Vista - Special windows account for VirtualPC

08-03-2008

It is about win xp pro sp3, connected to LAN.
In LAN a DSL-Router as central point with USB external drive,
some Vista WLAN client,
and sometimes some other WLAN clients.

The win xp computer should get special account for usage
by our guests. Account with limited permissions, non-admin.

This account should be allowed only to
- run VirtualPC 2007 Virtual Machine created for this user
- use this virtual machine
- access from virt. machine the host's optical drives
- access from virt. machine the flash cards reader and digital cameras
connected to host
- access the external drive connected to router
- close the virtual machine sessions
- log off from host account
- shut-down the host windows

So before setting up the OS on virtual machine,
the first natural step is to configure permissions and restrictions
for the host special account. Installation and setup of
OS on virtual machine is planned not until the
host configuration is completed.

Security policies or similar (group policies) don't seem
to be the optimal way for this network setup.
Getting familiarized with this technique is time consuming.
There are plenty of help documentations but none
of them I have read presents the conceptual basics well.

So I searched for alternatives and found the Microsoft's
SteadyState. Also in this case it doesn't seem to be
pretty simple and quick in setup.

See the chapter "Optimize the PC before installing":
Maintain user privacy
- Delete files in My Documents folder and any other personal files on
the disk
- Clear the Internet History folder and any other history caches you
might have
- Clear temporary folders and delete temporary files

Do these recommendations it apply for all host's accounts or that one
only to be secured by SteadyState ?

See the chapter "Optimize performance":
- Uninstall software that will not be used by any user
There is some other account on the host used by its owner
for regular work. All installed software is in use.

See the chapter "Optimize performance":
- Defragment system drives to help ensure the computer is as fast as
possible. Note: Defragmentation is a critical step before using Windows
Disk Protection.
In my back-up process creation of complete image (no differential, no
incremental) is necessary after this step - time consuming.

What solution would you recommend for securing this special
host account ?
What are your experiences with MS SteadyState regarding
setup and management overhead ?

08-03-2008

The goal is to limit access to the host's resources
as wide as possible, except for those needed for
achieving targets listed in the thread start-up message.

08-03-2008

It is about a private PC.
Used mainly by the owner for regular tasks.

Asked questions apply to a special account
to be used by quests. Guests don't use this
PC as often/intensive as the owner.

08-03-2008

It is desired that the host PC does automatically the system shutdown
as soon as the Guest user closes the virtual machine.

08-03-2008

On Sun, 03 Aug 2008 16:28:58 +0200, kakii <user@xxxxxx> wrote:

Quote:

>
>The goal is to limit access to the host's resources
>as wide as possible, except for those needed for
>achieving targets listed in the thread start-up message.

Run your guests as vm's under virtual server 2005 then.
Make them start with the host system and keep the host out of reach
for the people using the guests. You can lock away the host in a
cupboard.

Instead let them connect to the guests from a different XP PC on the
network using Remote Desktop. THis XP PC you can have full control
over in terms of what is available on it since it just serves as a RDP
client.
This also has the advantage of allowing full screen mode without
taxing the host system too much. Especially if you want full screen at
higher resolutions...

--
Bo Berglund

08-03-2008

Guests are using this PC for following purposes
- Accessing internet (web, mail clients, communicator like skype)
- connecting digital cameras and/or flash cards, presenting the photos
- burning data to optical media

All above tasks to be carried out on virtual machine

08-03-2008

>- burning data to optical media

If it's optical media on the local PC, neither VPC, nor Virtual
Server, can do this.

--
Bob Comer <Microsoft MVP Windows - Virtual Machine>

On Sun, 03 Aug 2008 17:44:39 +0200, kakii <user@xxxxxx> wrote:

Quote:

>
>Guests are using this PC for following purposes
>- Accessing internet (web, mail clients, communicator like skype)
>- connecting digital cameras and/or flash cards, presenting the photos
>- burning data to optical media
>
>All above tasks to be carried out on virtual machine

08-03-2008

On Sun, 03 Aug 2008 17:44:39 +0200, kakii <user@xxxxxx> wrote:

Quote:

>
>Guests are using this PC for following purposes
>- Accessing internet (web, mail clients, communicator like skype)

Can be done

Quote:

>- connecting digital cameras and/or flash cards, presenting the photos

Not possible

Quote:

>- burning data to optical media

Not possible

Quote:

>
>All above tasks to be carried out on virtual machine

You're out of luck... :-(

--
Bo Berglund

08-03-2008

Bo Berglund wrote:

Quote:

> On Sun, 03 Aug 2008 17:44:39 +0200, kakii <user@xxxxxx> wrote:
>

Quote:

>> Guests are using this PC for following purposes
>> - Accessing internet (web, mail clients, communicator like skype)

> Can be done

Quote:

>> - connecting digital cameras and/or flash cards, presenting the photos

> Not possible

Quote:

>> - burning data to optical media

> Not possible

Quote:

>> All above tasks to be carried out on virtual machine

> You're out of luck... :-(
>

VirtualPC 2007 help says following
"Using other removable devices
You can access removable drives on the host operating system, such as
USB–connected hard drives and Zip drives, by using shared folders. For
more information about setting up shared folders for use between a host
operating system and a virtual machine, see Managing shared folders for
virtual machines."

Two another topics - you are right, not possible.

