VDI Security - Securing VM Storage Devices
By default, new VHD files in the Public profile are stored in the %users% \Public\Documents\Hyper-V\Virtual Hard Disks directory. You can change the default storage location for VHDs by selecting Hyper-V Settings in the Hyper-V Manager. If you specify a different storage location, assign permissions as follows for the new folder:
Table: Permission Settings for VHD Storage Folder
Names |
Permissions |
Apply to |
|---|---|---|
Administrators System |
Full Control |
This folder, subfolders, and files |
Creator Owner |
Full Control |
Subfolders and files only |
Interactive Service Batch |
Create files/write data Create folders/append data Delete Delete subfolders and files Read attributes Read extended attributes Read permissions Write attributes Write extended attributes |
This folder, subfolders, and files |
To simplify management, you might want to store all of the VFD and ISO files in separate folders on the same logical volume as the VHDs. For example, a typical folder structure might be:
· W:\Virtualization Resources\Virtual Machines
· W:\Virtualization Resources\Virtual Hard Disks
· W:\Virtualization Resources\Virtual Floppy Disks
· W:\Virtualization Resources\ISO files
When installing antivirus software in the management operating system, configure any real-time scanning components to exclude the directories where virtual machine files are stored, as well as the program files vmms.exe and vmwp.exe in C:\Windows\System32. If you do not create these exclusion rules, you might encounter errors when creating and starting virtual machines.
For detailed information refer to Hyper-V Security Guide