Headless mode on Windows requires too high permissions because of COM security

[Thorsten Schöning]

I need to automatically run VMs headless WITHOUT any interactive user login after Windows booted. The started VMs should additionally run somewhat secure using a default, restricted non-admin user of Windows. This seems like exactly the setup recommended on non-Windows and am I using with Ubuntu 16.04 and phpVirtualBox currently. In theory this should easily be possible by creating a standard user in Windows and a task in the task scheduler to execute a VM headless using that user and e.g. the following command line:

VBoxManage startvm "[...]" --type headless

While that works using an interactive login on the shell, it didn't work by default using task scheduler. The reason can be found in the event viewer of Windows:

Durch die Berechtigungseinstellungen für "Anwendungsspezifisch" wird dem Benutzer "TEPU\virtual_box" (SID: S-1-5-21-3056241376-1506544733-1187908793-1167) unter der Adresse "LocalHost (unter Verwendung von LRPC)" keine Berechtigung vom Typ "Lokal Aktivierung" für die COM-Serveranwendung mit der CLSID {B1A7A4F2-47B9-4A1E-82B2-07CCD5323C3F} und der APPID {819B4D85-9CEE-493C-B6FC-64FFE759B3C9} im Anwendungscontainer "Nicht verfügbar" (SID: Nicht verfügbar) gewährt. Die Sicherheitsberechtigung kann mit dem Verwaltungstool für Komponentendienste geändert werden.

Durch die Berechtigungseinstellungen für "Computerstandard" wird dem Benutzer "TEPU\virtual_box" (SID: S-1-5-21-3056241376-1506544733-1187908793-1167) unter der Adresse "LocalHost (unter Verwendung von LRPC)" keine Berechtigung vom Typ "Lokal Aktivierung" für die COM-Serveranwendung mit der CLSID {74AB5FFE-8726-4435-AA7E-876D705BCBA5} und der APPID {EC0E78E8-FA43-43E8-AC0A-02C784C4A4FA} im Anwendungscontainer "Nicht verfügbar" (SID: Nicht verfügbar) gewährt. Die Sicherheitsberechtigung kann mit dem Verwaltungstool für Komponentendienste geändert werden.

Virtual Box installs COM servers which by default can only be started by the groups SYSTEM, ADMINISTRATOR or INTERACTIVE. My created user isn't any member of those groups when used by the task scheduler, but when logging in interactively and using the shell.

VirtualBox Application
{819B4D85-9CEE-493C-B6FC-64FFE759B3C9}

VirtualBox System Service
{EC0E78E8-FA43-43E8-AC0A-02C784C4A4FA}
VBoxSDS

The security settings to start the necessary COM servers can be changed to include my created user with the necessary permissions and afterwards VBoxManage starts successfully and the COM-related error entries in the event viewer are gone.

• ​https://ibb.co/6ysd4FZ
• ​https://ibb.co/DDsNzKW
• ​https://ibb.co/MZhwx7n
• ​https://ibb.co/ctrR7cp

As you already have an installer bringing services, device drivers etc. into the system, you could as well adjust security for those COM servers. Some other software simply creates a group for their own purposes, assigning the necessary permissions and document somewhere that users like the one created by me simply need to be a member of that group. That approach is pretty common, e.g. VMware and OpenVPN create custom groups for special maintenance as well.

I'm considering this a defect instead of an enhancement, because using users with least possible privileges is a recommended security practice and because COM isn't used on non-Windows, that approach works on other platforms. After fixing or working around this problem, VBox will be easier to use with the same concepts and good practices across more OS.

Thanks!

[Thorsten Schöning]

COM security settings 01

[Thorsten Schöning]

COM security settings 02

[Thorsten Schöning]

COM security settings 03

[Thorsten Schöning]

COM security settings 04