2

I'm thinking of running Windows 7 on a virtual machine on VirtualBox on top of Linux, so that Windows is sort of a "self-contained sandbox" (especially in terms of data storage) for things that require Windows to run.

However, I've heard that running a VirtualBox VM may have some security or stability implications for the host system. What sort of things could the Windows system in a VM do that would mess up the Linux system it runs on?

slm
Joe Z.
  • I've heard stability issues (as VirtualBox adds some kernel drivers); I'm not aware of security issues to the underlying OS (but presumably, those kernel drivers are another possible attack vector). This question may be better suited to the Information Security stack. – Elliott Frisch Apr 16 '14 at 19:07
  • Well, to be honest it's more intended to be asking for general advice about running Windows 7 on a Linux VM, as 99% of people tend to do it the other way around. – Joe Z. Apr 16 '14 at 19:09
  • You could run that software as a common user with Wine, depending on how compatible it is with it.

    Some of the security concerns about virtualization are the "escapes" that some processor instruction could create, or any bug in those hypervisors that could lead to a virtualized machine gaining access to a physical host. http://www.kb.cert.org/vuls/id/649219

    –  Apr 16 '14 at 20:05
  • @JoeZ.: I must admit I don't know any reason to do it the other way round. I'd be curious where you base your claim about 99% of people. – Pavel Šimerda Apr 16 '14 at 20:17
  • Hmm, it was based on a cursory scan of the Google results for "run Windows 7 on a Linux VM", which was returning results for the other way around instead when I tried looking at it. But on second look, the results are mostly for actually running Windows 7 on a Linux VM. – Joe Z. Apr 16 '14 at 21:13

1 Answer

5

If you squint, VM security looks a lot like LAN host security. It's just another machine on the network, with the same sort of attendant risks. If you would willingly put a Windows 7 host on the LAN, you shouldn't be especially worried about putting a Windows 7 VM on the VM host.

It is possible to lock a VM down to the point where it is less dangerous to LAN hosts (including the VM host OS) than a separate box connected to the LAN. You can set up host-only networking, for example, so that the VM can only talk to network servers running on the host OS. Or, set it up without any networking at all. That is useful in test environments, where the VM doesn't need to access outside resources. This does make applying security patches harder, but if you only need the VM for testing software compatibility, it could be just the thing.

Desktop VM host systems like VirtualBox have increasing amounts of convenience features enabled by default, especially for Windows and OS X guests. They will do things like share the host user's Downloads, Desktop, and Documents folders with the VM. If you're concerned that the Windows 7 VM might get infected with a network-destructive virus, you should think about turning these features off, since they appear to the Windows guest as a network-shared drive.

Think through the risks. A shared Downloads folder may actually increase security if you keep it mostly empty, and use it instead of allowing the VM network access. You could download new software and security patches on the host to the Downloads folder, switch into the VM, install it, and delete the file.

Short of such automatic sharing, though, VMs are not especially worrisome tech from a security standpoint. If anything, they're a net positive.

Warren Young
  • Thanks. The automatic file-sharing shouldn't be a problem. That's all I needed to know. – Joe Z. Apr 16 '14 at 21:07
  • To be honest, I'm really more worried about encapsulating the data layout that Windows 7 requires, because having things on an outside partition really makes things messy for any other systems that might want to reside on the computer. – Joe Z. Apr 19 '14 at 01:27
  • @JoeZ.: Who says you need to use a partition? A VDI file offers just as much encapsulation. The VM can't write to any part of the host file system other than the virtual HDD file, short of a network share. – Warren Young Apr 19 '14 at 06:09
  • What I mean is, that's what I'm using a VDI file for. Having things on an outside partition is what makes things messier. By "worried about encapsulating the data layout", I meant that's why I pursued the option of having Windows 7 on a VM in the first place. – Joe Z. Apr 19 '14 at 14:15
  • Ah, I see. When you say "worried," you're not worried in a security sense; you are motivated to avoid HDD partitions for organizational reasons. However, realize that some VM systems will let you assign a physical hard disk partition to a particular VM. (Not VirtualBox, apparently.) The only reason I can think of to do that is to remove any risk of double fragmentation. As long as you store the VDI file on a modern filesystem that inherently avoids fragmentation, even that reason goes away. – Warren Young Apr 19 '14 at 14:45
  • Would ext4 be suitable for that? – Joe Z. Apr 19 '14 at 14:58
  • 1
    @JoeZ. If only there was a place you could ask questions like this... – Warren Young Apr 19 '14 at 17:35
  • Haha, point taken. – Joe Z. Apr 20 '14 at 00:33
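
The answer's lock-down advice (host-only or no networking, no automatically shared host folders) can be checked from the output of `VBoxManage showvminfo --machinereadable`. The script below is an added example, not part of the original thread; the VM name, adapter name and paths in the sample are constructed, and `audit_vm` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example: audit a VirtualBox VM's isolation settings.
# Real use (VM name is a placeholder):
#   VBoxManage showvminfo "win7-sandbox" --machinereadable | audit_vm
# Possible fixes, run with the VM powered off:
#   VBoxManage modifyvm "win7-sandbox" --nic1 hostonly --hostonlyadapter1 vboxnet0
#   VBoxManage modifyvm "win7-sandbox" --nic1 none
#   VBoxManage sharedfolder remove "win7-sandbox" --name Downloads

# Constructed sample of machine-readable output (not from a real VM).
SAMPLE_INFO='name="win7-sandbox"
nic1="nat"
nic2="hostonly"
hostonlyadapter2="vboxnet0"
nic3="none"
SharedFolderNameMachineMapping1="Downloads"
SharedFolderPathMachineMapping1="/home/user/Downloads"'

# audit_vm: read key="value" lines on stdin, print one finding per line.
audit_vm() {
    while IFS='=' read -r key value; do
        # Strip the surrounding double quotes from the value.
        value=${value#\"}
        value=${value%\"}
        case "$key" in
            nic[0-9]*)
                case "$value" in
                    none) ;;  # adapter disabled: nothing to report
                    hostonly)
                        echo "OK   $key=$value (guest talks to host services only)" ;;
                    nat|bridged|natnetwork)
                        echo "WARN $key=$value (guest can reach the LAN or Internet)" ;;
                    *)
                        echo "INFO $key=$value (review this attachment mode)" ;;
                esac ;;
            SharedFolderPathMachineMapping*)
                echo "WARN host directory $value is exposed to the guest" ;;
        esac
    done
}

# Stand-alone run: audit the constructed sample.
printf '%s\n' "$SAMPLE_INFO" | audit_vm
```

A shared folder is reported as a warning rather than an error because, as the answer notes, a mostly empty shared Downloads folder can be a deliberate substitute for giving the VM network access.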