VMCH-70-000002 - Drag and drop operations must be disabled on the virtual machine (VM).

Information

Copy and paste operations are disabled by default; however, explicitly disabling this feature will enable audit controls to verify this setting is correct. Copy, paste, drag and drop, or GUI copy/paste operations between the guest operating system and the remote console could provide the means for an attacker to compromise the VM.

Solution

From the vSphere Client, right-click the Virtual Machine and go to Edit Settings >> VM Options >> Advanced >> Configuration Parameters >> Edit Configuration.

Verify the 'isolation.tools.dnd.disable' value is set to 'true'.

If the setting does not exist, add the Name and Value setting at the bottom of screen.

Note: The VM must be powered off to configure the advanced settings through the vSphere Client. Therefore, it is recommended to configure these settings with PowerCLI as this can be done while the VM is powered on. Settings do not take effect via either method until the virtual machine is cold started, not rebooted.

or

From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the provided commands as noted below.

If the setting does not exist, run:

Get-VM 'VM Name' | New-AdvancedSetting -Name isolation.tools.dnd.disable -Value true

If the setting exists, run:

Get-VM 'VM Name' | Get-AdvancedSetting -Name isolation.tools.dnd.disable | Set-AdvancedSetting -Value true

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_VMW_vSphere_7-0_Y24M01_STIG.zip

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6b., CAT|III, CCI|CCI-000366, Rule-ID|SV-256451r886396_rule, STIG-ID|VMCH-70-000002, Vuln-ID|V-256451

Plugin: VMware

Control ID: 0cfad3768d7bea4f5cb85abb4cefd1fd987cf390a014ddba2cd346edcdb9cf7a