7.18 (L1) Virtual machines must deactivate console copy operations

Information

Deactivating console copy operations is critical for preventing data transfer between the virtual machine and the local client, irrespective of the access method, whether via Web Console, VMRC, or others. The parameter governing this behavior is isolation.tools.copy.disable with a recommended setting of TRUE or Undefined.

Deactivating console copy operations minimizes the risk of unauthorized data access or leakage, enforcing a higher level of data security and integrity across the virtual environment.

Solution

To set this configuration, use the vSphere interface as follows:

- Select the VM then select Actions followed by Edit Settings
- Click on the VM Options tab then expand Advanced
- Click on EDIT CONFIGURATION
- Click on ADD CONFIGURATION PARAMS then input isolation.tools.copy.disable with a value of TRUE
- Click OK then OK again.

To explicitly disable VM console copy operations, run the following PowerCLI command:

# Add the setting to all VMs
Get-VM | New-AdvancedSetting -Name "isolation.tools.copy.disable" -value $true
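
An audit-then-remediate pass for this setting follows as an added example; it is not part of the benchmark or the original page. It assumes VMware PowerCLI with an active Connect-VIServer session, and the variable names and report columns are illustrative. It treats a missing parameter or a value of TRUE as compliant, as described above.

```powershell
# Added example (not from the benchmark). Assumes PowerCLI is loaded and
# Connect-VIServer has already been run against the target vCenter/ESXi host.
$settingName = 'isolation.tools.copy.disable'

# Audit: record the current value on every VM.
# Get-AdvancedSetting returns nothing when the parameter is not defined.
$report = foreach ($vm in Get-VM) {
    $setting = Get-AdvancedSetting -Entity $vm -Name $settingName
    $value   = if ($setting) { [string]$setting.Value } else { $null }

    [pscustomobject]@{
        VM        = $vm
        Name      = $vm.Name
        Value     = if ($null -eq $value) { '<undefined>' } else { $value }
        # Compliant when undefined or explicitly TRUE (case-insensitive compare).
        Compliant = ($null -eq $value) -or ($value -ieq 'TRUE')
    }
}

$report | Sort-Object Compliant, Name |
    Format-Table Name, Value, Compliant -AutoSize

# Remediate: only touch VMs whose value is explicitly something other than TRUE.
# -Force overwrites the existing parameter; -Confirm:$false suppresses the prompt.
foreach ($row in $report | Where-Object { -not $_.Compliant }) {
    New-AdvancedSetting -Entity $row.VM -Name $settingName -Value $true `
        -Force -Confirm:$false | Out-Null
    Write-Output "Set $settingName=TRUE on $($row.Name)"
}
```

Running the audit half on its own (everything up to Format-Table) gives a read-only compliance report.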

Impact:

There is no identified functional impact; however, this restriction enhances data security by minimizing unauthorized data transfer channels.

See Also

https://workbench.cisecurity.org/benchmarks/19200

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6, 800-53|CM-7, CSCv7|9.2

Plugin: VMware

Control ID: b98e91a53f569836680290e254bfee5e2cad4abf8d9d07e5b44a5925e45773a6