Does virtualization make desktop operating systems less secure?

Microsoft is facing challenges marketing Windows 7 because of Windows XP's popularity. Many IT professionals are clinging to the older operating system simply because it works. In addition, before the release of Windows Vista, developers could safely assume their applications would have free rein over the system -- but Vista and Windows 7 greatly restrict permissions, breaking older applications.

As a solution, Microsoft is offering a virtual Windows XP machine with certain editions of Windows 7. This virtual machine (VM) is based on the latest version of Microsoft's Virtual PC. Unlike many other desktop virtualization solutions, the virtual instance of Windows XP is designed to be completely transparent: Users can operate in an XP desktop window if they choose, but they don't have to. Applications installed on the Windows XP VM appear on the Windows 7 Start menu, and they appear to run alongside native Windows 7 applications. In other words, the end user may never know a VM is operating in the background.

I applaud Microsoft's approach to solving the application-compatibility problem. Organizations with a transparent, virtualized instance of Windows XP can upgrade to the latest OS without having to abandon their legacy applications.

This new approach completely changes things. Prior to the Windows 7 release, only power users and hardcore geeks ran virtual OSes on their desktop PCs. Now, most users could conceivably run at least two desktop OSes -- a primary OS and a virtual machine OS. But do VMs running on the desktop pose a security threat?

There is nothing inherently dangerous about having a VM running on a desktop. I have seen several posts on the Internet from people who refuse to use VMs for fear of an escape attack -- an attack in which a hacker exploits a vulnerability in a VM to seize control of the host OS. But so far, nobody has successfully performed an escape attack. Furthermore, such an attack is unlikely because VMs -- and the applications running on them -- reside in an isolated address space. The only reason why someone could eventually perform an escape attack is that there is a small degree of interaction between the host and the guest OSes. For example, it is possible to use the clipboard to copy text from the host OS to the guest OS, or vice versa.

Regardless -- in my opinion -- VMs are safe. Since I believe it would be incredibly short-sighted to base everything I write solely on what the IT community has to say, I tend to visit a lot of hacker websites to get both sides of a story. Many of these websites are designed to plant Trojan horses onto computers, so I always use a VM when I visit them or download a utility that could contain malware. That way, I don't have to worry about infecting my primary desktop OS. Any infections that do occur are isolated to a VM that I can easily revert to a previous state. In this sense, having a VM running on my desktop actually improves security.

Although there is nothing inherently insecure about running virtual OSes on a desktop machine, they are vulnerable to the same threats as OSes on physical hardware. Therefore, you should follow the same security best practices for VMs as you do for physical machines: Patch virtual OSes, run up-to-date antivirus software and ensure that group policy settings are properly applied. While there may not be anything inherently dangerous about a VM, failure to manage it properly does introduce various security risks.

Brien M. Posey, MCSE, has received Microsoft's Most Valuable Professional Award four times for his work with Windows Server, IIS and Exchange Server. He has served as CIO for a nationwide chain of hospitals and healthcare facilities and was once a network administrator for Fort Knox. You can visit his personal website at www.brienposey.com.

This was first published in February 2010
