Educause Security Discussion mailing list archives
Re: OS virtualization at the desktop
From: "Pace, Guy" <gpace () CIS CTC EDU>
Date: Thu, 13 Jul 2006 11:23:04 -0700
I don't have direct experience with Parallels, but have a bit with virtual systems in general. My comments are indented. Since the windows "partition" is a file within OS X, can the windows data be accessed without Windows authentication and authorization? The Windows virtual system files are likely contained in a file structure on the OS X file system. Depending on the security of the OS X system itself, the virtual partitions of the Windows environments can be "mounted" either locally or remotely and accessed using a file browser. So, this is more a question of how secure you can make the Mac OS X host. Are the OS X files subject to worms, trojans, viruses that may infiltrate via the Windows installation? No more than worms, trojans or viruses that can go between Windows and Linux. The main thing to worry about here is that both OS installations have an active, updated and working anti-virus application. Can the Windows partition/file be encrypted via file vault or other encryption mechanism? Only those portions of the partition not required for bootup and authentication can be encrypted. So the Windows directory and the Documents and Settings should not be encrypted. What is the impact on the availability of Windows applications running in the virtual space? This is the same as with any OS running in a VM. There is always the danger of VM escape, where malware or someone uses a bug or feature of the virtual OS or the VM system to escape the virtual OS to the underlying host OS. The hosted OS may have limitations on what hardware it can access, performance and other things. The host OS must share resources with the hosted OS. Does the virtual OS open up any additional risks for the host OS? See the above commend on VM escape. Can the virtual OS take advantage of our patch server (WSUS) and client management suite (Altiris)? It should be able to do so, but only when active. There are probably other issues with keeping the updates and changes, if you set the hosted OS to restart in a pristine condition. I suggest setting up a trial and see what impact this has on management of the host and hosted OSs. You may also want to look at the Microsoft multi-user computer tools to help manage the hosted OS. Are there opportunities to improve security at the desktop using virtualization? The virtual OS can be set to restart from a snapshot, in some VM systems. Don't know about Parallels, terminology may vary. This keeps the OS pristine, pretty much. This doesn't protect the host OS in any way. As mentioned above, Microsoft has a very good tool for setting up multi-user computers and keeping them clean and secure. Guy L. Pace, CISSP Security Administrator Center for Information Services (CIS) 3101 Northup Way, Suite 100 Bellevue, WA 98004 425-803-9724 gpace () cis ctc edu ________________________________ From: Chad McDonald, CISSP [mailto:chad.mcdonald () GCSU EDU] Sent: Thursday, July 13, 2006 10:55 AM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: [SECURITY] OS virtualization at the desktop We are about to deploy a number of the Intel based Macs running OS X and Windows XP. XP will run on top of OS X via Parallels virtualization software. My concern is that using this in a production environment exposes data on the client to twice the amount of risk thanks to the multiple operating systems. Have any of you already crossed this bridge? If so, any advice would be greatly appreciated. I am currently seeking info regarding the following questions: Since the windows "partition" is a file within OS X, can the windows data be accessed without Windows authentication and authorization? Are the OS X files subject to worms, trojans, viruses that may infiltrate via the Windows installation? Can the Windows partition/file be encrypted via file vault or other encryption mechanism? What is the impact on the availability of Windows applications running in the virtual space? Does the virtual OS open up any additional risks for the host OS? Can the virtual OS take advantage of our patch server (WSUS) and client management suite (Altiris)? Are there opportunities to improve security at the desktop using virtualization? Thanks, Chad McDonald, CISSP Chief Information Security Officer Georgia College & State University Office 478.445.4473 Cell 478.454.8250
Current thread:
- OS virtualization at the desktop Chad McDonald, CISSP (Jul 13)
- <Possible follow-ups>
- Re: OS virtualization at the desktop Pace, Guy (Jul 13)
- Re: OS virtualization at the desktop Graham Toal (Jul 13)