VMware Cloud Community
ptong
Contributor

Domain security recognizing VM's internal drive as USB/external

Hey all, I'm not sure this is the right spot for this so please move if necessary.

I have a Win7 Pro SP1 VM that I'm trying to migrate between domains. The new domain has a lot of different security policies in place, one of which is to block users from accessing or using external drives. This policy is breaking connectivity to our second listed hard drive as if it were an external (it's confirmed that disabling the policy fixes the issue).

Config of VM drives:

HD1: 40 GB
Virtual Device Node: SCSI(0:0)

HD2: 10 GB
Virtual Device Node: SCSI(0:1)

All other settings are the same.

HD1 is the OS drive and connects without issue, while HD2 is recognized as an external and restricted from access. Does anyone have experience with how VM storage devices present themselves in terms of external vs internal? I've already tried connecting HD2 as IDE etc, no luck.

Thanks!

0 Kudos
4 Replies
ptong
Contributor

As a side musing, it's possible that the policy recognizes both drives as "USB/External", but as the OS is running off of HD1 it isn't prevented from connecting to itself. To that end, I've attached a screenshot of the current config of an offending disk.

Anyone with any experience with virtual disk drives and domain security in general?

0 Kudos
daphnissov
Immortal

That makes no sense. To get to the bottom of it, we'd need to look at this "security policy" and how the logic is written, because it sounds quite flawed to me. Is it possible it would flag any system that has more than one disk assigned to it?

0 Kudos
ptong
Contributor

Security policy was a few registry entries preventing read/write/exec on external drives, and doesn't trigger on physical boxes with multiple internal drives. Couldn't figure out why it was triggering on these systems and needed to get this done, so we just redirected the processes that used the virtual 2nd internal onto the main drive and expanded it.

I'm still in the dark and would like to know what the answer was, but my issue is resolved.

0 Kudos
bluefirestorm
Champion

It is seen as "external" or "removable" or "ejectable" because of the default hotplug behaviour. Since it is a Windows 7 VM, you probably see a bunch of "ATA controllers" as well that are "Ejectable", as well as the virtual NIC(s). So the domain policy is restricting it as it sees it as a removable disk.

Add the line

devices.hotPlug = "FALSE"

to the vmx configuration file and the SCSI disk will no longer appear as "Ejectable".

If you have virtual SATA drives, add the line

ahci.port.hotplug.enabled = "FALSE"

0 Kudos
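
The check below is an added example, not part of the thread or VMware's own tooling: it reads a .vmx file's text and reports which virtual disks are still missing the hotplug setting named in the last reply (SCSI disks against `devices.hotPlug`, SATA disks against `ahci.port.hotplug.enabled`). The sample .vmx content is constructed, and matching key names case-insensitively and identifying disks by a `.vmdk` file name are assumptions of this example.

```python
import re

# Constructed sample .vmx content (not from the thread): two SCSI disks, one SATA disk.
SAMPLE_VMX = '''\
.encoding = "UTF-8"
scsi0.present = "TRUE"
scsi0:0.present = "TRUE"
scsi0:0.fileName = "win7.vmdk"
scsi0:1.present = "TRUE"
scsi0:1.fileName = "win7-data.vmdk"
sata0:0.present = "TRUE"
sata0:0.fileName = "extra.vmdk"
devices.hotPlug = "FALSE"
'''

LINE_RE = re.compile(r'^\s*([^#\s=]+)\s*=\s*"(.*)"\s*$')
DISK_RE = re.compile(r'^((scsi|sata)\d+:\d+)\.present$')
# Setting the reply gives for each bus type.
REQUIRED = {"scsi": "devices.hotPlug", "sata": "ahci.port.hotplug.enabled"}

def parse_vmx(text):
    """Return {lowercased key: value} for every key = "value" line."""
    settings = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            settings[m.group(1).lower()] = m.group(2)
    return settings

def hotplug_findings(text):
    """Return sorted (disk node, line to add) pairs for disks left hot-pluggable."""
    s = parse_vmx(text)
    findings = []
    for key, value in s.items():
        m = DISK_RE.match(key)
        if not m or value.lower() != "true":
            continue
        node, bus = m.group(1), m.group(2)
        # Assumption: a node is a virtual disk only if its fileName is a .vmdk.
        if not s.get(node + ".filename", "").lower().endswith(".vmdk"):
            continue
        setting = REQUIRED[bus]
        # An absent key counts as hot-pluggable (the default behaviour described above).
        if s.get(setting.lower(), "").lower() != "false":
            findings.append((node, f'{setting} = "FALSE"'))
    return sorted(findings)

if __name__ == "__main__":
    for node, line in hotplug_findings(SAMPLE_VMX):
        print(f"{node}: still hot-pluggable, add {line}")
```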