client OS security under Virtual PC 2007

  • Thread starter Thread starter dave o.
  • Start date Start date
D

dave o.

Guest
I have a number of legacy applications that run best on their original OS's
(Windows 98 and Windows NT 4). Since neither of these OS's are currently
supported with security patches, etc., and the applications require minimal
network access, I would like to know whether there is any kind of 'umbrella'
security provided by the host OS? Assuming, of course, that the host has
current patches, and up to date AV/malware software.
 
Update them as best you can... Since you have a firewall and antivius on
your computer it should scan most of the incoming information. However for
the virtual machine i would say put a full security suit on it! There is
really nothing you can do..... They are they best ways out!

--

http://www.goldwatches.com/
"dave o." <me@mymail.com> wrote in message
news:745F7942-1879-41DC-8903-E8527B5615F5@microsoft.com...
>I have a number of legacy applications that run best on their original OS's
> (Windows 98 and Windows NT 4). Since neither of these OS's are currently
> supported with security patches, etc., and the applications require
> minimal
> network access, I would like to know whether there is any kind of
> 'umbrella'
> security provided by the host OS? Assuming, of course, that the host has
> current patches, and up to date AV/malware software.
 
dave o. wrote:
> I have a number of legacy applications that run best on their original OS's
> (Windows 98 and Windows NT 4). Since neither of these OS's are currently
> supported with security patches, etc., and the applications require minimal
> network access, I would like to know whether there is any kind of 'umbrella'
> security provided by the host OS? Assuming, of course, that the host has
> current patches, and up to date AV/malware software.

No, there is no "umbrella" protection. The operating systems running in
virtual machines are real operating systems and if they are connected to
the Internet, they are at risk. They are self-contained and separate
from the host OS. You need an antivirus and a firewall on any Windows
operating system. If you allow the Windows operating systems installed
in VMs to be on your Local Area Network with file/printer sharing
enabled, your other Windows machines are at risk also - exactly the same
as if you weren't running in a virtual machine but had an actual
physical computer.

You can get around this by not allowing your older operating systems to
access the Internet and/or your LAN. If you need these functions, you
need to provide adequate protection.


Malke
--
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"
MS-MVP Windows - Shell/User
 
One more thing. Suppose that your legacy OS virtuals were allowed
no network, not minimal but no network access. In that case the virtuals
are potentially less safe than if they were running on physical hardware
without network. As far as I have been made aware, there is no exploit
in the wild that attacks the host OS from a virtual, or other virtuals on
the same host for that matter, but there is code being seen in the wild that
does make the effort to detect whether it is in a virtual or not. Also, in
principal it is not impossible for code to work its way to the host from
a virtual, and that is even without a host provided virtual network or
share environment. So, today there is the appearance of a shielding
'umbrella' but in fact it seems that this is just a statement about today
rather than about the technology.

Roger

"dave o." <me@mymail.com> wrote in message
news:745F7942-1879-41DC-8903-E8527B5615F5@microsoft.com...
>I have a number of legacy applications that run best on their original OS's
> (Windows 98 and Windows NT 4). Since neither of these OS's are currently
> supported with security patches, etc., and the applications require
> minimal
> network access, I would like to know whether there is any kind of
> 'umbrella'
> security provided by the host OS? Assuming, of course, that the host has
> current patches, and up to date AV/malware software.
 
Yet one more thing. With virtual infrastructure you can make snaphots and
reverse guests easily to "known good" state, eliminating accumulated...
issues. Perfect for honeypots, useful for business systems.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *

"dave o." <me@mymail.com> wrote in message
news:745F7942-1879-41DC-8903-E8527B5615F5@microsoft.com...
>I have a number of legacy applications that run best on their original OS's
> (Windows 98 and Windows NT 4). Since neither of these OS's are currently
> supported with security patches, etc., and the applications require
> minimal
> network access, I would like to know whether there is any kind of
> 'umbrella'
> security provided by the host OS? Assuming, of course, that the host has
> current patches, and up to date AV/malware software.
 
"S. Pidgorny <MVP>" <slavickp@yahoo.com> wrote in message
news:eg7lubm1HHA.1208@TK2MSFTNGP03.phx.gbl...
> Yet one more thing. With virtual infrastructure you can make snaphots and
> reverse guests easily to "known good" state, eliminating accumulated...
> issues. Perfect for honeypots, useful for business systems.
>

and a little footnote . . .
"useful for business systems" particularly if you can isolate the
persisted data/state of the applicative systems (the purpose of
the business systems) so that the OS vitual and the application
state can be independently safeguarded and independently reset
to point in time (not as simple as it sounds, of course).

