The following VMware template tips are no rocket science, but I have seen a lot of VMware environments where these settings are not always set. To change any of these settings the virtual machine must be shut down, so setting these values in the VMware template up front can save you a lot of work afterwards :) .

  • VMware Tools auto upgrade

It is handy to turn on “check and upgrade tools before each power on” in a VMware template.

This way you always have the latest VMware Tools in a VMware template, and you do not have to convert the template to a virtual machine and upgrade the VMware Tools. This setting is very handy in big environments because it makes sure that the VMware Tools are up to date for newly deployed virtual machines.

You can set this in (right click) virtual machine properties-options-vmwaretools-“check and upgrade tools before each power on”.

  • Boot options

There is an option in vm settings-options-advanced-boot options to set a delay so that you will see the BIOS screen and have time to hit a key :) to enter the virtual BIOS or choose a boot option.

It can be handy to set this to a higher value, seconds instead of milliseconds. This is not necessary, but it can be handy to set it in the template already.

The following tips are more about making the ESX environment more secure, based on the Tripwire ConfigCheck and the security hardening guide from VMware, vi35_security_hardening_wp.pdf. The following settings are all checked by Tripwire ConfigCheck and are recommended by the VMware hardening guide. Of course, you have to check for yourself whether these values are suitable for your own environment.

  • Remove the floppy drive

A floppy drive is not necessary anymore and adds a little overhead, and this will be checked if you do an ESX security or ESX health check.

  • Turn off copy between guest OS and remote console

With VMware Tools installed, it is possible for the user to copy and paste data between the guest OS and the remote console. During an ESX health/security check this will be noticed as a security issue.

To turn this off, add “isolation.tools.copy.disable” in options-advanced-general with the value true.

  • Verify That Paste Is Disabled between Guest OS and Remote Console

As in the tip above: with VMware Tools installed on a virtual machine, it is possible for the user to copy and paste data between the guest OS and the remote console. Disabling copy and paste operations helps prevent inadvertent leakage of potentially sensitive information between the remote console and virtual machines.

To turn this off, add “isolation.tools.paste.disable” in options-advanced-general with the value true.

see picture above for more details

  • Verify Option to Override VMware Tools Settings Is Disabled

This test verifies that any configuration changes made using the virtual machine’s VMware Tools control panel on the guest OS cannot override settings defined by the system administrator on the ESX Server.

To turn this off, add “isolation.tools.setGUIOptions.enable” in options-advanced-general with the value false.

see picture above for more details

  • Verify That Log Rotate Size for Virtual Machines Is Less than or Equal to 100KB

Virtual machines log activity in their respective vmware.log files. If growth of these log files is not limited, it is possible for virtual machines to cause a denial of service on the ESX Server by filling up the VMFS volume. There are two options for preventing virtual machines from flooding the hard disk of the host: size-based log file rotation or disabling logging for the virtual machine. It is better to use rotation, because disabling logging altogether limits troubleshooting options.

To set this, add “log.rotateSize” in options-advanced-general with the value 100000.

see picture above for more details

  • Verify That the Number of Log Files to Keep Is Equal to 10

This test determines if virtual machines are configured to keep 10 log files when the recommended log rotate size of 100KB is exceeded (see the tip above).

To set this, add “log.keepOld” in options-advanced-general with the value 10.

see picture above for more details

  • Verify Size of GuestInfo File Is Less than or Equal to 1MB

The GuestInfo file is used to store the setinfo messages sent by VMware Tools on a guest to the ESX/ESXi Server. The size of setinfo messages is not limited by default. This introduces the possibility of a denial of service attack where an attacker mimics VMware Tools and floods the host with data.

To set this, add “tools.setInfo.sizeLimit” in options-advanced-general with the value 1048576.

see picture above for more details

  • Verify That DiskWiper Is Disabled

Virtual disk shrinking is used on disks configured to grow as needed. It is a two-step process that includes a DiskWiper to reclaim unused portions of the disk and then a DiskShrink to reduce the size of the .vmdk files. By default, a virtual disk shrink operation can be performed by unprivileged users and processes on a virtual machine.

To turn this off, add “isolation.tools.diskWiper.disable” in options-advanced-general with the value true.

see picture above for more details

  • Verify That DiskShrink Is Disabled

Virtual disk shrinking is used on disks configured to grow as needed. It is a two-step process that includes a DiskWiper to reclaim unused portions of the disk and then a DiskShrink to reduce the size of the .vmdk files.

By default, a virtual disk shrink operation can be performed by unprivileged users and processes on a virtual machine.

To turn this off, add “isolation.tools.diskShrink.disable” in options-advanced-general with the value true.

see picture above for more details.
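
To check a template against all of the advanced settings listed above in one go, the sketch below audits the text of a VM's .vmx file. It is an added example, not part of the original post or of Tripwire ConfigCheck; it assumes the advanced options end up as `key = "value"` lines in the .vmx file and that keys can be compared case-insensitively, and the sample file content is constructed.

```python
import re

# Expected values taken from the tips above: (key, check, requirement as text).
EXPECTED = [
    ("isolation.tools.copy.disable", lambda v: v.lower() == "true", "true"),
    ("isolation.tools.paste.disable", lambda v: v.lower() == "true", "true"),
    ("isolation.tools.setGUIOptions.enable", lambda v: v.lower() == "false", "false"),
    ("log.rotateSize", lambda v: v.isdigit() and int(v) <= 100000, "<= 100000"),
    ("log.keepOld", lambda v: v.isdigit() and int(v) == 10, "10"),
    ("tools.setInfo.sizeLimit", lambda v: v.isdigit() and int(v) <= 1048576, "<= 1048576"),
    ("isolation.tools.diskWiper.disable", lambda v: v.lower() == "true", "true"),
    ("isolation.tools.diskShrink.disable", lambda v: v.lower() == "true", "true"),
]

# One setting per line: key = "value" (assumed .vmx layout).
LINE = re.compile(r'^\s*([^#\s=]+)\s*=\s*"(.*)"\s*$')

def parse_vmx(text):
    """Return {lowercased key: value} for every key = "value" line."""
    settings = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            settings[m.group(1).lower()] = m.group(2).strip()
    return settings

def audit(text):
    """Return (key, found, required) for each missing or non-compliant setting."""
    settings = parse_vmx(text)
    findings = []
    for key, ok, required in EXPECTED:
        value = settings.get(key.lower())
        if value is None or not ok(value):
            findings.append((key, value, required))
    return findings

# Constructed sample .vmx fragment (not from a real VM).
SAMPLE_VMX = '''
displayName = "template-example"
isolation.tools.copy.disable = "TRUE"
isolation.tools.paste.disable = "false"
log.rotateSize = "100000"
log.keepOld = "10"
tools.setInfo.sizeLimit = "2097152"
isolation.tools.diskWiper.disable = "true"
'''

if __name__ == "__main__":
    for key, found, required in audit(SAMPLE_VMX):
        print(f"{key}: found {found!r}, required {required}")
```

A setting that is absent from the file is reported with `found None`, so the same run shows both wrong values and options that were never added to the template.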