8.3.2 (L1) Ensure use of the VM console is limited

Information

The VM console enables you to connect to the console of a VM, in effect seeing what a monitor on a physical server would show. The VM console also provides power management and removable device connectivity controls. Instead of the VM console, use native remote management services, such as terminal services and ssh, to interact with VMs. Grant access to the VM console only when needed, and use custom roles to provide fine-grained permissions for those people who do need access. By default, the vCenter roles "Virtual Machine Power User" and "Virtual Machine Administrator" have the "Virtual Machine.Interaction.Console Interaction" privilege.

The VM console could be misused to eavesdrop on VM activity, cause VM outages, and negatively affect the performance of the console, especially if many VM console sessions are open simultaneously.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

To properly limit use of the VM console, perform the following steps:

- From within vCenter, select Menu, go to Administration, then Roles.
- Create a custom role, then choose the pencil icon to edit the new role.
- Give the appropriate permissions.
- View the usage and privileges as required.
- Remove any default Admin or Power User role assignments, then assign the new custom roles as needed.
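Because Nessus does not perform this check, the review has to be done by hand or scripted. The following PowerCLI script is an added example, not part of the CIS benchmark or of this audit text: it lists every role that carries the console-interaction privilege, shows which principals hold those roles and on which inventory objects, and then creates a narrower custom role for operators who do not need console access. It assumes VMware PowerCLI is installed and a session has already been opened with Connect-VIServer; the role name "VM Operator (No Console)" and its privilege set are hypothetical choices for illustration.

```powershell
# Added example (not part of the CIS benchmark or Tenable audit text).
# Assumes VMware PowerCLI is installed and Connect-VIServer has already been run.
# 'VirtualMachine.Interact.ConsoleInteract' is the API privilege ID behind the
# "Virtual Machine > Interaction > Console Interaction" label in the vSphere Client.

$consolePriv = 'VirtualMachine.Interact.ConsoleInteract'

# 1. Audit: which roles (built-in or custom) grant console interaction?
$consoleRoles = Get-VIRole | Where-Object { $_.PrivilegeList -contains $consolePriv }
Write-Host "Roles granting VM console access:"
$consoleRoles | Select-Object Name, IsSystem | Format-Table -AutoSize

# 2. Audit: which users/groups hold those roles, on which objects, and do they propagate?
Write-Host "Permissions that grant VM console access:"
Get-VIPermission |
    Where-Object { $consoleRoles.Name -contains $_.Role } |
    Select-Object Principal, Role, Propagate, @{ Name = 'Entity'; Expression = { $_.Entity.Name } } |
    Sort-Object Principal |
    Format-Table -AutoSize

# 3. Remediation: a custom role for day-to-day operators that deliberately omits
#    ConsoleInteract. The role name and privilege list below are hypothetical;
#    adjust them to what the operators actually need.
$operatorPrivs = Get-VIPrivilege -Id 'VirtualMachine.Interact.PowerOn',
                                     'VirtualMachine.Interact.PowerOff',
                                     'VirtualMachine.State.CreateSnapshot'
New-VIRole -Name 'VM Operator (No Console)' -Privilege $operatorPrivs

# Re-run step 1 afterwards: the new role must not appear in $consoleRoles.
```

Run steps 1 and 2 first and keep the output as evidence for the control; any principal that appears with "Virtual Machine Power User" or "Virtual Machine Administrator" should be moved to the custom role (or to a role that does include console interaction only if that person genuinely needs it), and Propagate=True assignments at folder or datacenter level deserve particular attention because they extend console access to every VM beneath that object.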

See Also

https://workbench.cisecurity.org/benchmarks/15334

Item Details

Category: CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

References: 800-53|CM-2, 800-53|CM-6, 800-53|CM-7, 800-53|CM-7(1), 800-53|CM-9, 800-53|SA-3, 800-53|SA-8, 800-53|SA-10, CSCv7|16.1

Plugin: VMware

Control ID: 90e34baa98afdac3ee29dc4c1b0eccdf159a33c7bdac19c11240200754cd627b