File system security settings for Virtual Server
File system security settings
The ability to view and specify configuration settings for Virtual Server 2005, virtual machines, virtual networks, and virtual hard disks is controlled by discretionary access control lists (DACLs) on the Virtual Server folders and files.
This topic describes the DACLs that are configured by default for these folders and files. These DACLs give members of the Administrators group on the computer running the Virtual Server service full control over Virtual Server, virtual machines, virtual networks, and locally stored virtual disks.
For more information about configuring these settings to allow users to access and control Virtual Server and its components, see Configuring Virtual Server security settings, Configuring virtual machine security, and Configuring virtual disk security.
DACL for the Virtual Server folder
Virtual Server Setup creates the Virtual Server folder, which is located by default in C:\Documents and Settings\All Users\Application Data\Microsoft\. The Virtual Server folder contains the following items:
- Virtual Server configuration file (Options.xml)
- Virtual Server license file (VSLicense.xml)
- Virtual Machines folder, which contains shortcuts to the configuration files of virtual machines that are currently configured on Virtual Server
- Virtual Networks folder, which contains shortcuts to the configuration files of virtual networks that are currently configured on Virtual Server
The DACL on this folder applies to the folders and files that it contains. The following table lists the default access control entries (ACEs) of this DACL. Although you can configure this DACL from within the file system, we recommend that you instead use the Virtual Server Security Settings page of the Administration Website. For instructions, see Configure Virtual Server Security Settings.
The default DACL for the Virtual Server folder is shown in the following table.
User account | Permissions (allow) | Apply to |
---|---|---|
Administrators | Full Control | This folder, subfolders, and files |
CREATOR OWNER | Full Control | Subfolders and files only |
SYSTEM | Read & Execute | This folder, subfolders, and files |
SYSTEM | Create Files/Write Data, Create Folders/Append Data | This folder only |
NETWORK SERVICE | Read & Execute | This folder, subfolders, and files |
NETWORK SERVICE | Create Files/Write Data, Create Folders/Append Data | This folder only |
DACL for the Virtual Server configuration file
The following table describes the default DACL for the Virtual Server configuration file (Options.xml), located by default in C:\Documents and Settings\All Users\Application Data\Microsoft\Virtual Server. You can change the DACL on this file; however, we recommend that instead you configure global security settings for Virtual Server by using the Administration Website. For instructions, see Configure Virtual Server Security Settings.
User account | Permissions (allow) | Apply to |
---|---|---|
Administrators | Full Control | This object only |
NETWORK SERVICE | Full Control | This object only |
SYSTEM | Read & Execute | This object only |
DACL for the Virtual Server license file
The following table describes the default DACL for the Virtual Server license file (VSLicense.xml), located by default in C:\Documents and Settings\All Users\Application Data\Microsoft\Virtual Server.
User account | Permissions (allow) | Apply to |
---|---|---|
Administrators | Full Control | This object only |
NETWORK SERVICE | Read & Execute | This object only |
SYSTEM | Read & Execute | This object only |
DACL for the Virtual Machine Helper folder
The following table describes the default DACL for the Virtual Machine Helper folder, located by default in C:\Documents and Settings\All Users\Application Data\Microsoft. This folder contains the NETWORK SERVICE file, described next.
Warning
You should not change the DACL on this folder. If you do, virtual machines that you have configured to run under a specific user account may not be able to turn on, and encrypted password information contained in this file could become accessible to unauthorized users.
User account | Permissions (allow) | Apply to |
---|---|---|
Administrators | Full Control | This folder, subfolders, and files |
CREATOR OWNER | Full Control | Subfolders and files only |
SYSTEM | Read & Execute | This folder, subfolders, and files |
SYSTEM | Create Files/Write Data, Create Folders/Append Data | This folder only |
NETWORK SERVICE | Read & Execute | This folder, subfolders, and files |
NETWORK SERVICE | Create Files/Write Data, Create Folders/Append Data | This folder only |
DACL for the NETWORK SERVICE file
The following table describes the default DACL for the NETWORK SERVICE file, located by default in C:\Documents and Settings\All Users\Application Data\Microsoft\Virtual Machine Helper. This file stores encrypted information about the user accounts under which virtual machines have been configured to run. For more information about configuring this account, see Modifying general virtual machine properties.
Warning
You should not change the DACL on this file. If you do, virtual machines that you have configured to run under a specific user account may not be able to turn on, and encrypted password information contained in this file could become accessible to unauthorized users.
User account | Permissions (allow) | Apply to |
---|---|---|
NETWORK SERVICE | Full Control | This object only |
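The file-level defaults listed above (Options.xml, VSLicense.xml, and the NETWORK SERVICE file) can be checked for drift with a read-only script. This is an added example, not part of the original documentation; the helper name `Test-DefaultDacl` is hypothetical, and the paths assume the default installation locations given on this page.

```powershell
# Added example: read-only audit of file DACLs against the defaults documented above.
# Well-known SIDs replace account names so the comparison is locale-independent.
$Admins = 'S-1-5-32-544'; $System = 'S-1-5-18'; $NetSvc = 'S-1-5-20'
$Root   = 'C:\Documents and Settings\All Users\Application Data\Microsoft'  # documented default

# Expected allow ACEs per file, copied from the tables on this page.
$Baseline = @{
    "$Root\Virtual Server\Options.xml"   = @{ $Admins = 'FullControl'; $NetSvc = 'FullControl'; $System = 'ReadAndExecute' }
    "$Root\Virtual Server\VSLicense.xml" = @{ $Admins = 'FullControl'; $NetSvc = 'ReadAndExecute'; $System = 'ReadAndExecute' }
    "$Root\Virtual Machine Helper\NETWORK SERVICE" = @{ $NetSvc = 'FullControl' }
}

# Get-Acl reports Synchronize alongside Read & Execute, so mask it out on both sides.
$Mask = -bnot ([int][System.Security.AccessControl.FileSystemRights]::Synchronize)

function Test-DefaultDacl {   # hypothetical helper name
    param([string]$Path, [hashtable]$Expected)
    if (-not (Test-Path -Path $Path)) { return 'file not found' }
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $rules   = (Get-Acl -Path $Path).GetAccessRules($true, $true, $sidType)  # explicit + inherited
    $granted = @{}
    foreach ($r in $rules) {
        $sid = $r.IdentityReference.Value
        # The documented defaults contain allow ACEs only, so any deny ACE is drift.
        if ($r.AccessControlType -ne 'Allow') { "deny ACE for $sid"; continue }
        if (-not $Expected.ContainsKey($sid)) { "unexpected ACE: $sid has $($r.FileSystemRights)"; continue }
        # Accumulate rights in case one account holds several allow ACEs.
        $granted[$sid] = $granted[$sid] -bor ([int]$r.FileSystemRights -band $Mask)
    }
    foreach ($sid in $Expected.Keys) {
        $want = ([int][System.Security.AccessControl.FileSystemRights]$Expected[$sid]) -band $Mask
        if (-not $granted.ContainsKey($sid)) { "missing ACE for $sid" }
        elseif ($granted[$sid] -ne $want) { "rights for $sid differ from default $($Expected[$sid])" }
    }
}

foreach ($path in $Baseline.Keys) {
    $findings = @(Test-DefaultDacl -Path $path -Expected $Baseline[$path])
    if ($findings.Count -eq 0) { "[OK]    $path" }
    else { $findings | ForEach-Object { "[DRIFT] $path : $_" } }
}
```

The script only reads DACLs and never modifies them. Get-Acl fails with an access-denied error if the account running it is not permitted to read the permissions of a file, which can happen for the NETWORK SERVICE file because its default DACL grants access to NETWORK SERVICE only.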
DACL for the Virtual Server Webapp folder
The following table describes the default DACL for the Virtual Server Webapp folder, located by default in C:\Documents and Settings\All Users\Application Data\Microsoft\. This folder contains the ServerPaths.xml file, described next.
User account | Permissions (allow) | Apply to |
---|---|---|
SYSTEM | Full Control | This folder, subfolders, and files |
Administrators | Full Control | This folder, subfolders, and files |
Users | Read & Execute | This folder, subfolders, and files |
Power Users | Traverse Folder/Execute File, List Folder/Read Data, Read Attributes, Read Extended Attributes, Create Files/Write Data, Create Folders/Append Data, Write Attributes, Write Extended Attributes, Delete Subfolders and Files, Delete, Read Permissions | This folder, subfolders, and files |
Everyone | Read & Execute | This folder, subfolders, and files |
DACL for the Virtual Server Manager search paths file
The following table describes the default DACL for the Virtual Server Manager search paths file (ServerPaths.xml), located by default in C:\Documents and Settings\All Users\Application Data\Microsoft\Virtual Server WebApp. This file stores information about the search paths that have been configured for Virtual Server Manager. For more information, see Configuring Virtual Server Manager search paths.
User account | Permissions (allow) | Apply to |
---|---|---|
SYSTEM | Full Control | This folder, subfolders, and files |
Administrators | Full Control | This folder, subfolders, and files |
Users | Read & Execute | This folder, subfolders, and files |
Power Users | Traverse Folder/Execute File, List Folder/Read Data, Read Attributes, Read Extended Attributes, Create Files/Write Data, Create Folders/Append Data, Write Attributes, Write Extended Attributes, Delete Subfolders and Files, Delete, Read Permissions | This folder, subfolders, and files |
Everyone | Read & Execute | This folder, subfolders, and files |
DACL for the Shared Virtual Machines folder
The following table describes the default DACL on the Shared Virtual Machines folder, located by default in C:\Documents and Settings\All Users\Shared Documents.
User account | Permissions (allow) | Apply to |
---|---|---|
Administrators | Full Control | This folder, subfolders, and files |
CREATOR OWNER | Full Control | Subfolders and files only |
SYSTEM | Read & Execute | This folder, subfolders, and files |
SYSTEM | Create Files/Write Data, Create Folders/Append Data | This folder only |
NETWORK SERVICE | Read & Execute | This folder, subfolders, and files |
NETWORK SERVICE | Create Files/Write Data, Create Folders/Append Data | This folder only |
DACLs for virtual machine folders and files
The following tables describe the default DACLs on the folders and files that are created by Virtual Server when you create and manage a virtual machine. Virtual machine configuration folders and files are located by default in C:\Documents and Settings\All Users\Shared Documents\Shared Virtual Machines.
DACL for a virtual machine configuration folder
User account | Permissions (allow) | Apply to |
---|---|---|
Administrators | Full Control | This folder, subfolders, and files |
CREATOR OWNER | Full Control | Subfolders and files only |
SYSTEM | Read & Execute | This folder, subfolders, and files |
NETWORK SERVICE | Read & Execute | This folder, subfolders, and files |
DACL for virtual machine configuration (.vmc) files
User account | Permissions (allow) | Apply to |
---|---|---|
Administrators | Full Control | This object only |
SYSTEM | Read & Execute | This object only |
NETWORK SERVICE | Read & Execute | This object only |
DACL for virtual machine saved-state (.vsv) files
User account | Permissions (allow) | Apply to |
---|---|---|
Administrators | Full Control | This object only |
SYSTEM | Read & Execute | This object only |
NETWORK SERVICE | Read & Execute | This object only |
User account under which the virtual machine is running when its state is saved | Full Control | This object only |
DACL for the Shared Virtual Networks folder
The following table describes the default DACL on the Shared Virtual Networks folder, located by default in C:\Documents and Settings\All Users\Shared Documents.
User account | Permissions (allow) | Apply to |
---|---|---|
Administrators | Full Control | This folder, subfolders, and files |
CREATOR OWNER | Full Control | Subfolders and files only |
SYSTEM | Read & Execute | This folder, subfolders, and files |
SYSTEM | Create Files/Write Data, Create Folders/Append Data | This folder only |
NETWORK SERVICE | Read & Execute | This folder, subfolders, and files |
NETWORK SERVICE | Create Files/Write Data, Create Folders/Append Data | This folder only |
DACL for a virtual network configuration (.vnc) file
The following table describes the default DACL on the configuration file that is created by Virtual Server when you create a virtual network. Virtual network configuration (.vnc) files are located by default in C:\Documents and Settings\All Users\Shared Documents\Shared Virtual Networks.
User account | Permissions (allow) | Apply to |
---|---|---|
Administrators | Full Control | This object only |
SYSTEM | Read & Execute | This object only |
NETWORK SERVICE | Full Control | This object only |
DACLs for virtual hard disk (.vhd) files and virtual floppy disk (.vfd) files
The following table describes the default DACL on the file that is created by Virtual Server when you create a virtual hard disk or virtual floppy disk. Virtual hard disk (.vhd) files that are created at the same time a virtual machine is created are located by default in the virtual machine configuration folder, in C:\Documents and Settings\All Users\Shared Documents\Shared Virtual Machines. Other virtual hard disk files and all virtual floppy disk (.vfd) files are stored in the location that was specified when the file was created.
User account | Permissions (allow) | Apply to |
---|---|---|
Administrators | Full Control | This object only |
SYSTEM | Read & Execute | This object only |
NETWORK SERVICE | Read & Execute | This object only |