VirtualBox

source: vbox/trunk/doc/manual/en_US/user_Security.xml@ 38643

Last change on this file since 38643 was 38643, checked in by vboxsync, 13 years ago

doc/manual: more explanation which features can be deactivated in the Windows installer

  • Property svn:eol-style set to native
  • Property svn:keywords set to Author Date Id Revision
File size: 15.0 KB
Line 
1<?xml version="1.0" encoding="UTF-8"?>
2<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
3"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
4<chapter id="Security">
5 <title>Security guide</title>
6
7 <sect1>
8 <title>Overview</title>
9 <para>
10 </para>
11
12 <sect2>
13 <title>General Security Principles</title>
14
15 <para>The following principles are fundamental to using any application
16 securely.
17 <glosslist>
18 <glossentry>
19 <glossterm>Keep Software Up To Date</glossterm>
20 <glossdef>
21 <para>
22 One of the principles of good security practise is to keep all
23 software versions and patches up to date. Activate the VirtualBox
24 update notification to get notified when a new VirtualBox release
25 is available. When updating VirtualBox, do not forget to update
26 the Guest Additions. Keep the host operating system as well as the
27 guest operating system up to date.
28 </para>
29 </glossdef>
30 </glossentry>
31
32 <glossentry>
33 <glossterm>Restrict Network Access to Critical Services</glossterm>
34 <glossdef>
35 <para>
36 Use proper means, for instance a firewall, to protect your computer
37 and your guest(s) from accesses from the outside. Choosing the proper
38 networking mode for VMs helps to separate host networking from the
39 guest and vice versa.
40 </para>
41 </glossdef>
42 </glossentry>
43
44 <glossentry>
45 <glossterm>Follow the Principle of Least Privilege</glossterm>
46 <glossdef>
47 <para>
48 The principle of least privilege states that users should be given the
49 least amount of privilege necessary to perform their jobs. Always execute VirtualBox
50 as a regular user. We strongly discourage anyone from executing
51 VirtualBox with system privileges.
52 </para>
53 </glossdef>
54 </glossentry>
55
56 <glossentry>
57 <glossterm>Monitor System Activity</glossterm>
58 <glossdef>
59 <para>
60 System security builds on three pillars: good security protocols, proper
61 system configuration and system monitoring. Auditing and reviewing audit
62 records address the third requirement. Each component within a system
63 has some degree of monitoring capability. Follow audit advice in this
64 document and regularly monitor audit records.
65 </para>
66 </glossdef>
67 </glossentry>
68
69 <glossentry>
70 <glossterm>Keep Up To Date on Latest Security Information</glossterm>
71 <glossdef>
72 <para>
73 Oracle continually improves its software and documentation. Check this
74 note note yearly for revisions.
75 </para>
76 </glossdef>
77 </glossentry>
78
79 </glosslist>
80 </para>
81 </sect2>
82 </sect1>
83
84 <sect1>
85 <title>Secure Installation and Configuration</title>
86 </sect1>
87
88 <sect2>
89 <title>Installation Overview</title>
90 <para>
91 The VirtualBox base package should be downloaded only from a trusted source,
92 for instance the official website
93 <ulink url="http://www.virtualbox.org">http://www.virtualbox.org</ulink>.
94 The integrity of the package should be verified with the provided SHA256
95 checksum which can be found on the official website.
96 </para>
97 <para>
98 General VirtualBox installation instructions for the supported hosts
99 can be found in <xref linkend="installation"/>.
100 </para>
101 <para>
102 On Windows hosts, the installer allows to disable USB support, support
103 for bridged networking, support for host-only networking and the Python
104 language bindings, see <xref linkend="installation_windows"/>.
105 All these features are enabled by default but disabling some
106 of them could be appropriate if the corresponding functionality is not
107 required by any virtual machine. The Python language bindings are only
108 required if the VirtualBox API should be used by external Python
109 applications. In particular USB support and support
110 for the two networking modes induce the installation of Windows kernel
111 drivers at the host. Therefore disabling those selected features can
112 not only be used to restrict the user to a certain functionality but
113 also to minimize the surfaces provided to a potential attacker. </para>
114 <para>
115 The regular case is to install the complete VirtualBox package. The
116 installation must be done with system privileges. All VirtualBox binaries
117 should be executed as a regular user and never as a privileged user.
118 </para>
119 <para>
120 The Oracle VM VirtualBox extension pack provides additional features
121 and must be downloaded and installed separately, see
122 <xref linkend="intro-installing"/>. As for the base package, the SHA256
