Information
Configure VMware Tools to disable host information from being sent to guests unless a particular VM requires this information for performance monitoring purposes.
If a VM can obtain detailed information about the physical host, an adversary could potentially use this information to inform further attacks on the host.
Solution
To set this configuration, use the vSphere interface as follows:
- Select the VM then select Actions followed by Edit Settings
- Click on the VM Options tab then expand Advanced
- Click on EDIT CONFIGURATION
- Click on ADD CONFIGURATION PARAMS then input tools.guestlib.enableHostInfo with a value of FALSE
- Click OK then OK again.
To prevent host information from being sent to guests, run the following PowerCLI command:
# Add the setting to all VMs
Get-VM | New-AdvancedSetting -Name "tools.guestlib.enableHostInfo" -value $false
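An audit-then-remediate variant of the command above, added here as an example (not part of the original benchmark text): it reports each VM's current value and changes only VMs that are not on an exception list. It assumes an existing Connect-VIServer session; $Exempt, its placeholder VM name and the $Remediate switch are hypothetical, and a missing parameter is treated as needing the explicit FALSE value, as the command above does.

```powershell
# Added example, not from the benchmark. Assumes Connect-VIServer has been run.
$Name      = 'tools.guestlib.enableHostInfo'
$Exempt    = @('perf-monitor-01')  # hypothetical: VMs that need host info for performance monitoring
$Remediate = $false                # hypothetical switch: leave $false to audit only

# Audit: record the current value of the parameter on every VM.
$report = foreach ($vm in Get-VM) {
    $setting = Get-AdvancedSetting -Entity $vm -Name $Name
    $state = if (-not $setting) {
        'Missing'                  # parameter not present in the VM's configuration
    } elseif ("$($setting.Value)".Trim() -ieq 'false') {
        'Compliant'
    } else {
        'NonCompliant'
    }
    [pscustomobject]@{
        VM     = $vm
        Value  = $setting.Value    # $null when the parameter is missing
        State  = $state
        Exempt = $Exempt -contains $vm.Name
    }
}
$report | Sort-Object State, { $_.VM.Name } |
    Format-Table @{ n = 'VM'; e = { $_.VM.Name } }, Value, State, Exempt -AutoSize

# Remediate: set FALSE on every non-exempt VM that is not already compliant.
# -Force overwrites an existing value; -Confirm:$false suppresses the per-VM prompt.
if ($Remediate) {
    $report | Where-Object { $_.State -ne 'Compliant' -and -not $_.Exempt } | ForEach-Object {
        New-AdvancedSetting -Entity $_.VM -Name $Name -Value $false -Force -Confirm:$false | Out-Null
    }
}
```

Exempt VMs that report NonCompliant remain visible in the table, so each exception can be reviewed rather than silently skipped.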
Item Details
Category: CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION
References: 800-53|CM-1, 800-53|CM-2, 800-53|CM-6, 800-53|CM-7, 800-53|CM-7(1), 800-53|CM-9, 800-53|SA-3, 800-53|SA-8, 800-53|SA-10, CSCv7|13.3
Control ID: b5fe708575e81fdf882d5ec76be42d5731b4ec3ceb6b52ac16f6d03cadf28d4e