Using Virtual machine technology to get better security

There is a growing consensus that virtual machine technology can help make a system more secure. This is true both for the consumer market and for the server market.

Let’s take Virtual PC, for instance. First of all, you have the ability to run separate (legacy) applications in separate virtual machines. If one of these applications has a vulnerability, then only that one virtual machine will be affected, not everything else.

Second, virtual machines offer an elegant solution for applications that do not play well with the Limited User Account (LUA) idea. If an application is insecure and at the same time requires administrative access to run, then all you have to do is run this application in a separate Virtual PC instance.

However, I would like to point out that, in many cases, creating separate, non-administrative user accounts might be good enough. You don’t need virtualization to solve all of your problems. I just read an article that pointed out this potential confusion:

Intel expects to see some business users build on these concepts. Companies might, for example, set up one partition that can run only approved software. Users can install iTunes or Doom or whatever unsafe software they like in another partition. Software makers might also create a type of “service operating system” that could be accessed no matter what has happened to the main copy of Windows or Linux.

“This lets you isolate the systems and recover if there is a malicious attack,” Bryant said.

What do consumers get?

Well, they can partition off the operating system into “for adult” and “for children” compartments.

“I really don’t want my kids messing with the Quicken files we use to pay our bills,” said Bill Leszinske, a director of marketing in Intel’s desktop group. Leszinske would return to this bad child theme again and again.

PC makers might also try and fine tune their systems to handle certain functions better. Why go through the time and trouble of booting Windows when you just want to play a DVD? Here comes the instant-on DVD partition, Leszinske said.

While the Intel marketeers did provide a couple of useful suggestions, they didn’t have answers for some of the more difficult questions posed by the IDF crowd. Things like, “Do we really need separate partitions for our evil children? Doesn’t a separate login do the trick today?” “What happens when Microsoft wants us to pay for four licenses for our four partitions?” “Do we install Norton four times?” “How about Service Pack 3?”

It is very easy to prevent your kids from accessing the Quicken files: all you have to do is set the right security settings on the Quicken folders. And, also, make sure that these kids are not administrators.
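As an added illustration of the point above (this is example code written for this page, not something from the original post, from Intel or from Microsoft), the following PowerShell script does the two things the paragraph recommends: it creates a limited, non-administrator account for the child and then locks the finance folder down so that only the parent’s account (plus SYSTEM and the local Administrators group) can open it. The account names and the folder path are placeholders, and the script assumes it is run from an elevated PowerShell session on a current Windows client where the Microsoft.PowerShell.LocalAccounts cmdlets (New-LocalUser, Add-LocalGroupMember, and so on) are available; on XP Home the equivalent steps are the Control Panel user wizard plus the folder’s Security tab.

```powershell
# Added example, not from the original post. Creates a non-administrator
# account and restricts a data folder to the parent's account only.
# Assumes an elevated PowerShell on a modern Windows client.
$ChildUser  = 'Kid'                        # placeholder account name
$ParentUser = "$env:COMPUTERNAME\Parent"   # placeholder; owner of the finance data
$QuickenDir = 'C:\Finance\Quicken'         # placeholder folder path

# 1. Create the child account as a limited (non-administrator) user.
#    Membership in 'Users' alone gives no write access to Program Files,
#    HKLM, or other users' profiles.
if (-not (Get-LocalUser -Name $ChildUser -ErrorAction SilentlyContinue)) {
    $pw = Read-Host -Prompt "Password for $ChildUser" -AsSecureString
    New-LocalUser -Name $ChildUser -Password $pw | Out-Null
    Add-LocalGroupMember -Group 'Users' -Member $ChildUser
}

# 2. Check that the child is not in the local Administrators group.
#    This matters: an administrator can take ownership of any folder and
#    rewrite its DACL, so the ACL below only holds against non-admins.
$admins = Get-LocalGroupMember -Group 'Administrators' | ForEach-Object { $_.Name }
if ($admins -contains "$env:COMPUTERNAME\$ChildUser") {
    Remove-LocalGroupMember -Group 'Administrators' -Member $ChildUser
}

# 3. Lock down the folder: stop inheriting ACEs from the parent directory,
#    discard the inherited ones, and grant Full Control only to the parent
#    account, SYSTEM and Administrators. With no ACE for the child (or for
#    the Users group), the child gets "Access is denied" on every file.
$acl = Get-Acl -Path $QuickenDir
$acl.SetAccessRuleProtection($true, $false)   # protect DACL, do not keep inherited rules
foreach ($id in @($ParentUser, 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $id, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $QuickenDir -AclObject $acl

# 4. Verify the result: the listing should show only the three identities
#    granted above and no entry for the child account.
(Get-Acl -Path $QuickenDir).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType |
    Format-Table -AutoSize
```

The check in step 2 is the part people skip: an access control list only protects a folder from accounts that cannot override it, which is exactly why the second sentence of the paragraph above insists that the kids not be administrators.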

Even so, sometimes I think that we should have a very simple (and easy to discover) wizard in Windows XP Home Edition that allows the average non-technical user to secure the machine by automatically creating one or several non-administrator accounts. In my mind, the current user management UI has to do a better job of educating us about why we should care about having non-administrative user accounts…

[update: adding more context to the quote above]

Comments (3)

  1. Mike Dimmick says:

    I’m not sure what’s so hard about Start > Control Panel > User Accounts, click Create User Account. You do then have to click Change Account Type and select Limited User.

    On XP the default is that user profile directories have security configured so only that user – not even administrators – can access their profile. Of course administrators have the Take Ownership right, and the owner of an object can always write the DACL, so an administrator can get access if required. However, the tools necessary – the classic Security tab – are only shown if Simple File Sharing is turned off – I can’t recall whether you can do this in Home Edition.

    The continuing problem is that certain software breaks the rules about writing personalised data to the Program Files directory or to HKEY_LOCAL_MACHINE in the registry. See for more on using a LUA.
