VDI Security - Securing VM Storage Devices

By default, new VHD files in the Public profile are stored in the %users% \Public\Documents\Hyper-V\Virtual Hard Disks directory. You can change the default storage location for VHDs by selecting Hyper-V Settings in the Hyper-V Manager. If you specify a different storage location, assign permissions as follows for the new folder:

Table: Permission Settings for VHD Storage Folder

Names

Permissions

Apply to

Administrators

System

Full Control

This folder, subfolders, and files

Creator Owner

Full Control

Subfolders and files only

Interactive

Service

Batch

Create files/write data

Create folders/append data

Delete

Delete subfolders and files

Read attributes

Read extended attributes

Read permissions

Write attributes

Write extended attributes

This folder, subfolders, and files

To simplify management, you might want to store all of the VFD and ISO files in separate folders on the same logical volume as the VHDs. For example, a typical folder structure might be:

· W:\Virtualization Resources\Virtual Machines

· W:\Virtualization Resources\Virtual Hard Disks

· W:\Virtualization Resources\Virtual Floppy Disks

· W:\Virtualization Resources\ISO files

When installing antivirus software in the management operating system, configure any real-time scanning components to exclude the directories where virtual machine files are stored, as well as the program files vmms.exe and vmwp.exe in C:\Windows\System32. If you do not create these exclusion rules, you might encounter errors when creating and starting virtual machines.

 

For detailed information refer to Hyper-V Security Guide