This page has been converted to an itinfo article. To avoid version skew, please contact aurora@mit.edu with any changes

Overview

We strongly recommend treating each virtual machine as if it was a physical machine for most activities. Virtual machines are vulnerable to most of the same things as physical machines including data loss/corruption, hardware failures, viruses, and hackers. Install and use virus scanning software. Take regular updates to your operating system, preferably via an automatic update system. Make regular backups of important data. Follow the recommended best practices for your guest operating system. In most cases, simply treat your virtual workstation as you would any other machine.

Best Practices 

  • Don't register a virtual machine for DHCP on wireless.
  • When copying or backing up a VM image:
    • Make sure the virtual machine is powered off.
    • Do not copy the lockfile directory (the only subdirectory that ends in ".lck").
  • When restoring from backup use move, not copy.  This prevents issues with duplicate Mac Addresses on the same network.
  • Treat each VM as a standalone computer for security purposes.  Install virus scanning software.  Take regular OS updates.
  • Enable "Time synchronization between the virtual machine and the host operating system" via the VMware Tools installed on the virtual machine.
  • Networking: use NAT Networking.  This should be the default setting for your virtual machines.
    Advanced users, particularly running Linux guests, may discover they want or need to deal with the additional complexity of setting up a Bridged network interface.
  • Carefully plan your disk allocations. Do not over-allocate your disk. It is dangerous to tell VMware to make images that, if they all grew to their full size, would take up more disk space than you have free. If this happens, VMware may pop up an alert warning you when you're about to use up more space than you have. That would give you a chance to free up disk space or exit cleanly. We don't recommend relying on the warning. There's no guarantee it will appear before bad things (data loss or corruption) happen.

Backups 

The importance of backing up your data cannot be stressed enough.  Virtual machines are at just as much risk, if not more, for data loss due to hardware failure, file corruption, system compromise, and other events.  If data loss happens, a backup can make a world of difference in recovering from such an event.  How you use your virtual machine will determine the best way to do backups for your virtual machines. 

  1. You have important software/data in the VM (research, data, etc) - Install TSM within your virtual machine and have it run regular backups of the data within your virtual machine.  This method does not preserve your virtual machine, just the data within it.
  2. Your VM is an appliance- We recommend that the sys admin manually makes backups.  Drag and copy it somewhere (IE: an external drive). Exclude your VM files from regular backups via TSM.  See items 2 and 3 below for reasons.  For more information, see: Q. I want to make a backup/copy of my virtual machine. What is the best way to do so?

Things to note regarding virtual machine backups:

  1. A virtual machine image is actually comprised of several files.  All of those have to be in sync or behavior is erratic.
  2. From outside the virtual machine (host machine), if a backup is made when the virtual machine is running, the results are inconsistent.  Backup your virtual machine files on the host machine when the virtual machine is not running.
  3. To backup virtual machines using Mac OS X 10.5's Time Machine, users will need to be running Mac OS X 10.5.2 or later.  When backed up using Time Machine, virtual machines are duplicated and may take up considerable space on your backup drive.

Security Recommendations

 We strongly recommend you treat each virtual machine as though it is a real machine for the purposes of security.

  • Install Anti-Virus Software
    While MIT does its best to prevent virus attacks, no computer is immune to them. To encourage protection of your computer, MIT provides anti-virus software for free.
    For more information about virus protection at MIT, see: http://web.mit.edu/ist/topics/virus/.
  • Utilize Anti-Spyware Software
    While virus protection software offers some protection from spyware, we recommend using MS Defender on your Windows virtual machines for additional protection.  For more information about spyware, see: Dealing with Spyware and Other Malware
  • Choose Strong Passwords
    Weak passwords can be guessed, thus giving someone else access to your files and your system. Create passwords that are at least eight
    characters long, containing numbers, upper and lower case letters, and symbols. More information on creating strong passwords can be found at
    http://web.mit.edu/ist/topics/network/passwords.html.
  • Follow Security Recommendations
    IS&T provides platform-specific security recommendations to address security concerns with each operating system.  See: Security Recommendations by Platform
  • Keep your Operating Systems Updated
    It is equally important to keep your host and virtual operating systems updated as compromises can occur in either kind of system.  Install operating system security updates to keep your system current and protected from known vulnerabilities.  We strongly recommend utilizing automatic updates, but note that virtual systems can only take updates when they are running.  If your virtual system has not been started in some time (or is rarely left running long enough to take an update), we recommend you run a manual update as soon as you start your virtual system.  For more information, see: MIT Windows Automatic Update Service  Red Hat Network and Update Services: Macintosh
  • Maintain Like Risk Postures for All Machines (Virtual and Host)
    Your system is only as secure as the least secure virtual or host machine.  All guests on a host machine should have like risk posture - same level of accessibility, data sensitivity and level of protection.  If the any guest is more vulnerable than other guests or your host, it could be an entry to compromise the rest of your system. 
  • Limit Host Access
    Access to the host should be limited (firewalled off).
  • Snapshots of Virtual Machines
    When taking a snapshot of a virtual machine and then branching off, make sure to save the image at the instance before the branch (the trunk) rather than at the branch level to ensure security patches are most up to date.

Security Risks Specific to Virtual Machines

While virtual machines are at risk of all the same things as any other machine, you should be aware of a few additional issues.

  • If a host is compromised, scripts can be run on the host that can interact with the guest at whatever privilege level the guest is logged in as. This can result in malicious trojans being installed on the host and guest machines.
  • A virtual machine that is not virus protected, compromised, and in a shared networking configuration can be used by an attacker to scan both the private and public address spaces. The other virtual machines on the host (if not patched) can also be exploited via the network, so a software firewall on each of the guests is recommended.
  • (Enterprise version) When turning on shared folders, they can be accessed through a compromised guest.  Files can then be placed on the host and attackers can access other guests' file systems.
  • No labels