Configuring virtual disk security

In addition to securing the folders in which the various Virtual Server files are located (as described in Securing Virtual Server), you can also configure security on the individual files themselves. Securing the files individually is not necessary unless you want to define access permissions more precisely than at the folder level.

Permissions for virtual disks

To allow or deny permissions for users to copy, move, delete, or write data to virtual hard disk (.vhd) and virtual floppy disk (.vfd) files, you can modify the files' discretionary access control lists (DACLs). If you create the virtual hard disk at the same time as you create the virtual machine, the .vhd file is located in the virtual machine configuration folder, which is in C:\Documents and Settings\All Users\Documents\Shared Virtual Machines by default. Otherwise, both .vhd and .vfd files are stored in the location specified when they were created.

Note

There is no option for configuring these settings in the Administration Website; you can configure them in the file system only.

The following table lists the permissions that you can configure on a virtual hard disk or virtual floppy disk file.

| Permission | Use to grant or deny this ability |
|---|---|
| Read | Read from the virtual disk. |
| Create Files/Write Data | Write data to this virtual disk. |
| Delete | Delete the virtual disk file. |
| Read Permissions | Read permissions on the virtual disk file. |
| Change Permissions | Change permissions on the virtual disk file. |

In addition to these permissions, the user must have the List Folder permission on the folder containing the .vhd or .vfd file. Without this permission, the user will not be able to access the file from the Administration Website.
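One way to apply the file-level permissions described above from PowerShell, as an added example that is not part of the original documentation. The virtual machine folder, the .vhd file name and the account are placeholders, and the rights are the .NET FileSystemRights names assumed to correspond to the table entries.

```powershell
# Added example. The VM folder, .vhd name and account below are placeholders.
$DiskPath = 'C:\Documents and Settings\All Users\Documents\Shared Virtual Machines\VM1\VM1.vhd'
$Account  = 'CONTOSO\vmoperator'

function Set-VirtualDiskDacl {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)][string]$Identity
    )
    # Table entries as FileSystemRights names (assumed mapping):
    # Read = ReadData, Create Files/Write Data = WriteData.
    $allow = [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, ReadPermissions'
    $deny  = [System.Security.AccessControl.FileSystemRights]'Delete, ChangePermissions'

    # Add explicit entries to the file's DACL; existing entries are kept.
    $acl = Get-Acl -LiteralPath $Path
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($Identity, $allow, 'Allow')))
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($Identity, $deny, 'Deny')))
    Set-Acl -LiteralPath $Path -AclObject $acl

    # The account also needs List Folder on the containing folder.
    # Only entries naming the account directly are checked here;
    # rights obtained through group membership are not resolved.
    $folder = Split-Path -Parent $Path
    $list   = [System.Security.AccessControl.FileSystemRights]::ListDirectory
    $canList = [bool]((Get-Acl -LiteralPath $folder).Access | Where-Object {
        $_.IdentityReference.Value -eq $Identity -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band $list) -eq $list
    })
    if (-not $canList) {
        Write-Warning "No direct List Folder entry for $Identity on $folder"
    }

    # Return the resulting entries for the account so they can be reviewed.
    (Get-Acl -LiteralPath $Path).Access |
        Where-Object { $_.IdentityReference.Value -eq $Identity } |
        Select-Object IdentityReference, AccessControlType, FileSystemRights, IsInherited
}

if (Test-Path -LiteralPath $DiskPath) {
    Set-VirtualDiskDacl -Path $DiskPath -Identity $Account
}
```

The same function can be pointed at a .vfd or ISO file; for an ISO file, drop WriteData from the allowed rights, since the ISO table lists no write permission.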

Note

If you want to share a virtual floppy disk (.vfd file) between virtual machines, the .vfd file must be configured as read-only. For a physical floppy disk, the first virtual machine to detect the physical disk will be the only virtual machine that can use that disk.

Permissions for ISO files

To grant or deny permissions for users to copy, move, delete, or write data to CD or DVD ISO 9660 image files, you can modify the DACLs on these files.

Note

There is no option for configuring these settings in the Administration Website; you can configure them in the file system only.

The following table lists the permissions that you can configure on a CD or DVD ISO file.

| Permission | Use to grant or deny this ability |
|---|---|
| Read | Read from the ISO file. |
| Delete | Delete the ISO file. |
| Read Permissions | Read permissions on the ISO file. |
| Change Permissions | Change permissions on the ISO file. |

In addition to these permissions, the user must have the List Folder permission on the folder containing the ISO file. Without this permission, the user will not be able to access the file from the Administration Website.

Note

Virtual Server supports ISO 9660 images (the International Organization for Standardization format) of a CD or DVD. You can use these images to perform the same operations as physical media, such as installing an operating system. There are a variety of non-Microsoft tools available for creating CD images.

You can also configure the security of the Virtual Server global options file (Options.xml), the virtual machine configuration (.vmc) files, and the virtual network configuration (.vnc) files. For more information, see Configuring Virtual Server security settings and Configuring virtual machine security.