VirtualBox

source: vbox/trunk/doc/manual/en_US/user_Security.xml@ 38556

Last change on this file since 38556 was 38556, checked in by vboxsync, 14 years ago

doc/manual: more security stuff

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<chapter id="Security">
  <title>Security guide</title>

  <sect1>
    <title>Overview</title>
    <para>
    </para>

    <sect2>
      <title>General Security Principles</title>

      <para>The following principles are fundamental to using any application
      securely.
      <glosslist>
        <glossentry>
          <glossterm>Keep Software Up To Date</glossterm>
          <glossdef>
            <para>
            One of the principles of good security practice is to keep all
            software versions and patches up to date. Enable the VirtualBox
            update notification so that you are notified when a new VirtualBox
            release is available. When updating VirtualBox, do not forget to
            update the Guest Additions as well. Keep the host operating system
            and the guest operating systems up to date, too.
            </para>
          </glossdef>
        </glossentry>

        <glossentry>
          <glossterm>Restrict Network Access to Critical Services</glossterm>
          <glossdef>
            <para>
            Use proper means, for instance a firewall, to protect your computer
            and your guest(s) from access from the outside. Choosing the proper
            networking mode for VMs helps to separate host networking from the
            guest and vice versa.
            </para>
          </glossdef>
        </glossentry>

        <glossentry>
          <glossterm>Follow the Principle of Least Privilege</glossterm>
          <glossdef>
            <para>
            The principle of least privilege states that users should be given the
            least amount of privilege necessary to perform their jobs. Always run
            VirtualBox as a regular user; we strongly discourage running
            VirtualBox with system privileges.
            </para>
          </glossdef>
        </glossentry>

        <glossentry>
          <glossterm>Monitor System Activity</glossterm>
          <glossdef>
            <para>
            System security stands on three legs: good security protocols, proper
            system configuration and system monitoring. Auditing and reviewing audit
            records address this third requirement. Each component within a system
            has some degree of monitoring capability. Follow the audit advice in this
            document and regularly monitor audit records.
            </para>
          </glossdef>
        </glossentry>

        <glossentry>
          <glossterm>Keep Up To Date on Latest Security Information</glossterm>
          <glossdef>
            <para>
            Oracle continually improves its software and documentation. Check this
            guide for revisions at least yearly.
            </para>
          </glossdef>
        </glossentry>

      </glosslist>
      </para>
    </sect2>
  </sect1>

  <sect1>
    <title>Secure Installation and Configuration</title>

    <sect2>
      <title>Installation Overview</title>
      <para>
      The VirtualBox base package should be downloaded only from a trusted source,
      for instance the official website
      <ulink url="http://www.virtualbox.org">http://www.virtualbox.org</ulink>.
      The integrity of the downloaded package should be verified against the
      SHA256 checksum published on the official website before it is installed.
      </para>
      <para>
      General VirtualBox installation instructions for the supported hosts can
      be found in <xref linkend="installation"/>. On some hosts it is possible
      to disable certain VirtualBox components during the installation, but the
      regular case is to install the complete VirtualBox package. The installation
      itself requires system privileges. Once installed, however, all VirtualBox
      binaries should be executed as a regular user and never as a privileged user.
      </para>
      <para>
      The Oracle VM VirtualBox extension pack provides additional features
      and must be downloaded and installed separately, see
      <xref linkend="intro-installing"/>. As with the base package, the SHA256
      checksum of the extension pack should be verified. As the installation
      requires system privileges, the VirtualBox GUI will ask for the system
      password during the installation of the extension pack.
      </para>
    </sect2>

    <sect2>
      <title>Post Installation Configuration</title>
      <para>
      Normally no post-installation configuration of VirtualBox components is
      required. However, on Solaris and Linux hosts it is necessary to grant the
      proper permissions to users who execute VMs that need access to certain
      host resources. For instance, Linux users must be members of the
      <emphasis>vboxusers</emphasis> group to be able to pass USB devices to a
      guest. If a host serial port is to be accessed from a VM, the user must be
      granted permission to access that device; this is the correct fix, rather
      than running VirtualBox with elevated privileges. The same applies to other
      resources like raw partitions, DVD/CD drives and sound devices.
      </para>
    </sect2>
  </sect1>

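<para>Checking a download against the published SHA256 checksum, as described in
the installation overview above, is easy to get wrong when done by eye. The
following shell script is an added example and is not part of the VirtualBox manual
or of VirtualBox itself; it compares the digest of a downloaded file against the
entry for that file in a SHA256SUMS file and refuses packages that are missing from
the list, so that a swapped or truncated download cannot slip through as "unknown".
The file name and digest used for the demonstration at the end are constructed.</para>

```shell
#!/bin/sh
# Added example, not part of the VirtualBox manual: verify a downloaded
# VirtualBox package (base package or extension pack) against the SHA256SUMS
# file published next to it on the download page. Assumes a POSIX shell with
# sha256sum (coreutils) or shasum (macOS/BSD) available.

# sha256_of FILE: print the hex SHA-256 digest of FILE.
sha256_of() {
    if command -v sha256sum >/dev/null 2>/dev/null; then
        sha256sum "$1" | cut -d ' ' -f 1
    else
        shasum -a 256 "$1" | cut -d ' ' -f 1
    fi
}

# verify_package SUMS_FILE PACKAGE: return 0 only if SUMS_FILE lists the
# basename of PACKAGE and the listed digest matches the file on disk.
# A package that is not listed at all is a failure, not an "unknown".
verify_package() {
    sums="$1"
    pkg="$2"
    name=$(basename "$pkg")
    # SHA256SUMS lines are "DIGEST  NAME" (text) or "DIGEST *NAME" (binary mode).
    expected=$(awk -v n="$name" '$2 == n || $2 == "*" n { print $1; exit }' "$sums")
    if [ -z "$expected" ]; then
        echo "FAIL: no checksum listed for $name"
        return 1
    fi
    actual=$(sha256_of "$pkg")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $name"
        return 0
    fi
    echo "FAIL: checksum mismatch for $name (do not install)"
    return 1
}

# Constructed demonstration input: the file stands in for a downloaded package
# and the digest is the SHA-256 of the six bytes "hello" plus newline.
demo_dir=$(mktemp -d)
printf 'hello\n' > "$demo_dir/VirtualBox-demo.run"
printf '%s  VirtualBox-demo.run\n' 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03 > "$demo_dir/SHA256SUMS"
verify_package "$demo_dir/SHA256SUMS" "$demo_dir/VirtualBox-demo.run"
rm -rf "$demo_dir"
```

<para>Run it as <computeroutput>verify_package SHA256SUMS VirtualBox-x.y.z.run</computeroutput>
with both files in the current directory; the checksum file must come from the
website over a trusted connection, not from the same mirror as the package.</para>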
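<para>The post-installation permission checks above can be scripted so that an
administrator learns which group grants access to a host device before anyone is
tempted to run VirtualBox as root. The script below is an added example and not
part of the VirtualBox manual; it tests whether the current user can read and
write a device path and, if not, names the owning group to join. The device paths
at the end are examples only, and the group hint is skipped for root-owned devices,
where adding users to the root group would defeat the purpose.</para>

```shell
#!/bin/sh
# Added example, not part of the VirtualBox manual: check whether the account
# that runs VMs can reach a host device (serial port, raw partition, DVD drive,
# sound device) through ordinary file permissions, and, if not, report the group
# to join instead of falling back to running VirtualBox with system privileges.
# Assumes a POSIX shell; device paths below are examples, not a fixed list.

# owning_group FILE: print the group that owns FILE (GNU stat, then BSD stat).
owning_group() {
    stat -c %G "$1" 2>/dev/null || stat -f %Sg "$1"
}

# in_group GROUP: return 0 if the current user is a member of GROUP.
in_group() {
    for g in $(id -nG); do
        if [ "$g" = "$1" ]; then
            return 0
        fi
    done
    return 1
}

# check_device DEVICE: return 0 if the current user can read and write DEVICE,
# 1 if not (with a remediation hint), 2 if DEVICE does not exist.
check_device() {
    dev="$1"
    if [ ! -e "$dev" ]; then
        echo "MISSING: $dev"
        return 2
    fi
    if [ -r "$dev" ]; then
        if [ -w "$dev" ]; then
            echo "OK: $(id -un) can read and write $dev"
            return 0
        fi
    fi
    grp=$(owning_group "$dev")
    if [ "$grp" = "root" ]; then
        echo "DENIED: $dev is root-only; change its group (for example with a udev rule) rather than running VirtualBox as root"
    elif in_group "$grp"; then
        echo "DENIED: $dev is owned by group $grp, which $(id -un) belongs to, but its mode does not allow group read/write"
    else
        echo "DENIED: add $(id -un) to group $grp (for example: usermod -a -G $grp $(id -un)) and log in again"
    fi
    return 1
}

# Example device paths a VM might be given; adjust to the host.
for d in /dev/ttyS0 /dev/sr0; do
    check_device "$d"
done
```

<para>The same check applies to raw partitions and audio devices: run
<computeroutput>check_device /dev/sdb1</computeroutput> as the VM user and act
on the reported group, never by starting VirtualBox with elevated privileges.</para>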
  <sect1>
    <title>Security Features</title>
    <para>This section outlines the specific security mechanisms offered
    by VirtualBox.</para>

    <sect2>
      <title>The Security Model</title>
      <para>
      One property of virtual machine monitors (VMMs) like VirtualBox is that they
      encapsulate a guest by executing it in a protected environment, a virtual
      machine, running as a user process on the host operating system. The guest
      cannot communicate directly with the hardware or with other computers, but
      only through the VMM. The VMM provides emulated physical resources and
      devices to the guest, which the guest operating system accesses to perform
      the required tasks. The VM settings control both the resources provided to
      the guest, for example the amount of guest memory or the number of guest
      processors (see <xref linkend="generalsettings"/>), and the features enabled
      for that guest (for example remote control, certain screen settings and
      others). Every feature enabled in the VM settings therefore widens the
      interface the guest can reach on the host.
      </para>
    </sect2>

    <sect2>
      <title>Secure Configuration of Virtual Machines</title>
      <para>
      Several aspects of a virtual machine configuration are subject to security
      considerations.</para>

      <sect3>
        <title>Networking</title>
        <para>
        The default networking mode for VMs is NAT, which means that
        the VM acts like a computer behind a router, see
        <xref linkend="network_nat"/>. The guest is part of a private
        subnet belonging to this VM and the guest IP is not visible
        from the outside. This networking mode works without
        any additional setup and is sufficient for many purposes.
        </para>
        <para>
        If bridged networking is used, the VM acts like a computer on
        the same network as the host, see <xref linkend="network_bridged"/>.
        In this case, the guest has the same network access as the host and
        a firewall might be necessary to protect other computers on the
        subnet from a potentially malicious guest as well as to protect the
        guest from direct access by other computers. In some cases it is
        worth considering a forwarding rule for a specific port in NAT
        mode instead of using bridged networking, since this exposes only
        the forwarded port rather than the whole guest.
        </para>
        <para>
        Some setups do not require a VM to be connected to the public network
        at all. Internal networking (see <xref linkend="network_internal"/>)
        or host-only networking (see <xref linkend="network_hostonly"/>)
        are often sufficient to connect VMs among each other or to connect
        VMs only with the host but not with the public network.
        </para>
      </sect3>

      <sect3>
        <title>VRDP remote desktop authentication</title>
        <para>When using the VirtualBox extension pack provided by Oracle
        for VRDP remote desktop support, you can optionally use various
        methods to configure RDP authentication. The "null" method performs
        no authentication at all and is therefore very insecure; it should
        not be used on a network reachable by untrusted parties.
        See <xref linkend="vbox-auth" /> for details.</para>
      </sect3>

      <sect3>
        <title>Clipboard</title>
        <para>
        The shared clipboard allows data to be exchanged between the host and
        the guest. Enabling the clipboard in "Bidirectional" mode allows
        the guest to both read and write the host clipboard. The "Host to guest"
        mode and the "Guest to host" mode limit the access to one
        direction. If the guest is able to read the host clipboard, it can
        also read any sensitive data, such as copied passwords, that the host
        places on the clipboard.
        </para>
      </sect3>

      <sect3>
        <title>3D graphics acceleration</title>
        <para>Enabling 3D graphics via the Guest Additions exposes the host
        to additional security risks; see <xref
        linkend="guestadd-3d" />.</para>
      </sect3>

      <sect3>
        <title>CD/DVD passthrough</title>
        <para>Enabling CD/DVD passthrough allows the guest to perform advanced
        operations on the CD/DVD drive, see <xref linkend="storage-cds"/>.
        This is a security risk because the guest can then, for example,
        overwrite or erase data on a writable CD/DVD medium in the host drive.
        </para>
      </sect3>

      <sect3>
        <title>USB passthrough</title>
        <para>
        Passing USB devices to the guest gives the guest full access
        to these devices, see <xref linkend="settings-usb"/>. For instance,
        in addition to reading and writing the contents of the partitions
        of an external USB disk, the guest will also be able to read and
        write the partition table and hardware data of that disk.
        </para>
      </sect3>

    </sect2>

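<para>The settings discussed in the networking, VRDP authentication, clipboard,
3D acceleration and USB sections above can all be read from the output of
<computeroutput>VBoxManage showvminfo NAME --machinereadable</computeroutput>.
The following script is an added example and not part of the VirtualBox manual;
it audits that output for the risky values described here and exits non-zero when
any is found, so it can run as a pre-start check. The key names (nicN, clipboard,
accelerate3d, vrde, vrdeauthtype, usb) follow the machine-readable format but
should be confirmed against the VirtualBox version in use; CD/DVD passthrough is
not checked because its machine-readable representation is not given on this
page. The two sample VMs are constructed rather than captured from real machines.</para>

```shell
#!/bin/sh
# Added example, not part of the VirtualBox manual: audit a VM's configuration
# for the options this section flags as security-relevant (bridged networking,
# shared clipboard, 3D acceleration, VRDE without authentication, USB). Input is
# the key="value" output of
#     VBoxManage showvminfo NAME --machinereadable
# read from standard input, so saved output can be checked offline. Key names
# follow that format; the two samples below are constructed, not real VMs.

findings=0

warn() {
    printf 'WARN: %s\n' "$1"
    findings=$((findings + 1))
}

# setting KEY: print the unquoted value of KEY from $vminfo, empty if absent.
setting() {
    printf '%s\n' "$vminfo" | grep "^$1=" | head -n 1 | cut -d= -f2- | tr -d '"'
}

# audit_vm: read showvminfo output from stdin, print WARN lines and a count,
# and return 0 only if nothing was flagged.
audit_vm() {
    vminfo=$(cat)
    findings=0

    # Networking: bridged puts the guest directly on the host's LAN. NAT,
    # host-only and internal networking keep it off the public network.
    for n in 1 2 3 4 5 6 7 8; do
        if [ "$(setting "nic$n")" = "bridged" ]; then
            warn "nic$n is bridged; guest is reachable from the host LAN. Firewall it or prefer NAT with port forwarding."
        fi
    done

    # Clipboard: any mode that lets the guest read the host clipboard can leak
    # whatever the host user happens to copy.
    case "$(setting clipboard)" in
        bidirectional) warn "clipboard is bidirectional; guest can read and write the host clipboard" ;;
        hosttoguest)   warn "clipboard is host-to-guest; guest can read whatever the host copies" ;;
    esac

    if [ "$(setting accelerate3d)" = "on" ]; then
        warn "3D acceleration is on; guest input reaches host graphics code (see guestadd-3d)"
    fi

    # Remote desktop: the "null" auth method accepts every connection.
    if [ "$(setting vrde)" = "on" ]; then
        if [ "$(setting vrdeauthtype)" = "null" ]; then
            warn "VRDE is on with vrdeauthtype=null; anyone who can reach the RDP port gets the console"
        fi
    fi

    if [ "$(setting usb)" = "on" ]; then
        warn "USB controller is on; passed-through devices are fully exposed to the guest, partition tables included"
    fi

    printf 'findings: %d\n' "$findings"
    [ "$findings" -eq 0 ]
}

# Constructed samples (not captured from real machines).
SAMPLE_RISKY='name="dev-box"
nic1="bridged"
nic2="none"
clipboard="bidirectional"
accelerate3d="on"
vrde="on"
vrdeauthtype="null"
usb="on"'

SAMPLE_HARDENED='name="build-box"
nic1="nat"
nic2="none"
clipboard="disabled"
accelerate3d="off"
vrde="on"
vrdeauthtype="external"
usb="off"'

# A non-zero exit means findings; the demo keeps going to show both samples.
for s in "$SAMPLE_RISKY" "$SAMPLE_HARDENED"; do
    printf '%s\n' "$s" | audit_vm || true
done
```

<para>Against a live host, pipe the real output in with
<computeroutput>VBoxManage showvminfo "$VM" --machinereadable | audit_vm</computeroutput>
and treat any WARN line as a decision to make deliberately, not a default to accept.</para>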
    <sect2>
      <title>Configuring and Using Authentication</title>

      <para>The following components of VirtualBox can use passwords for
      authentication:<itemizedlist>

        <listitem>
          <para>When using teleporting, passwords can optionally be used to
          protect a machine waiting to be teleported from unauthorized access.
          Note however that these passwords are stored <emphasis
          role="bold">unencrypted</emphasis> in the machine configuration XML
          and are therefore potentially readable on the host. See <xref
          linkend="teleporting" /> and <xref
          linkend="vboxmanage-modifyvm-teleport" />.</para>
        </listitem>

        <listitem>
          <para>When using remote iSCSI storage and the storage server
          requires authentication, a password can optionally be supplied with
          the <computeroutput>VBoxManage storageattach</computeroutput>
          command. Note however that this password is stored <emphasis
          role="bold">unencrypted</emphasis> in the machine configuration and
          is therefore potentially readable on the host. See <xref
          linkend="storage-iscsi" /> and <xref
          linkend="vboxmanage-storageattach" />.</para>
        </listitem>

        <listitem>
          <para>When using the VirtualBox web service to control a VirtualBox
          host remotely, connections to the web service are authenticated in
          various ways. This is described in detail in the VirtualBox Software
          Development Kit (SDK) reference; please see <xref
          linkend="VirtualBoxAPI" />.</para>
        </listitem>
      </itemizedlist></para>
    </sect2>

    <!--
    <sect2>
      <title>Configuring and Using Access Control</title>
    </sect2>

    <sect2>
      <title>Configuring and Using Security Audit</title>
    </sect2>

    <sect2>
      <title>Configuring and Using Other Security Features</title>
    </sect2>
    -->

    <sect2>
      <title>Potentially insecure operations</title>

      <para>The following features of VirtualBox can present security
      problems:<itemizedlist>
        <listitem>
          <para>Enabling 3D graphics via the Guest Additions exposes the host
          to additional security risks; see <xref
          linkend="guestadd-3d" />.</para>
        </listitem>

        <listitem>
          <para>When teleporting a machine, the data stream through which the
          machine's memory contents are transferred from one host to another
          is not encrypted. A third party with access to the network through
          which the data is transferred could therefore intercept that
          data, including any secrets held in guest memory at the time.</para>
        </listitem>

        <listitem>
          <para>When using the VirtualBox web service to control a VirtualBox
          host remotely, connections to the web service (through which the API
          calls are transferred via SOAP XML) are not encrypted, but use plain
          HTTP. This is a potential security risk, since credentials and API
          calls can be read and altered in transit. For details about the web
          service, please see <xref linkend="VirtualBoxAPI" />.</para>
        </listitem>

        <listitem>
          <para>All traffic sent over a UDP Tunnel network attachment is
          unencrypted. You can either encrypt it on the host network level (with
          IPsec), or use encrypted protocols in the guest network (such as
          SSH). The security properties are similar to bridged Ethernet.</para>
        </listitem>
      </itemizedlist></para>
    </sect2>

    <sect2>
      <title>Encryption</title>

      <para>The following components of VirtualBox use encryption to protect
      sensitive data:<itemizedlist>
        <listitem>
          <para>When using the VirtualBox extension pack provided by Oracle
          for VRDP remote desktop support, RDP data can optionally be
          encrypted. See <xref linkend="vrde-crypt" /> for details. Only
          the Enhanced RDP Security method (RDP5.2) with the TLS protocol
          provides a secure connection. Standard RDP Security (RDP4 and
          RDP5.1) is vulnerable to a man-in-the-middle attack.</para>
        </listitem>
      </itemizedlist></para>
    </sect2>
  </sect1>

  <!--
  <sect1>
    <title>Security Considerations for Developers</title>
  </sect1>
  -->

</chapter>