Configuring virtual machine security
In addition to securing the folders in which the various Virtual Server files are located (as described in Securing Virtual Server), you can also configure security on the individual files themselves. Securing the files individually is not necessary unless you want to define access permissions more precisely than at the folder level.
Permissions for virtual machines
To grant or deny permissions for users to view or modify virtual machine configuration settings, you can modify the discretionary access control list (DACL) on the virtual machine configuration (.vmc) file. In addition, to allow or deny permissions to create virtual machines, you can modify the DACL on the Virtual Server folder, and to allow or deny permissions to save virtual machine state and create undo disks, you can modify the DACL on the virtual machine folder.
Note
There is no option for configuring these settings in the Administration Website; you can configure them in the file system only.
The following table lists the permissions that you can configure on a virtual machine configuration (.vmc) file. By default, virtual machine configuration files are located in a folder having the same name as the virtual machine, in C:\Documents and Settings\All Users\Documents\Shared Virtual Machines.
Permission | Use to grant or deny this ability |
---|---|
List Folder/Read Data | |
Create Files/Write Data | Modify the configuration of this virtual machine. |
Traverse Folder/Execute File | |
Delete | Delete this configuration file. |
Read Permissions | Read permissions on the virtual machine configuration file. |
Change Permissions | Change permissions on the virtual machine configuration file. |
In addition to the permissions on the .vmc file, the following permissions may be required:
- Modify permissions granted in the Virtual Server Security Properties page: To create, add, or remove virtual machines. For more information, see Configuring Virtual Server security settings.
- Create Files permissions on the folder containing the .vmc file: To save the state of a virtual machine or create undo disks.
- List Folder permissions on the folder containing the .vmc file: To access the .vmc file from the Administration Website.
Note
By default, a virtual machine runs under the account of the user who started it. You can also create a special account and configure the virtual machine to run under this account instead, as described in Modify general virtual machine properties. The account under which the virtual machine is running (either the user who started it or the special account) must have specific permissions. These permissions are also described in Modify general virtual machine properties. You can allow a user to manage virtual machine state without having permissions to change the configuration by giving the user List Folder/Read Data and Traverse Folder/Execute File permissions, but not Create Files/Write Data permissions.
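The state-only grant described above, as an added PowerShell example (not code from this page or from Microsoft): it adds the two permissions to a .vmc file's DACL, then lists every Allow entry that still carries Create Files/Write Data, since an account can also receive write access through an inherited entry or a group. The virtual machine name TestVM, the account CONTOSO\vmoperator, and both function names are assumptions made for illustration.

```powershell
# Added example. Assumed names (not from the page): VM "TestVM",
# account "CONTOSO\vmoperator", and the two function names below.

function Grant-VmStateOnly {
    param([string]$Path, [string]$Account)
    # List Folder/Read Data + Traverse Folder/Execute File,
    # deliberately without Create Files/Write Data.
    $rights = [System.Security.AccessControl.FileSystemRights]'ReadData, ExecuteFile'
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Account, $rights, 'Allow')

    $acl = Get-Acl -Path $Path
    $acl.AddAccessRule($rule)          # merges with any existing Allow entry
    Set-Acl -Path $Path -AclObject $acl
}

function Get-VmcConfigWriter {
    param([string]$Path)
    # Report every Allow entry (explicit or inherited) whose rights include
    # Create Files/Write Data, i.e. who can modify this configuration.
    $write = [int][System.Security.AccessControl.FileSystemRights]::WriteData
    (Get-Acl -Path $Path).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ([int]$_.FileSystemRights -band $write)
        } |
        Select-Object IdentityReference, FileSystemRights, IsInherited
}

# Default location from the page; the TestVM folder and file are assumed.
$vmc = 'C:\Documents and Settings\All Users\Documents\Shared Virtual Machines\TestVM\TestVM.vmc'

Grant-VmStateOnly -Path $vmc -Account 'CONTOSO\vmoperator'

# If the operator account, or a group it belongs to, appears in this output,
# it can still change the virtual machine configuration.
Get-VmcConfigWriter -Path $vmc | Format-Table -AutoSize
```

Entries reported with IsInherited set to True come from the virtual machine folder, so they are changed on the folder's DACL rather than on the .vmc file.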
Permissions for virtual networks
To grant or deny permissions for users to view or modify virtual network configuration settings, you can modify the DACL on the virtual network configuration (.vnc) file. By default, virtual network configuration files are located in C:\Documents and Settings\All Users\Documents\Shared Virtual Networks.
Note
There is no option for configuring these settings in the Administration Website; you can configure them in the file system only.
The following table lists the permissions that you can configure on a virtual network configuration (.vnc) file.
Permission | Use to grant or deny this ability |
---|---|
List Folder/Read Data | View configuration information for this virtual network. |
Read Attributes | View configuration information for this virtual network. |
Create Files/Write Data | Modify the configuration of this virtual network. |
Traverse Folder/Execute File | Connect to this virtual network. |
Delete | Delete the virtual network configuration file. |
Read | Read the virtual network configuration file. |
Change | Change the virtual network configuration file. |
In addition to the permissions on the .vnc file, the following permissions may be required:
- Modify permissions granted in the Virtual Server Security Properties page: To create, add, or remove virtual networks. For more information, see Configuring Virtual Server security settings.
- List Folder permissions on the folder containing the .vnc file: To access the .vnc file from the Administration Website.
You can also configure the security of the Virtual Server global options file (Options.xml), the virtual hard disk configuration (.vhd) files, and the virtual floppy disk (.vfd) files. For more information, see Configuring Virtual Server security settings and Configuring virtual disk security.