VMCH-06-000001 - The system must explicitly disable copy operations.

Information

Copy and paste operations are disabled by default; however, by explicitly disabling this feature it will enable audit controls to check that this setting is correct. Copy, paste, drag and drop, or GUI copy/paste operations between the guest OS and the remote console could provide the means for an attacker to compromise the VM.

Solution

From the vSphere Client select the Virtual Machine right click and go to Edit Settings >> VM Options Tab >> Advanced >> Configuration Parameters.

Find the isolation.tools.copy.disable value and set it to true. If the setting does not exist click 'Add Row' to add the setting to the virtual machine.

Note: The VM must be powered off to configure the advanced settings through the vSphere Client so it is recommended to configure these settings with PowerCLI as it can be done while the VM is powered on.

or

From a PowerCLI command prompt while connected to the ESXi host or vCenter server run the following command:

If the setting does not exist run:

Get-VM 'VM Name' | New-AdvancedSetting -Name isolation.tools.copy.disable -Value true

If the setting exists run:

Get-VM 'VM Name' | Get-AdvancedSetting -Name isolation.tools.copy.disable | Set-AdvancedSetting -Value true

See Also

http://iasecontent.disa.mil/stigs/zip/U_VMware_vSphere_6-0_Virtual_Machine_V1R1_STIG.zip

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6b., CAT|III, CCI|CCI-000366, Group-ID|V-63151, Rule-ID|SV-77641r1_rule, STIG-ID|VMCH-06-000001, Vuln-ID|V-63151

Plugin: VMware

Control ID: 77bc56d9d356faa364d4826746a185cb1fd8f494116aeb9fd4ecea9b703008c8