Information
By default, more than one user at a time can connect to a VM's remote console session. Permit only one remote console connection to a VM at a time. Other attempts will be rejected until the first connection disconnects.
When multiple sessions are activated, each terminal window gets a notification about the new session. If an administrator in the VM logs in using a VMware remote console during their session, a non-administrator in the VM can connect to the console and observe the administrator's actions. Restricting the console to a single connection has a trade-off: it could result in an administrator losing console access to a VM. For example, if a jump box is being used for an open console session, and the admin loses the connection to that box, the console session remains open. Allowing two console sessions permits debugging via a shared session. For highest security, only one remote console session at a time should be allowed.
Solution
To set this configuration, use the vSphere interface as follows:
- Select the VM then select Actions followed by Edit Settings
- Click on the VM Options tab then expand Advanced
- Click on EDIT CONFIGURATION
- Click on ADD CONFIGURATION PARAMS then input RemoteDisplay.maxConnections with a value of 1
- Click OK then OK again.
Alternatively, run the following PowerCLI command for VMs that do not specify the setting:
# Add the setting to all VMs
Get-VM | New-AdvancedSetting -Name "RemoteDisplay.maxConnections" -value 1
Run the following PowerCLI command for VMs that specify the setting but have the wrong value for it:
# Overwrite the existing value on all VMs (-Force replaces a setting that is already present)
Get-VM | New-AdvancedSetting -Name "RemoteDisplay.maxConnections" -Value 1 -Force
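The following is an added example, not part of the benchmark text: it combines the two commands above by classifying each VM as Missing, WrongValue or Compliant and, only when asked, applying the matching command. The $Remediate toggle and the report column names are assumptions made for illustration; the script expects VMware PowerCLI with an existing Connect-VIServer session.

```powershell
# Added example: audit (and optionally remediate) RemoteDisplay.maxConnections.
# Assumes VMware PowerCLI is loaded and Connect-VIServer has already been run.
$settingName = 'RemoteDisplay.maxConnections'
$expected    = '1'
$Remediate   = $false   # hypothetical toggle: $false = report only, $true = apply fixes

$report = foreach ($vm in Get-VM) {
    # Returns nothing when the VM does not define the setting at all
    $setting = Get-AdvancedSetting -Entity $vm -Name $settingName

    if (-not $setting) {
        $state = 'Missing'
    } elseif ([string]$setting.Value -ne $expected) {
        $state = 'WrongValue'
    } else {
        $state = 'Compliant'
    }

    if ($Remediate -and $state -eq 'Missing') {
        # Setting absent: create it (first command in the Solution)
        New-AdvancedSetting -Entity $vm -Name $settingName -Value $expected `
            -Confirm:$false | Out-Null
    } elseif ($Remediate -and $state -eq 'WrongValue') {
        # Setting present with another value: overwrite it (second command, -Force)
        New-AdvancedSetting -Entity $vm -Name $settingName -Value $expected `
            -Force -Confirm:$false | Out-Null
    }

    [pscustomobject]@{
        VM                   = $vm.Name
        State                = $state
        CurrentValue         = if ($setting) { $setting.Value } else { $null }
        RemediationAttempted = ($Remediate -and $state -ne 'Compliant')
    }
}

# Non-compliant VMs are listed alongside compliant ones for a full inventory
$report | Sort-Object State, VM | Format-Table -AutoSize
```

Run it once with $Remediate left at $false to review the Missing and WrongValue rows before changing anything.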
Item Details
Category: CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION
References: 800-53|CM-1, 800-53|CM-2, 800-53|CM-6, 800-53|CM-7, 800-53|CM-7(1), 800-53|CM-9, 800-53|SA-3, 800-53|SA-8, 800-53|SA-10, CSCv7|9.2, CSCv7|14.7
Control ID: 8cd3f99edb613e0e1bb991e33d3d53169152c31ebd09918a2b9f0c14664b9714