VMware Remote Console (VMRC) Security

I ran into an issue the other day where I was directly logged into a VMRC of a VM with an enterprise administrator account (administrator over the entire AD forest) and someone else at the remote site opened up a VMRC on the same VM and took over my session.  For obvious reasons this poses a security threat.

I knew there was a way to limit this, but I wasn’t sure where to set it.  It is an advanced configuration setting and it is set per-VM.  You can add a new line either in the VM settings or directly in the .vmx file as follows:

RemoteDisplay.maxConnections = 1

You can add this setting while the VM is powered on through PowerCLI, but the VM needs to be powered off/on.  The caveat of powering every VM off/on to secure the VMRC was going to require a lot of coordination with 19 different sites and 1000+ virtual machines.  I engaged our Technical Account Manager (TAM) at VMware to see if there was a workaround, and luckily, there is!  Performing a vMotion on the VM will allow that setting to take effect without having to power it off.

At first, I didn’t understand why that worked, which made me realize that I didn’t have a full understanding of everything happening during a vMotion.  I won’t go into the entire process here (maybe a future post?), but essentially during the process, the VM is powered on, on the destination host, which allows that setting in the .vmx file to initialize and take effect.

Of course setting that and vMotioning 1000+ VMs one at a time would take more time than I’m willing to spend, so I wrote a script to get all the VMs, set the proper setting limiting the VMRC connections, and vMotion each VM to a host other than the one it is currently on.  I gathered some of this code from other scripts, and wrote some of it myself.  This does not currently contain any error checking.  Download the script below, change the extension to .ps1 and remember to connect to a VI server prior to running.

Once this new setting is set and has taken effect, a user connecting to a VMRC while another user is connected will get an error and won’t be able to connect.

Once you are finished, you should go back and change your templates to reflect this change so all new VMs you deploy will be secure.  You will have to convert your templates to a VM and then back to a template.

limit-vmrcConnections (right-click, save as .ps1)
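
The downloadable script is not reproduced on this page. The following is an added example (not the author's script) of the same procedure in PowerCLI: write RemoteDisplay.maxConnections = 1 to each VM, then vMotion powered-on VMs so the setting takes effect, with the error handling the post says its script lacks. It assumes Connect-VIServer has already been run, that each VM sits in a cluster with at least one other connected host, and that vMotion is configured between those hosts.

```powershell
# Added example, not the author's script. Assumes VMware PowerCLI is loaded
# and a Connect-VIServer session is already open.
$settingName  = 'RemoteDisplay.maxConnections'
$settingValue = '1'

$report = foreach ($vm in Get-VM) {
    $result = [pscustomobject]@{ VM = $vm.Name; Setting = 'already set'; Migrated = $false; Note = '' }
    try {
        # Only write the setting when it is missing or has a different value
        $current = Get-AdvancedSetting -Entity $vm -Name $settingName
        if (-not $current -or "$($current.Value)" -ne $settingValue) {
            # -Force overwrites an existing value in the VM's configuration
            New-AdvancedSetting -Entity $vm -Name $settingName -Value $settingValue `
                -Force -Confirm:$false -ErrorAction Stop | Out-Null
            $result.Setting = 'written'
        }

        if ($vm.PowerState -ne 'PoweredOn') {
            # Nothing to migrate; the value is read at the next power-on
            $result.Note = 'powered off; applies at next power-on'
        }
        elseif ($result.Setting -eq 'written') {
            # Choose a different connected host in the same cluster (assumption:
            # the VM is in a cluster and vMotion works between its hosts)
            $cluster = Get-Cluster -VM $vm
            if (-not $cluster) { throw 'VM is not in a cluster; pick a destination host manually' }
            $target = Get-VMHost -Location $cluster |
                Where-Object { $_.ConnectionState -eq 'Connected' -and $_.Id -ne $vm.VMHost.Id } |
                Get-Random
            if ($target) {
                Move-VM -VM $vm -Destination $target -Confirm:$false -ErrorAction Stop | Out-Null
                $result.Migrated = $true
            }
            else { $result.Note = 'no other connected host; needs power off/on' }
        }
    }
    catch {
        # Record the failure and continue with the next VM
        $result.Note = "FAILED: $($_.Exception.Message)"
    }
    $result
}

# One row per VM: rows with Migrated = False and a Note need follow-up
$report | Sort-Object Migrated, VM | Format-Table -AutoSize
```

VMs reported as "already set" are not migrated again, so a VM that had the value written earlier but has not been vMotioned or power-cycled since still needs one of the two.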
