Disallowing multiple vm console sessions

Currently I’m involved in a high-secure virtual infrastructure design and we are required to reduce the number of entry points to the virtual infrastructure. One of the requirements is to allow only a single session to the virtual machine console. Due to the increasing awareness \ demand of security in virtual infrastructure more organizations might want to apply this security setting.

1. Turn of the virtual machine.
2. Open Configuration parameters of the VM to edit the advanced configuration settings
3. Add Remote.Display.maxConnections with a value of 1
4. Power on virtual machine

Update: Arne Fokkema created a Power-CLI function to automate configuring this setting throughout your virtual infrastructure. You can find the power-cli function on ICT-freak.nl.

Frank Denneman

Follow me on Twitter, visit the facebook fanpage of FrankDenneman.nl, or add me to your Linkedin network

11 Responses

  1. Ray says:

    Why not setting it to "0" and dictate that remote connections are only allowed through RDP?

  2. Hugo Strydom says:


    This is by default in v4.1 disabled. You can look at KB : 1026437. Thus no need to specify it anymore.

  3. Elvedin Trnjanin says:

    Additional security information can be found in the "VMware vSphere 4.0 Security Hardening Guide" ( http://www.vmware.com/resources/techresources/10109 ) and should be a good read for everyone

  4. Greg says:

    So the obvious question is how do I enabled this for each VM, a cluster, dc etc. Looks like Arne Fokkema is frist watch tonight http://ict-freak.nl/2010/11/30/powercli-re-disallowing-multiple-vm-console-sessions/ - nice work all

  5. LucD says:

    My Security – Hardening – Part 1 – Virtual Machines post shows one way to apply these recommendations.

  6. Hi Frank,

    First off great blog, I always have to set aside some time to re-read your longer posts to get and understand all the information.

    A correction for this post, the advanced setting is "RemoteDisplay.maxConnections"
    You have a dot between Remote and Display which doesn't work on my 4.1 environment and might cause me issues when I redo my VCAP-DCA exam.

  7. Kiwi says:

    Thanks Alastair, without the point between "Remote" and "Display" it also works in our 4.1 environment.

  8. Drew says:

    is there a way to kick a user out of a console session if he has left it open?

  1. November 30, 2010

    [...] Frank Denneman posted today about disallowing multiple VM console session in a high-secure virtual infrastructure design: http://frankdenneman.nl/2010/11/disallowing-multiple-vm-console-sessions [...]

  2. December 17, 2010

    [...] saw a couple of good articles from Frank Denneman recently. One was on how to disallow multiple VM console sessions; the second was discussing disabling the balloon driver and why it’s generally not a good [...]