VirtualBox

source: vbox/trunk/doc/manual/en_US/user_Security.xml@ 42448

Last change on this file since 42448 was 42448, checked in by vboxsync, 12 years ago

doc/manual: explain the settings password options
  • Property svn:eol-style set to native
  • Property svn:keywords set to Author Date Id Revision
File size: 16.3 KB
Line 
1<?xml version="1.0" encoding="UTF-8"?>
2<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
3"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
4<chapter id="Security">
5 <title>Security guide</title>
6
7 <sect1>
8 <title>Overview</title>
9 <para>
10 </para>
11
12 <sect2>
13 <title>General Security Principles</title>
14
15 <para>The following principles are fundamental to using any application
16 securely.
17 <glosslist>
18 <glossentry>
19 <glossterm>Keep Software Up To Date</glossterm>
20 <glossdef>
21 <para>
22 One of the principles of good security practise is to keep all
23 software versions and patches up to date. Activate the VirtualBox
24 update notification to get notified when a new VirtualBox release
25 is available. When updating VirtualBox, do not forget to update
26 the Guest Additions. Keep the host operating system as well as the
27 guest operating system up to date.
28 </para>
29 </glossdef>
30 </glossentry>
31
32 <glossentry>
33 <glossterm>Restrict Network Access to Critical Services</glossterm>
34 <glossdef>
35 <para>
36 Use proper means, for instance a firewall, to protect your computer
37 and your guest(s) from accesses from the outside. Choosing the proper
38 networking mode for VMs helps to separate host networking from the
39 guest and vice versa.
40 </para>
41 </glossdef>
42 </glossentry>
43
44 <glossentry>
45 <glossterm>Follow the Principle of Least Privilege</glossterm>
46 <glossdef>
47 <para>
48 The principle of least privilege states that users should be given the
49 least amount of privilege necessary to perform their jobs. Always execute VirtualBox
50 as a regular user. We strongly discourage anyone from executing
51 VirtualBox with system privileges.
52 </para>
53 <para>
54 Choose restrictive permissions when creating configuration files,
55 for instance when creating /etc/default/virtualbox, see
56 <xref linkend="linux_install_opts"/>. Mode 0600 would be preferred.
57 </para>
58 </glossdef>
59 </glossentry>
60
61 <glossentry>
62 <glossterm>Monitor System Activity</glossterm>
63 <glossdef>
64 <para>
65 System security builds on three pillars: good security protocols, proper
66 system configuration and system monitoring. Auditing and reviewing audit
67 records address the third requirement. Each component within a system
68 has some degree of monitoring capability. Follow audit advice in this
69 document and regularly monitor audit records.
70 </para>
71 </glossdef>
72 </glossentry>
73
74 <glossentry>
75 <glossterm>Keep Up To Date on Latest Security Information</glossterm>
76 <glossdef>
77 <para>
78 Oracle continually improves its software and documentation. Check this
79 note note yearly for revisions.
80 </para>
81 </glossdef>
82 </glossentry>
83
84 </glosslist>
85 </para>
86 </sect2>
87 </sect1>
88
89 <sect1>
90 <title>Secure Installation and Configuration</title>
91 </sect1>
92
93 <sect2>
94 <title>Installation Overview</title>
95 <para>
96 The VirtualBox base package should be downloaded only from a trusted source,
97 for instance the official website
98 <ulink url="http://www.virtualbox.org">http://www.virtualbox.org</ulink>.
99 The integrity of the package should be verified with the provided SHA256
100 checksum which can be found on the official website.
101 </para>
102 <para>
103 General VirtualBox installation instructions for the supported hosts
104 can be found in <xref linkend="installation"/>.
105 </para>
106 <para>
107 On Windows hosts, the installer allows for disabling USB support, support
108 for bridged networking, support for host-only networking and the Python
109 language bindings, see <xref linkend="installation_windows"/>.
110 All these features are enabled by default but disabling some
111 of them could be appropriate if the corresponding functionality is not
112 required by any virtual machine. The Python language bindings are only
113 required if the VirtualBox API is to be used by external Python
114 applications. In particular USB support and support
115 for the two networking modes require the installation of Windows kernel
116 drivers on the host. Therefore disabling those selected features can
117 not only be used to restrict the user to certain functionality but
118 also to minimize the surface provided to a potential attacker. </para>
119 <para>
120 The general case is to install the complete VirtualBox package. The
121 installation must be done with system privileges. All VirtualBox binaries
122 should be executed as a regular user and never as a privileged user.
123 </para>
124 <para>
125 The Oracle VM VirtualBox extension pack provides additional features
126 and must be downloaded and installed separately, see
127 <xref linkend="intro-installing"/>. As for the base package, the SHA256
128 checksum of the extension pack should be verified. As the installation
129 requires system privileges, VirtualBox will ask for the system
130 password during the installation of the extension pack.
