Currently I’m involved in a high-secure virtual infrastructure design and we are required to reduce the number of entry points to the virtual infrastructure. One of the requirements is to allow only a single session to the virtual machine console. Due to the increasing awareness \ demand of security in virtual infrastructure more organizations might want to apply this security setting.
1. Turn of the virtual machine.
2. Open Configuration parameters of the VM to edit the advanced configuration settings
3. Add Remote.Display.maxConnections with a value of 1
4. Power on virtual machine
Update: Arne Fokkema created a Power-CLI function to automate configuring this setting throughout your virtual infrastructure. You can find the power-cli function on ICT-freak.nl.
Why not setting it to “0” and dictate that remote connections are only allowed through RDP?
You might like this too http://www.boche.net/blog/index.php/2010/06/23/disable-copy-and-paste-for-a-vm/
@Jason
This is by default in v4.1 disabled. You can look at KB : 1026437. Thus no need to specify it anymore.
Additional security information can be found in the “VMware vSphere 4.0 Security Hardening Guide” ( http://www.vmware.com/resources/techresources/10109 ) and should be a good read for everyone
So the obvious question is how do I enabled this for each VM, a cluster, dc etc. Looks like Arne Fokkema is frist watch tonight http://ict-freak.nl/2010/11/30/powercli-re-disallowing-multiple-vm-console-sessions/ – nice work all
My Security – Hardening – Part 1 – Virtual Machines post shows one way to apply these recommendations.
Hi Frank,
First off great blog, I always have to set aside some time to re-read your longer posts to get and understand all the information.
A correction for this post, the advanced setting is “RemoteDisplay.maxConnections”
You have a dot between Remote and Display which doesn’t work on my 4.1 environment and might cause me issues when I redo my VCAP-DCA exam.
Thanks Alastair, without the point between “Remote” and “Display” it also works in our 4.1 environment.
is there a way to kick a user out of a console session if he has left it open?