Restricting Shared Drives under Windows Virtual PC


When it comes to minimizing the potential for malicious software running in a virtual machine to affect your physical computer, there are two golden rules to follow:

  • Secure the virtual machine just like you would a physical computer.  This means installing antivirus / anti-malware software, configuring firewalls, regularly installing updates, etc…

  • Reduce the potential paths for the virtual machine to access your physical computer.

In the latter category there are three common paths:

  • Standard networking.  Here the risk is no greater (or lesser) than if you had a separate computer connected to the same network.

  • Clipboard sharing.  When integration components are enabled, any data that is put into the virtual machine's clipboard is automatically copied to the physical computer's clipboard (and vice versa).  The potential for risk here is relatively low – but if it is a concern for you – you can easily disable this feature under the virtual machine settings.

  • Shared Drives.  Shared drives allow the virtual machine to access the drives of the physical computer – without needing a network connection to be present.  This functionality is critical for most people who use Virtual PC – but it is also an obvious path for malicious software to get to data on the physical computer from inside the virtual machine.  As such I would like to spend some time talking about how to restrict this functionality appropriately.

The first thing to know is that you can configure drive sharing so that only specific drives are shared:

 [Screenshot: integration settings]

You should always make sure that this setting is configured appropriately for your environment. 

But what if you do not want to share an entire drive?  What if you just want to share a single folder? 

Well, I have found a handy method to do just this.  It is a little cheesy, but it allows you to drastically reduce the surface area that is exposed.  Basically – what you need to do is to create the folder that you want to share, open a command prompt, and run the following command:

subst j: c:\MySharedFolder

This creates a “virtual” drive that points to the folder you created (in this case I am mapping “C:\MySharedFolder” to J: – but obviously you can use any drive letter or folder that you want to use).  You can then map this drive into the virtual machine:

Cheers,
Ben
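
A script form of the subst step above, added here as an example (it is not from the original post). It reuses the post's sample folder and drive letter, refuses to take a letter that is already in use, and lists junctions or symbolic links inside the folder, since those lead back out of the one folder you meant to expose.

```powershell
# Added example, not from the original post. Folder and letter are the post's
# sample values; change them for your host.
$Folder = 'C:\MySharedFolder'
$Letter = 'J'

# Create the folder to be exposed if it is not there yet.
if (-not (Test-Path -Path $Folder -PathType Container)) {
    New-Item -ItemType Directory -Path $Folder | Out-Null
}

# Do not silently take over a letter that already maps a disk, share or subst.
$inUse = [IO.DriveInfo]::GetDrives() | Where-Object { $_.Name -eq "${Letter}:\" }
if ($inUse) {
    throw "${Letter}: is already in use. Pick another letter or run: subst ${Letter}: /d"
}

# A junction or symbolic link inside the folder leads back out of it,
# so report any before the folder is handed to a virtual machine.
$links = Get-ChildItem -Path $Folder -Recurse -Force |
    Where-Object { $_.Attributes -band [IO.FileAttributes]::ReparsePoint }
if ($links) {
    Write-Warning "Reparse points found under ${Folder}:"
    $links | ForEach-Object { Write-Warning $_.FullName }
}

# Map the folder to the drive letter, exactly as in the post.
subst "${Letter}:" $Folder
if ($LASTEXITCODE -ne 0) {
    throw "subst failed with exit code $LASTEXITCODE"
}

# List the active subst mappings to confirm the new one is present.
subst
```

A subst mapping belongs to the logon session that created it and is gone after logoff or reboot, so run this in the same non-elevated session that starts Virtual PC and re-run it after each logon. `subst J: /d` removes the mapping.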

  • "Reduce the potential paths for the virtual machine to access your physical computer" In such a case, putting back drag and drop should be more secure than folder sharing right? PLEASE PUT IT BACK!

  • You guys are really slacking... I mean, how hard is it to share by folder?

    VMware allows me to share any number of folders and set some as read-only if need be. That is much more useful in terms of exposing only what I want, especially to untrusted VMs. In the old days of Virtual PC on the Mac, you know, before Microsoft dropped it as too much effort for a market that they couldn't be certain they could dominate, it supported sharing by folder rather than just drive. I thought the early PC port was the same, but I guess the interface was too hard to maintain so it went the way of the floppy drive or something.

    Also, your kludge sucks. Your host can only have 26 drive letters. A and B are basically dead unless you have a floppy. C is pretty much taken and most people have some optical. So, max 22 is a reasonable assumption, which are then divided amongst all removable media (or slots, last time I attached a multi-format flash reader to Windows it used 4 letters, 1 per slot), all network drives, and all your subst remounts. Those drive letters will get used up very fast with multiple VMs each with multiple folders.

  • powershell / not a slacker -

    Yup, I agree that it would be great to have drag-and-drop back as well as the ability to share just a folder.  

    The reason why these changes have happened is because we have moved to using the Remote Desktop code for virtual machine integration - which was not completely at parity with the old Virtual PC functionality.

    That said - the old folder sharing code had a lot of reliability / functionality issues - and I have found the Remote Desktop disk sharing to be a lot more reliable.

    Cheers,

    Ben

  • I know this is off topic, but I need help. I upgraded to Windows 7 from Vista; however, I cannot see VP in Programs and Features. When I install VP 2007, it says that it is not compatible with Windows 7. I have been looking for a solution for some time. I would like to install Windows 2008 server on my laptop, which is upgraded to Windows 7. I would like to use VPC or Virtual Server; please let me know what I can do. I signed up for the Microsoft WebSpark program. I would like to develop asp.net, sharepoint service on virtual machines.

    Thanks in advance!

  • Too bad the JOIN.EXE command no longer exists. That would have allowed access to a drive as a directory of the virtual machine.

  • The method described here allows copying files between the Windows 7 and Windows XP, but how do you access Windows 7 files from a Windows XP command prompt?

  • I found out how to do the above using Tools/"Map Network Drive" in Windows Explorer on Windows XP.  What I haven't figured out how to do is how to access the files in Windows XP from Windows 7.

  • In my case I'm not seeing the host drives.  I just see System Folder type.  Does anybody know?

  • I have the same problem, can't see host drives? I have checked c:\ in settings on my virtual pc, but when I restart it does not see my host drive. Very strange?

  • I have a hard time seeing how Microsoft could have released Windows Virtual PC at all. The product does not even rate Beta quality. The integration features are totally broken. On four or five separate guests I have been unable to get any integration features to work at all. The help doesn't actually match the product. Mapping USB drives blue screens the guest. It fails to understand the difference between credentials on the guest and credentials on the host (no, the domain admin account from the host won't work on a non-domain joined guest). Video performance is about 1/4 of that in VPC 2007. Other than hitting the arbitrary holiday season cut-off, what exactly was the shipping criteria for this product?

  • There's one part I don't understand. With traditional RDP (using mstsc), I can copy-n-paste files between local and remote. But with Virtual PC, I can't copy-n-paste files between host and VM if I don't have my system drive shared.

    Is there a reason for this restriction?

  • We are trying to lock down our Windows XP Mode virtual machine.  How can you hide the toolbar when the machine is launched that allows the end user (non-admin) to make changes.  I know in Virtual PC 2007, under display you can hide the menu bar and status bar and then prevent non-admins from making changes (http://blogs.msdn.com/virtual_pc_guy/archive/2006/05/22/602866.aspx) per your instructions.  I cannot for the life of me figure out how to do this in Windows Virtual PC. I want the end user to boot the guest OS and have no interaction with the host machine.
