September 2012

Threats Associated with Unprivileged User Accounts
Disk shrinking feature
Shrinking a virtual disk reclaims unused disk space. Users and processes
without root or administrator privileges can invoke this procedure. Because
the disk-shrinking process can take considerable time to complete, invoking
the disk-shrinking procedure repeatedly can cause a denial of service. The
virtual disk is unavailable during the shrinking process. Use the
following .vmx settings to disable disk shrinking:
isolation.tools.diskWiper.disable = "TRUE"
isolation.tools.diskShrink.disable = "TRUE"
Copy and paste feature
By default, the ability to copy and paste text, graphics, and files is disabled, as
is the ability to drag and drop files. When this feature is enabled, you can copy
and paste rich text and, depending on the VMware product, graphics and files
from your clipboard to the guest operating system in a virtual machine. In
practice, this means that as soon as the console window of a virtual machine
gains focus, nonprivileged users and processes running in the virtual machine
can read the clipboard of the computer where the console window is running. To avoid
risks associated with this feature, retain the following .vmx settings, which
disable copying and pasting:
isolation.tools.copy.disable = "TRUE"
isolation.tools.paste.disable = "TRUE"
Threats Associated with Virtual Devices
Connecting and modifying devices
By default, the ability to connect and disconnect devices is disabled. When this
feature is enabled, users and processes without root or administrator privileges
can connect devices such as network adapters and CD-ROM drives, and they
can modify device settings. For example, a user can connect a disconnected CD-ROM
drive and access sensitive information on the media left in the drive. A user
can also disconnect a network adapter to isolate the virtual machine from its
network, which amounts to a denial of service. To avoid risks associated with this feature,
retain the following .vmx settings, which disable the ability to connect and
disconnect devices or to modify device settings:
isolation.device.connectable.disable = "TRUE"
isolation.device.edit.disable = "TRUE"
Virtual Machine Communication Interface (VMCI) for ESXi 5.0 and Earlier
This setting applies to ESXi 5.0 and earlier virtual machines. It does not apply
to ESXi 5.1 and later virtual machines.
If VMCI is not restricted, a virtual machine can detect and be detected by all
others with the same option enabled within the same host. Custom-built
software that uses this interface might have unexpected vulnerabilities that
lead to an exploit. Also, a virtual machine could detect how many other virtual
machines are within the same ESX/ESXi system by registering the virtual
machine. This information could be used for a malicious objective. The virtual
machine can be exposed to others within the system as long as at least one
program is connected to the VMCI socket interface. Use the following .vmx
setting to restrict VMCI:
vmci0.unrestricted = "FALSE"
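The isolation settings listed above are easy to audit offline. The following script is an added example, not code from the VMware documentation: it parses the key = "value" lines of a .vmx file and reports every setting from this section that is missing or not at the hardened value (the VMCI check is optional because it only applies to ESXi 5.0 and earlier). The sample .vmx text and the choice to compare keys and values case-insensitively are assumptions made here.

```python
import re
from typing import Dict, List

# Hardened values for the .vmx settings discussed in this section.
EXPECTED = {
    "isolation.tools.diskWiper.disable": "TRUE",
    "isolation.tools.diskShrink.disable": "TRUE",
    "isolation.tools.copy.disable": "TRUE",
    "isolation.tools.paste.disable": "TRUE",
    "isolation.device.connectable.disable": "TRUE",
    "isolation.device.edit.disable": "TRUE",
    "vmci0.unrestricted": "FALSE",   # only meaningful for ESXi 5.0 and earlier
}

_LINE = re.compile(r'^\s*([A-Za-z0-9_.:-]+)\s*=\s*"(.*)"\s*$')

def parse_vmx(text: str) -> Dict[str, str]:
    """Parse key = "value" lines; blank and '#' comment lines are skipped."""
    settings = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _LINE.match(line)
        if m:
            settings[m.group(1).lower()] = m.group(2)  # keys compared case-insensitively
    return settings

def audit_vmx(text: str, check_vmci: bool = True) -> List[str]:
    """Return one finding per expected setting that is absent or not hardened."""
    settings = parse_vmx(text)
    findings = []
    for key, want in EXPECTED.items():
        if key == "vmci0.unrestricted" and not check_vmci:
            continue  # newer VMs do not use this setting
        have = settings.get(key.lower())
        if have is None:
            findings.append(f'{key}: missing (expected "{want}")')
        elif have.upper() != want:
            findings.append(f'{key}: is "{have}" (expected "{want}")')
    return findings

# Constructed sample .vmx: three settings hardened, one weak, the rest absent.
SAMPLE_VMX = """\
.encoding = "UTF-8"
isolation.tools.diskShrink.disable = "TRUE"
isolation.tools.copy.disable = "true"
isolation.tools.paste.disable = "FALSE"
vmci0.unrestricted = "FALSE"
"""
```

Running audit_vmx(SAMPLE_VMX) on the constructed sample reports the weak paste setting and the three missing settings; an empty list means every setting from this section is at its hardened value.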
Installing and Configuring VMware Tools
46 VMware, Inc.