Virtualization: Secure Virtual User Environments in VMware ACE

Installation and Setup of Virtual Environments in VMware ACE

After you install VMware Workstation 6 in the host operating system, you should enter the license key to unlock VMware ACE. Restart the product. You will see a new VMware ACE window, where you can still create regular virtual machines. In order to create a new virtual secure ACE environment, choose New->ACE Master in the File menu. You will see the following window:

Creating an secure ACE Master environment

Then you should specify the same settings as in VMware Workstation. But a virtual machine cannot use a physical hard disk directly. Virtual environments use NAT (Network Address Translation) as the safest option by default. So secure virtual machines can connect to an external network, while other computers in the external network cannot connect to them. After a virtual machine is created, you should install a guest OS and VMware Tools. Then you can get busy with environment policies. Just choose Edit policies in the main window.

VMware ACE. Main window.

You will see the following window:

Configuring policies for ACE environments

You can control various parameters of access policies and environment security in the following aspects:

- Access Control
You can protect a virtual machine from activation. If you set a password, users can get access to a package with a virtual machine only after entering the password. On the Authentication panel, you can specify users who can turn a virtual machine on. You can also specify a key to restore a password, and create your own authentication script, which will specify access rights for Linux and Windows host platforms in VMware ACE Player.

- Host-Guest Data Script
You can choose a script to be executed in host and guest operating systems, when a virtual machine starts up. It's convenient, when you need to use resources shared between host and guest systems.

- Expiration
Here you can specify expiration time of a virtual machine. You can also add a message to display several days prior to the expiration date and a message after the expiration date.

- Copy protection
You can protect an environment from copying on this tabbed page. That's how it works: CPID (Copy Protection Identifier) is generated from the path to the folder with a virtual machine and ID BIOS of the host system. If you use Pocket ACE for portable storage drives, file system ID is used instead of BIOS ID. If copy protection is enabled, a virtual machine runs only on a certain host platform and cannot be copied. CPID is stored on ACE Management Server and can be modified by a system administrator.

- Resource Signing
You can specify here whether a virtual environment can be started, if files in the ACE Resources folder are damaged. This folder holds scripts, user licenses, and some files, which integrity is critical for the correct operation of a virtual machine. If you distribute software with VMware ACE, you may find this policy quite useful.

- Network Access
Network access policies determine how a virtual machine uses network resources of the host system. You can configure a firewall, specify sub-networks for a virtual machine, etc. ACE Management Server can disable or limit network access for a virtual environment, for example in case of a virus threat.

- Removable Devices and USB Devices
Here you can limit access to physical devices from a virtual machine, including USB devices. These features are necessary to prevent data theft from user environments.

- Virtual Printer
This option allows applications in a guest system to print documents on a printer, installed in a host system, without installing any drivers. A virtual printer is connected to an emulated serial port, you can see it on the Hardware tabbed page in the Settings menu of a virtual machine.

- Runtime Preferences
Here you can choose some of the virtual machine's options, such as full-screen only, resize the allocated memory size, and change behavior of the virtual machine as you shut it down (for example, to go to Suspend mode - it's similar to Hibernate).

- Snapshots
Here you can configure the program to take automatic snapshots of the system, so that users could roll back to them, if a system is damaged.

- Administrator mode
This policy allows to set a password for administrative access to settings of a virtual machine, which can be modified on client computers using GUI as well as vmware-acetool.

- Hot Fix
This policy allows users of secure environments to ask a system administrator for help, if...

• they lost the password
• a virtual machine expired
• they use a copy-protected virtual machine