6 Ways to Secure Virtual Machines


In this blog post, I will show you 6 ways to secure virtual machines. The guest operating system that runs within a virtual machine is subject to the same security risks as a physical system. Secure virtual machines as you would secure physical machines.

1. Prevent Virtual Disk Shrinking

Non-administrative users within the guest operating system are able to shrink virtual disks. Shrinking a virtual disk reclaims the disk's unused space. However, if you shrink a disk repeatedly, the disk will become unavailable or cause a Denial of Service (DoS). To prevent this, disable the ability to shrink virtual disks.

How to Prevent Virtual Disk Shrinking

  • Turn off the virtual machine.
  • Log in to the vCenter Server system using the vSphere Client.
  • Select the virtual machine in the inventory.
  • On the Summary tab, click Edit Settings.
  • Select Options > Advanced > General and click Configuration Parameters.
  • Add or edit the following parameters.
    Name                                 Value
    isolation.tools.diskWiper.disable    TRUE
    isolation.tools.diskShrink.disable   TRUE
  • Click OK to close.


2. Disable Copy and Paste Operations Between Guest Operating System and Remote Console

Copy and paste operations between the guest operating system and remote console are disabled by default. For a secure environment, retain the default setting. If you require copy and paste operations, you must enable them using the vSphere Client.

How to Check Whether Copy and Paste Is Enabled or Disabled

  • In the vSphere Client, select the virtual machine and, on the Summary tab, click Edit Settings.
  • Select Options > Advanced > General and click Configuration Parameters.
  • Ensure that the following values are in the Name and Value columns, or click Add Row to add them.
    Name                            Value
    isolation.tools.copy.disable    TRUE
    isolation.tools.paste.disable   TRUE
  • These options override any settings made in the guest operating system’s VMware Tools control panel.
  • If you made changes to the configuration parameters, restart the virtual machine.

3. Modify Guest Operating System Variable Memory Limit

You can increase the guest operating system variable memory limit if a large amount of customized information is stored in the configuration files.

How to Modify Guest Operating System Variable Memory Limit

  • In the vSphere Client, select the VM. On the Summary tab, click Edit Settings, select Options > Advanced > General, and click Configuration Parameters.
  • If the size limit attribute is not present, you can add it using these steps:

a. Click Add Row.
b. In the Name column, type tools.setInfo.sizeLimit.
c. In the Value column, type the limit as a number of bytes.

  • If the size limit attribute exists, modify it to reflect the appropriate limits.
  • Click OK to close.

4. Prevent the Guest Operating System Processes from Sending Configuration Messages to the Host

You can stop guests from writing any name-value pairs to the configuration file that are sent to the host. This is applicable when guest operating systems should be prevented from modifying configuration settings.

How to Prevent the Guest Operating System Processes from Sending Configuration Messages to the Host

  • Select the VM and, on the Summary tab, click Edit Settings.
  • Click Options > Advanced > General, and click Configuration Parameters.
  • Click Add Row and type the following values in the Name and Value columns.

a. In the Name column: isolation.tools.setinfo.disable
b. In the Value column: true

  • Click OK to close.


5. Prevent a Virtual Machine User or Process from Disconnecting Devices

Users and processes without root or administrator privileges within virtual machines have the capability to connect or disconnect devices, such as network adaptors and CD-ROM drives, as well as the ability to modify device settings. To increase virtual machine security, remove these devices. If you do not want to permanently remove a device, you can prevent a virtual machine user or process from connecting or disconnecting the device from within the guest operating system.

How to Prevent a Virtual Machine User or Process from Disconnecting Devices

  • Select the virtual machine.
  • On the Summary tab, click Edit Settings, select Options > Advanced > General, and click Configuration Parameters.
  • Add or edit the following parameters:

a. isolation.device.connectable.disable = true
b. isolation.device.edit.disable = true

  • These options override any settings made in the guest operating system’s VMware Tools control panel.
  • Click OK to close.
  • If you made changes to the configuration, restart the VM.
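
The parameters from sections 1, 2, 4 and 5 can be checked in one pass instead of VM by VM in the client. The script below is an added example, not part of the original article or of any VMware tool: it audits the text of a .vmx file against those settings. It assumes the parameters are stored as name = "value" lines and that names and TRUE/FALSE values are case-insensitive; parse_vmx, audit_vmx and the sample file are hypothetical.

```python
import re

# Parameters and values taken from sections 1, 2, 4 and 5 of this article.
REQUIRED = {
    "isolation.tools.diskWiper.disable": "TRUE",
    "isolation.tools.diskShrink.disable": "TRUE",
    "isolation.tools.copy.disable": "TRUE",
    "isolation.tools.paste.disable": "TRUE",
    "isolation.tools.setinfo.disable": "TRUE",
    "isolation.device.connectable.disable": "TRUE",
    "isolation.device.edit.disable": "TRUE",
}
# Assumed entry format: name = "value" (quotes optional, '#' lines skipped).
_LINE = re.compile(r'^\s*([^#\s=][^=]*?)\s*=\s*"?(.*?)"?\s*$')

def parse_vmx(text):
    """Return {lowercased name: value}; the last occurrence of a name wins."""
    params = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            params[m.group(1).lower()] = m.group(2)
    return params

def audit_vmx(text):
    """Return a sorted list of (name, problem) for every unmet setting."""
    params = parse_vmx(text)
    findings = []
    for name, want in REQUIRED.items():
        got = params.get(name.lower())
        if got is None:
            findings.append((name, "missing"))
        elif got.strip().lower() != want.lower():
            findings.append((name, f"set to {got!r}, expected {want}"))
    return sorted(findings)

# Constructed sample, not taken from a real VM.
SAMPLE_VMX = '''\
displayName = "web01"
isolation.tools.diskWiper.disable = "TRUE"
isolation.tools.diskShrink.disable = "TRUE"
isolation.tools.copy.disable = "FALSE"
isolation.tools.setInfo.disable = "true"
isolation.device.connectable.disable = "TRUE"
'''

if __name__ == "__main__":
    for name, problem in audit_vmx(SAMPLE_VMX):
        print(f"{name}: {problem}")
```

A missing parameter is reported separately from one that is present with the wrong value, so an unset isolation.tools.paste.disable is not mistaken for a compliant one.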

6. Configure Syslog on ESXi Hosts

All ESXi hosts run a syslog service (vmsyslogd), which logs messages from the VMkernel and other system components to log files.

You can use the vSphere Client or the esxcli system syslog vCLI command to configure the syslog service.

However, in this article, I will show you how to configure the syslog service from the vSphere Client.

How to Configure the Syslog Service from the vSphere Client

  • Select the host.
  • Go to the Configuration tab.
  • Click Advanced Settings.
  • Select Syslog in the tree control.
  • To set up logging globally, click global and make changes to the fields on the right.

a. Syslog.global.defaultRotate

Sets the maximum number of archives to keep. You can set this number globally and for individual sub loggers.

b. Syslog.global.defaultSize

Sets the default size of the log, in KB, before the system rotates logs. You can set this number globally and for individual sub loggers.

c. Syslog.global.LogDir

The directory where logs are stored. The directory can be located on mounted NFS or VMFS volumes.

d. Syslog.global.logDirUnique

Selecting this option creates a subdirectory with the name of the ESXi host under the directory specified by Syslog.global.LogDir. A unique directory is useful if the same NFS directory is used by multiple ESXi hosts.

e. Syslog.global.LogHost

The remote host to which syslog messages are forwarded and the port on which the remote host receives syslog messages. You can include the protocol and the port here.

Important

To override the default log size and log rotation for any of the logs:
a. Click loggers.
b. Click the name of the log that you want to customize, enter the number of rotations and the log size you want, and then click OK.

 

 
