensure all virtual machines are created with a known baseline level of security. Then use this... |
V-64043 | Low | The system must explicitly disable any GUI functionality for copy/paste operations. | Copy and paste operations are disabled by default; however, explicitly disabling this feature enables audit controls to check that this setting is correct. Copy, paste, drag and drop, or... |
V-64089 | Low | The unexposed feature keyword isolation.tools.guestDnDVersionSet.disable must be set. | Some virtual machine advanced settings parameters do not apply on vSphere because VMware virtual machines work on both vSphere and hosted virtualization platforms such as Workstation and Fusion.... |
V-64081 | Low | The unexposed feature keyword isolation.tools.unity.taskbar.disable must be set. | Some virtual machine advanced settings parameters do not apply on vSphere because VMware virtual machines work on both vSphere and hosted virtualization platforms such as Workstation and Fusion.... |
V-64083 | Low | The unexposed feature keyword isolation.tools.unityActive.disable must be set. | Some virtual machine advanced settings parameters do not apply on vSphere because VMware virtual machines work on both vSphere and hosted virtualization platforms such as Workstation and Fusion.... |
V-64085 | Low | The unexposed feature keyword isolation.tools.unity.windowContents.disable must be set. | Some virtual machine advanced settings parameters do not apply on vSphere because VMware virtual machines work on both vSphere and hosted virtualization platforms such as Workstation and Fusion.... |
V-64087 | Low | The unexposed feature keyword isolation.tools.vmxDnDVersionGet.disable must be set. | Some virtual machine advanced settings parameters do not apply on vSphere because VMware virtual machines work on both vSphere and hosted virtualization platforms such as Workstation and Fusion.... |