Monday, December 20, 2010

Virtual Server 2005 R2 minimum host user permissions

This page on MSDN lists the following permissions required for a user to run a virtual machine:

  • On the .vmc file: Read Data, Write Data and Execute File
  • On the .vhd file: Read Data, Read Attributes, Read Extended Attributes, and Write Data
  • On the .vnc file if a virtual machine is connected to a virtual network: Execute File, Read Data, Read Attributes and Read Permissions
  • On the folder containing the .vmc file, for a virtual machine to have the ability to save state: List Folder and Write/Create File

Unfortunately, this list is not complete. The user also needs:
  • On the .vmc file: Read Permissions

The error you may see when you attempt to start a VM configured according to the MSDN page is:

The following error occurred:
The virtual machine could not be started. The virtual machine could not be started. Access was denied.


Using these permissions, you can create a dedicated local user who belongs to no groups (remove it from the default Users group, to which every new local account is added automatically) and holds only the rights listed above, nothing else: security through least privilege.
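The PowerShell script below is an added example, not code from the original post or from Microsoft's documentation. It grants exactly the rights listed above, including the Read Permissions entry that MSDN omits, to a dedicated local account, then reads each ACL back and reports whether the account's explicit Allow entries cover those rights and nothing more. The account name vmrunner and all file paths are assumptions for illustration; substitute your own.

```powershell
# Added example: apply the minimum NTFS rights for running a Virtual Server 2005 R2 VM.
# The account name and paths below are assumptions; adjust them to your host.
$User   = "$env:COMPUTERNAME\vmrunner"      # hypothetical local account, member of no groups
$Vmc    = 'D:\VMs\TestVM\TestVM.vmc'        # hypothetical paths
$Vhd    = 'D:\VMs\TestVM\TestVM.vhd'
$Vnc    = 'D:\VMs\Networks\Internal.vnc'
$Folder = Split-Path -Parent $Vmc

# FileSystemRights names map to the GUI wording as follows:
#   ReadData = List Folder / Read Data, WriteData = Create Files / Write Data
$Required = @{}
$Required[$Vmc]    = 'ReadData, WriteData, ExecuteFile, ReadPermissions'       # ReadPermissions is the one MSDN omits
$Required[$Vhd]    = 'ReadData, ReadAttributes, ReadExtendedAttributes, WriteData'
$Required[$Vnc]    = 'ExecuteFile, ReadData, ReadAttributes, ReadPermissions'
$Required[$Folder] = 'ListDirectory, CreateFiles'                              # needed so the VM can save state

function Grant-MinimumRights {
    param([string]$Path, [string]$Rights)
    $acl  = Get-Acl -Path $Path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $User,
        [System.Security.AccessControl.FileSystemRights]$Rights,
        [System.Security.AccessControl.InheritanceFlags]::None,    # the folder rule applies to the folder itself only
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Test-MinimumRights {
    # Returns $true only if the account's explicit (non-inherited) Allow entries
    # add up to exactly the required rights. Inherited entries are deliberately
    # ignored here; keep the account out of every group so it inherits nothing.
    param([string]$Path, [string]$Rights)
    $wanted  = [int][System.Security.AccessControl.FileSystemRights]$Rights
    # .NET silently adds Synchronize to every Allow rule; mask it out before comparing.
    $sync    = [int][System.Security.AccessControl.FileSystemRights]::Synchronize
    $granted = 0
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        if ($ace.IdentityReference.Value -eq $User -and
            $ace.AccessControlType -eq 'Allow' -and
            -not $ace.IsInherited) {
            $granted = $granted -bor ([int]$ace.FileSystemRights -band -bnot $sync)
        }
    }
    return ($granted -eq $wanted)
}

foreach ($path in $Required.Keys) {
    Grant-MinimumRights -Path $path -Rights $Required[$path]
    $ok = Test-MinimumRights -Path $path -Rights $Required[$path]
    '{0,-5} {1}' -f $ok, $path
}
```

Run it from an elevated PowerShell session on the host, as an account that owns the VM folder. The check only looks at explicit entries for the VM account, so a failure means either a right was not applied or something broader than the list was granted; it will not notice rights the account picks up through group membership or inheritance from the parent folder, which is why the account should belong to no groups in the first place.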