123 checksum of the extension pack should be verified. As the installation
124 requires system privileges, the VirtualBox GUI will ask for the system
125 password during the installation of the extension pack.
126 </para>
127 </sect2>
128
129 <sect2>
130 <title>Post Installation Configuration</title>
131 <para>
132 Normally there is no post installation configuration of VirtualBox components
133 required. However, on Solaris and Linux hosts it is necessary to configure
134 the proper permissions for users executing VMs and who should be able to
135 access certain host resources. For instance, Linux users must be member of
136 the <emphasis>vboxusers</emphasis> group to be able to pass USB devices to a
137 guest. If a serial host interface should be accessed from a VM, the proper
138 permissions must be granted to the user to be able to access that device.
139 The same applies to other resources like raw partitions, DVD/CD drives
140 and sound devices.
141 </para>
142 </sect2>
143
144 <sect1>
145 <title>Security Features</title>
146 <para>This section outlines the specific security mechanisms offered
147 by VirtualBox.</para>
148
149 <sect2>
150 <title>The Security Model</title>
151 <para>
152 One property of virtual machine monitors (VMMs) like VirtualBox is to encapsulate
153 a guest by executing it in a protected environment, a virtual machine,
154 running as a user process on the host operating system. The guest cannot
155 communicate directly with the hardware or other computers but only through
156 the VMM. The VMM provides emulated physical resources and devices to the
157 guest which are accessed by the guest operating system to perform the required
158 tasks. The VM settings control the resources provided to the guest, for example
159 the amount of guest memory or the number of guest processors, (see
160 <xref linkend="generalsettings"/>) and the enabled features for that guest
161 (for example remote control, certain screen settings and others).
162 </para>
163 </sect2>
164
165 <sect2>
166 <title>Secure Configuration of Virtual Machines</title>
167 <para>
168 Several aspects of a virtual machine configuration are subject to security
169 considerations.</para>
170
171 <sect3>
172 <title>Networking</title>
173 <para>
174 The default networking mode for VMs is NAT which means that
175 the VM acts like a computer behind a router, see
176 <xref linkend="network_nat"/>. The guest is part of a private
177 subnet belonging to this VM and the guest IP is not visible
178 from the outside. This networking mode works without
179 any additional setup and is sufficient for many purposes.
180 </para>
181 <para>
182 If bridged networking is used, the VM acts like a computer inside
183 the same network as the host, see <xref linkend="network_bridged"/>.
184 In this case, the guest has the same network access as the host and
185 a firewall might be necessary to protect other computers on the
186 subnet from a potential malicious guest as well as to protect the
187 guest from a direct access from other computers. In some cases it is
188 worth considering using a forwarding rule for a specific port in NAT
189 mode instead of using bridged networking.
190 </para>
191 <para>
192 Some setups do not require a VM to be connected to the public network
193 at all. Internal networking (see <xref linkend="network_internal"/>)
194 or host-only networking (see <xref linkend="network_hostonly"/>)
195 are often sufficient to connect VMs among each other or to connect
196 VMs only with the host but not with the public network.
197 </para>
198 </sect3>
199
200 <sect3>
201 <title>VRDP remote desktop authentication</title>
202 <para>When using the VirtualBox extension pack provided by Oracle
203 for VRDP remote desktop support, you can optionally use various
204 methods to configure RDP authentication. The "null" method is
205 very insecure and should be avoided in a public network.
206 See <xref linkend="vbox-auth" /> for details.</para>
207 </sect3>
208
209 <sect3>
210 <title>Clipboard</title>
211 <para>
212 The shared clipboard allows users to share data between the host and
213 the guest. Enabling the clipboard in "Bidirectional" mode allows
214 the guest to read and write the host clipboard. The "Host to guest"
215 mode and the "Guest to host" mode limit the access to one
216 direction. If the guest is able to access the host clipboard it
217 could also access sensitive data from the host which is shared over
218 the clipboard.
219 </para>
220 </sect3>
221
222 <sect3>
223 <title>3D graphics acceleration</title>
224 <para>Enabling 3D graphics via the Guest Additions exposes the host
225 to additional security risks; see <xref
226 linkend="guestadd-3d" />.</para>
227 </sect3>
228
229 <sect3>
230 <title>CD/DVD passthrough</title>
