
Control VM device connections
As described previously, any device can represent a potential attack channel, and a good practice is to remove or disable unnecessary devices.
From inside the guest, VMware Tools can be used to connect or disconnect virtual devices (for example, a network adapter or a CD/DVD drive), which an attacker with a foothold in the guest could abuse to cause a DoS, such as disconnecting a production VM's NIC. This feature is disabled by default, but it is good practice to enforce that state explicitly with the advanced parameters listed below rather than rely on the default. For more information, see the vSphere 6.5 Security Guide (https://docs.vmware.com/en/VMware-vSphere/6.5/com.vmware.vsphere.security.doc/GUID-F88A5FED-552B-44F9-A168-C62D9306DBD6.html).
Note that VMware provides some devices that are hot-pluggable (such as the virtual NIC). In this case, users and processes with local guest OS privileges (root or administrator) can disconnect those devices from within the guest OS itself, for example through a Windows "Safely Remove Hardware" eject, without touching vSphere at all. This is controlled by the devices.hotplug parameter, which can only be changed while the VM is powered off; because it turns off hot-plug for all devices and not just the NIC, hot-add of vCPU and memory no longer works while it is set to FALSE. For more information, see KB 1012225 (https://kb.vmware.com/s/article/1012225), Disabling the HotAdd/HotPlug capability in ESXi 6.x, 5.x and ESXi/ESX 4.x VMs.
The following table summarizes the VM advanced parameters for controlling VM device connections and the value recommended for each:

VM advanced parameter                     Recommended value   Result
isolation.device.connectable.disable      TRUE                Prevents guest users and processes from connecting or disconnecting devices
isolation.device.edit.disable             TRUE                Prevents guest users and processes from modifying device settings
devices.hotplug                           FALSE               Disables device hot-plug (the guest can no longer eject hot-pluggable devices such as the virtual NIC)
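The parameters above are stored as plain key = "value" lines in the VM's .vmx file, so a quick way to check a fleet of VMs is to audit the .vmx files directly. The following script is an added example written for this section (it is not VMware's code and not part of the original text): it parses a .vmx file, reports each of the three parameters as ok, missing or weak, and produces a hardened copy with the recommended values. The sample .vmx content is constructed for illustration, and the case-insensitive handling of keys and values is an assumption that matches how these settings are usually written.

```python
"""Audit and harden the VM device-connection parameters in a VMware .vmx file.

Added example for this section; not VMware's own tooling.  The sample .vmx
text is constructed for illustration.
"""
import re

# Recommended values from the table above (key -> value).
RECOMMENDED = {
    "isolation.device.connectable.disable": "TRUE",   # no guest connect/disconnect
    "isolation.device.edit.disable": "TRUE",          # no guest device edits
    "devices.hotplug": "FALSE",                       # no hot-plug (needs power-off)
}

# A .vmx line: key = "value" (quotes are optional).
_VMX_LINE = re.compile(r'^\s*([A-Za-z0-9_.:-]+)\s*=\s*"?(.*?)"?\s*$')


def parse_vmx(text):
    """Return {key: value} for every setting line; keys are lower-cased
    because .vmx keys are treated case-insensitively here (assumption)."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _VMX_LINE.match(line)
        if m:
            settings[m.group(1).lower()] = m.group(2)
    return settings


def audit_device_controls(vmx_text):
    """Return {parameter: status} with status 'ok', 'missing' or 'weak:<value>'.

    A missing parameter is reported separately from a wrong one: whether the
    default is acceptable depends on the ESXi version, so the safe move is to
    set it explicitly rather than assume.
    """
    settings = parse_vmx(vmx_text)
    report = {}
    for key, want in RECOMMENDED.items():
        got = settings.get(key.lower())
        if got is None:
            report[key] = "missing"
        elif got.strip().upper() == want:          # TRUE/true both accepted
            report[key] = "ok"
        else:
            report[key] = "weak:" + got
    return report


def harden_vmx(vmx_text):
    """Return a copy of the .vmx text with the three parameters set to the
    recommended values: existing lines are rewritten in place, missing ones
    are appended, and every other line is left untouched."""
    out, seen = [], set()
    for line in vmx_text.splitlines():
        m = _VMX_LINE.match(line)
        key = m.group(1).lower() if m else None
        target = next((k for k in RECOMMENDED if k.lower() == key), None)
        if target:
            out.append('%s = "%s"' % (target, RECOMMENDED[target]))
            seen.add(target)
        else:
            out.append(line)
    for key, want in RECOMMENDED.items():
        if key not in seen:
            out.append('%s = "%s"' % (key, want))
    return "\n".join(out) + "\n"


# Constructed sample: one parameter wrong, one missing, hot-plug left on.
WEAK_VMX = '''.encoding = "UTF-8"
config.version = "8"
virtualHW.version = "13"
displayName = "web01"
ethernet0.present = "TRUE"
ethernet0.virtualDev = "vmxnet3"
isolation.device.connectable.disable = "FALSE"
devices.hotplug = "true"
'''

if __name__ == "__main__":
    for key, status in audit_device_controls(WEAK_VMX).items():
        print("%-40s %s" % (key, status))
    print("--- hardened ---")
    print(harden_vmx(WEAK_VMX), end="")
```

Rewriting a .vmx on the datastore only takes effect once the VM's configuration is reloaded (or after a power cycle for devices.hotplug), so in practice the audit is the useful part: point it at the .vmx files you export or fetch, and apply the fixes through the vSphere client or PowerCLI so the change goes through the normal change-control path.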