When multiple users share VM access, the VMware administrator should consider restricting VM configuration and update abilities. This prevents accidental or malicious changes and is easy to set up in VMware Workstation.
Restricting configuration access in VMware Workstation shared VMs is useful in classrooms where students might modify virtual machine configurations and in kiosks where VM-USB connections could introduce a virus or other malware.
Learn more about virtualization for kiosks
Determine VM per core needs
Is there a better way than kiosks?
Encryption, which makes all of a VM's content inaccessible without a password, is one option to control VM access in Workstation. Where VM encryption is an all-or-nothing solution, a restricted virtual machine can be modified by applying a policy to it. This VM protection policy opens the door for exceptions. You might, for instance, disable the option to modify VM hardware, but make an exception for attaching and removing USB devices.
Encryption protects a VM at startup, but restriction allows users to perform necessary tasks while ensuring that they are unable to access the virtual machine configuration. Restricted VMs password-protect against an unauthorized upgrade to a newer version of VMware software, settings changes or modifications to the hardware configuration.
How to restrict VMware Workstation shared VMs
Control VM restrictions via "Edit virtual machine settings" in Workstation's main interface. Under the Options tab, you'll see "Access Control," with all options disabled (Figure 1).
When you select "Enable Restrictions," you can apply two additional VM protection policy settings. The option to allow USB devices to connect to the VM is on by default. There are several scenarios in which you would want to disable VM-USB connections -- for instance, on VMs that contain valuable information. By allowing USB devices to connect with the VM, you allow the VM's user to copy content from it. The USB connection option exposes the VM to the risk of malware and viruses. To mitigate these risks, disable this option unless it is needed.
The other policy setting for restricted virtual machines is the option that requires a user to change the password. This option is off by default. If it is selected, a user that moves or copies the VM will have to first set a new restriction password. This option is useful if you want to share a VM with peers, but it is typically not helpful in a classroom environment, where users could set their own restriction passwords and then make VM modifications at will.
Just as with encrypting VMs, there are risks to setting restrictions on VMware Workstation shared VMs. What happens if you lose the password? Restricted VMs can never be modified again.