user_Security.xml revision 91b3ad12b6cac90efc3b65eeffba7241cdb15eda
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<chapter id="Security">
  <title>Security guide</title>

  <sect1>
    <title>Overview</title>

    <sect2>
      <title>General Security Principles</title>

      <para>The following principles are fundamental to using any application
      securely.
      <glosslist>
        <glossentry>
          <glossterm>Keep Software Up To Date</glossterm>
          <glossdef>
            <para>
              One of the principles of good security practice is to keep all
              software versions and patches up to date. Activate the VirtualBox
              update notification to get notified when a new VirtualBox release
              is available. When updating VirtualBox, do not forget to update
              the Guest Additions. Keep the host operating system as well as the
              guest operating system up to date.
            </para>
          </glossdef>
        </glossentry>

        <glossentry>
          <glossterm>Restrict Network Access to Critical Services</glossterm>
          <glossdef>
            <para>
              Use proper means, for instance a firewall, to protect your computer
              and your guest(s) from access from the outside. Choosing the proper
              networking mode for VMs helps to separate host networking from the
              guest and vice versa.
            </para>
          </glossdef>
        </glossentry>

        <glossentry>
          <glossterm>Follow the Principle of Least Privilege</glossterm>
          <glossdef>
            <para>
              The principle of least privilege states that users should be given the
              least amount of privilege necessary to perform their jobs. Always execute
              VirtualBox as a regular user. We strongly discourage anyone from executing
              VirtualBox with system privileges.
            </para>
            <para>
              Choose restrictive permissions when creating configuration files,
              for instance when creating /etc/default/virtualbox, see
              <xref linkend="linux_install_opts"/>. Mode 0600 is preferred.
            </para>
          </glossdef>
        </glossentry>

        <glossentry>
          <glossterm>Monitor System Activity</glossterm>
          <glossdef>
            <para>
              System security builds on three pillars: good security protocols, proper
              system configuration and system monitoring. Auditing and reviewing audit
              records address the third requirement. Each component within a system
              has some degree of monitoring capability. Follow the audit advice in this
              document and regularly monitor audit records.
            </para>
          </glossdef>
        </glossentry>

        <glossentry>
          <glossterm>Keep Up To Date on Latest Security Information</glossterm>
          <glossdef>
            <para>
              Oracle continually improves its software and documentation. Check this
              note yearly for revisions.
            </para>
          </glossdef>
        </glossentry>

      </glosslist>
      </para>
    </sect2>
  </sect1>

  <sect1>
    <title>Secure Installation and Configuration</title>

    <sect2>
      <title>Installation Overview</title>
      <para>
        The VirtualBox base package should be downloaded only from a trusted source,
        for instance the official website
        <ulink url="http://www.virtualbox.org">http://www.virtualbox.org</ulink>.
        The integrity of the package should be verified with the provided SHA256
        checksum which can be found on the official website.
      </para>
      <para>
        General VirtualBox installation instructions for the supported hosts
        can be found in <xref linkend="installation"/>.
      </para>
      <para>
        On Windows hosts, the installer allows for disabling USB support, support
        for bridged networking, support for host-only networking and the Python
        language bindings, see <xref linkend="installation_windows"/>.
        All these features are enabled by default but disabling some
        of them could be appropriate if the corresponding functionality is not
        required by any virtual machine. The Python language bindings are only
        required if the VirtualBox API is to be used by external Python
        applications. In particular, USB support and support
        for the two networking modes require the installation of Windows kernel
        drivers on the host. Therefore disabling those features not only
        restricts the user to certain functionality but also minimizes the
        attack surface exposed to a potential attacker.
      </para>
      <para>
        The general case is to install the complete VirtualBox package. The
        installation must be done with system privileges. All VirtualBox binaries
        should be executed as a regular user and never as a privileged user.
      </para>
      <para>
        The Oracle VM VirtualBox extension pack provides additional features
        and must be downloaded and installed separately, see
        <xref linkend="intro-installing"/>. As for the base package, the SHA256
        checksum of the extension pack should be verified. As the installation
        requires system privileges, VirtualBox will ask for the system
        password during the installation of the extension pack.
      </para>
    </sect2>

    <sect2>
      <title>Post Installation Configuration</title>
      <para>
        Normally there is no post installation configuration of VirtualBox components
        required. However, on Solaris and Linux hosts it is necessary to configure
        the proper permissions for users executing VMs and who should be able to
        access certain host resources. For instance, Linux users must be members of
        the <emphasis>vboxusers</emphasis> group to be able to pass USB devices to a
        guest. If a host serial interface is to be accessed from a VM, the user must
        be granted the permissions needed to access that device.
        The same applies to other resources like raw partitions, DVD/CD drives
        and sound devices.
      </para>
    </sect2>
  </sect1>

  <sect1>
    <title>Security Features</title>
    <para>This section outlines the specific security mechanisms offered
    by VirtualBox.</para>

    <sect2>
      <title>The Security Model</title>
      <para>
        One property of virtual machine monitors (VMMs) like VirtualBox is to encapsulate
        a guest by executing it in a protected environment, a virtual machine,
        running as a user process on the host operating system. The guest cannot
        communicate directly with the hardware or other computers but only through
        the VMM. The VMM provides emulated physical resources and devices to the
        guest which are accessed by the guest operating system to perform the required
        tasks. The VM settings control the resources provided to the guest, for example
        the amount of guest memory or the number of guest processors (see
        <xref linkend="generalsettings"/>) and the enabled features for that guest
        (for example remote control, certain screen settings and others).
      </para>
    </sect2>

    <sect2>
      <title>Secure Configuration of Virtual Machines</title>
      <para>
        Several aspects of a virtual machine configuration are subject to security
        considerations.</para>

      <sect3>
        <title>Networking</title>
        <para>
          The default networking mode for VMs is NAT which means that
          the VM acts like a computer behind a router, see
          <xref linkend="network_nat"/>. The guest is part of a private
          subnet belonging to this VM and the guest IP is not visible
          from the outside. This networking mode works without
          any additional setup and is sufficient for many purposes.
        </para>
        <para>
          If bridged networking is used, the VM acts like a computer inside
          the same network as the host, see <xref linkend="network_bridged"/>.
          In this case, the guest has the same network access as the host and
          a firewall might be necessary to protect other computers on the
          subnet from a potentially malicious guest as well as to protect the
          guest from direct access from other computers. In some cases it is
          worth considering using a forwarding rule for a specific port in NAT
          mode instead of using bridged networking.
        </para>
        <para>
          Some setups do not require a VM to be connected to the public network
          at all. Internal networking (see <xref linkend="network_internal"/>)
          or host-only networking (see <xref linkend="network_hostonly"/>)
          are often sufficient to connect VMs among each other or to connect
          VMs only with the host but not with the public network.
        </para>
      </sect3>

      <sect3>
        <title>VRDP remote desktop authentication</title>
        <para>When using the VirtualBox extension pack provided by Oracle
        for VRDP remote desktop support, you can optionally use various
        methods to configure RDP authentication. The "null" method is
        very insecure and should be avoided in a public network.
        See <xref linkend="vbox-auth" /> for details.</para>
      </sect3>

      <sect3 id="security_clipboard">
        <title>Clipboard</title>
        <para>
          The shared clipboard allows users to share data between the host and
          the guest. Enabling the clipboard in "Bidirectional" mode allows
          the guest to read and write the host clipboard. The "Host to guest"
          mode and the "Guest to host" mode limit the access to one
          direction. If the guest is able to access the host clipboard it
          can also potentially access sensitive data from the host which is
          shared over the clipboard.
        </para>
        <para>
          If the guest is able to read from and/or write to the host clipboard
          then a remote user connecting to the guest over the network will also
          gain this ability, which may not be desirable. As a consequence, the
          shared clipboard is disabled for new machines.
        </para>
      </sect3>

      <sect3>
        <title>Shared folders</title>
        <para>If any host folder is shared with the guest then a remote
        user connected to the guest over the network can access
        these files too, as the folder sharing mechanism cannot be
        selectively disabled for remote users.
        </para>
      </sect3>

      <sect3>
        <title>3D graphics acceleration</title>
        <para>Enabling 3D graphics via the Guest Additions exposes the host
        to additional security risks; see <xref linkend="guestadd-3d" />.</para>
      </sect3>

      <sect3>
        <title>CD/DVD passthrough</title>
        <para>Enabling CD/DVD passthrough allows the guest to perform advanced
        operations on the CD/DVD drive, see <xref linkend="storage-cds"/>.
        This could induce a security risk as a guest could overwrite data
        on a CD/DVD medium.
        </para>
      </sect3>

      <sect3>
        <title>USB passthrough</title>
        <para>
          Passing USB devices to the guest provides the guest full access
          to these devices, see <xref linkend="settings-usb"/>. For instance,
          in addition to reading and writing the content of the partitions
          of an external USB disk, the guest will also be able to read and
          write the partition table and hardware data of that disk.
        </para>
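        <para>As an added example covering the settings of this whole section,
        from the networking mode to USB passthrough (it is not part of the
        VirtualBox manual or project code), the following POSIX shell script
        reads the output of VBoxManage showvminfo with --machinereadable and
        flags the settings described above as risky. The key names it matches
        are assumed to be the ones that command prints (verify against your
        release); the sample output is constructed.</para>

```shell
#!/bin/sh
# Added example, not from the VirtualBox manual or project code. Reads the
# output of "VBoxManage showvminfo VMNAME --machinereadable" from stdin and
# prints one line per setting this section treats as risky; the key names
# are those printed by that command (assumed; verify against your release).
set -eu

# Returns 1 if anything was flagged, else 0.
audit_vm_settings() {
    found=0
    while IFS= read -r line; do
        key=${line%%=*}
        val=${line#*=}
        val=${val#\"}; val=${val%\"}      # strip surrounding quotes
        case "$key" in
            clipboard)
                [ "$val" = disabled ] || { echo "clipboard: $val (guest can reach the host clipboard)"; found=1; } ;;
            draganddrop)
                [ "$val" = disabled ] || { echo "draganddrop: $val"; found=1; } ;;
            accelerate3d)
                [ "$val" = off ] || { echo "3D acceleration on (additional host exposure)"; found=1; } ;;
            nic[0-9]*)
                [ "$val" != bridged ] || { echo "$key: bridged (guest shares the host network, firewall needed)"; found=1; } ;;
            usb)
                [ "$val" = off ] || { echo "USB passthrough on (guest gets full device access)"; found=1; } ;;
            vrdeauthtype)
                [ "$val" != null ] || { echo "VRDE authentication method null (no authentication)"; found=1; } ;;
            SharedFolderPathMachineMapping*)
                echo "shared folder $val (reachable by remote users of the guest)"; found=1 ;;
        esac
    done
    return $found
}

# Constructed sample of showvminfo output for a VM with several risky settings.
SAMPLE='clipboard="bidirectional"
draganddrop="disabled"
accelerate3d="on"
nic1="bridged"
nic2="none"
usb="off"
vrde="on"
vrdeauthtype="null"
SharedFolderNameMachineMapping1="projects"
SharedFolderPathMachineMapping1="/home/alice/projects"'

# Runs the audit on the sample; no VBoxManage installation needed.
audit_sample() { printf '%s\n' "$SAMPLE" | audit_vm_settings; }
```

On a real host, pipe the showvminfo output of each VM into audit_vm_settings and treat a non-zero exit as a finding to review.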
      </sect3>

    </sect2>

    <sect2>
      <title>Configuring and Using Authentication</title>

      <para>The following components of VirtualBox can use passwords for
      authentication:<itemizedlist>

        <listitem>
          <para>When using remote iSCSI storage and the storage server
          requires authentication, an initiator secret can optionally be supplied
          with the <computeroutput>VBoxManage storageattach</computeroutput>
          command. As long as no settings password is provided (command line
          option <computeroutput>--settingspwfile</computeroutput>), this secret is
          stored <emphasis role="bold">unencrypted</emphasis> in the machine
          configuration and is therefore potentially readable on the host.
          See <xref linkend="storage-iscsi" /> and
          <xref linkend="vboxmanage-storageattach" />.</para>
        </listitem>

        <listitem>
          <para>When using the VirtualBox web service to control a VirtualBox
          host remotely, connections to the web service are authenticated in
          various ways. This is described in detail in the VirtualBox Software
          Development Kit (SDK) reference; please see
          <xref linkend="VirtualBoxAPI" />.</para>
        </listitem>
      </itemizedlist></para>
    </sect2>

    <!--
    <sect2>
      <title>Configuring and Using Access Control</title>
    </sect2>

    <sect2>
      <title>Configuring and Using Security Audit</title>
    </sect2>

    <sect2>
      <title>Configuring and Using Other Security Features</title>
    </sect2>
    -->

    <sect2>
      <title>Potentially insecure operations</title>

      <para>The following features of VirtualBox can present security
      problems:<itemizedlist>
        <listitem>
          <para>Enabling 3D graphics via the Guest Additions exposes the host
          to additional security risks; see <xref linkend="guestadd-3d" />.</para>
        </listitem>

        <listitem>
          <para>When teleporting a machine, the data stream through which the
          machine's memory contents are transferred from one host to another
          is not encrypted. A third party with access to the network through
          which the data is transferred could therefore intercept that
          data. An SSH tunnel could be used to secure the connection between
          the two hosts. But when considering teleporting a VM over an untrusted
          network, the first question to answer is how both VMs can securely
          access the same virtual disk image(s) with reasonable performance.</para>
        </listitem>

        <listitem>
          <para>When using the VirtualBox web service to control a VirtualBox
          host remotely, connections to the web service (through which the API
          calls are transferred via SOAP XML) are not encrypted, but use plain
          HTTP by default. This is a potential security risk! For details about
          the web service, please see <xref linkend="VirtualBoxAPI" />.</para>
          <para>The web services are not started by default. Please refer to
          <xref linkend="vboxwebsrv-daemon"/> to find out how to start this
          service and how to enable SSL/TLS support. It has to be started as
          a regular user and only the VMs of that user can be controlled. By
          default, the service binds to localhost, preventing any remote connection.</para>
        </listitem>

        <listitem>
          <para>Traffic sent over a UDP Tunnel network attachment is not
          encrypted. You can either encrypt it on the host network level (with
          IPsec), or use encrypted protocols in the guest network (such as
          SSH). The security properties are similar to bridged Ethernet.</para>
        </listitem>
      </itemizedlist></para>
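      <para>Added example, not from the VirtualBox manual or project code: a
      POSIX shell helper that writes the web service part of
      /etc/default/virtualbox the way the web service item above and the
      least-privilege advice in the Overview recommend (run as a regular user,
      bound to localhost, SSL/TLS key file configured, file mode 0600) and
      audits an existing file. The VBOXWEB_* variable names are assumed to be
      the ones read by the Linux vboxweb-service script; the user name, port and
      key path are placeholders.</para>

```shell
#!/bin/sh
# Added example, not from the VirtualBox manual or project code: write and
# audit the web service settings in /etc/default/virtualbox as this guide
# recommends. VBOXWEB_* names are assumed to be those read by the Linux
# vboxweb-service script; user, port and key path below are placeholders.
set -eu

# Usage: write_vboxweb_config CONFIG_PATH USER PEM_KEYFILE
write_vboxweb_config() {
    cfg=$1; user=$2; keyfile=$3
    ( umask 077                     # never readable by other users, even briefly
      printf '%s\n' \
        "# Run the web service as a regular user, never with system privileges." \
        "VBOXWEB_USER=$user" \
        "# Bind to localhost: no remote connection is possible by default." \
        "VBOXWEB_HOST=127.0.0.1" \
        "VBOXWEB_PORT=18083" \
        "# Enable SSL/TLS; API calls are otherwise sent as plain HTTP." \
        "VBOXWEB_SSL_KEYFILE=$keyfile" > "$cfg" )
    chmod 0600 "$cfg"               # the mode this guide prefers for the file
}

# Returns 0 only if CONFIG_PATH is mode 0600, binds to a loopback address
# and names an SSL key file; the non-zero code says which check failed.
audit_vboxweb_config() {
    cfg=$1
    [ -f "$cfg" ] || return 1
    mode=$(stat -c %a "$cfg" 2>/dev/null || stat -f %Lp "$cfg")   # GNU, then BSD stat
    [ "$mode" = 600 ] || return 2
    host=$(sed -n 's/^VBOXWEB_HOST=//p' "$cfg")
    case "$host" in 127.*|localhost|::1) ;; *) return 3 ;; esac
    grep -q '^VBOXWEB_SSL_KEYFILE=.' "$cfg" || return 4
    return 0
}
```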
    </sect2>

    <sect2>
      <title>Encryption</title>

      <para>The following components of VirtualBox use encryption to protect
      sensitive data:<itemizedlist>
        <listitem>
          <para>When using the VirtualBox extension pack provided by Oracle
          for VRDP remote desktop support, RDP data can optionally be
          encrypted. See <xref linkend="vrde-crypt" /> for details. Only
          the Enhanced RDP Security method (RDP5.2) with TLS protocol
          provides a secure connection. Standard RDP Security (RDP4 and
          RDP5.1) is vulnerable to a man-in-the-middle attack.</para>
        </listitem>
      </itemizedlist></para>
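      <para>Added example, not from the VirtualBox manual or project code: a
      shell function that applies the VRDP hardening described here (Enhanced
      RDP Security with TLS, an authentication method other than "null")
      together with the VM settings from the Secure Configuration of Virtual
      Machines section (clipboard and drag and drop off, no 3D acceleration,
      NAT with a loopback-only port forwarding rule instead of bridged
      networking). The VM name and certificate paths are placeholders; setting
      VBOXMANAGE to echo prints the commands instead of running them.</para>

```shell
#!/bin/sh
# Added example, not from the VirtualBox manual or project code: apply the
# settings this chapter recommends to one VM. VM name and certificate
# paths are placeholders; set VBOXMANAGE=echo to review the commands only.
set -eu
VBOXMANAGE=${VBOXMANAGE:-VBoxManage}

# Usage: harden_vm VMNAME SERVER_CERT.pem SERVER_KEY.pem CA_CERT.pem
harden_vm() {
    vm=$1; cert=$2; key=$3; ca=$4
    # Shared clipboard and drag and drop off, as VirtualBox does for new machines.
    "$VBOXMANAGE" modifyvm "$vm" --clipboard disabled --draganddrop disabled
    # No 3D acceleration through the Guest Additions.
    "$VBOXMANAGE" modifyvm "$vm" --accelerate3d off
    # NAT instead of bridged networking: only guest port 22 is reachable, and
    # only from the host itself (host IP 127.0.0.1 in the forwarding rule).
    "$VBOXMANAGE" modifyvm "$vm" --nic1 nat --natpf1 "guestssh,tcp,127.0.0.1,2222,,22"
    # VRDP: authenticate through the host authentication library (VBoxAuth,
    # the default, checks host user accounts); never use the "null" method.
    "$VBOXMANAGE" modifyvm "$vm" --vrde on --vrdeauthtype external
    # Enhanced RDP Security with TLS and the server's own certificate;
    # Standard RDP Security (RDP4/RDP5.1) is open to a man-in-the-middle.
    "$VBOXMANAGE" modifyvm "$vm" --vrdeproperty "Security/Method=TLS"
    "$VBOXMANAGE" modifyvm "$vm" --vrdeproperty "Security/ServerCertificate=$cert"
    "$VBOXMANAGE" modifyvm "$vm" --vrdeproperty "Security/ServerPrivateKey=$key"
    "$VBOXMANAGE" modifyvm "$vm" --vrdeproperty "Security/CACertificate=$ca"
}
```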
    </sect2>
  </sect1>

  <!--
  <sect1>
    <title>Security Considerations for Developers</title>
  </sect1>
  -->

</chapter>
