Does virtualization make desktop operating systems less secure?

Microsoft has addressed the slow adoption of Windows 7 by releasing a virtual version of Windows XP. But do these virtual machines pose a security threat?

Microsoft is facing challenges marketing Windows 7 because of Windows XP's popularity. Many IT professionals are clinging to the older operating system simply because it works. In addition, before the release of Windows Vista, developers could safely assume their applications would have free rein over the system -- but Vista and Windows 7 greatly restrict permissions, breaking older applications.

As a solution, Microsoft is offering a virtual Windows XP machine with certain editions of Windows 7. This virtual machine (VM) is based on the latest version of Microsoft's Virtual PC. Unlike many other desktop virtualization solutions, the virtual instance of Windows XP is designed to be completely transparent: Users can operate in a XP desktop window if they choose, but they don't have to. Applications installed on the Windows XP VM appear on the Windows 7 Start menu, and they appear to run alongside native Windows 7 applications. In other words, the end user may never know a VM is operating in the background.

More on virtual desktop security

Top tools for securing a virtual desktop infrastructure 

The top 5 ways that VDI can help improve your enterprise's security 

I applaud Microsoft's approach to solving the application-compatibility problem. Organizations with a transparent, virtualized instance of Windows XP can upgrade to the latest OS without having to abandon their legacy applications.

This new approach completely changes things. Prior to the Windows 7 release, only power users and hardcore geeks ran virtual OSes on their desktop PCs. Now, most users could conceivably run at least two desktop OSes -- a primary OS and a virtual machine OS. But do VMs running on the desktop pose a security threat?

There is nothing inherently dangerous about having a VM running on a desktop. I have seen several posts on the Internet from people who refuse to use VMs for fear of an escape attack – an attack in which a hacker exploits a vulnerability in a VM to seize control of the host OS. But so far, nobody has successfully performed an escape attack. Furthermore, such an attack it is unlikely because VMs -- and the applications running on them -- reside in an isolated address space. The only reason why someone could eventually perform an escape attack is that there is a small degree of interaction between the host and the guest OSes. For example, it is possible to use the clipboard to copy text from the host OS to the guest OS, or vice versa.

Regardless -- in my opinion -- VMs are safe. Since I believe it would be incredibly short-sighted to base everything I write solely on what the IT community has to say, I tend to visit a lot of hacker websites to get both sides of a story. Many of these websites are designed to plant Trojan horses onto computers, therefore, I always use a VM when I visit them or download a utility that could contain malware. Therefore, I don't have to worry about infecting my primary desktop OS. Any infections that do occur are isolated to a VM that I can easily revert back to a previous state. In this sense, having a VM running on my desktop actually improves security.

Although there is nothing inherently insecure about running virtual OSes on a desktop machine, they are vulnerable to the same threats as OSes on physical hardware. Therefore, you should follow the same security best practices for VMs as you do for physical machines: Patch virtual OSes, run up-to-date antivirus software and ensure that group policy settings are properly applied. While there may not be anything inherently dangerous about a VM, failure to manage it properly does introduce various security risks.

Brien M. Posey, MCSE, has received Microsoft's Most Valuable Professional Award four times for his work with Windows Server, IIS and Exchange Server. He has served as CIO for a nationwide chain of hospitals and healthcare facilities and was once a network administrator for Fort Knox. You can visit his personal website at www.brienposey.com.


This was first published in February 2010

Dig deeper on Virtual desktop management

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchEnterpriseDesktop

SearchServerVirtualization

SearchCloudComputing

SearchConsumerization

SearchVMware

Close