Educause Security Discussion mailing list archives

Re: OS virtualization at the desktop

From: "Pace, Guy" <gpace () CIS CTC EDU>
Date: Thu, 13 Jul 2006 11:23:04 -0700
I don't have direct experience with Parallels, but have a bit with
virtual systems in general. My comments are indented. 
 
Since the windows "partition" is a file within OS X, can the windows
data be accessed without Windows authentication and authorization?

        The Windows virtual system files are likely contained in a file
structure on the OS X file system. Depending on the security of the OS X
system itself, the virtual partitions of the Windows environments can be
"mounted" either locally or remotely and accessed using a file browser.
So, this is more a question of how secure you can make the Mac OS X
host.

Are the OS X files subject to worms, trojans, viruses that may
infiltrate via the Windows installation?

        No more than worms, trojans or viruses that can go between
Windows and Linux. The main thing to worry about here is that both OS
installations have an active, updated and working anti-virus
application. 

Can the Windows partition/file be encrypted via file vault or other
encryption mechanism?

        Only those portions of the partition not required for bootup and
authentication can be encrypted. So the Windows directory and the
Documents and Settings should not be encrypted.

What is the impact on the availability of Windows applications running
in the virtual space?

        This is the same as with any OS running in a VM. There is always
the danger of VM escape, where malware or someone uses a bug or feature
of the virtual OS or the VM system to escape the virtual OS to the
underlying host OS. The hosted OS may have limitations on what hardware
it can access, performance and other things. The host OS must share
resources with the hosted OS.

Does the virtual OS open up any additional risks for the host OS?

        See the above commend on VM escape.

Can the virtual OS take advantage of our patch server (WSUS) and client
management suite (Altiris)?

        It should be able to do so, but only when active. There are
probably other issues with keeping the updates and changes, if you set
the hosted OS to restart in a pristine condition. I suggest setting up a
trial and see what impact this has on management of the host and hosted
OSs. You may also want to look at the Microsoft multi-user computer
tools to help manage the hosted OS.

Are there opportunities to improve security at the desktop using
virtualization?

        The virtual OS can be set to restart from a snapshot, in some VM
systems. Don't know about Parallels, terminology may vary. This keeps
the OS pristine, pretty much. This doesn't protect the host OS in any
way. As mentioned above, Microsoft has a very good tool for setting up
multi-user computers and keeping them clean and secure.

 

Guy L. Pace, CISSP 
Security Administrator 
Center for Information Services (CIS) 
3101 Northup Way, Suite 100 
Bellevue, WA 98004 
425-803-9724 

gpace () cis ctc edu 


________________________________

From: Chad McDonald, CISSP [mailto:chad.mcdonald () GCSU EDU] 
Sent: Thursday, July 13, 2006 10:55 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] OS virtualization at the desktop


We are about to deploy  a number of the Intel based Macs running OS X
and Windows XP.  XP will run on top of OS X via Parallels virtualization
software.  My concern is that using this in a production environment
exposes data on the client to twice the amount of risk thanks to the
multiple operating systems.  Have any of you already crossed this
bridge?  If so, any advice would be greatly appreciated. 

I am currently seeking info regarding the following questions:
Since the windows "partition" is a file within OS X, can the windows
data be accessed without Windows authentication and authorization?
Are the OS X files subject to worms, trojans, viruses that may
infiltrate via the Windows installation?
Can the Windows partition/file be encrypted via file vault or other
encryption mechanism?
What is the impact on the availability of Windows applications running
in the virtual space?
Does the virtual OS open up any additional risks for the host OS?
Can the virtual OS take advantage of our patch server (WSUS) and client
management suite (Altiris)?
Are there opportunities to improve security at the desktop using
virtualization?

Thanks,
Chad McDonald, CISSP
Chief Information Security Officer
Georgia College & State University
Office  478.445.4473
Cell  478.454.8250
Current thread:

OS virtualization at the desktop Chad McDonald, CISSP (Jul 13)
- <Possible follow-ups>
- Re: OS virtualization at the desktop Pace, Guy (Jul 13)
- Re: OS virtualization at the desktop Graham Toal (Jul 13)