Configuring Virtual Server security settings

On the Virtual Server Security Properties page, you can configure permissions for managing Virtual Server. You can add a permission entry for a user account or group and configure permissions for it, you can modify the permissions specified for an existing permission entry, or you can remove a permission entry.

By configuring the settings on this page, you can give users control over some features of Virtual Server, but not others. For example, by default all members of the Administrators group have full control of Virtual Server. You might, however, want to allow a member of the Administrators group to view and modify configuration settings, but not to add or remove permission entries. You could do this by adding a permission entry for that person's user account and then denying Change permissions to it. The user account would retain all of the permissions allowed to the Administrators group, except for the permission to Change permissions.

Note

You can allow users to manage specific virtual machines and virtual networks without giving them more global permissions to manage Virtual Server. For more information, see Configuring virtual machine security and Configuring virtual disk security. For general information about configuring security for Virtual Server, see Securing Virtual Server.

For each permission entry, you can configure the permissions described in the following table.

| Item | Description |
| --- | --- |
| Full | Select the check box for this permission to automatically select all of the other permissions. |
| Modify | Add virtual machines and virtual networks to Virtual Server, and make changes to the following pages: Virtual Machine Remote Control (VMRC) Server Properties; Virtual Server Script Settings; Virtual Server Search Paths. For more information about viewing and modifying Virtual Server configuration settings, see Configuring Virtual Server. |
| View | Read Virtual Server configuration information and the Virtual Server event log, as well as configuration information for virtual machines for which the user has Read permissions. This also allows the user to manage virtual machines for which they have the appropriate permissions by using VMRC. |
| Remove | Remove virtual machine and virtual network configurations from Virtual Server. |
| Change permissions | Change permissions on the Virtual Server Security Properties page. |
| Control | Access the Component Object Model (COM) interfaces. This allows the user to manage Virtual Server by using the COM interface or the Administration Website. This permission is required for a user account or group to have any administrative control over Virtual Server. Without it, the Administration Website and COM interface are not available. If the user account or group has been granted permissions on the virtual machine configuration (.vmc) file, but denied this permission, the user account or group can manage the virtual machine by using the VMRC client, but not by using the Administration Website. |
| Special permissions | Indicates whether special permissions have been configured on the Virtual Server folder. You cannot select or clear this check box. |

The permissions that you configure on this page modify the discretionary access control list (DACL) on the Virtual Server folder, located by default in C:\Documents and Settings\All Users\Application Data\Microsoft. Although you could configure these permissions by changing the DACL directly in the file system, we recommend that you use this page instead. This is because if you configure the DACL directly, you must restart the Virtual Server service for the settings to take effect. This is not the case, however, for configuring permissions on virtual machine, virtual network, and virtual disk files. You can configure DACLs for those files directly in the file system.

The permissions that you configure on this page apply to the Virtual Server folder and the subfolders and files that it contains. In addition, even if it is not contained in the Virtual Server folder, these permissions also apply to the default virtual machine configuration folder, which is specified on the Virtual Server Search Paths page of the Administration Website. For more information about specifying this folder, see Configuring Virtual Server search paths.

This page displays permissions for user accounts and groups only. It does not display permissions for system accounts, such as the Local System account. This is so that users of this page do not inadvertently delete or change permissions for system accounts that are critical to the functioning of Virtual Server. Under most circumstances, you should not need to modify the default permissions for system accounts. In the event that this is necessary, however, you should modify them by configuring the DACL in the file system, which is described next.

Important

Do not change the DACL on the Virtual Machine Helper service folder. This folder is located by default in C:\Documents and Settings\All Users\Application Data\Microsoft. The files in this folder store account name and password information for use with virtual machines. If you do change the DACL on this folder, virtual machines that you have configured to run under a specific user account may not be able to turn on, and encrypted password information contained in these files could become accessible to unauthorized users.

The following table describes the DACL on the Virtual Server folder.

| Permission | Use to allow or deny this ability |
| --- | --- |
| List Folder/Read Data | View Virtual Server configuration information; view the VMRC display. |
| Traverse Folder/Execute File | Use the Administration Website or manage Virtual Server by using the COM interface. This permission is required for a user account or group to have any administrative control over Virtual Server. Without it, the Administration Website and COM interface are not available. If the user account or group has been granted permissions on the virtual machine configuration (.vmc) file but denied this permission, the user account or group can manage the virtual machine by using VMRC, but not by using the Administration Website. |
| Create Files/Write Data | Modify Virtual Server configuration; add virtual machines and virtual networks. |
| Delete | Remove virtual machines and virtual networks. |
| Change Permissions | Change permissions on the Virtual Server folder. |

For more information about the default file system security settings of Virtual Server, see File system security settings for Virtual Server.
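To review what the DACL on the Virtual Server folder currently grants, including the system accounts that the Security Properties page does not display, the following added example (not Microsoft's code) reads each access control entry and translates its NTFS rights into the abilities from the DACL table above. The function name and the full folder path are assumptions; the script only reads the DACL and never changes it.

```powershell
# Added example: read-only audit of the Virtual Server folder DACL.
# NTFS right -> ability, taken from the DACL table on this page.
$VsAbilities = @(
    @{ Right = 'ReadData';          Ability = 'View configuration and VMRC display' },
    @{ Right = 'ExecuteFile';       Ability = 'Use Administration Website / COM interface' },
    @{ Right = 'WriteData';         Ability = 'Modify configuration; add VMs and networks' },
    @{ Right = 'Delete';            Ability = 'Remove VMs and networks' },
    @{ Right = 'ChangePermissions'; Ability = 'Change permissions on the folder' }
)

# Hypothetical helper name; not part of Virtual Server.
function Get-VirtualServerDaclReport {
    param([Parameter(Mandatory = $true)][string]$Path)

    $enumType = [System.Security.AccessControl.FileSystemRights]
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        # Work on the raw access mask so combined rights (for example
        # FullControl) are broken down into the individual bits.
        $mask = [int]$ace.FileSystemRights
        $hits = @()
        foreach ($entry in $VsAbilities) {
            $bit = [int][Enum]::Parse($enumType, $entry.Right)
            if (($mask -band $bit) -eq $bit) { $hits += $entry.Ability }
        }
        New-Object PSObject -Property @{
            Identity  = $ace.IdentityReference.Value
            Type      = $ace.AccessControlType   # Allow or Deny
            Inherited = $ace.IsInherited
            Abilities = ($hits -join '; ')
        } | Select-Object Identity, Type, Inherited, Abilities
    }
}

# Assumed path: a folder named "Virtual Server" under the default location
# given on this page. Adjust it if your installation differs.
$folder = 'C:\Documents and Settings\All Users\Application Data\Microsoft\Virtual Server'
Get-VirtualServerDaclReport -Path $folder | Format-Table -AutoSize -Wrap
```

A row with Type `Deny` lists abilities that are withheld from that account, as in the Administrators example earlier on this page. An entry whose Abilities column lacks "Use Administration Website / COM interface" cannot use either interface, whatever other rights it holds.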