8.2.5 Disconnect unauthorized devices - USB Devices

Information

Any enabled or connected device represents a potential attack channel. Users and
processes without privileges on a virtual machine can connect or disconnect hardware
devices, such as network adapters and CD-ROM drives. Attackers can use this capability to
breach virtual machine security. Removing unnecessary hardware devices can help prevent
attacks.

*Rationale*

Besides disabling unnecessary virtual devices from within the virtual machine, you should
ensure that no device is connected to a virtual machine if it is not required to be there. For
example, serial and parallel ports are rarely used for virtual machines in a datacenter
environment, and CD/DVD drives are usually connected only temporarily during software
installation. For less commonly used devices that are not required, either the parameter
should not be present or its value must be FALSE.
NOTE- The parameters listed are not sufficient to ensure that a device is usable; other
parameters are required to indicate specifically how each device is instantiated. Any
enabled or connected device represents another potential attack channel.

http://pubs.vmware.com/vsphere-51/topic/com.vmware.vsphere.security.doc/GUID-822B2ED3-D8D2-4F57-8335-CA46E915A729.html

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

To implement the recommended configuration state, run the following PowerCLI
command-# Remove all USB Devices attached to VMs
Get-VM | Get-USBDevice | Remove-USBDevice

Impact-Virtual machine will need to be powered off to reverse change if any of these devices are
needed at a later time.

Default Value-The prescribed state is not the default state.

See Also

https://workbench.cisecurity.org/files/902

Item Details

Category: MEDIA PROTECTION

References: 800-53|MP-7

Plugin: VMware

Control ID: 26274ea3fce2e97f88e34a3fc9bfd484302c62d399a3881faac261d938d7871d