user_Security.xml revision 30cf2a04131a4c65d0289d96cf37b2c51cf2dd32
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<chapter id="Security">
  <title>Security guide</title>

  <sect1>
    <title>Overview</title>
    <para>
    </para>

    <sect2>
      <title>General Security Principles</title>

      <para>The following principles are fundamental to using any application
      securely.
      <glosslist>
        <glossentry>
          <glossterm>Keep Software Up To Date</glossterm>
          <glossdef>
            <para>
              One of the principles of good security practice is to keep all
              software versions and patches up to date. Activate the VirtualBox
              update notification to get notified when a new VirtualBox release
              is available. When updating VirtualBox, do not forget to update
              the Guest Additions. Keep the host operating system as well as the
              guest operating system up to date.
            </para>
          </glossdef>
        </glossentry>

        <glossentry>
          <glossterm>Restrict Network Access to Critical Services</glossterm>
          <glossdef>
            <para>
              Use proper means, for instance a firewall, to protect your computer
              and your guest(s) from access from the outside. Choosing the proper
              networking mode for VMs helps to separate host networking from the
              guest and vice versa.
            </para>
          </glossdef>
        </glossentry>

        <glossentry>
          <glossterm>Follow the Principle of Least Privilege</glossterm>
          <glossdef>
            <para>
              The principle of least privilege states that users should be given the
              least amount of privilege necessary to perform their jobs. Always execute VirtualBox
              as a regular user. We strongly discourage anyone from executing
              VirtualBox with system privileges.
            </para>
            <para>
              Choose restrictive permissions when creating configuration files,
              for instance when creating /etc/default/virtualbox, see
              <xref linkend="linux_install_opts"/>. Mode 0600 would be preferred.
            </para>
          </glossdef>
        </glossentry>

        <glossentry>
          <glossterm>Monitor System Activity</glossterm>
          <glossdef>
            <para>
              System security builds on three pillars: good security protocols, proper
              system configuration and system monitoring. Auditing and reviewing audit
              records address the third requirement. Each component within a system
              has some degree of monitoring capability. Follow audit advice in this
              document and regularly monitor audit records.
            </para>
          </glossdef>
        </glossentry>

        <glossentry>
          <glossterm>Keep Up To Date on Latest Security Information</glossterm>
          <glossdef>
            <para>
              Oracle continually improves its software and documentation. Check this
              note yearly for revisions.
            </para>
          </glossdef>
        </glossentry>

      </glosslist>
      </para>
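<para>The permission advice given above under "Follow the Principle of Least Privilege" can be checked with a short script. This is an added example, not part of the original VirtualBox documentation: the function names, the scratch file that stands in for /etc/default/virtualbox and its EXAMPLE_KEY content are constructed, and GNU stat is assumed. It shows that a restrictive umask does not tighten a file that already exists, which is why the file is replaced by a fresh 0600 copy.</para>

```bash
#!/usr/bin/env bash
# Added example, not part of the VirtualBox manual.

# is_private FILE: succeed only if FILE grants no permission to group or others.
is_private() {
    local mode
    mode=$(stat -c '%a' -- "$1") || return 2    # GNU stat prints e.g. 600 or 644
    case $mode in
        0|*00) return 0 ;;
        *)     return 1 ;;
    esac
}

# write_private_config FILE CONTENT
# Leaves FILE with mode 0600 even if it already existed with looser permissions:
# CONTENT goes into a fresh 0600 temporary file in the same directory, which
# then replaces FILE atomically via rename.
write_private_config() {
    local target=$1 content=$2 tmp
    tmp=$(mktemp "$(dirname -- "$target")/.cfg.XXXXXX") || return 1
    if ! printf '%s\n' "$content" > "$tmp"; then
        rm -f -- "$tmp"
        return 1
    fi
    chmod 0600 -- "$tmp" || return 1
    mv -f -- "$tmp" "$target"
}

# Demonstration in a scratch directory; "virtualbox" stands in for
# /etc/default/virtualbox and EXAMPLE_KEY is a constructed setting.
demo_private_config() {
    local dir file rc=0
    dir=$(mktemp -d) || return 1
    file=$dir/virtualbox
    ( umask 022; printf 'EXAMPLE_KEY=old\n' > "$file" )   # created as 0644
    ( umask 077; printf 'EXAMPLE_KEY=new\n' > "$file" )   # rewritten: still 0644
    if is_private "$file"; then rc=1; fi
    write_private_config "$file" 'EXAMPLE_KEY=new' || rc=1
    is_private "$file" || rc=1
    echo "final mode: $(stat -c '%a' -- "$file")"
    rm -rf -- "$dir"
    return "$rc"
}
demo_private_config
```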
    </sect2>
  </sect1>

  <sect1>
    <title>Secure Installation and Configuration</title>

    <sect2>
      <title>Installation Overview</title>
      <para>
        The VirtualBox base package should be downloaded only from a trusted source,
        for instance the official website
        <ulink url="http://www.virtualbox.org">http://www.virtualbox.org</ulink>.
        The integrity of the package should be verified with the provided SHA256
        checksum which can be found on the official website.
      </para>
      <para>
        General VirtualBox installation instructions for the supported hosts
        can be found in <xref linkend="installation"/>.
      </para>
      <para>
        On Windows hosts, the installer allows for disabling USB support, support
        for bridged networking, support for host-only networking and the Python
        language bindings, see <xref linkend="installation_windows"/>.
        All these features are enabled by default but disabling some
        of them could be appropriate if the corresponding functionality is not
        required by any virtual machine. The Python language bindings are only
        required if the VirtualBox API is to be used by external Python
        applications. In particular USB support and support
        for the two networking modes require the installation of Windows kernel
        drivers on the host. Therefore disabling those selected features can
        not only be used to restrict the user to certain functionality but
        also to minimize the attack surface provided to a potential attacker.
      </para>
      <para>
        The general case is to install the complete VirtualBox package. The
        installation must be done with system privileges. All VirtualBox binaries
        should be executed as a regular user and never as a privileged user.
      </para>
      <para>
        The Oracle VM VirtualBox extension pack provides additional features
        and must be downloaded and installed separately, see
        <xref linkend="intro-installing"/>. As for the base package, the SHA256
        checksum of the extension pack should be verified. As the installation
        requires system privileges, VirtualBox will ask for the system
        password during the installation of the extension pack.
      </para>
    </sect2>

    <sect2>
      <title>Post Installation Configuration</title>
      <para>
        Normally there is no post installation configuration of VirtualBox components
        required. However, on Solaris and Linux hosts it is necessary to configure
        the proper permissions for users executing VMs and who should be able to
        access certain host resources. For instance, Linux users must be members of
        the <emphasis>vboxusers</emphasis> group to be able to pass USB devices to a
        guest. If a serial host interface should be accessed from a VM, the proper
        permissions must be granted to the user to be able to access that device.
        The same applies to other resources like raw partitions, DVD/CD drives
        and sound devices.
      </para>
    </sect2>
  </sect1>

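<para>The SHA256 verification that the Installation Overview asks for, both for the base package and for the extension pack, can be scripted as follows. This is an added example, not part of the original VirtualBox documentation: the function name verify_sha256 is hypothetical, the checksum list is assumed to be in the format written by sha256sum (digest, then the file name, optionally prefixed with an asterisk), file names are assumed to contain no whitespace, and the package in the demonstration is a constructed stand-in.</para>

```bash
#!/usr/bin/env bash
# Added example, not part of the VirtualBox manual: check a downloaded package
# against a published SHA256 list before installing it.

# verify_sha256 PACKAGE CHECKSUM_LIST
# Return codes: 0 digest matches, 1 digest differs, 2 input file missing,
# 3 the list has no unique, well-formed entry for the package's file name.
verify_sha256() {
    local pkg=$1 list=$2 name expected actual
    if [ ! -f "$pkg" ] || [ ! -f "$list" ]; then
        echo "verify_sha256: package or checksum list not found"
        return 2
    fi
    name=$(basename -- "$pkg")
    # List lines look like "HEX  name" (text mode) or "HEX *name" (binary mode).
    expected=$(awk -v n="$name" '
        { f = $2; sub(/^\*/, "", f) }
        f == n { print tolower($1); hits++ }
        END { if (hits != 1) exit 1 }' "$list") || {
        echo "verify_sha256: no unique entry for $name in $list"
        return 3
    }
    # A SHA-256 digest is exactly 64 hexadecimal characters; reject anything else.
    case $expected in
        ""|*[!0-9a-f]*) return 3 ;;
    esac
    [ "${#expected}" -eq 64 ] || return 3

    actual=$(sha256sum -- "$pkg" | awk '{ print $1 }')
    if [ "$actual" = "$expected" ]; then
        echo "OK: $name"
        return 0
    fi
    echo "MISMATCH: $name (expected $expected, got $actual)"
    return 1
}

# Demonstration on a constructed file that stands in for the downloaded package.
demo_verify_sha256() {
    local dir rc=0
    dir=$(mktemp -d) || return 1
    printf 'constructed stand-in for a downloaded package\n' > "$dir/package.run"
    ( cd "$dir" || exit 1; sha256sum -b package.run > SHA256SUMS )
    verify_sha256 "$dir/package.run" "$dir/SHA256SUMS" || rc=1
    printf 'bytes appended after publication\n' >> "$dir/package.run"
    if verify_sha256 "$dir/package.run" "$dir/SHA256SUMS"; then rc=1; fi
    rm -rf -- "$dir"
    return "$rc"
}
demo_verify_sha256
```

<para>The check is only as trustworthy as the checksum list itself, so fetch the list from the official website over a connection you trust rather than from the place the package came from.</para>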
  <sect1>
    <title>Security Features</title>
    <para>This section outlines the specific security mechanisms offered
    by VirtualBox.</para>

    <sect2>
      <title>The Security Model</title>
      <para>
        One property of virtual machine monitors (VMMs) like VirtualBox is to encapsulate
        a guest by executing it in a protected environment, a virtual machine,
        running as a user process on the host operating system. The guest cannot
        communicate directly with the hardware or other computers but only through
        the VMM. The VMM provides emulated physical resources and devices to the
        guest which are accessed by the guest operating system to perform the required
        tasks. The VM settings control the resources provided to the guest, for example
        the amount of guest memory or the number of guest processors (see
        <xref linkend="generalsettings"/>), and the enabled features for that guest
        (for example remote control, certain screen settings and others).
      </para>
    </sect2>

    <sect2>
      <title>Secure Configuration of Virtual Machines</title>
      <para>
        Several aspects of a virtual machine configuration are subject to security
        considerations.</para>

      <sect3>
        <title>Networking</title>
        <para>
          The default networking mode for VMs is NAT which means that
          the VM acts like a computer behind a router, see
          <xref linkend="network_nat"/>. The guest is part of a private
          subnet belonging to this VM and the guest IP is not visible
          from the outside. This networking mode works without
          any additional setup and is sufficient for many purposes.
        </para>
        <para>
          If bridged networking is used, the VM acts like a computer inside
          the same network as the host, see <xref linkend="network_bridged"/>.
          In this case, the guest has the same network access as the host and
          a firewall might be necessary to protect other computers on the
          subnet from a potentially malicious guest as well as to protect the
          guest from direct access from other computers. In some cases it is
          worth considering using a forwarding rule for a specific port in NAT
          mode instead of using bridged networking.
        </para>
        <para>
          Some setups do not require a VM to be connected to the public network
          at all. Internal networking (see <xref linkend="network_internal"/>)
          or host-only networking (see <xref linkend="network_hostonly"/>)
          are often sufficient to connect VMs among each other or to connect
          VMs only with the host but not with the public network.
        </para>
      </sect3>

      <sect3>
        <title>VRDP remote desktop authentication</title>
        <para>When using the VirtualBox extension pack provided by Oracle
        for VRDP remote desktop support, you can optionally use various
        methods to configure RDP authentication. The "null" method is
        very insecure and should be avoided in a public network.
        See <xref linkend="vbox-auth" /> for details.</para>
      </sect3>

      <sect3 id="security_clipboard">
        <title>Clipboard</title>
        <para>
          The shared clipboard allows users to share data between the host and
          the guest. Enabling the clipboard in "Bidirectional" mode allows
          the guest to read and write the host clipboard. The "Host to guest"
          mode and the "Guest to host" mode limit the access to one
          direction. If the guest is able to access the host clipboard it
          can also potentially access sensitive data from the host which is
          shared over the clipboard.
        </para>
        <para>
          If the guest is able to read from and/or write to the host clipboard
          then a remote user connecting to the guest over the network will also
          gain this ability, which may not be desirable. As a consequence, the
          shared clipboard is disabled for new machines.
        </para>
      </sect3>

      <sect3>
        <title>Shared folders</title>
        <para>If any host folder is shared with the guest then a remote
        user connected to the guest over the network can access
        these files too as the folder sharing mechanism cannot be
        selectively disabled for remote users.
        </para>
      </sect3>

      <sect3>
        <title>3D graphics acceleration</title>
        <para>Enabling 3D graphics via the Guest Additions exposes the host
        to additional security risks; see <xref
        linkend="guestadd-3d" />.</para>
      </sect3>

      <sect3>
        <title>CD/DVD passthrough</title>
        <para>Enabling CD/DVD passthrough allows the guest to perform advanced
        operations on the CD/DVD drive, see <xref linkend="storage-cds"/>.
        This could pose a security risk as a guest could overwrite data
        on a CD/DVD medium.
        </para>
      </sect3>

      <sect3>
        <title>USB passthrough</title>
        <para>
          Passing USB devices to the guest provides the guest full access
          to these devices, see <xref linkend="settings-usb"/>. For instance,
          in addition to reading and writing the content of the partitions
          of an external USB disk the guest will also be able to read and
          write the partition table and hardware data of that disk.
        </para>
      </sect3>

    </sect2>
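<para>The settings discussed in this section (bridged networking, the "null" VRDP authentication method, the shared clipboard, shared folders, 3D acceleration and USB) can be reviewed per VM from a saved copy of the output of VBoxManage showvminfo VMNAME --machinereadable. This is an added example, not part of the original VirtualBox documentation: the function names and finding IDs are hypothetical, the key names matched below are an assumption about that output and should be compared with what your installed version prints, and both sample VMs are constructed.</para>

```bash
#!/usr/bin/env bash
# Added example, not part of the VirtualBox manual.

# audit_vm_settings FILE
# FILE holds the output of:  VBoxManage showvminfo VMNAME --machinereadable
# Prints one "ID: detail" line per setting that this section warns about.
# Returns 0 if nothing was reported, 1 on findings, 2 if FILE is unreadable.
audit_vm_settings() {
    [ -r "$1" ] || return 2
    awk '
    function report(id, msg) { print id ": " msg; findings++ }
    {
        eq = index($0, "=")
        if (eq == 0) next
        key = substr($0, 1, eq - 1)
        val = substr($0, eq + 1)
        gsub(/^"|"$/, "", key)      # keys and values may both be quoted
        gsub(/^"|"$/, "", val)
        v = tolower(val)

        if (key ~ /^nic[0-9]+$/) {
            if (v == "bridged")
                report("BRIDGED_NIC", key " puts the guest on the host network; firewall it or use a NAT port forward")
        } else if (key == "clipboard") {
            if (v == "bidirectional" || v == "hosttoguest" || v == "guesttohost")
                report("CLIPBOARD", "mode " v "; remote users of the guest inherit this access")
        } else if (key == "accelerate3d") {
            if (v == "on")
                report("ACCEL_3D", "3D acceleration via the Guest Additions is enabled")
        } else if (key ~ /^(usb|ohci|ehci|xhci)$/) {
            if (v == "on")
                report("USB", key " controller enabled; a passed-through device is fully controlled by the guest")
        } else if (key ~ /^SharedFolderNameMachineMapping[0-9]+$/) {
            report("SHARED_FOLDER", "folder " val " is reachable by remote users of the guest")
        } else if (key == "vrde") {
            vrde = v                # evaluated together with the auth type in END
        } else if (key == "vrdeauthtype") {
            auth = v
        }
    }
    END {
        if (vrde == "on") {
            if (auth == "null")
                report("VRDE_NULL_AUTH", "remote desktop is enabled with the null authentication method")
        }
        exit (findings != 0)
    }' "$1"
}

# Demonstration on two constructed VM descriptions.
demo_audit() {
    local dir rc=0 status
    dir=$(mktemp -d) || return 1
    # Constructed sample: a VM that uses the risky settings named above.
    printf '%s\n' 'name="constructed-risky-vm"' 'nic1="bridged"' \
        'clipboard="bidirectional"' 'accelerate3d="on"' 'usb="off"' \
        'vrde="on"' 'vrdeauthtype="null"' \
        'SharedFolderNameMachineMapping1="src"' \
        'SharedFolderPathMachineMapping1="/home/user/src"' > "$dir/risky.txt"
    # Constructed sample: NAT, nothing shared, authenticated remote desktop.
    printf '%s\n' 'name="constructed-hardened-vm"' 'nic1="nat"' \
        'clipboard="disabled"' 'accelerate3d="off"' 'usb="off"' \
        'vrde="on"' 'vrdeauthtype="external"' > "$dir/hardened.txt"
    status=0; audit_vm_settings "$dir/risky.txt" || status=$?
    [ "$status" -eq 1 ] || rc=1
    status=0; audit_vm_settings "$dir/hardened.txt" || status=$?
    [ "$status" -eq 0 ] || rc=1
    rm -rf -- "$dir"
    return "$rc"
}
demo_audit
```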

    <sect2>
      <title>Configuring and Using Authentication</title>

      <para>The following components of VirtualBox can use passwords for
      authentication:<itemizedlist>

        <listitem>
          <para>When using remote iSCSI storage and the storage server
          requires authentication, an initiator secret can optionally be supplied
          with the <computeroutput>VBoxManage storageattach</computeroutput>
          command. As long as no settings password is provided (command line
          option <screen>--settingspwfile</screen>), this secret is
          stored <emphasis role="bold">unencrypted</emphasis> in the machine
          configuration and is therefore potentially readable on the host.
          See <xref
          linkend="storage-iscsi" /> and <xref
          linkend="vboxmanage-storageattach" />.</para>
        </listitem>

        <listitem>
          <para>When using the VirtualBox web service to control a VirtualBox
          host remotely, connections to the web service are authenticated in
          various ways. This is described in detail in the VirtualBox Software
          Development Kit (SDK) reference; please see <xref
          linkend="VirtualBoxAPI" />.</para>
        </listitem>
      </itemizedlist></para>
    </sect2>

    <!--
    <sect2>
      <title>Configuring and Using Access Control</title>
    </sect2>

    <sect2>
      <title>Configuring and Using Security Audit</title>
    </sect2>

    <sect2>
      <title>Configuring and Using Other Security Features</title>
    </sect2>
    -->

    <sect2>
      <title>Potentially insecure operations</title>

      <para>The following features of VirtualBox can present security
      problems:<itemizedlist>
        <listitem>
          <para>Enabling 3D graphics via the Guest Additions exposes the host
          to additional security risks; see <xref
          linkend="guestadd-3d" />.</para>
        </listitem>

        <listitem>
          <para>When teleporting a machine, the data stream through which the
          machine's memory contents are transferred from one host to another
          is not encrypted. A third party with access to the network through
          which the data is transferred could therefore intercept that
          data. An SSH tunnel could be used to secure the connection between
          the two hosts. But when considering teleporting a VM over an untrusted
          network the first question to answer is how both VMs can securely
          access the same virtual disk image(s) with reasonable performance.</para>
        </listitem>

        <listitem>
          <para>When using the VirtualBox web service to control a VirtualBox
          host remotely, connections to the web service (through which the API
          calls are transferred via SOAP XML) are not encrypted, but use plain
          HTTP by default. This is a potential security risk! For details about
          the web service, please see <xref linkend="VirtualBoxAPI" />.</para>
          <para>The web services are not started by default. Please refer to
          <xref linkend="vboxwebsrv-daemon"/> to find out how to start this
          service and how to enable SSL/TLS support. It has to be started as
          a regular user and only the VMs of that user can be controlled. By
          default, the service binds to localhost, preventing any remote connection.</para>
        </listitem>

        <listitem>
          <para>Traffic sent over a UDP Tunnel network attachment is not
          encrypted. You can either encrypt it on the host network level (with
          IPsec), or use encrypted protocols in the guest network (such as
          SSH). The security properties are similar to bridged Ethernet.</para>
        </listitem>
      </itemizedlist></para>
    </sect2>

    <sect2>
      <title>Encryption</title>

      <para>The following components of VirtualBox use encryption to protect
      sensitive data:<itemizedlist>
        <listitem>
          <para>When using the VirtualBox extension pack provided by Oracle
          for VRDP remote desktop support, RDP data can optionally be
          encrypted. See <xref linkend="vrde-crypt" /> for details. Only
          the Enhanced RDP Security method (RDP5.2) with TLS protocol
          provides a secure connection. Standard RDP Security (RDP4 and
          RDP5.1) is vulnerable to a man-in-the-middle attack.</para>
        </listitem>
      </itemizedlist></para>
    </sect2>
  </sect1>

  <!--
  <sect1>
    <title>Security Considerations for Developers</title>
  </sect1>
  -->

</chapter>