Tuesday, January 15, 2013

Building a Virus Scanner

STEP ONE

1. Install VMware Workstation on a Windows 7 Pro or Ultimate desktop. Note: this VMware image was made with VMware Workstation 9, so VMware Workstation 9 or later is recommended.

2. Place the provided VMware image in the folder “Shared Virtual Machines”; this folder is created automatically during the installation of VMware Workstation.

STEP TWO

1. Navigate to the “Start Menu” and type Regedit. Right-click the result and choose “Run as administrator.”

2. To disable write access to USB drives and make all USB drives read-only, follow these steps:

a. Run Registry Editor (regedit).
b. Navigate to the following registry key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control

c. Create a new key named “StorageDevicePolicies.”
d. Highlight StorageDevicePolicies, and then create a new DWORD (32-bit) Value named WriteProtect.
e. Double-click WriteProtect and set its value data to 1.

See screen shot below.

3. Navigate to the following registry key: “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\USBSTOR.”

a. Under “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\USBSTOR,” highlight the START value, right-click it, select "Modify", change the value from 3 to 4, and select OK.

*Now the host machine will not recognize USB Mass Storage Devices.


b. Now highlight and right-click "USBSTOR" and click "Permissions."

c. Highlight "SYSTEM", select "DENY", click "Apply" then "OK", and exit regedit.
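The three registry changes in STEP TWO can also be applied and, more importantly, verified from an elevated PowerShell prompt on the host. The script below is an added example, not part of the original post: it exports the two keys first so the lockdown can be undone by re-importing the .reg files, then sets WriteProtect = 1, sets USBSTOR Start = 4, adds the Deny entry for SYSTEM on the USBSTOR key, and returns one boolean per control so you can confirm the state before the kiosk goes into service. The backup folder name is my choice; the registry paths and values are the ones given in the steps above.

```powershell
# Added example (not from the original post): apply and verify the STEP TWO USB lockdown.
# Run from an elevated PowerShell prompt on the host. Registry paths and values are those in the post.
#Requires -RunAsAdministrator

$ControlKey = 'HKLM:\SYSTEM\CurrentControlSet\Control'
$PolicyKey  = Join-Path $ControlKey 'StorageDevicePolicies'
$UsbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

function Backup-UsbKeys {
    # Export both keys so the lockdown can be reversed with "reg import". Folder name is an assumption.
    param([string]$Folder = "$env:USERPROFILE\Documents\usb-lockdown-backup")
    New-Item -ItemType Directory -Path $Folder -Force | Out-Null
    # StorageDevicePolicies does not exist on a fresh host; the export error is expected then.
    reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies' (Join-Path $Folder 'StorageDevicePolicies.reg') /y 2>$null
    reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR' (Join-Path $Folder 'USBSTOR.reg') /y
}

function Set-UsbWriteProtect {
    # STEP TWO 2.c-e: create StorageDevicePolicies and set WriteProtect (DWORD) = 1
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name 'WriteProtect' -PropertyType DWord -Value 1 -Force | Out-Null
}

function Disable-UsbStor {
    # STEP TWO 3.a: Start = 4 (disabled) so the host never loads the USB mass-storage driver
    Set-ItemProperty -Path $UsbStorKey -Name 'Start' -Type DWord -Value 4
}

function Deny-SystemOnUsbStor {
    # STEP TWO 3.b-c: add a Deny ACE for SYSTEM on the USBSTOR key
    $acl  = Get-Acl -Path $UsbStorKey
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        'NT AUTHORITY\SYSTEM', 'FullControl', 'ContainerInherit', 'None', 'Deny')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $UsbStorKey -AclObject $acl
}

function Test-UsbLockdown {
    # One boolean per control; all three should be True before the host is used as a kiosk
    $wp    = (Get-ItemProperty -Path $PolicyKey  -Name 'WriteProtect' -ErrorAction SilentlyContinue).WriteProtect
    $start = (Get-ItemProperty -Path $UsbStorKey -Name 'Start'        -ErrorAction SilentlyContinue).Start
    $deny  = (Get-Acl -Path $UsbStorKey).Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and $_.IdentityReference -like '*SYSTEM' }
    [pscustomobject]@{
        WriteProtect    = ($wp -eq 1)
        UsbStorDisabled = ($start -eq 4)
        SystemDenied    = [bool]$deny
    }
}

Backup-UsbKeys
Set-UsbWriteProtect
Disable-UsbStor
Deny-SystemOnUsbStor
Test-UsbLockdown
```

Run Test-UsbLockdown again after the reboot that follows STEP THREE; the Start value only matters once the service is next asked to load, so a device plugged in before the reboot is not a valid test of the lockdown.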

STEP THREE

Windows Shell Extension VMware Boot

Working in Windows 7 Ultimate using a local policy that applies only to my user account. The policy tells Windows to use VM View as my shell instead of Explorer (so there is no start menu, just a wallpaper). This way VM View launches immediately upon (automatic) user log in.

1. Setting up your user account to log in automatically

a. Log in as administrator.

b. Open the start menu, and type in the search box: netplwiz

c. Uncheck “Users must enter a user name and password to use this computer” and hit Apply.

d. A window will pop up asking for the user name and password of the user account that should log in automatically. Supply the information and hit OK.

e. The next time you restart, the account selected in step 1 will log on automatically. Now you can set up this account to use VM View as its shell instead of Explorer:


2. Set VM View as shell for a specific user account

a. Log in as administrator.

b. Open the start menu, and type in the search box: mmc

c. Choose File > Add/Remove Snap-in....

d. Select Group Policy Object Editor and hit Add.

e. In the wizard that pops up, hit Browse..., go to tab Users, select your user account (the one that you set up to log on automatically in step 1) and hit OK.

f. Make sure that the checkbox in the wizard is unchecked, and hit Finish.

g. Hit OK in the Add/Remove Snap-ins window.


h. In the User Configuration > Administrative Templates > System folder, open Custom User Interface.

i. Select Enabled and enter the full path (including the .vmx file and any switches that you may use) in the Interface file name textbox. Mine looks like this: vmware -X “C:\Users\ADMIN\Documents\Shared Virtual Machines\Windows_7.vmx”
Make sure VMware is in your PATH. See “Environment Variables.”

j. Hit OK and reboot your system. It should now log in and start VM View automatically without showing the start menu and icons.
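The Custom User Interface policy configured through the MMC wizard above ends up as a Shell string value under the kiosk user's HKCU Policies\System key. The script below is an added example, not part of the original post: run as the kiosk user, it writes that value directly (the MMC route is the managed way to get the same result) and then checks the things STEP THREE says must be true before rebooting: the policy value matches the intended command line, vmware is resolvable on PATH, the .vmx file exists, and whether the auto-logon account is a local administrator. The .vmx path is the one from the post and should be adjusted; the function names are my own.

```powershell
# Added example (not from the original post): set and verify the per-user kiosk shell from STEP THREE.
# Run in a PowerShell session belonging to the kiosk user (the account that logs on automatically).

$VmxPath  = 'C:\Users\ADMIN\Documents\Shared Virtual Machines\Windows_7.vmx'   # path from the post; adjust
$ShellCmd = "vmware -X `"$VmxPath`""                                            # same command line as the post
# The "Custom User Interface" Group Policy setting is stored as the Shell value under this key
$PolicyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'

function Set-KioskShell {
    param([string]$Command = $ShellCmd)
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name 'Shell' -PropertyType String -Value $Command -Force | Out-Null
}

function Test-KioskShell {
    # Each field corresponds to one precondition in STEP THREE
    $shell  = (Get-ItemProperty -Path $PolicyKey -Name 'Shell' -ErrorAction SilentlyContinue).Shell
    $vmware = Get-Command vmware -ErrorAction SilentlyContinue        # "Make sure VMware is in your PATH"
    $id     = [Security.Principal.WindowsIdentity]::GetCurrent()
    $isAdmin = ([Security.Principal.WindowsPrincipal]$id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
    [pscustomobject]@{
        ShellPolicySet = ($shell -eq $ShellCmd)
        VmwareOnPath   = [bool]$vmware
        VmxExists      = (Test-Path -LiteralPath $VmxPath)
        # The shell process runs with this account's rights, so a kiosk account should report False here
        UserIsAdmin    = $isAdmin
    }
}

Set-KioskShell
Test-KioskShell
```

If UserIsAdmin comes back True, note that the STEP SIX maintenance trick (launching explorer.exe from Task Manager) then hands anyone at the keyboard an administrative desktop; a standard user account for the auto-logon, with a separate administrator account for maintenance, keeps that path closed.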


STEP FOUR


Now the host is configured and the VMware image is in its proper location (C:\Users\your username\Documents\Shared Virtual Machines). Start the host computer and wait for the host system to boot into the VMware image; it will take a minute or two.

*When the VMware image boots for the first time, you may receive two pop-ups:


1. “This virtual machine appears to be in use"

Select “Take Ownership”


2. You will see a message box asking whether you have "Copied it" or “Moved it".
It is critical to select "Moved it!!!"


STEP FIVE


Now the VMware image should start. The following configuration steps for the running Virtual Machine are required.


1. Once the VM is running, go to the top toolbar and select "VM." From the drop-down menu select "Install VMware Tools", then restart. (see screen shot)

In some cases the option may read “Reinstall VMware Tools”.

2. Take a snapshot of the VM.

3. VM > Settings > Options > Snapshots: choose “Revert to snapshot”

STEP SIX

To conduct maintenance on the host system, press Ctrl + Alt + Del > Start Task Manager > File > Create New Task, type in “explorer.exe”, and click OK.

*This will start the Windows Explorer process and make the main OS available.


If the above directions are followed, you should now have a functional system to safely scan USB devices. By using ‘snapshots’ for the VM to revert to, we ensure that the VM returns to a “clean” state every time it is powered on. Even if the VM becomes infected during a scan, forensic tests have proven that the system is NOT infected following a restart / revert.
Also, by isolating the VM from the host, we greatly minimize cross-contamination between the VM and the host machine. All interaction between USB drives and the VM is done via the VMware Virtual Mass Storage Device Driver. Even when the host is configured not to recognize USB drives, the VMware Virtual Mass Storage Device driver will identify the device inserted into the host’s USB port and connect it to the Virtual Machine.
