Virtual PC Guy's Blog

-- Ben Armstrong, Virtualization Program Manager

Talking about core virtualization at Microsoft (Hyper-V, Virtual PC and Virtual Server).

Restricting Shared Drives under Windows Virtual PC

When it comes to minimizing the potential for malicious software running in a virtual machine to affect your physical computer, there are two golden rules to follow:

  • Secure the virtual machine just like you would a physical computer.  This means installing antivirus / anti-malware software, configuring firewalls, regularly installing updates, etc…

  • Reduce the potential paths for the virtual machine to access your physical computer.

In the latter category there are three common paths:

  • Standard networking.  Here the risk is no greater (or lesser) than if you had a separate computer connected to the same network.

  • Clipboard sharing.  When integration components are enabled, any data that is put into the virtual machine's clipboard is automatically copied to the physical computer's clipboard (and vice versa).  The potential for risk here is relatively low – but if it is a concern for you – you can easily disable this feature under the virtual machine settings.

  • Shared Drives.  Shared drives allow the virtual machine to access the drives of the physical computer – without needing a network connection to be present.  This functionality is critical for most people who use Virtual PC – but it is also an obvious path for malicious software to get to data on the physical computer from inside the virtual machine.  As such I would like to spend some time talking about how to restrict this functionality appropriately.

The first thing to know is that you can configure drive sharing so that only specific drives are shared:

[Image: integration]

You should always make sure that this setting is configured appropriately for your environment. 

But what if you do not want to share an entire drive?  What if you just want to share a single folder? 

Well, I have found a handy method to do just this.  It is a little cheesy, but it allows you to drastically reduce the surface area that is exposed.  Basically – what you need to do is to create the folder that you want to share, open a command prompt, and run the following command:

subst j: c:\MySharedFolder

This creates a “virtual” drive that points to the folder you created (in this case I am mapping “C:\MySharedFolder” to J: – but obviously you can use any drive letter or folder that you want to use).  You can then map this drive into the virtual machine:

Cheers,
Ben

Published Wednesday, November 04, 2009 8:53 PM by Virtual PC Guy
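
The subst step described in the post, as an added PowerShell example that is not part of the original post. It uses the post's folder and drive letter, and adds two checks of its own: that the letter is free, and that the folder contains no junctions or symbolic links that would lead outside it.

```powershell
# Added example: folder path and drive letter follow the post's subst example.
$Folder = 'C:\MySharedFolder'
$Letter = 'J'
$Root   = "${Letter}:\"

# Create the folder to be shared if it does not exist yet.
if (-not (Test-Path -LiteralPath $Folder -PathType Container)) {
    New-Item -ItemType Directory -Path $Folder | Out-Null
}

# Refuse to shadow a drive letter that is already assigned on the host.
if ([System.IO.Directory]::GetLogicalDrives() -contains $Root) {
    throw "Drive $Root is already in use; choose another letter."
}

# Junctions and symbolic links are resolved by the host file system, so one
# inside the folder would expose data outside it. Stop if any are present.
$links = @(Get-ChildItem -LiteralPath $Folder -Recurse -Force |
    Where-Object { $_.Attributes -band [System.IO.FileAttributes]::ReparsePoint })
if ($links.Count -gt 0) {
    $links | ForEach-Object { Write-Warning "Reparse point: $($_.FullName)" }
    throw "Remove the links listed above before sharing $Folder."
}

# Create the virtual drive, as in the post.
subst "${Letter}:" $Folder
if ($LASTEXITCODE -ne 0) { throw "subst failed with exit code $LASTEXITCODE" }

# subst with no arguments lists mappings as 'J:\: => C:\MySharedFolder'.
$expected = "${Root}: => $Folder"
if (@(subst) -notcontains $expected) {
    throw "Mapping not found in subst output: $expected"
}
Write-Output "Share only $Root with the virtual machine. Remove with: subst ${Letter}: /D"
```

A subst mapping does not survive a reboot, so the script has to be run again before the virtual machine is started in a new session.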

Comments

# re: Restricting Shared Drives under Windows Virtual PC

"Reduce the potential paths for the virtual machine to access your physical computer" In such a case, putting back drag and drop should be more secure than folder sharing right? PLEASE PUT IT BACK!

Thursday, November 05, 2009 7:12 AM by powershell

# re: Restricting Shared Drives under Windows Virtual PC

You guys are really slacking... I mean, how hard is it to share by folder?

VMware allows me to share any number of folders and set some as read-only if need be. That is much more useful in terms of exposing only what I want, especially to untrusted VMs. In the old days of Virtual PC on the Mac, you know before Microsoft dropped it was too much effort for a market that they couldn't be certain they could dominate, it supported sharing by folder rather than just drive. I thought the early PC port was the same, but I guess the interface was too hard to maintain so it went the way of the floppy drive or something.

Also, your kludge sucks. Your host can only have 26 drive letters. A and B are basically dead unless you have a floppy. C is pretty much taken and most people have some optical. So, max 22 is a reasonable assumption, which are then divided amongst all removable media (or slots, last time I attached a multi-format flash reader to Windows it used 4 letters, 1 per slot), all network drives, and all your subst remounts. Those drive letters will get used up very fast with multiple VMs each with multiple folders.

Thursday, November 05, 2009 9:13 AM by not a slacker

# re: Restricting Shared Drives under Windows Virtual PC

powershell / not a slacker -

Yup, I agree that it would be great to have drag-and-drop back as well as the ability to share just a folder.  

The reason why these changes have happened is because we have moved to using the Remote Desktop code for virtual machine integration - which was not completely at parity with the old Virtual PC functionality.

That said - the old folder sharing code had a lot of reliability / functionality issues - and I have found the Remote Desktop disk sharing to be a lot more reliable.

Cheers,

Ben

Tuesday, November 10, 2009 2:47 AM by Virtual PC Guy

# re: Restricting Shared Drives under Windows Virtual PC

I know this is off topic, but I need help. I upgraded to Windows 7 from Vista; however, I cannot see VP in Programs and Features. When I install VP 2007, it says that it is not compatible with Windows 7. I have been looking for a solution for some time. I would like to install Windows 2008 Server on my laptop, which is upgraded to Windows 7. I would like to use VPC or Virtual Server, please let me know what I can do. I signed up for the Microsoft WebSpark program, and I would like to develop ASP.NET and SharePoint services on virtual machines.

Thanks in advance!

Monday, November 16, 2009 7:10 AM by Yuwen

# re: Restricting Shared Drives under Windows Virtual PC

Too bad the JOIN.EXE command no longer exists. That would have allowed access to a drive as a directory of the virtual machine.

Thursday, November 19, 2009 5:47 AM by Michel

# re: Restricting Shared Drives under Windows Virtual PC

The method described here allows copying files between the Windows 7 and Windows XP, but how do you access Windows 7 files from a Windows XP command prompt?

Wednesday, December 02, 2009 4:06 PM by Samuel Figueroa

# re: Restricting Shared Drives under Windows Virtual PC

I found out how to do the above using Tools/"Map Network Drive" in Windows Explorer on Windows XP.  What I haven't figured out how to do is how to access the files in Windows XP from Windows 7.

Thursday, December 03, 2009 11:55 AM by Samuel Figueroa