131 </para>
132 </sect2>
133
134 <sect2>
135 <title>Post Installation Configuration</title>
136 <para>
137 Normally there is no post installation configuration of VirtualBox components
138 required. However, on Solaris and Linux hosts it is necessary to configure
139 the proper permissions for users executing VMs and who should be able to
140 access certain host resources. For instance, Linux users must be member of
141 the <emphasis>vboxusers</emphasis> group to be able to pass USB devices to a
142 guest. If a serial host interface should be accessed from a VM, the proper
143 permissions must be granted to the user to be able to access that device.
144 The same applies to other resources like raw partitions, DVD/CD drives
145 and sound devices.
146 </para>
147 </sect2>
148
149 <sect1>
150 <title>Security Features</title>
151 <para>This section outlines the specific security mechanisms offered
152 by VirtualBox.</para>
153
154 <sect2>
155 <title>The Security Model</title>
156 <para>
157 One property of virtual machine monitors (VMMs) like VirtualBox is to encapsulate
158 a guest by executing it in a protected environment, a virtual machine,
159 running as a user process on the host operating system. The guest cannot
160 communicate directly with the hardware or other computers but only through
161 the VMM. The VMM provides emulated physical resources and devices to the
162 guest which are accessed by the guest operating system to perform the required
163 tasks. The VM settings control the resources provided to the guest, for example
164 the amount of guest memory or the number of guest processors, (see
165 <xref linkend="generalsettings"/>) and the enabled features for that guest
166 (for example remote control, certain screen settings and others).
167 </para>
168 </sect2>
169
170 <sect2>
171 <title>Secure Configuration of Virtual Machines</title>
172 <para>
173 Several aspects of a virtual machine configuration are subject to security
174 considerations.</para>
175
176 <sect3>
177 <title>Networking</title>
178 <para>
179 The default networking mode for VMs is NAT which means that
180 the VM acts like a computer behind a router, see
181 <xref linkend="network_nat"/>. The guest is part of a private
182 subnet belonging to this VM and the guest IP is not visible
183 from the outside. This networking mode works without
184 any additional setup and is sufficient for many purposes.
185 </para>
186 <para>
187 If bridged networking is used, the VM acts like a computer inside
188 the same network as the host, see <xref linkend="network_bridged"/>.
189 In this case, the guest has the same network access as the host and
190 a firewall might be necessary to protect other computers on the
191 subnet from a potential malicious guest as well as to protect the
192 guest from a direct access from other computers. In some cases it is
193 worth considering using a forwarding rule for a specific port in NAT
194 mode instead of using bridged networking.
195 </para>
196 <para>
197 Some setups do not require a VM to be connected to the public network
198 at all. Internal networking (see <xref linkend="network_internal"/>)
199 or host-only networking (see <xref linkend="network_hostonly"/>)
200 are often sufficient to connect VMs among each other or to connect
201 VMs only with the host but not with the public network.
202 </para>
203 </sect3>
204
205 <sect3>
206 <title>VRDP remote desktop authentication</title>
207 <para>When using the VirtualBox extension pack provided by Oracle
208 for VRDP remote desktop support, you can optionally use various
209 methods to configure RDP authentication. The "null" method is
210 very insecure and should be avoided in a public network.
211 See <xref linkend="vbox-auth" /> for details.</para>
212 </sect3>
213
214 <sect3 id="security_clipboard">
215 <title>Clipboard</title>
216 <para>
217 The shared clipboard allows users to share data between the host and
218 the guest. Enabling the clipboard in "Bidirectional" mode allows
219 the guest to read and write the host clipboard. The "Host to guest"
220 mode and the "Guest to host" mode limit the access to one
221 direction. If the guest is able to access the host clipboard it
222 can also potentially access sensitive data from the host which is
223 shared over the clipboard.
224 </para>
225 <para>
226 If the guest is able to read from and/or write to the host clipboard
227 then a remote user connecting to the guest over the network will also
228 gain this ability, which may not be desirable. As a consequence, the
229 shared clipboard is disabled for new machines.
230 </para>
231 </sect3>
232
233 <sect3>
234 <title>Shared folders</title>
235 <para>If any host folder is shared with the guest then a remote
236 user connected to the guest over the network can access
237 these files too as the folder sharing mechanism cannot be
238 selectively disabled for remote users.
239 </para>
240 </sect3>
241
242 <sect3>
243 <title>3D graphics acceleration</title>
244 <para>Enabling 3D graphics via the Guest Additions exposes the host
245 to additional security risks; see <xref
246 linkend="guestadd-3d" />.</para>
247 </sect3>
248
249 <sect3>
250 <title>CD/DVD passthrough</title>
251 <para>Enabling CD/DVD passthrough allows the guest to perform advanced
252 operations on the CD/DVD drive, see <xref linkend="storage-cds"/>.
