Virtual machines (VMs) must have copy operations disabled.

An XCCDF Rule

Description

Copy and paste operations are disabled by default; however, explicitly disabling this feature will enable audit controls to verify this setting is correct. Copy, paste, drag and drop, or GUI copy/paste operations between the guest operating system and the remote console could provide the means for an attacker to compromise the VM.

ID: SV-258703r933170_rule
Version: VMCH-80-000189
Severity: Low
References: CCI-000366
Updated: about 2 months ago

Remediation Templates

For each virtual machine do the following:

From the vSphere Client, right-click the Virtual Machine and go to Edit Settings >> Advanced Parameters.

Find the "isolation.tools.copy.disable" value and set it to "true".
If the setting does not exist no action is needed. 

or

From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command:

Get-VM "VM Name" | Get-AdvancedSetting -Name isolation.tools.copy.disable | Set-AdvancedSetting -Value true

Note: The VM must be powered off to configure the advanced settings through the vSphere Client. Therefore, it is recommended to configure these settings with PowerCLI as this can be done while the VM is powered on. Settings do not take effect via either method until the virtual machine is cold started, not rebooted.

Virtual machines (VMs) must have copy operations disabled.

Description

Remediation Templates

A Manual Procedure