How to restrict creation of a VM on Windows 7 in domain?

  • Question

  • Is there a GPO that will restrict the creation of VMs on Windows 7 joined to a domain? Or any local policy that can be set for it? If the logged in user is a local admin, can they be restricted in any way? 

    I'm concerned about having dozens of VMs created by end users (who are all technically savvy enough to do it) that aren't patched, have no AV, are surfing the Internet and are sharing the mapped drives of the host. Seems like a huge virus attack just waiting to happen.

    Thank you for any help you can offer!
    Thursday, June 11, 2009 7:01 AM

Answers

  • Thanks for raising the concern. However, there is no way you can control the VM creation in VPC. You would need to use MED-V available as part of MDOP to have better manageability.
    Also, the user can do VM creation with any other virtualization software in the market. I'm not sure how this changes in Win 7.

    Regards
    • Marked as answer by Nitin.Garg Thursday, June 11, 2009 9:24 AM
    Thursday, June 11, 2009 9:23 AM

All replies

  • No, we don't have a GPO to control this. Look at the problem the other way: we already have other virtualization solutions and your issue has existed for years; how did you control those?

    Proper user rights and solutions like MED-V help here.
    Thanks, -Vinod -- "This posting is provided "AS IS" with no warranties, and confers no rights. You assume all risk for your use."
    Thursday, June 11, 2009 8:14 AM
  • In the past I controlled VM configuration by creating the VMs myself from a standardized image and providing them to the end user (Most are on Vista). I know I can also use the SCVMM option to allow them to create VMs on their own, but for the low number of VMs I need, this is acceptable.

    With the new technology in Windows 7, the game changes, and the end user now has the ability to create a new VM on their own. 

    It seems that the domain security and Administrative control of the local VM creation within Windows 7 in a Domain environment has been missed by Microsoft (?). If I can't control the VM creation with a GPO, is there another way to restrict VM creation in Windows 7? Exactly what permissions are needed to create a VM in Windows 7?

    We are a Gold Certified Microsoft Partner, but I don't think MED-V is available to us, is it? I think it is only available through MDOP in the Volume License Program.

    Could you confirm it for me?

    I saw where I could download a "trial" of MED-V for MSDN and Technet subscribers, but I don't think a "trial" would be a solution.

    I like the idea of being able to sell the MED-V solution to customers, (it is AWESOME! - saw it at TechEd in LA) and I'd like to show them a working model of it (preferably a live environment like my own domain), but I don't want or need to pay the cost of the Volume License Program to get MED-V - I don't need it for my personal use in my domain.

    What I need is to control the VM creation in Windows 7 more flexibly than an on-off switch, although that would also work. I just don't know where that switch is or how to flip it.
    Thursday, June 11, 2009 8:56 AM
  • Let us understand your scenario:
    [You] In the past I controlled VM configuration by creating the VMs myself from a standardized image and providing them to the end user (Most are on Vista).
    [Vinod] How do users run these VMs? They would have some software locally?
    Since users are admins on the box, in the past they could also download Virtual PC 2007 and create a VM?

    Also please send your feedback via connect with more details for scenario.

    MED-V will be available for VPC7 also. I don't have timelines to share.

    Thanks, -Vinod -- "This posting is provided "AS IS" with no warranties, and confers no rights. You assume all risk for your use."
    Thursday, June 11, 2009 9:13 AM
  • You are 100% correct. Anyone could install VPC2007 and could create the VM themselves, if they somehow got an XP installation disk, license key, installation CDs for the applications they need, etc. and had 45 minutes to burn installing the OS alone. But they're too busy to mess with it themselves in the current situation, don't have access to (legal) license keys or installation media, so they just ask me for it. :)

    I understand it is not a new ability, but it is a new approach to it.

    Windows 7 creates a VM in about 9 minutes with one click. They won't be too busy (or lazy) to do that.  :( 

    Even without the apps they need, they'll have an unpatched basic Windows XP installation and the ability to surf the Internet and will be open to attack in a HUGE way that has not been so easily available before.

    Maybe I'm wrong, but I think Microsoft should have thought about the ramifications of the new implementation in this way.

    Am I correct that the answer to my question is " There is no way to restrict the creation of a VM in Windows 7."?

    Thursday, June 11, 2009 9:52 AM
  • I agree with the ease of launch case, but let's think about it in more detail:
    1. Once a VHD is on the user's desktop, the admin needs to take care of patching, AV updates etc. Getting a VHD from MS is no different; once it is on the desktop the same care needs to be taken.
    2. You as an admin can always push your own VHD to the user's desktop and may even create a shortcut to it, which users use instead of another VHD.

    I am no expert here when management of VMs is concerned, but as I see you need right tools for it.

    And yes, you cannot block creation of VM. Please raise it as feedback for product team.
    Thanks, -Vinod -- "This posting is provided "AS IS" with no warranties, and confers no rights. You assume all risk for your use."
    Thursday, June 11, 2009 10:15 AM
  • I just realized my login bounced from FinlandRobert to elmerecrafter. I'm both accounts. Sorry for any confusion...

    I don't know of any Microsoft tools to manage unknown machines that are not part of the domain after creation. That is why I'm looking to either restrict the creation or modify it when Windows 7 is creating it.

    This looks to me to be a HUGE attack vector into the domain, as the machine automatically maps all the host drives and USB devices, is unpatched with no Anti Virus software, and has access to the Internet.

    How do I connect with the Product team to provide the feedback? If you would like to email me directly with the information, that would be great. The FinlandRobert account would be better, but emailing to the elmerecrafter account will work as well.

    Thank you for your help and input! It is greatly appreciated.
    Thursday, June 11, 2009 10:51 AM
  • You could try:

    Remove the security settings for the Users group from two files in windows\system32, VPCSettings.exe and VPCWizard.exe. Add your local administrator to the permissions on those two files so that the administrator can make changes. This will stop the users from creating or changing virtual machines.

    Good luck

    • Proposed as answer by JayThomas Thursday, July 8, 2010 7:42 PM
    Thursday, July 8, 2010 7:42 PM
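    The ACL change JayThomas describes, scripted in PowerShell as an added example (not from the thread or from Microsoft), with a check that reports whether the Users group still holds any Allow ACE on each file. It assumes the two binaries sit at the System32 paths named in the post, that the script runs elevated, and, as the next reply points out, it offers no protection where the users are themselves local administrators.

    ```powershell
    # Added example: lock down the two Virtual PC binaries named in the thread so that
    # only local Administrators can run them. Paths follow the post; run elevated.
    $files = @(
        "$env:SystemRoot\System32\VPCSettings.exe",
        "$env:SystemRoot\System32\VPCWizard.exe"
    )

    function Restrict-VpcBinary {
        param([Parameter(Mandatory = $true)][string]$Path)
        if (-not (Test-Path -LiteralPath $Path)) {
            Write-Warning "Not found: $Path (Virtual PC / XP Mode not installed?)"
            return $false
        }
        # System32 binaries are owned by TrustedInstaller; hand ownership to the local
        # Administrators group (/A) so the DACL can be edited. Assumes an elevated shell.
        takeown.exe /F $Path /A | Out-Null
        # Stop inheriting from System32 but keep a copy of the current ACEs...
        icacls.exe $Path /inheritance:d | Out-Null
        # ...then drop every ACE granted to Users and give Administrators full control.
        icacls.exe $Path /remove:g "BUILTIN\Users" | Out-Null
        icacls.exe $Path /grant "BUILTIN\Administrators:F" | Out-Null
        return ($LASTEXITCODE -eq 0)
    }

    function Test-VpcBinaryRestricted {
        # $true when no Allow ACE on the file is granted to BUILTIN\Users.
        param([Parameter(Mandatory = $true)][string]$Path)
        $acl = Get-Acl -LiteralPath $Path
        $userAces = $acl.Access | Where-Object {
            $_.IdentityReference -eq 'BUILTIN\Users' -and
            $_.AccessControlType -eq 'Allow'
        }
        # @() so the count is 0 rather than $null on PowerShell 2.0 (Windows 7 default)
        return (@($userAces).Count -eq 0)
    }

    foreach ($f in $files) {
        if (Restrict-VpcBinary -Path $f) {
            "{0}: Users removed = {1}" -f $f, (Test-VpcBinaryRestricted -Path $f)
        }
    }
    ```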
  • I think you missed "If the logged in user is a local admin, can they be restricted in any way?".  The users are local admins.

    The problem is not the host virtualization software -- as has been pointed out earlier in the thread.  The users could download VirtualBox and use that instead of VPC.  The problem is the availability of the XP Mode VM.  Prior to the XP Mode VM the user would have to build the VM and activate it with their own key.  The XP Mode VM has eliminated that barrier.

    Saturday, July 10, 2010 6:02 AM