The guest operating system that runs in the virtual machine is subject to the same security risks as a physical system. Secure virtual machines as you would secure physical machines.

Nonadministrative users in the guest operating system can shrink virtual disks. Shrinking a virtual disk reclaims the disk's unused space. However, if you shrink a disk repeatedly, the disk can become unavailable or cause a denial of service (DoS). To prevent this, disable the ability to shrink virtual disks.

Copy and paste operations between the guest operating system and the remote console are disabled by default. For a secure environment, retain the default setting. If you require copy and paste operations, you must enable them using the vSphere Client.

You can increase the guest operating system variable memory limit if large amounts of custom information are being stored in the configuration file.

You can prevent name-value pairs that guests send to the host from being written to the configuration file. This is appropriate when guest operating systems must be prevented from modifying configuration settings.

Users and processes without root or administrator privileges within virtual machines can connect or disconnect devices, such as network adapters and CD-ROM drives, and can modify device settings. To increase virtual machine security, remove these devices. If you do not want to permanently remove a device, you can prevent a virtual machine user or process from connecting or disconnecting the device from within the guest operating system.

All ESXi hosts run a syslog service (vmsyslogd), which logs messages from the VMkernel and other system components to log files.
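
The virtual machine settings described above (disk shrinking, copy and paste, the guest variable memory limit, guest writes to the configuration file, and device connection) can be audited offline from a copy of a `.vmx` file. The following is an added example, not VMware's own code: the setting names come from VMware's hardening guidance rather than this page, and the 1 MB review ceiling, the treatment of absent keys, and the sample file are assumptions.

```python
import re

# Setting names follow VMware's hardening guidance (not listed on this page).
# Value = state assumed when the key is absent; copy/paste are off by default.
REQUIRED_TRUE = {
    "isolation.tools.diskshrink.disable": False,
    "isolation.tools.diskwiper.disable": False,
    "isolation.tools.copy.disable": True,
    "isolation.tools.paste.disable": True,
    "isolation.tools.setinfo.disable": False,
    "isolation.device.connectable.disable": False,
    "isolation.device.edit.disable": False,
}
SIZE_KEY, SIZE_MAX = "tools.setinfo.sizelimit", 1048576  # assumed 1 MB ceiling
LINE = re.compile(r'^\s*([^#\s=]+)\s*=\s*"(.*)"\s*$')

def parse_vmx(text):
    """Return {lowercased key: value}; keys are compared case-insensitively."""
    settings = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            settings[m.group(1).lower()] = m.group(2)
    return settings

def audit_vmx(text):
    """Return a sorted list of findings; an empty list means no findings."""
    cfg, findings = parse_vmx(text), []
    for key, default in REQUIRED_TRUE.items():
        value = cfg.get(key)
        enabled = default if value is None else value.strip().lower() == "true"
        if not enabled:
            findings.append(f"{key}: expected TRUE, got {value!r}")
    limit = cfg.get(SIZE_KEY)
    if limit is not None and (not limit.isdigit() or int(limit) > SIZE_MAX):
        findings.append(f"{SIZE_KEY}: review {limit!r}, expected integer <= {SIZE_MAX}")
    return sorted(findings)

# Constructed sample .vmx fragment, not taken from a real host.
SAMPLE = '''
displayName = "app01"
isolation.tools.diskShrink.disable = "TRUE"
isolation.tools.copy.disable = "FALSE"
isolation.device.connectable.disable = "true"
tools.setInfo.sizeLimit = "4194304"
'''

if __name__ == "__main__":
    print("\n".join(audit_vmx(SAMPLE)))
```

A raised size limit is reported for review rather than as a failure, since the limit can legitimately be increased when large amounts of custom information are stored.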