Index: /trunk/doc/manual/en_US/user_Security.xml =================================================================== --- /trunk/doc/manual/en_US/user_Security.xml (revision 35290) +++ /trunk/doc/manual/en_US/user_Security.xml (revision 35290) @@ -0,0 +1,91 @@ + + + + Security considerations + + + Potentially insecure operations + + The following features of VirtualBox can present security + problems: + + Enabling 3D graphics via the Guest Additions exposes the host + to additional security risks; see . + + + + When teleporting a machine, the data stream through which the + machine's memory contents are transferred from one host to another + is not encrypted. A third party with access to the network through + which the data is transferred could therefore intercept that + data. + + + + When using the VirtualBox web service to control a VirtualBox + host remotely, connections to the web service (through which the API + calls are transferred via SOAP XML) are not encrypted, but use plain + HTTP. For details about the web service, please see . + + + + + + Authentication + + The following components of VirtualBox can use passwords for + authentication: + + When using the VirtualBox extension pack provided by Oracle + for VRDP remote desktop support, you can optionally use various + methods to configure RDP authentication. See for details. + + + + When using teleporting, passwords can optionally be used to + protect a machine waiting to be teleported from unauthorized access. + Note however that these passwords are stored unencrypted in the machine configuration XML + and therefore potentially readable on the host. See and . + + + + When using remote iSCSI storage and the storage server is + requires authentication, a password can optionally be supplied with + the VBoxManage storageattach + command. Note however that this is stored unencrypted in the machine configuration and + is therefore potentially readable on the host. See and . + + + + When using the VirtualBox web service to control a VirtualBox + host remotely, connections to the web service are authenticated in + various ways. This is described in detail in the VirtualBox Software + Development Kit (SDK) reference; please see . + + + + + + Encryption + + The following components of VirtualBox use encryption to protect + sensitive data: + + When using the VirtualBox extension pack provided by Oracle + for VRDP remote desktop support, RDP data can optionally be + encrypted. See for details. + + + +