Ticket #8426 (new defect)
Opened 6 years ago
Unable to lock down VBOX COM using DCOMCNFG
|Reported by:||rbhkamal||Owned by:|
I need to install VirtualBox in an environment that permits only a special user (vboxuser) to control virtual box.
The problem is that on Windows XP, locking down VirtualBox is not working (could be a windows bug), any user can launch with VBOXSVC and then have complete control over VirtualBox (if the set VBOX_USER_HOME properly). Windows 7 works fine (UAC on and off).
Here are the steps to lock down the COM service:
1- Install virtualbox under any admin user
2- Create a new user (vboxuser), make it an admin.
3- Login to vboxuser and start DCOMCNFG as admin
4- Select Component Services --> Computers --> My Computer --> DCOM Config
5- Locate VirtualBox then right click on open Properties
6- Select Security Tab
7- Change Launch/Activation to SYSTEM and vboxuser (local launch and activation)
8- Change Access to SELF,SYSTEM and vboxuser (local access)
9- Change Configuration to SYSTEM, vboxuser (full control)
10- Click OK and make sure that virtualbox.exe can start under vboxuser
11- logoff from vboxuser and then log back in to your user.
12- Start virtual box, and it starts! That is the problem.
On Windows 7 you would get an error (Access Denied) and it would only work if I use runas /user:vboxuser virtualbox.exe.
The problem happens only on Windows XP SP3 x86 (I haven't tested any x64 versions)
I tested another COM service, and the permissions seem to work on Windows XP.
Please let me know if you have any questions
I was able to reproduce this problem using VBOX 4.0.4 and VBOX-OSE 3.2.18 (self compiled/installed)