Security of Parallels?

Discussion in 'Installation and Configuration of Parallels Desktop' started by srl, Sep 14, 2007.

  1. srl

    srl Junior Member

    Messages:
    14
    (seems to be answered) about security of parallels

    I had sent this to parallels support, but after a couple of back and forths, their support engineer cannot or will not understand what I am talking about. Posting here to get other comments, perhaps I am just being unclear. See security question marked with double stars **.

    --
    Every time I update Parallels (and I do test the betas...) I have to hit Custom install on parallels tools to UNSELECT items I do not like, and never want to be asked about:

    - shared profile
    - shared internet apps
    - shared home dir..

    I understand that some folks want convergence of their environment. That's fine. But, I don't want Windows to ever be able to access more than I give it permission to do.

    I must have missed a checkbox, because I was very unhappy to see my home drive mounted under windows.

    Please, give me a checkbox somewhere that will NOT ever ask again for access to anything outside of the shared folders I have given to Windows. Security was set to Medium-High.

    If Shared Profiles were turned on in parallels tools, would it override the checkbox that says that the Home dir was not selected? I'm concerned that the Windows side is able to override.. ** could a malicious program on Win cause access to Home to happen by patching parallels tools?

    ..I have been a pre-order user since before the Mac version was final.
    ---
    I had filed a comment (via the problem reporter) on the UI of the Parallels tools before and had not heard back.
     
    Last edited: Sep 18, 2007
  2. Eru Ithildur

    Eru Ithildur Forum Maven

    Messages:
    1,954
    Check your set-up. There should be something about allowing sharing inside the configuration window that is still checked.

    Thousandth post...
     
  3. srl

    srl Junior Member

    Messages:
    14
    Eru, Congrats on the 1,000th post
    I allow sharing, yes - of a specific directory. But I did not allow sharing the home directory. It seems that checking "shared profile" inside the parallels tools setup - which is inside of windows, and is on by default even if it was not installed in previous installations - added sharing of the home directory to the setup.

    My question, which the parallels support person did not answer, is whether Win32 code is allowed to modify what is shared without seeking permission from the mac side.

    Here is the scenario.
    I have one shared directory between mac and windows. I do not have home directory shared.
    Let's assume my windows setup gets entirely 0wned, pardon me, remotely controlled by malicious persons.
    What if said malicious persons, via VNC, instruct the Windows vm to re-install parallels tools (say by copying the install image onto it), and check the "Shared Profiles" checkbox. Would said persons be able then to access my Mac hard drive from within Win32?

    That is the security question I am asking.

    What I really dislike, from a security point of view, is deciding what features should be allowed from within Win32. I want the policy to be controlled from the Mac. As far as I can tell, there is not a way to tell it on the Mac side to allow some shared folders, but not to allow sharing of others.

    I will do some more experimentation with this. Also, I have always had good responses from Parallels support up until now, and so that part is frustrating.
     
  4. Eru Ithildur

    Eru Ithildur Forum Maven

    Messages:
    1,954
    I think I got it. Sorry, I was being a bit dense there, I am straightening up the last piece of low-stability on a server deployment and dealing with crappy M$-based software and my brain is fried.

    My understanding, which isn't the greatest when it comes to shared folders, is that the OS X side says aye or nay to Windows access to the filesystem. If it is an aye, the Windows gets access. So, yes the security is compromised. It is a scary thing. As you say, it should be controlled by the OS X side what the Windows side has access to. Perhaps it is though, and I have a bad understanding of the issue and you have a config setting wrong.

    One of the things I love about using VMs in an office environment (be it at a server-level, workstation, or both), it is very easy to trash them and roll-back. If the data is properly centralized with good anti-virus software passing over the centralized info, the VMs can be zapped, monthly, or even weekly, providing the best possible performance, viruses being routinely vanquished, all transparent to the user.

    I think we've got something for the Wish List here...
     
    Last edited: Sep 17, 2007
  5. srl

    srl Junior Member

    Messages:
    14
    I don't know that you were dense. Maybe I didn't explain it well.

    Parallels support replied again, and said, 'have you tried setting security to 'High''. Again, it is not really an answer to my question.

    The basic question is: does the Mac side, or the Win (guest) side determine which folders are shared? Could the Windows side gain access to folders that I did not originally share with it?

    Is anyone else concerned about this? The reason I run Windows in a locked down box is because I don't trust it. That's why I only share with it a 'neutral zone' that is a specific shared folder. I don't want spyware or malware or who-knows-whatware to gain access to the Mac.
     
  6. brkirch

    brkirch Pro

    Messages:
    415
    The Mac side (or host) has complete control over what the Windows side (or guest) is allowed to see. From my understanding, shared folders are a lot like file sharing over a network, and you must set up the folder to be shared before it will be possible to access it. The guest OS can only request files from the folders that the host has permitted it to see. It cannot gain access to a folder that has not already been configured to be shared.
     
  7. Eru Ithildur

    Eru Ithildur Forum Maven

    Messages:
    1,954
    brkirch,
    So unless there is an explicit permission to allow access to a folder it is denied?
     
  8. srl

    srl Junior Member

    Messages:
    14
    trial, no error (unless it is mine)

    OK,
    For Scientific Inquiry, I re-installed parallels tools (winxp, 5160). Checked all the options, including shared profile. 'Home' was listed on the shared folders (in the mac menu - thanks to a previous install) but not checked.

    After install of tools, it did NOT share the home directory.

    I tried opening a Mac file with 'Notepad.exe' (via shared apps) and it said:
    So far, so good.

    I should try removing 'home' from the list of shared folders, and see if it would re-add it.
     
  9. srl

    srl Junior Member

    Messages:
    14
    (mac) Home can't be removed. So, my concern may be unfounded. I am pretty sure home was not shared before, and that it showed up after a Parallels upgrade and a re-install of parallels tools.

    I wish parallels could have given me an answer instead of trying to "solve my problem".
     
  10. brkirch

    brkirch Pro

    Messages:
    415
    Correct, Parallels Tools by itself cannot add a shared folder.

    They probably thought that you simply wanted to prevent Windows from seeing OS X files. In that case, they were correct; all you have to do is set your security setting to "High". Shared folders cannot be reenabled from within Windows so you don't need to worry about that.
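
Added example, not part of the original thread and not Parallels code: a minimal model of the host-controlled design described in posts 6 and 10, where the share table lives on the host and the guest can only request files under folders the host already granted. The class, method and request field names are hypothetical, and the directory layout and guest requests are constructed for the demonstration.

```python
import os
import tempfile

class HostSharePolicy:
    """Host-side share table (illustrative model, hypothetical names)."""

    def __init__(self):
        self._shares = {}  # share name -> canonical host directory

    def host_add_share(self, name, directory):
        # Reached only from host-side configuration, never from a guest message.
        self._shares[name] = os.path.realpath(directory)

    def handle_guest_request(self, request):
        """Return the canonical host path if allowed, else raise PermissionError."""
        op = request.get("op")
        if op != "open":
            # The guest channel exposes no operation that edits the share table.
            raise PermissionError(f"guest operation not permitted: {op!r}")
        root = self._shares.get(request.get("share"))
        if root is None:
            raise PermissionError("share not configured on host")
        # Canonicalize first so ../ and symlinks cannot escape the shared root.
        target = os.path.realpath(os.path.join(root, request.get("path", "")))
        if os.path.commonpath([root, target]) != root:
            raise PermissionError("path escapes shared folder")
        return target

def demo():
    """Run constructed guest requests against a constructed host layout."""
    home = os.path.join(tempfile.mkdtemp(), "home")
    neutral = os.path.join(home, "neutral_zone")
    os.makedirs(neutral)
    policy = HostSharePolicy()
    policy.host_add_share("neutral", neutral)  # the only folder the host granted
    requests = [
        {"op": "open", "share": "neutral", "path": "notes.txt"},
        {"op": "open", "share": "home", "path": "Documents/taxes.pdf"},
        {"op": "open", "share": "neutral", "path": "../Documents/taxes.pdf"},
        {"op": "add_share", "share": "home", "path": home},
    ]
    results = []
    for req in requests:
        try:
            policy.handle_guest_request(req)
            results.append("allowed")
        except PermissionError as exc:
            results.append(f"denied: {exc}")
    return results

if __name__ == "__main__":
    print("\n".join(demo()))
```

In this model a fully compromised guest can send any message it likes, but the decision is made by host code against host-held state, which is the property srl was asking about.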
     
  11. srl

    srl Junior Member

    Messages:
    14
    I thought I was pretty clear. But, if that's the case, then my question is answered.

    I am forwarding this thread to the support engineer.
     
  12. Eru Ithildur

    Eru Ithildur Forum Maven

    Messages:
    1,954
    It looks like the security issue was founded in our heads. ;)
     
