When it comes to minimizing the potential for malicious software running in a virtual machine to affect your physical computer, there are two golden rules to follow:
- Secure the virtual machine just like you would a physical computer. This means installing antivirus / anti-malware software, configuring firewalls, regularly installing updates, etc…
- Reduce the potential paths for the virtual machine to access your physical computer.
In the latter category there are three common paths:
- Standard networking. Here the risk is no greater (or lesser) than if you had a separate computer connected to the same network.
- Clipboard sharing. When integration components are enabled, any data that is put into the virtual machines clipboard is automatically copied to the physical computers clipboard (and vice versa). The potential for risk here is relatively low – but if it is a concern for you – you can easily disable this feature under the virtual machine settings.
- Shared Drives. Shared drives allow the virtual machine to access the drives of the physical computer – without needing a network connection to be present. This functionality is critical for most people who use Virtual PC – but it is also an obvious path for malicious software to get to data on the physical computer from inside the virtual machine. As such I would like to spend some time talking about how to restrict this functionality appropriately.
The first thing to know is that you can configure drive sharing so that only specific drives are shared:
You should always make sure that this setting is configured appropriately for your environment.
But what if you do not want to share and entire drive? What if you just want to share a single folder?
Well, I have found a handy method to do just this. It is a little cheesy, but it allows you to drastically reduce the surface area that is exposed. Basically – what you need to do is to create the folder that you want to share, open a command prompt, and run the following command:
subst j: c:\MySharedFolder
This creates a “virtual” drive that points to the folder you created (in this case I am mapping “C:\MySharedFolder” to J: – but obviously you can use any drive letter or folder that you want to use). You can then map this drive into the virtual machine: