VMs with multiple vNics could be a security risk

%3Cp%3EOften%20when%20I%20do%20health%20check%20on%20vSphere%20environments%20I%20come%20across%20VMs%20that%20have%20multiple%20vNics.%20That%20can%20be%20a%20serious%20security%20risk%20if%20these%20vNics%20are%20connected%20to%20different%20security%20zones.%20One%20VM%20could%20be%20connected%20both%20to%20a%20DMZ%20and%20to%20a%20Administration%20network.%20Sometimes%20this%20configuration%20is%20acceptable%20if%20the%20operating%20system%20is%20designed%20to%20handle%20this.%20If%20for%20instance%20it%20is%20a%20firewall.%3C/p%3E%3Cp%3EI%20often%20find%20that%20there%20are%20VMs%20that%20have%20this%20configuration%20but%20where%20one%20of%20the%20network%20adapters%20is%20disconnected,%20and%20only%20connected%20from%20vCenter%20when%20access%20to%20the%20secondary%20network%20is%20wanted%20for%20some%20kind%20of%20maintenance.%3C/p%3E%3Cp%3EI%20found%20a%20setting%20on%20the%20virtual%20network%20adapter%20called%20%3Cem%3E%22allowGuestControl%22,%20%3C/em%3Eand%20I%20was%20wondering%20if%20this%20setting%20could%20be%20a%20security%20issue.%20%3Cstrong%3ECould%20a%20hacker%20enable%20the%20disconnected%20network%20adapter%20from%20within%20the%20guest%20operating%20system,%20and%20thereby%20gain%20access%20to%20a%20privileged%20network?%3C/strong%3E%3C!--more--%3E%3C/p%3E%3Cp%3EIt%20turns%20out%20that%20you%20can%20enable%20disconnected%20hardware%20using%20VMware%20tools,%20as%20explained%20documented%20here:%C2%A0%3Ca%20href=%22https://pubs.vmware.com/vsphere-50/index.jsp?topic=%252Fcom.vmware.vmtools.install.doc%252FGUID-B8AEEAAC-5E0D-4A5E-974E-64FE81949AE0.html?src=vmw_so_vex_bknuts_793%22%3Ehttps://pubs.vmware.com/vsphere-50/index.jsp?topic=%252Fcom.vmware.vmtools.install.doc%252FGUID-B8AEEAAC-5E0D-4A5E-974E-64FE81949AE0.html%3C/a%3E%3C/p%3E%3Cp%3EFortunately%20it%20is%20not%20enabled%20by%20default%20even%20though%20the%C2%A0%3Cem%3E%22allowGuestControl%22%20%3C/em%3Esetting%20is%20enabled,%20as%20the%20documentation%20explains%20you%20have%20to%20add%202%20settings%20to%20your%20vmx%20file.%3C/p%3E%3Cpre%20class=%22prettyprint%20lang-javascript%22%20data-start-line=%221%22%20data-visibility=%22visible%22%20data-highlight=%22%22%20data-caption=%22%22%3Eisolation.device.connectable.disable%20=%20%22FALSE%22%0Aisolation.device.edit.disable%20=%20%22FALSE%22%3C/pre%3E%3Cp%3EThe%20downside%20is%20that%20if%20these%20settings%20are%20set,%20maybe%20by%20an%20unknown%20intruder,%20it%20is%20very%20hard%20to%20spot,%20so%20I%20recommend%20that%20you%20avoid%20having%20multiple%20vNics%20in%20your%20VMs,%20that%20cross%20different%20security%20zones,%20even%20when%20one%20of%20them%20is%20disconnected.%3C/p%3E%3Cp%3ECredit%20to%C2%A0%3Ca%20href=%22https://communities.vmware.com/people/mhampto?src=vmw_so_vex_bknuts_793%22%3Emhampto%3C/a%3E%C2%A0for%20pointing%20me%20to%20the%20right%20documentation%20when%20trying%20to%20get%20to%20the%20bottom%20of%20this.%3C/p%3E