253 This could induce a security risk as a guest could overwrite data
254 on a CD/DVD medium.
255 </para>
256 </sect3>
257
258 <sect3>
259 <title>USB passthrough</title>
260 <para>
261 Passing USB devices to the guest provides the guest full access
262 to these devices, see <xref linkend="settings-usb"/>. For instance,
263 in addition to reading and writing the content of the partitions
264 of an external USB disk the guest will be also able to read and
265 write the partition table and hardware data of that disk.
266 </para>
267 </sect3>
268
269 </sect2>
270
271 <sect2>
272 <title>Configuring and Using Authentication</title>
273
274 <para>The following components of VirtualBox can use passwords for
275 authentication:<itemizedlist>
276
277 <listitem>
278 <para>When using remote iSCSI storage and the storage server
279 requires authentication, an initiator secret can optionally be supplied
280 with the <computeroutput>VBoxManage storageattach</computeroutput>
281 command. As long as no settings password is provided (command line
282 option <screen>--settingspwfile</screen>, this secret is
283 stored <emphasis role="bold">unencrypted</emphasis> in the machine
284 configuration and is therefore potentially readable on the host.
285 See <xref
286 linkend="storage-iscsi" /> and <xref
287 linkend="vboxmanage-storageattach" />.</para>
288 </listitem>
289
290 <listitem>
291 <para>When using the VirtualBox web service to control a VirtualBox
292 host remotely, connections to the web service are authenticated in
293 various ways. This is described in detail in the VirtualBox Software
294 Development Kit (SDK) reference; please see <xref
295 linkend="VirtualBoxAPI" />.</para>
296 </listitem>
297 </itemizedlist></para>
298 </sect2>
299
300 <!--
301 <sect2>
302 <title>Configuring and Using Access Control</title>
303 </sect2>
304
305 <sect2>
306 <title>Configuring and Using Security Audit</title>
307 </sect2>
308
309 <sect2>
310 <title>Congiguring and Using Other Security Features</title>
311 </sect2>
312 -->
313
314 <sect2>
315 <title>Potentially insecure operations</title>
316
317 <para>The following features of VirtualBox can present security
318 problems:<itemizedlist>
319 <listitem>
320 <para>Enabling 3D graphics via the Guest Additions exposes the host
321 to additional security risks; see <xref
322 linkend="guestadd-3d" />.</para>
323 </listitem>
324
325 <listitem>
326 <para>When teleporting a machine, the data stream through which the
327 machine's memory contents are transferred from one host to another
328 is not encrypted. A third party with access to the network through
329 which the data is transferred could therefore intercept that
330 data. An SSH tunnel could be used to secure the connection between
331 the two hosts. But when considering teleporting a VM over an untrusted
332 network the first question to answer is how both VMs can securely
333 access the same virtual disk image(s) with a reasonable performance. </para>
334 </listitem>
335
336 <listitem>
337 <para>When using the VirtualBox web service to control a VirtualBox
338 host remotely, connections to the web service (through which the API
339 calls are transferred via SOAP XML) are not encrypted, but use plain
340 HTTP by default. This is a potential security risk! For details about
341 the web service, please see <xref linkend="VirtualBoxAPI" />.</para>
342 <para>The web services are not started by default. Please refer to
343 <xref linkend="vboxwebsrv-daemon"/> to find out how to start this
344 service and how to enable SSL/TLS support. It has to be started as
345 a regular user and only the VMs of that user can be controled. By
346 default, the service binds to localhost preventing any remote connection.</para>
347 </listitem>
348
349 <listitem>
350 <para>Traffic sent over a UDP Tunnel network attachment is not
351 encrypted. You can either encrypt it on the host network level (with
352 IPsec), or use encrypted protocols in the guest network (such as
353 SSH). The security properties are similar to bridged Ethernet.</para>
354 </listitem>
355 </itemizedlist></para>
356 </sect2>
357
358 <sect2>
359 <title>Encryption</title>
360
361 <para>The following components of VirtualBox use encryption to protect
362 sensitive data:<itemizedlist>
363 <listitem>
364 <para>When using the VirtualBox extension pack provided by Oracle
365 for VRDP remote desktop support, RDP data can optionally be
366 encrypted. See <xref linkend="vrde-crypt" /> for details. Only
367 the Enhanced RDP Security method (RDP5.2) with TLS protocol
368 provides a secure connection. Standard RDP Security (RDP4 and
369 RDP5.1) is vulnerable to a man-in-the-middle attack.</para>
370 </listitem>
371 </itemizedlist></para>
372 </sect2>
373 </sect1>
374
375 <!--
376 <sect1>
377 <title>Security Considerations for Developers</title>
378 </sect1>
379 -->
380
381</chapter>
Note: See TracBrowser for help on using the repository browser.

© 2024 Oracle Support Privacy / Do Not Sell My Info Terms of Use Trademark Policy Automated Access Etiquette