08-03-2008	#1 (permalink)
kakii n/a posts	Special windows account for VirtualPC It is about win xp pro sp3, connected to LAN. In LAN a DSL-Router as central point with USB external drive, some Vista WLAN client, and sometimes some other WLAN clients. The win xp computer should get special account for usage by our guests. Account with limited permissions, non-admin. This account should be allowed only to - run VirtualPC 2007 Virtual Machine created for this user - use this virtual machine - access from virt. machine the host's optical drives - access from virt. machine the flash cards reader and digital cameras connected to host - access the external drive connected to router - close the virtual machine sessions - log off from host account - shut-down the host windows So before setting up the OS on virtual machine, the first natural step is to configure permissions and restrictions for the host special account. Installation and setup of OS on virtual machine is planned not until the host configuration is completed. Security policies or similar (group policies) don't seem to be the optimal way for this network setup. Getting familiarized with this technique is time consuming. There are plenty of help documentations but none of them I have read presents the conceptual basics well. So I searched for alternatives and found the Microsoft's SteadyState. Also in this case it doesn't seem to be pretty simple and quick in setup. See the chapter "Optimize the PC before installing": Maintain user privacy - Delete files in My Documents folder and any other personal files on the disk - Clear the Internet History folder and any other history caches you might have - Clear temporary folders and delete temporary files Do these recommendations it apply for all host's accounts or that one only to be secured by SteadyState ? See the chapter "Optimize performance": - Uninstall software that will not be used by any user There is some other account on the host used by its owner for regular work. All installed software is in use. See the chapter "Optimize performance": - Defragment system drives to help ensure the computer is as fast as possible. Note: Defragmentation is a critical step before using Windows Disk Protection. In my back-up process creation of complete image (no differential, no incremental) is necessary after this step - time consuming. What solution would you recommend for securing this special host account ? What are your experiences with MS SteadyState regarding setup and management overhead ?
My System Specs

08-03-2008	#2 (permalink)
kakii n/a posts	Re: Special windows account for VirtualPC The goal is to limit access to the host's resources as wide as possible, except for those needed for achieving targets listed in the thread start-up message.
My System Specs

08-03-2008	#3 (permalink)
kakii n/a posts	Update: Special windows account for VirtualPC It is about a private PC. Used mainly by the owner for regular tasks. Asked questions apply to a special account to be used by quests. Guests don't use this PC as often/intensive as the owner.
My System Specs

08-03-2008	#4 (permalink)
kakii n/a posts	Update: requirements It is desired that the host PC does automatically the system shutdown as soon as the Guest user closes the virtual machine.
My System Specs

08-03-2008	#5 (permalink)
Bo Berglund n/a posts	Re: Special windows account for VirtualPC On Sun, 03 Aug 2008 16:28:58 +0200, kakii <user@xxxxxx> wrote: Quote: > >The goal is to limit access to the host's resources >as wide as possible, except for those needed for >achieving targets listed in the thread start-up message. Run your guests as vm's under virtual server 2005 then. Make them start with the host system and keep the host out of reach for the people using the guests. You can lock away the host in a cupboard. Instead let them connect to the guests from a different XP PC on the network using Remote Desktop. THis XP PC you can have full control over in terms of what is available on it since it just serves as a RDP client. This also has the advantage of allowing full screen mode without taxing the host system too much. Especially if you want full screen at higher resolutions... -- Bo Berglund
My System Specs

08-03-2008	#6 (permalink)
kakii n/a posts	Update: requirements Guests are using this PC for following purposes - Accessing internet (web, mail clients, communicator like skype) - connecting digital cameras and/or flash cards, presenting the photos - burning data to optical media All above tasks to be carried out on virtual machine
My System Specs

08-03-2008	#7 (permalink)
Robert Comer n/a posts	Re: Update: requirements >- burning data to optical media If it's optical media on the local PC, neither VPC, nor Virtual Server, can do this. -- Bob Comer <Microsoft MVP Windows - Virtual Machine> On Sun, 03 Aug 2008 17:44:39 +0200, kakii <user@xxxxxx> wrote: Quote: > >Guests are using this PC for following purposes >- Accessing internet (web, mail clients, communicator like skype) >- connecting digital cameras and/or flash cards, presenting the photos >- burning data to optical media > >All above tasks to be carried out on virtual machine
My System Specs

08-03-2008	#8 (permalink)
Bo Berglund n/a posts	Re: Update: requirements On Sun, 03 Aug 2008 17:44:39 +0200, kakii <user@xxxxxx> wrote: Quote: > >Guests are using this PC for following purposes >- Accessing internet (web, mail clients, communicator like skype) Can be done Quote: >- connecting digital cameras and/or flash cards, presenting the photos Not possible Quote: >- burning data to optical media Not possible Quote: > >All above tasks to be carried out on virtual machine You're out of luck... :-( -- Bo Berglund
My System Specs

08-03-2008	#9 (permalink)
kakii n/a posts	Re: Update: requirements Bo Berglund wrote: Quote: > On Sun, 03 Aug 2008 17:44:39 +0200, kakii <user@xxxxxx> wrote: > Quote: >> Guests are using this PC for following purposes >> - Accessing internet (web, mail clients, communicator like skype) > Can be done Quote: >> - connecting digital cameras and/or flash cards, presenting the photos > Not possible Quote: >> - burning data to optical media > Not possible Quote: >> All above tasks to be carried out on virtual machine > You're out of luck... :-( > VirtualPC 2007 help says following "Using other removable devices You can access removable drives on the host operating system, such as USB–connected hard drives and Zip drives, by using shared folders. For more information about setting up shared folders for use between a host operating system and a virtual machine, see Managing shared folders for virtual machines." Two another topics - you are right, not possible.
My System Specs

Similar Threads
Thread	Forum
Windows mail paste special	Vista mail
VirtualPC Has No Network Connectivity in Windows 7	Virtual PC
Windows Remote Desktop - Special Characters	Vista networking & sharing
Not able to type special characters like @, #, $ % in windows Vist	Vista hardware & devices
Windows Live One Care Special Offer	Vista installation & setup