Configuring virtual disk security
Configuring virtual disk security
In addition to securing the folders in which the various Virtual Server files are located (as described in Securing Virtual Server), you can also configure security on the individual files themselves. Securing the files individually is not necessary unless you want want to define access permissions more precisely than at the folder level.
Permissions for virtual disks
To allow or deny permissions for users to copy, move, delete, or write data to virtual hard disk (.vhd) and virtual floppy disk (.vfd) files, you can modify the files' discretionary access control lists (DACLs). If you create a virtual hard disk for a virtual machine when you create a virtual machine, the .vhd file is located in the virtual machine configuration folder, in C:\Documents and Settings\All Users\Documents\Shared Virtual Machines by default. Otherwise, both .vhd and .vfd files are stored in the location specified when they were created.
Note
There is no option for configuring these settings in the Administration Website; you can configure them in the file system only.
The following table lists the permissions that you can configure on a virtual hard disk or virtual floppy disk file.
| Permission | Use to grant or deny this ability |
|---|---|
Read |
Read from the virtual disk. |
Create Files/Write Data |
Write data to this virtual disk. |
Delete |
Delete the virtual disk file. |
Read Permissions |
Read permissions on the virtual disk file. |
Change Permissions |
Change permissions on the virtual disk file. |
In addition to these permissions, the user must have the List Folder permission on the folder containing the .vhd or .vfd file. Without this permission, the user will not be able to access the file from the Administration Website.
Note
If you want to share a virtual floppy disk (.vfd file) between virtual machines, the .vfd file must be configured as read-only. For a physical floppy disk, the first virtual machine to detect the physical disk will be the only virtual machine that can use that disk.
Permissions for ISO files
To grant or deny permissions for users to copy, move, delete, or write data to CD or DVD ISO 9660 image files, you can modify the DACLs on these files.
Note
There is no option for configuring these settings in the Administration Website; you can configure them in the file system only.
The following table lists the permissions that you can configure on a CD or DVD ISO file.
| Permission | Use to grant or deny this ability |
|---|---|
Read |
Read from the ISO file. |
Delete |
Delete the ISO file. |
Read Permissions |
Read permissions on the ISO file. |
Change Permissions |
Change permissions on the ISO file. |
In addition to these permissions, the user must have the List Folder permission on the folder containing the ISO file. Without this permission, the user will not be able to access the file from the Administration Website.
Note
Virtual Server supports ISO 9660 images, the International Organization for Standardization format, of a CD or DVD. You can use these images to perform the same operations as physical media, such as installing an operating system. There are a variety of non-Microsoft tools available for creating CD images.
You can also configure the security of the Virtual Server global options file (Options.xml), the virtual machine configuration (.vmc) files, and the virtual network configuration (.vnc) files. For more information, see Configuring Virtual Server security settings and Configuring virtual machine security.