
Control VM data access
VMware provides some functions that permit data exchange with the inside of the VM:
- HGFS: This is used to transfer files between the host and the VMs. Note that this capability is only leveraged on Workstation/Player/Fusion; it is not implemented in ESXi.
- Copy and paste between the guest OS and the remote console: By default, this feature is disabled, as recommended for a secure environment. If copy and paste is enabled and the VM has VMware Tools installed, you can copy and paste between the guest operating system and the remote console.
You can control those features by using the vSphere Web Client: select a VM, right-click on the VM, and click on Edit Settings. In the VM Options tab, click on Advanced, and click on Edit Configuration.
At this point, edit the specific rows (if they already exist) or add new rows. The following table summarizes some possible parameters:

| VM advanced parameter | Recommended value | Result |
| --- | --- | --- |
| isolation.tools.hgfsServerSet.disable | TRUE | Disable HGFS file transfer |
| isolation.tools.copy.disable | TRUE | Disable copy operations |
| isolation.tools.paste.disable | TRUE | Disable paste operations |
| isolation.tools.setGUIOptions.enable | FALSE | Disable VMware Tools options from the guest |
If you make changes to the preceding configuration parameters, restart the VM to load the changes.
The vSphere 6.5 Security Guide (https://docs.vmware.com/en/VMware-vSphere/6.5/com.vmware.vsphere.security.doc/GUID-60E83710-8295-41A2-9C9D-83DEBB6872C2.html) reports other settings that are not exposed in vSphere, but could cause vulnerabilities, as follows:
| VM advanced parameter | Recommended value |
| --- | --- |
| isolation.tools.unity.push.update.disable | TRUE |
| isolation.tools.ghi.launchmenu.change | TRUE |
| isolation.tools.memSchedFakeSampleStats.disable | TRUE |
| isolation.tools.getCreds.disable | TRUE |
| isolation.tools.ghi.autologon.disable | TRUE |
| isolation.bios.bbs.disable | TRUE |
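The Edit Configuration dialog writes these rows into the VM's .vmx file as `key = "value"` lines, so a quick way to verify a fleet against both tables above is to audit the .vmx text directly. The script below is an added example, not code from the book or from VMware: it parses a .vmx file, compares every isolation.* key from the two tables with its recommended value, and emits the lines that still need to be added or changed. The sample .vmx content is constructed for the demonstration; the key names and recommended values are exactly those listed above.

```python
"""Audit a VMware .vmx file against the isolation.* hardening settings above.

Added example (not from the book or VMware). The SAMPLE_VMX text is constructed.
"""
import re
import sys

# Recommended values from the two tables above. .vmx keys are matched
# case-insensitively; the recommended values are compared case-insensitively too.
RECOMMENDED = {
    "isolation.tools.hgfsServerSet.disable": "TRUE",
    "isolation.tools.copy.disable": "TRUE",
    "isolation.tools.paste.disable": "TRUE",
    "isolation.tools.setGUIOptions.enable": "FALSE",
    "isolation.tools.unity.push.update.disable": "TRUE",
    "isolation.tools.ghi.launchmenu.change": "TRUE",
    "isolation.tools.memSchedFakeSampleStats.disable": "TRUE",
    "isolation.tools.getCreds.disable": "TRUE",
    "isolation.tools.ghi.autologon.disable": "TRUE",
    "isolation.bios.bbs.disable": "TRUE",
}

# Constructed sample: a VM where two settings are wrong and six are not pinned at all.
SAMPLE_VMX = '''\
.encoding = "UTF-8"
config.version = "8"
displayName = "web01"
# copy is disabled, paste was re-enabled by someone, HGFS uses lowercase "true"
isolation.tools.copy.disable = "TRUE"
isolation.tools.paste.disable = "FALSE"
isolation.tools.hgfsServerSet.disable = "true"
isolation.tools.setGUIOptions.enable = "TRUE"
'''

# One .vmx line: key = "value"  (keys may contain dots and colons, never spaces)
_LINE = re.compile(r'^\s*([^=\s]+)\s*=\s*"(.*)"\s*$')


def parse_vmx(text):
    """Return {lowercased key: value} for every key = "value" line.

    Blank lines and # comments are skipped; lines that do not match the
    key = "value" shape are ignored rather than treated as an error.
    """
    cfg = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _LINE.match(line)
        if m:
            cfg[m.group(1).lower()] = m.group(2)
    return cfg


def audit(cfg, recommended=RECOMMENDED):
    """Return a list of (key, expected, actual) for non-compliant settings.

    A key that is absent is reported with actual=None: in that case the
    hypervisor default applies, and the guide's intent is to pin the value
    explicitly, so an unset row counts as a finding.
    """
    findings = []
    for key, expected in recommended.items():
        actual = cfg.get(key.lower())
        if actual is None or actual.strip().upper() != expected.upper():
            findings.append((key, expected, actual))
    return findings


def remediation_lines(findings):
    """Turn findings into the .vmx lines to add via Edit Configuration."""
    return ['%s = "%s"' % (key, expected) for key, expected, _ in findings]


def audit_file(path):
    """Convenience wrapper: audit a .vmx file on disk."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit(parse_vmx(fh.read()))


if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() \
        if len(sys.argv) > 1 else SAMPLE_VMX
    result = audit(parse_vmx(text))
    for key, expected, actual in result:
        state = "not set" if actual is None else 'is "%s"' % actual
        print("NON-COMPLIANT %-50s %s, expected %s" % (key, state, expected))
    print("%d finding(s); lines to add/change:" % len(result))
    for line in remediation_lines(result):
        print("  " + line)
```

Run it with no arguments to see the report for the constructed sample, or pass the path of a real .vmx file exported from a datastore. Remember, as the text above notes, that a VM must be restarted for changed isolation.* values to take effect, so a clean audit of the file does not by itself prove the running VM has loaded them.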