231 <para>Enabling CD/DVD passthrough allows the guest to perform advanced
232 operations on the CD/DVD drive, see <xref linkend="storage-cds"/>.
233 This could induce a security risk as a guest could overwrite data
234 on a CD/DVD medium.
235 </para>
236 </sect3>
237
238 <sect3>
239 <title>USB passthrough</title>
240 <para>
241 Passing USB devices to the guest provides the guest full access
242 to these devices, see <xref linkend="settings-usb"/>. For instance,
243 in addition to reading and writing the content of the partitions
244 of an external USB disk the guest will be also able to read and
245 write the partition table and hardware data of that disk.
246 </para>
247 </sect3>
248
249 </sect2>
250
251 <sect2>
252 <title>Configuring and Using Authentication</title>
253
254 <para>The following components of VirtualBox can use passwords for
255 authentication:<itemizedlist>
256
257 <listitem>
258 <para>When using teleporting, passwords can optionally be used to
259 protect a machine waiting to be teleported from unauthorized access.
260 Note however that these passwords are stored <emphasis
261 role="bold">unencrypted</emphasis> in the machine configuration XML
262 and therefore potentially readable on the host. See <xref
263 linkend="teleporting" /> and <xref
264 linkend="vboxmanage-modifyvm-teleport" />.</para>
265 </listitem>
266
267 <listitem>
268 <para>When using remote iSCSI storage and the storage server
269 requires authentication, a password can optionally be supplied with
270 the <computeroutput>VBoxManage storageattach</computeroutput>
271 command. Note however that this is stored <emphasis
272 role="bold">unencrypted</emphasis> in the machine configuration and
273 is therefore potentially readable on the host. See <xref
274 linkend="storage-iscsi" /> and <xref
275 linkend="vboxmanage-storageattach" />.</para>
276 </listitem>
277
278 <listitem>
279 <para>When using the VirtualBox web service to control a VirtualBox
280 host remotely, connections to the web service are authenticated in
281 various ways. This is described in detail in the VirtualBox Software
282 Development Kit (SDK) reference; please see <xref
283 linkend="VirtualBoxAPI" />.</para>
284 </listitem>
285 </itemizedlist></para>
286 </sect2>
287
288 <!--
289 <sect2>
290 <title>Configuring and Using Access Control</title>
291 </sect2>
292
293 <sect2>
294 <title>Configuring and Using Security Audit</title>
295 </sect2>
296
297 <sect2>
298 <title>Congiguring and Using Other Security Features</title>
299 </sect2>
300 -->
301
302 <sect2>
303 <title>Potentially insecure operations</title>
304
305 <para>The following features of VirtualBox can present security
306 problems:<itemizedlist>
307 <listitem>
308 <para>Enabling 3D graphics via the Guest Additions exposes the host
309 to additional security risks; see <xref
310 linkend="guestadd-3d" />.</para>
311 </listitem>
312
313 <listitem>
314 <para>When teleporting a machine, the data stream through which the
315 machine's memory contents are transferred from one host to another
316 is not encrypted. A third party with access to the network through
317 which the data is transferred could therefore intercept that
318 data.</para>
319 </listitem>
320
321 <listitem>
322 <para>When using the VirtualBox web service to control a VirtualBox
323 host remotely, connections to the web service (through which the API
324 calls are transferred via SOAP XML) are not encrypted, but use plain
325 HTTP. This is a potential security risk! For details about the web
326 service, please see <xref linkend="VirtualBoxAPI" />.</para>
327 </listitem>
328
329 <listitem>
330 <para>Traffic sent over a UDP Tunnel network attachment is not
331 encrypted. You can either encrypt it on the host network level (with
332 IPsec), or use encrypted protocols in the guest network (such as
333 SSH). The security properties are similar to bridged Ethernet.</para>
334 </listitem>
335 </itemizedlist></para>
336 </sect2>
337
338 <sect2>
339 <title>Encryption</title>
340
341 <para>The following components of VirtualBox use encryption to protect
342 sensitive data:<itemizedlist>
343 <listitem>
344 <para>When using the VirtualBox extension pack provided by Oracle
345 for VRDP remote desktop support, RDP data can optionally be
346 encrypted. See <xref linkend="vrde-crypt" /> for details. Only
347 the Enhanced RDP Security method (RDP5.2) with TLS protocol
348 provides a secure connection. Standard RDP Security (RDP4 and
349 RDP5.1) is vulnerable to a man-in-the-middle attack.</para>
350 </listitem>
351 </itemizedlist></para>
352 </sect2>
353 </sect1>
354
355 <!--
356 <sect1>
357 <title>Security Considerations for Developers</title>
358 </sect1>
359 -->
360
361</chapter>
Note: See TracBrowser for help on using the repository browser.

© 2024 Oracle Support Privacy / Do Not Sell My Info Terms of Use Trademark Policy Automated Access Etiquette