VM Hardening Guide
Overview
Since the master VM and all its clones are purposefully designed to run malware, it's a good idea to harden the master VM as much as possible. The following is a list of additional directives you can include in any VMware virtual machine configuration file (.vmx or .cfg), e.g., /vm/master/master.vmx.
Unfortunately, there's always a trade-off between security and usability. Adding every possible pro-security directive may leave your VM in an unusable state. As such, this list specifically allows:
- The Windows XP SP2 OS to properly boot.
- VMware Tools to only sync time with the host system.
If you have further recommendations on how to improve this list, please feel free to provide us with your suggestions.
Synopsis
1. Be sure the master VM is completely unregistered on the host system. Here is an example of how you can do this:
# vmware-cmd -s unregister /vm/master/master.vmx
2. Then, edit the master VM configuration with your editor of choice. For example:
# vi /vm/master/master.vmx
3. Add the additional directives, as stated below.
4. Once you've made these changes, re-register your master VM and try powering it on to verify it still properly works. For example:
# vmware-cmd -s register /vm/master/master.vmx
# vmware-cmd /vm/master/master.vmx start
Harden Network Devices
- Disable network boot across all Ethernet interfaces.
vlance.noOprom = "TRUE"
vmxnet.noOprom = "TRUE"
For each Ethernet device defined in your VM's configuration file (i.e., ethernet0, ethernet1), you should include the following directives:
- Prevent the VM from using a MAC address other than the initial MAC address.
ethernet0.downWhenAddrMismatch = "TRUE"
- Prevent the VM from sending packets using an impersonated source MAC address.
ethernet0.noForgedSrcAddr = "TRUE"
- Disable promiscuous mode for the VM's Ethernet interface.
ethernet0.noPromisc = "TRUE"
- Disable the VM's Ethernet interface when a MAC address conflict occurs.
ethernet0.ignoreMACAddressConflict = "FALSE"
- Make sure the VM's Ethernet MAC address stays the same upon resume.
ethernet0.reassignMAConResume = "FALSE"
- Prevent any process running inside the VM (including malware) from disconnecting/reconnecting the VM's Ethernet device.
ethernet0.allowGuestConnectionControl = "FALSE"
Harden CD-ROM Device
- Prevent any process running inside the VM (including malware) from disconnecting/reconnecting the VM's CD-ROM device.
ide1:0.allowGuestConnectionControl = "FALSE"
Harden Floppy Device
- Prevent any process running inside the VM (including malware) from disconnecting/reconnecting the VM's floppy device.
floppy0.allowGuestConnectionControl = "FALSE"
Disable USB Support
- Disable all USB functionality within the VM.
usb.present = "FALSE"
Disable Sound Support
- Disable all audio support within the VM.
sound.present = "FALSE"
Restrict VMware Tools
- This next set of directives disables all VMware Tools functionality except time synchronization. The commented-out directives remain listed for the sake of completeness.
isolation.tools.getPtrLocation.disable = "TRUE"
isolation.tools.setPtrLocation.disable = "TRUE"
#isolation.tools.getVersion.disable = "TRUE"
isolation.tools.setVersion.disable = "TRUE"
monitor_control.restrict_backdoor = "TRUE"
#monitor_control.disable_directexec = "TRUE"
#monitor_control.disable_chksimd = "TRUE"
#monitor_control.disable_ntreloc = "TRUE"
#monitor_control.disable_selfmod = "TRUE"
#monitor_control.disable_reloc = "TRUE"
#monitor_control.disable_btinout = "TRUE"
#monitor_control.disable_btmemspace = "TRUE"
#monitor_control.disable_btpriv = "TRUE"
#monitor_control.disable_btseg = "TRUE"
# Disable VMware Tools Capabilities
isolation.tools.dnd.disable = "TRUE"
isolation.tools.hgfs.disable = "TRUE"
isolation.tools.copy.disable = "TRUE"
isolation.tools.paste.disable = "TRUE"
isolation.tools.Int13.disable = "TRUE"
isolation.tools.rsvd0.disable = "TRUE"
isolation.tools.rsvd1.disable = "TRUE"
isolation.tools.rsvd2.disable = "TRUE"
#isolation.tools.ACPI.disable = "TRUE"
isolation.tools.log.disable = "TRUE"
isolation.tools.getMhz.disable = "TRUE"
isolation.tools.apmFunction.disable = "TRUE"
isolation.tools.getDiskGeo.disable = "TRUE"
isolation.tools.getGuiOptions.disable = "TRUE"
isolation.tools.setGuiOptions.disable = "TRUE"
isolation.tools.getScreenSize.disable = "TRUE"
isolation.tools.osNotFound.disable = "TRUE"
isolation.tools.getUUId.disable = "TRUE"
isolation.tools.getMemSize.disable = "TRUE"
isolation.tools.hostCopy.disable = "TRUE"
isolation.tools.getOS2IntCursor.disable = "TRUE"
#isolation.tools.getTime.disable = "TRUE"
isolation.tools.stopCatchup.disable = "TRUE"
isolation.tools.initScsiIoprom.disable = "TRUE"
#isolation.tools.message.disable = "TRUE"
isolation.tools.diskWiper.disable = "TRUE"
isolation.tools.diskShrink.disable = "TRUE"
isolation.tools.removeImage.disable = "TRUE"
isolation.tools.getMachineId.disable = "TRUE"
isolation.tools.haltReboot.disable = "TRUE"
isolation.tools.haltRebootStatus.disable = "TRUE"
isolation.tools.updateTools.disable = "TRUE"
isolation.tools.autoConnect.disable = "TRUE"
isolation.tools.getInfo.disable = "TRUE"
isolation.tools.setInfo.disable = "TRUE"
isolation.tools.unifiedLoop.disable = "TRUE"
isolation.tools.setOption.disable = "TRUE"
isolation.tools.osStateChangeStatus.disable = "TRUE"
isolation.tools.osStateChange.disable = "TRUE"
isolation.tools.vmdbpipeSend.disable = "TRUE"
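The synopsis above tells you to verify the VM still boots after editing, but not whether every directive actually landed in the file. The following audit script is an added example (not part of this guide or of any VMware tool) that parses a .vmx and reports each directive from this page that is missing or set to the wrong value, applying the ethernet0 rules to every ethernetN device the file defines. It assumes the .vmx uses the usual key = "value" syntax and covers the Tools list only in part; the sample .vmx embedded at the bottom is constructed for the demonstration.

```python
import re
# Required directives from the guide (Tools list abridged); ethernet0 rules apply to every ethernetN.
EXPECTED = {
    "vlance.noOprom": "TRUE", "vmxnet.noOprom": "TRUE",
    "ethernet0.downWhenAddrMismatch": "TRUE", "ethernet0.noForgedSrcAddr": "TRUE",
    "ethernet0.noPromisc": "TRUE", "ethernet0.ignoreMACAddressConflict": "FALSE",
    "ethernet0.reassignMAConResume": "FALSE", "ethernet0.allowGuestConnectionControl": "FALSE",
    "ide1:0.allowGuestConnectionControl": "FALSE", "floppy0.allowGuestConnectionControl": "FALSE",
    "usb.present": "FALSE", "sound.present": "FALSE", "monitor_control.restrict_backdoor": "TRUE",
    "isolation.tools.dnd.disable": "TRUE", "isolation.tools.hgfs.disable": "TRUE",
}
LINE_RE = re.compile(r'^\s*([\w.:]+)\s*=\s*"?([^"]*)"?\s*$')

def parse_vmx(text):
    """Map key -> value per 'key = "value"' line; '#' comments skipped, keys lowercased (VMware is case-insensitive)."""
    cfg = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and not line.lstrip().startswith("#"):
            cfg[m.group(1).lower()] = m.group(2).strip()
    return cfg

def audit(text):
    """Return {directive: (required, actual_or_None)} for each missing or wrongly set directive."""
    cfg = parse_vmx(text)
    nics = sorted({k.split(".")[0] for k in cfg if re.match(r"ethernet\d+\.", k)})
    findings = {}
    for key, want in EXPECTED.items():
        targets = [key.replace("ethernet0", n) for n in nics] if key.startswith("ethernet0.") else [key]
        for t in targets:
            actual = cfg.get(t.lower())
            if actual is None or actual.upper() != want:
                findings[t] = (want, actual)
    return findings

# Constructed sample .vmx: ethernet0 hardened, ethernet1 not, sound still on, dnd only commented out.
SAMPLE_VMX = """\
ethernet0.downWhenAddrMismatch = "TRUE"
ethernet0.noForgedSrcAddr = "TRUE"
ethernet0.noPromisc = "TRUE"
ethernet0.ignoreMACAddressConflict = "FALSE"
ethernet0.reassignMAConResume = "FALSE"
ethernet0.allowGuestConnectionControl = "FALSE"
ethernet1.present = "TRUE"
ethernet1.noPromisc = "FALSE"
sound.present = "TRUE"
#isolation.tools.dnd.disable = "TRUE"
isolation.tools.hgfs.disable = "TRUE"
"""
```

Run audit() on the master VM's .vmx after step 3 of the synopsis and before re-registering it; an empty result means every listed directive is present with the required value.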
