Any enabled or connected device represents a potential attack channel. Users and processes without privileges on a virtual machine can connect or disconnect hardware devices, such as network adapters and CD-ROM drives. Attackers can use this capability to breach virtual machine security. Removing unnecessary hardware devices can help prevent attacks.

Use the following guidelines to increase virtual machine security.

Ensure that unauthorized devices are not connected and remove any unneeded or unused hardware devices.

Disable unnecessary virtual devices from within a virtual machine. An attacker with access to a virtual machine can connect a disconnected CD-ROM drive and access sensitive information on the media left in the drive, or disconnect a network adapter to isolate the virtual machine from its network, resulting in a denial of service.

Ensure that no device is connected to a virtual machine if it is not required. Serial and parallel ports are rarely used for virtual machines in a datacenter environment, and CD/DVD drives are usually connected only temporarily during software installation.

For less commonly used devices that are not required, the corresponding parameter in the virtual machine's configuration should either be absent or set to false. Ensure that each of the following parameters is absent or set to false unless the device is required (X and Y stand for the device index numbers, for example floppy0.present or ide1:0.present).

Parameter            Value   Device
floppyX.present      false   floppy drives
serialX.present      false   serial ports
parallelX.present    false   parallel ports
usb.present          false   USB controller
ideX:Y.present       false   CD-ROM
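A small audit that applies the table above to a virtual machine's configuration file, written as an added example for this page (it is not VMware's own tooling). It parses the key = "value" lines of a .vmx file, looks for the parameters listed above, and reports each one whose value is TRUE, so an administrator can confirm that only required devices remain. The sample .vmx content is constructed for the example; the extra check of the matching ideX:Y.deviceType entry is there because IDE channels can also carry disks, so reporting the device type helps review the finding.

```python
import re

# Constructed sample .vmx content (not taken from the page): one virtual
# machine with several optional devices still enabled.
SAMPLE_VMX = """\
.encoding = "UTF-8"
config.version = "8"
displayName = "web-01"
scsi0.present = "TRUE"
scsi0:0.present = "TRUE"
scsi0:0.fileName = "web-01.vmdk"
ethernet0.present = "TRUE"
floppy0.present = "TRUE"
floppy0.fileName = "/dev/fd0"
serial0.present = "FALSE"
parallel0.present = "TRUE"
usb.present = "TRUE"
ide1:0.present = "TRUE"
ide1:0.deviceType = "cdrom-image"
ide1:0.fileName = "/vmfs/volumes/iso/install.iso"
"""

# Device parameters from the hardening table; each should be absent or
# FALSE unless the device is genuinely required. X and Y are index numbers.
DEVICE_PATTERNS = {
    re.compile(r"^floppy\d+$"): "floppy drive",
    re.compile(r"^serial\d+$"): "serial port",
    re.compile(r"^parallel\d+$"): "parallel port",
    re.compile(r"^usb$"): "USB controller",
    re.compile(r"^ide\d+:\d+$"): "IDE device (CD-ROM)",
}


def parse_vmx(text):
    """Parse key = "value" lines into a dict with lowercased keys.

    .vmx keys are treated case-insensitively here; values keep their case
    but lose the surrounding quotes. Blank lines and comments are skipped.
    """
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        settings[key.strip().lower()] = value.strip().strip('"')
    return settings


def find_enabled_devices(settings):
    """Return (device, description, deviceType) for every listed device
    whose <device>.present value is TRUE (compared case-insensitively).

    Parameters that are absent or FALSE pass silently, which is the state
    the guideline asks for.
    """
    findings = []
    for key, value in settings.items():
        if not key.endswith(".present"):
            continue
        device = key[: -len(".present")]
        for pattern, description in DEVICE_PATTERNS.items():
            if pattern.match(device):
                if value.lower() == "true":
                    dev_type = settings.get(device + ".devicetype", "")
                    findings.append((device, description, dev_type))
                break
    return findings


def audit_vmx(text):
    """Convenience wrapper: parse .vmx text and return the enabled devices."""
    return find_enabled_devices(parse_vmx(text))


if __name__ == "__main__":
    for device, description, dev_type in audit_vmx(SAMPLE_VMX):
        extra = f" ({dev_type})" if dev_type else ""
        print(f"{device}.present is TRUE: {description}{extra} is enabled; "
              f"remove it unless the device is required")
```

Run against a real configuration by reading the .vmx file's contents into audit_vmx; a clean result is an empty list. Note that a parameter missing from the file is treated the same as one set to false, matching the "absent or false" wording of the guideline.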