8.3.2 Ensure use of the VM console is limited

Information

The VM console lets you connect to the console of a VM and see what a monitor attached to a physical server would show. It also provides power management and removable-device connectivity controls. Instead of the VM console, use the guest's native remote management services, such as terminal services (RDP) and SSH, to interact with VMs. Grant access to the VM console only when needed, and use custom roles to give fine-grained permissions to the people who do need it. By default, the vCenter roles 'Virtual Machine Power User' and 'Virtual Machine Administrator' include the 'Virtual Machine.Interaction.Console Interaction' privilege.

Rationale:

The VM console could be misused to eavesdrop on VM activity (anyone with console interaction sees the screen and can type into it, regardless of guest credentials) or to cause VM outages through its power and device controls, and it can negatively affect performance, especially if many VM console sessions are open simultaneously.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

To properly limit use of the VM console, perform the following steps:

1. From the vSphere Client, navigate to vCenter --> Administration --> Roles.

2. Create a custom role (cloning an existing role is a convenient starting point) and choose Edit so that only the minimum needed privileges remain enabled; in particular, leave out 'Virtual Machine.Interaction.Console Interaction' for users who do not need console access.

3. Select an object in the inventory (for example, a VM folder or a resource pool).

4. Click the Permissions tab to view the user/role pair assignments for that object.

5. Remove assignments of the default administrator and 'Virtual Machine Power User' roles from principals who do not need console access, and assign the new custom role as needed. Review inherited permissions as well: a role assigned higher in the inventory with Propagate enabled grants the same privileges on every child object.
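The same audit and remediation can be done from VMware PowerCLI, which is how a practitioner would check this across a whole vCenter rather than object by object. The script below is an added example and is not part of the CIS benchmark or the Tenable check. It assumes the PowerCLI module is installed and a session has already been opened with Connect-VIServer; the privilege is referenced by its API ID 'VirtualMachine.Interact.ConsoleInteract' (the same privilege the UI labels 'Virtual Machine.Interaction.Console Interaction'). The role name 'VM-Operator-NoConsole', the folder 'Production-VMs' and the group 'CORP\vm-operators' are hypothetical placeholders.

```powershell
# Added example (not from the CIS benchmark or the Tenable plugin).
# Assumes: PowerCLI installed and Connect-VIServer already run.
# Hypothetical names: role 'VM-Operator-NoConsole', folder 'Production-VMs', group 'CORP\vm-operators'.

$consolePriv = 'VirtualMachine.Interact.ConsoleInteract'   # API ID of 'Console Interaction'

# 1. Audit: which roles (built-in or custom) grant console interaction?
$consoleRoles = Get-VIRole | Where-Object { $_.PrivilegeList -contains $consolePriv }
Write-Host "Roles granting console interaction:"
$consoleRoles | Select-Object Name, IsSystem | Format-Table -AutoSize

# 2. Audit: which principals hold those roles, on which objects, and does it propagate?
Write-Host "Permission assignments that grant console interaction:"
Get-VIPermission |
    Where-Object { $consoleRoles.Name -contains $_.Role } |
    Select-Object Principal, Role, @{N = 'Entity'; E = { $_.Entity.Name }}, Propagate, IsGroup |
    Sort-Object Principal, Entity |
    Format-Table -AutoSize

# 3. Remediate: build a least-privilege role by cloning the sample power-user role
#    and dropping only the console-interaction privilege (name may carry a '(sample)' suffix).
$base = Get-VIRole | Where-Object { $_.Name -like 'Virtual Machine Power User*' } | Select-Object -First 1
$privs = Get-VIPrivilege -Role $base | Where-Object { $_.Id -ne $consolePriv }
$newRole = Get-VIRole -Name 'VM-Operator-NoConsole' -ErrorAction SilentlyContinue
if (-not $newRole) {
    $newRole = New-VIRole -Name 'VM-Operator-NoConsole' -Privilege $privs
}

# 4. Remediate: on the target folder, replace the group's existing assignment with the custom role.
$folder    = Get-Folder -Name 'Production-VMs'
$principal = 'CORP\vm-operators'
Get-VIPermission -Entity $folder -Principal $principal | Remove-VIPermission -Confirm:$false
New-VIPermission -Entity $folder -Principal $principal -Role $newRole -Propagate:$true

# 5. Verify: the principal should no longer appear in the console-capable assignment list.
$still = Get-VIPermission -Entity $folder -Principal $principal |
    Where-Object { $consoleRoles.Name -contains $_.Role }
if ($still) { Write-Warning "$principal still holds a console-capable role on $($folder.Name)" }
else        { Write-Host "$principal no longer has console interaction on $($folder.Name)" }
```

Steps 1 and 2 are the audit a reviewer wants before touching anything: step 2 is the PowerCLI equivalent of walking every object's Permissions tab, and the Propagate column shows where a single assignment high in the inventory is the real source of console access. Run the remediation half only after confirming the affected group really uses in-guest remote management instead of the console, since removing the privilege also removes their ability to recover a VM whose network stack is down.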

See Also

https://workbench.cisecurity.org/benchmarks/8020

Item Details

Category: CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

References: 800-53|CM-1, 800-53|CM-2, 800-53|CM-6, 800-53|CM-7, 800-53|CM-7(1), 800-53|CM-9, 800-53|SA-3, 800-53|SA-8, 800-53|SA-10, CSCv7|16.1

Plugin: VMware

Control ID: eeb7b33564e8da46541a1a2bbaafac3503c9ea0846575e6be30ba1f501f28f0b