Virtual Machine (VM) on User Desktop Policy

As a general rule local Virtual Machines (VMs) are not encouraged. A VM can be complicated to make secure and, if you have one, much of the work and responsibility to look after it lies with you. However, good reasons for VMs do arise, and IT Services will try to help. Usage rules apply and are unavoidable to prevent embarrassing or costly security breaches that can be felt at a University level.

To request a VM send an email to service-desk@bristol.ac.uk. If necessary, your local IT Support team will discuss with you what you need to achieve to confirm that a VM is the best approach.

Part of establishing the case for a VM is proving that:

  • you understand your responsibilities
  • you and IT Services are confident you can securely create and maintain the VM

To get a VM, you must understand and agree to the conditions listed below.

We realise the list below is quite long, but all parts are important to avoid security breaches or possible legal action e.g. on the misuse of licences. If you feel you cannot meet all the conditions please speak to IT Services and we will try to find alternative approaches or ways to achieve what you need.

These guidelines relate solely to VMs on an individual computer, typically your desktop or laptop. If you feel you need VMs running on multiple devices then please contact IT Services via  service-desk@bristol.ac.uk

Once agreed, we will note that you are running one or more local VM in our Service Management Database (TOPdesk).

Conditions for establishing a VM

1.    You must have successfully applied for Elevated User Rights (EUR) on your desktop computer. To find out more or request EUR, please read and complete the form at bristol.ac.uk/it-services/eur/

2.    You cannot use a VM on your desktop computer to run a production/user facing service, e.g. web server, SVN server, database server, etc.  The VM must not offer any services to a device outside of its virtual network and should typically be used for development and testing work.

3.    You must maintain system security so ensure that:

  • you read Information Security Policy 11 and take note of the where you need to comply
  • the hypervisor software is patched and up to date
  • each VM’s operating system and applications are regularly patched, ideally utilising an automated process
  • only the required components and services of the operating system are installed on each VM

4.    You must ensure local accounts on a VM:

  • use the user’s standard UoB username but with a -l suffix (for Local)
  • have their own unique password that differs from any UoB password
  • have a password that is strong/complex, i.e. meets the requirements as per bristol.ac.uk/infosec/protectyou/passwords/

5.    You should not enable file sharing between the host OS and the VM OS unless this is critical to the VM’s functionality.

6.    You need to ensure a VM runs anti-malware software that either scans in real-time or, at a minimum, runs a daily scan, e.g. ClamAV, AVG.

7.    Unless requested by IT Services, you must avoid bridging between a VM and the underlying physical host’s network as this would result in your computer becoming an “untrusted device” and moved to an autonomous or quarantine network. In terms of system security a VM should only connect to its physical host (i.e. to the IP address of the physical computer) . If you need to bridge, i.e. due to running a shared service, then you should switch to using a centrally provisioned VM.

Please note:University network switches are configured to detect multiple MAC addresses on a single switch port and will disable the port if this occurs.

8.    A VM’s firewall should be enabled and configured to deny all connections except for those directly related to the research/teaching purposes that require the VM.

9.    VMs need to be hosted on the local hard disk drive and not over the network.

10.    Any data processed and/or stored on the VM must be non-identifiable, i.e. anonymised or dummy data. If personally identifiable data is to be used then the VM must be hosted centrally.

11.    There is no centralised backup of VMs. If the desktop computer’s hard disk fails there will be no recovery unless you have taken your own steps to create a backup, e.g. to a suitable filespace*, or encrypted portable storage.

12.    You must ensure all software installed on a VM has an appropriate and current licence or use agreement. This includes the operating system.

13.    IT Services may scan a VM as part of its ongoing scheduled security monitoring.

14.    Any VM suspected of being insecure or compromised may be shutdown and/or disconnected. Either the PC or the VM hosted may be stopped.  It is impossible to guarantee notification prior to a shutdown which may be immediate.

15.    Any VM you have created is done so on the basis that you feel you can be self-sufficient. Therefore, support from IT Services will be minimal and, if provided, can only ever be on a reasonable endeavours basis.

 

*MyFiles must not be used for backing-up VMs. You may need to buy separate storage but discuss with IT Services

 

 

Date of publication: 15 December 2017

Policy owner: Head of Support, IT Services