Information
Ensure that the MAC Address Change policy is set to reject.
*Rationale*
If the virtual machine operating system changes the MAC address, it can send frames with
an impersonated source MAC address at any time. This allows it to stage malicious attacks
on the devices in a network by impersonating a network adaptor authorized by the
receiving network. This will prevent VMs from changing their effective MAC address. It will
affect applications that require this functionality. An example of an application like this is
Microsoft Clustering, which requires systems to effectively share a MAC address. This will
also affect how a layer 2 bridge will operate. This will also affect applications that require a
specific MAC address for licensing. An exception should be made for the dvPortgroups that
these applications are connected to.
Solution
1. Configure by using the vSphere Client to connect to the vCenter Server and logging in as an administrator.
2. Go to 'Home > Inventory > Networking'.
3. Select each dvPortgroup connected to active VMs requiring securing.
4. Go to tab 'Summary > Edit Settings > Policies > Security'.
5. Set 'Mac Address Changes' = 'Reject'
Impact-This will prevent VMs from changing their effective MAC address. It will affect applications
that require this functionality. An example of an application like this is Microsoft Clustering,
which requires systems to effectively share a MAC address. This will also affect how a layer
2 bridge will operate. This will also affect applications that require a specific MAC address
for licensing. An exception should be made for the dvPortgroups that these applications are
connected to.