Enabling Network Access
Virtual PC provides two options for enabling network access via the host machine's network adapter, using either the host network adapter itself or shared networking. These options are the last two in the dropdown list of networking options in the Virtual PC settings (see Figure 3
). The second from the last option (using the host network adapter) is different on every machine because it is the description of the network adapter on the physical host machine.
|Figure 3. Networking Options for Host Machine's Network Adapter|
Enabling the host's network adapter causes the guest machine to appear on the network as a separate machine with its own IP address. From a networking perspective, the guest functions the same way as a physical machine equipped with a network adapter. This is typically fine for a home network, but may not work in a corporate environment with a Windows domain because unless the guest machine joins the domain, it will not be authorized and may not be able to use the network. (Note: wireless networking and dialup do not work with a host network adapter.)
The other option to enable network access is Shared networking (NAT), which is referred to simply as NAT in VMware Workstation. With Shared networking enabled, Virtual PC serves as a NAT router that uses the host's IP address to access the network. Since all network access is routed through the host, you can establish network access in a tightly controlled domain. If the host is authorized to use the network, then Shared networking uses the host to connect to the network and then to the Internet. If multiple network adapters are available, you can configure Shared networking only on the first one. A guest using Shared networking cannot communicate with other guest machines on the same host. (Note: wireless networking and dialup do work with Shared networking.)
Regardless of which networking option you choose, if Windows Firewall is enabled only on the host, it will not protect the guest. You must enable Windows Firewall within the guest as well to ensure maximum protection.
Virtual PC Shared Folders are host local drives or folders that appear as mapped drives, and they actually are functionally equivalent to mapped drives (see Figure 4
). A guest machine used to browse the Internet should not use the Shared Folders feature or have any drives mapped. Network drives on the host cannot be shared using Shared Folders, and any type of drive mapping exposes the host filesystem to guest malware that targets mapped drives.
|Figure 4. Media Is a Virtual PC Shared Folder; c$ Is a Mapped Drive to the Host Machine|
Remember, the objective is to keep the host safe from any malware that may affect the guest, so don't connect the host's filesystem to the guest. However, at some point, you may want to use the guest's browser to download a file from the Internet and make it available to the host. The safest way to do this is to use Virtual PC's drag and drop feature to transfer files between guest and host because it does not open up a TCP/IP connection between them.
Keeping a guest machine up to date with all Windows Updates, service packs, and security patches is just as important as keeping the host machine up to date. It's easy for a guest machine to get behind on updates because it typically is turned off most of the time. It has to be running to receive updates and they must not be undone when the machine is turned off.
Finally, when you are actively using a virtual machine for malware analysis, consider setting your VHD files to read-only to keep any changes inside your virtual machine from being made permanent.