Protect VMware Workstation shared VMs with custom access settings

When multiple users share VM access, the VMware administrator should consider restricting VM configuration and update abilities. This prevents accidental or malicious changes and is easy to set up in VMware Workstation.

Restricting configuration access in VMware Workstation shared VMs is useful in classrooms where students might modify virtual machine configurations and in kiosks where VM-USB connections could introduce a virus or other malware.


Encryption, which makes all of a VM's content inaccessible without a password, is one option to control VM access in Workstation. Whereas VM encryption is an all-or-nothing solution, a restricted virtual machine can be modified by applying a policy to it. This VM protection policy opens the door for exceptions. You might, for instance, disable the option to modify VM hardware, but make an exception for attaching and removing USB devices.

Encryption protects a VM at startup, but restriction allows users to perform necessary tasks while ensuring that they are unable to access the virtual machine configuration. Restricted VMs password-protect against an unauthorized upgrade to a newer version of VMware software, settings changes or modifications to the hardware configuration.

How to restrict VMware Workstation shared VMs

Control VM restrictions via "Edit virtual machine settings" in Workstation's main interface. Under the Options tab, you'll see "Access Control," with all options disabled (Figure 1).

Figure 1. The VMware Workstation Access Control link is how you'll change the encryption and restriction options for a VM.

When you select "Enable Restrictions," you can apply two additional VM protection policy settings. The option to allow USB devices to connect to the VM is on by default. There are several scenarios in which you would want to disable VM-USB connections -- for instance, on VMs that contain valuable information. By allowing USB devices to connect with the VM, you allow the VM's user to copy content from it. The USB connection option exposes the VM to the risk of malware and viruses. To mitigate these risks, disable this option unless it is needed.

The other policy setting for restricted virtual machines is the option that requires a user to change the password. This option is off by default. If it is selected, a user who moves or copies the VM will first have to set a new restriction password. This option is useful if you want to share a VM with peers, but it is typically not helpful in a classroom environment, where users could set their own restriction passwords and then make VM modifications at will.

Just as with encrypting VMs, there are risks to setting restrictions on VMware Workstation shared VMs. What happens if you lose the password? Restricted VMs can never be modified again.

This was first published in January 2013
