Hyper-V: Avoid configuring virtual machines to allow unfiltered SCSI commands
Applies To: Windows Server 2008 R2, Windows Server 2012
This topic is intended to address a specific issue identified by a Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the Hyper-V Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see Best Practices Analyzer.
Operating System | Windows Server 2012 or Windows Server 2008 R2
Product/Feature | Hyper-V
Severity | Warning
Category | Operations
Issue
A virtual machine is configured to allow unfiltered SCSI commands.
Impact
Bypassing SCSI command filtering poses a security risk. This configuration should be enabled only if it is required for compatibility with storage applications running in the guest operating system. The following virtual machines are configured to allow unfiltered SCSI commands: <list of virtual machine names>
Resolution
Contact your storage vendor to determine if this configuration is required. Also, if the management operating system or other guest operating systems are compromised or exhibit unusual behavior, reconfigure the virtual machine to block the commands.
You can reconfigure the virtual machine by using the WMI interfaces to modify a property directly in the Virtualization WMI provider. Use the ModifyVirtualSystem method of the Msvm_VirtualSystemManagementService class to modify the AllowFullSCSICommandSet property of the Msvm_VirtualSystemGlobalSettingData class. For more information about this property, see Msvm_VirtualSystemGlobalSettingData Class (https://go.microsoft.com/fwlink/?LinkId=181521).
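The following PowerShell script is an added example, not code from the original topic. It lists the virtual machines that have AllowFullSCSICommandSet set and, when asked, blocks the commands by using the method and classes named above. It assumes the root\virtualization namespace of the Virtualization WMI provider and an elevated session on the Hyper-V host; the -Remediate switch is a name chosen for this example.

```powershell
# Added example: audit and block unfiltered SCSI commands on a Hyper-V host.
# Assumes the root\virtualization WMI namespace and an elevated session.
# -Remediate is a switch defined by this example; without it the script only reports.
param([switch]$Remediate)

$ns   = 'root\virtualization'
$vsms = Get-WmiObject -Namespace $ns -Class Msvm_VirtualSystemManagementService

# Msvm_ComputerSystem also returns the host itself; keep only virtual machines.
$vms = Get-WmiObject -Namespace $ns -Class Msvm_ComputerSystem -Filter "Caption='Virtual Machine'"

foreach ($vm in $vms) {
    # The global setting data object is associated with the virtual machine.
    $global = $vm.GetRelated('Msvm_VirtualSystemGlobalSettingData') | Select-Object -First 1
    if (-not $global.AllowFullSCSICommandSet) { continue }

    Write-Output "Unfiltered SCSI commands allowed: $($vm.ElementName)"
    if (-not $Remediate) { continue }

    # ModifyVirtualSystem takes the VM reference and the setting data as embedded-instance text.
    $global.AllowFullSCSICommandSet = $false
    $text   = $global.GetText([System.Management.TextFormat]::CimDtd20)
    $result = $vsms.ModifyVirtualSystem($vm.__PATH, $text)

    # 0 = completed, 4096 = asynchronous job started; anything else is a failure.
    if ($result.ReturnValue -eq 4096) {
        $job = [wmi]$result.Job
        while ($job.JobState -eq 3 -or $job.JobState -eq 4) {   # starting or running
            Start-Sleep -Milliseconds 500
            $job = [wmi]$result.Job                             # re-read the job state
        }
        if ($job.JobState -ne 7) {                              # 7 = completed
            Write-Warning "Failed for $($vm.ElementName): $($job.ErrorDescription)"
            continue
        }
    } elseif ($result.ReturnValue -ne 0) {
        Write-Warning "Failed for $($vm.ElementName): return value $($result.ReturnValue)"
        continue
    }
    Write-Output "SCSI command filtering restored: $($vm.ElementName)"
}
```

Run the script without -Remediate first and confirm with your storage vendor that none of the reported virtual machines require the setting.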
Additional references
For information about the Virtualization WMI provider for Hyper-V, see Virtualization WMI Provider (https://go.microsoft.com/fwlink/?LinkID=108564).