Sponsors

Tuesday, 28 June 2016

Securing Virtual Machines: Unnecessary Hardware Devices

When virtual machine is created, there are multiple devices that are associated with VM like floppy drive, CD-ROM and few others, but some of these devices are rarely used.

I just created the test VM without any modification below is the result of default device that are getting added.





We can remove these devices safely as they are rarely used but also if required at any point of time, we can add them back temporarily again on the fly. Once the task is done, we can again remove them.

We can consider following devices for removal:

  • Floppy drives
  • Serial ports
  • Parallel ports
  • USB controllers
  • CD-ROM drives (Disconnect at least if not possible to remove due to frequent use of this device)
It is recommended that we should only present the devices that are required to a virtual machines. This approach allows to use resources efficiently and securely.

The reason behind removing such devices is that, unnecessary hardware devices uses interrupts and also operating systems polls these devices which results in consuming CPU cycles. Also few of these devices reserve some amount of memory.

These enabled or connected unnecessary device may pose potential attack channel too.

Any attacker with access to a virtual machine can connect a disconnected hardware device and access sensitive information on the media left in the drives in case of mapping to physical drives, or disconnect a network adapter to isolate the virtual machine from its network, resulting in a denial of service.
Remove any unnecessary hardware devices.
Disable unnecessary virtual devices from within a virtual machine if you cannot remove.

Do check other article in this series on Limit Informational Messages from Virtual Machines to VMX Files

3 comments:

  1. Hi,

    Thank you so much for the post, fully agree with you except for the CD/DVD. It's necessary for the VMWare tools, without CD/DVD the tools can not be upgraded or installed

    ReplyDelete
    Replies
    1. Well as I mentioned when you need CD-ROM you can add on the fly and remove once not needed, also for VMware tools instead of doing manual updates, you can also use update manager.

      Delete
  2. I agree with all but the CD. It is used often enough that there is a bigger risk of screwing up the running VM by adding and removing HW and reconfiguring drives than it is a resource or security risk. All other points are valid and it is a very good refresher. Thanks for sharing.

    ReplyDelete

Popular Posts This Week