8.7.1 Disable VIX messages from the VM

Information

If you do not make use of custom VIX programming in your environment then you should
disable this feature to reduce the potential for vulnerabilities.

*Rationale*

The VIX API is a library for writing scripts and programs to manipulate virtual machines. If
you do not make use of custom VIX programming in your environment, then you should
disable certain features to reduce the potential for vulnerabilities. The ability to send
messages from the VM to the host is one of these features.

Note- Disabling this feature does NOT adversely affect the functioning of VIX operations
that originate outside the guest, so certain VMware and 3rd party solutions that rely upon
this capability should continue to work. This is a deprecated interface. Ensure that any
deprecated interface is turned off for audit purposes.

Solution

To implement the recommended configuration state, run the following PowerCLI
command-# Add the setting to all VMs
Get-VM | New-AdvancedSetting -Name 'isolation.tools.vixMessage.disable' -value $true

Impact-Guest will no longer be able to send messages via VIX API.

Default Value-The prescribed state is not the default state.

See Also

https://workbench.cisecurity.org/files/145

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-7

Plugin: VMware

Control ID: 75137c4a619fe3d743be702a246e04c25ed8592e0b0407a81d12c3bd0bb1bec2