> "dave o." <me@mymail.com> wrote in message
> news:745F7942-1879-41DC-8903-E8527B5615F5@microsoft.com...
>>I have a number of legacy applications that run best on their original
>>OS's
>> (Windows 98 and Windows NT 4). Since neither of these OS's are currently
>> supported with security patches, etc., and the applications require
>> minimal
>> network access, I would like to know whether there is any kind of
>> 'umbrella'
>> security provided by the host OS? Assuming, of course, that the host has
>> current patches, and up to date AV/malware software.
>
>
 
Thanks to all for your insight. You have confirmed what i had suspected, but
hadn't been able to find information about. WIndows 98 doesn't have a lot of
support in the antivirus community anymore (at least not from our corporate
vendor). There also doesn't seem to be a lot of comprehensive information
about the Microsoft VM's available, (I haven't found the VM's for Dummies
book yet) so I'm glad the I found this discussion group. One follow up, if I
isolate the guest OS from the network, is there a mechanism to set up a
shared file area between the guest and host? Would probably have to be FAT32
for access by the Windows 98 guest.


"Roger Abell [MVP]" wrote:

> "S. Pidgorny <MVP>" <slavickp@yahoo.com> wrote in message
> news:eg7lubm1HHA.1208@TK2MSFTNGP03.phx.gbl...
> > Yet one more thing. With virtual infrastructure you can make snaphots and
> > reverse guests easily to "known good" state, eliminating accumulated...
> > issues. Perfect for honeypots, useful for business systems.
> >
>
> and a little footnote . . .
> "useful for business systems" particularly if you can isolate the
> persisted data/state of the applicative systems (the purpose of
> the business systems) so that the OS vitual and the application
> state can be independently safeguarded and independently reset
> to point in time (not as simple as it sounds, of course).
>
> > "dave o." <me@mymail.com> wrote in message
> > news:745F7942-1879-41DC-8903-E8527B5615F5@microsoft.com...
> >>I have a number of legacy applications that run best on their original
> >>OS's
> >> (Windows 98 and Windows NT 4). Since neither of these OS's are currently
> >> supported with security patches, etc., and the applications require
> >> minimal
> >> network access, I would like to know whether there is any kind of
> >> 'umbrella'
> >> security provided by the host OS? Assuming, of course, that the host has
> >> current patches, and up to date AV/malware software.
> >
> >
>
>
>
 
My comments about VM sandboxing (or potential lack of) was not
limited to a specific virtualizing product, and also did not give full
credit to the potential of virtualizing processors to contain things.

Isolating from the network and sharing with the host is not isolating
from the network (unless the host is so isolated).

Most of the VM products facilitate (better and worse) attaching
storage / accessing shares. Just how depends on product and
version. I have not been using VPC, rather VMWare products
and VS05r2.

Depending on what is done on the out-of-support OSs use of a
non-bridged network interface that has to NAT under host OS
control can give you some measure of screening (ex. IPsec control
on the NAT'd off-box IP) if you want to get into RRAS in server

Roger

"dave o." <me@mymail.com> wrote in message
news:CA74890A-CD41-4DF0-B926-D4ABA215E131@microsoft.com...
> Thanks to all for your insight. You have confirmed what i had suspected,
> but
> hadn't been able to find information about. WIndows 98 doesn't have a lot
> of
> support in the antivirus community anymore (at least not from our
> corporate
> vendor). There also doesn't seem to be a lot of comprehensive information
> about the Microsoft VM's available, (I haven't found the VM's for Dummies
> book yet) so I'm glad the I found this discussion group. One follow up,
> if I
> isolate the guest OS from the network, is there a mechanism to set up a
> shared file area between the guest and host? Would probably have to be
> FAT32
> for access by the Windows 98 guest.
>
>
> "Roger Abell [MVP]" wrote:
>
>> "S. Pidgorny <MVP>" <slavickp@yahoo.com> wrote in message
>> news:eg7lubm1HHA.1208@TK2MSFTNGP03.phx.gbl...
>> > Yet one more thing. With virtual infrastructure you can make snaphots
>> > and
>> > reverse guests easily to "known good" state, eliminating accumulated...
>> > issues. Perfect for honeypots, useful for business systems.
>> >
>>
>> and a little footnote . . .
>> "useful for business systems" particularly if you can isolate the
>> persisted data/state of the applicative systems (the purpose of
>> the business systems) so that the OS vitual and the application
>> state can be independently safeguarded and independently reset
>> to point in time (not as simple as it sounds, of course).
>>
>> > "dave o." <me@mymail.com> wrote in message
>> > news:745F7942-1879-41DC-8903-E8527B5615F5@microsoft.com...
>> >>I have a number of legacy applications that run best on their original
>> >>OS's
>> >> (Windows 98 and Windows NT 4). Since neither of these OS's are
>> >> currently
>> >> supported with security patches, etc., and the applications require
>> >> minimal
>> >> network access, I would like to know whether there is any kind of
>> >> 'umbrella'
>> >> security provided by the host OS? Assuming, of course, that the host
>> >> has
>> >> current patches, and up to date AV/malware software.
>> >
>> >
>>
>>
>>
 
You must log in or register to reply here.
Back
Top