VM template issue: OOBE does not provide a true out-of-the-box-experience
Created: 2023-01-26
TL;DR: We have identified a low severity security risk regarding the creation of VM templates. We are working with the local Support Team members to mitigate this risk.Introduction
One of the features in the myDRE portal is the ability to create a VM template. Different organisations provide their users with their own organisation-specific Virtual Machine (VM) template(s). On our Knowledge Base, we have previously published instructions for the users and local Support Team members on how to generalise the VM after installing software and create a template out of it.
One of the steps is to run sysprep and select OOBE, which stands for Out-Of-the-Box-Experience. Based on Microsoft documentation it was to be expected that OOBE would remove any user groups associated with the VM. However, it has come to our attention that the user group of the Workspace that created the template is not removed while creating a template. In this sense, OOBE does not provide a true Out-Of-the-Box-Experience and introduces a security risk.
Security risk (Low)
Users usually only create templates for their own Workspace, so it does not affect them. However, local Support Teams could create organisation-specific templates which are then displayed in a shared image gallery. Once it is in the shared image gallery, the template could be selected and deployed in Workspaces belonging to their own organisation via the VM creation menu. As described above, OOBE does not provide an Out-Of-the-Box-Experience as the user group of the Workspace that created the template is not removed while creating a template. This means that someone who is a member of the Workspace that created the template could gain access to the VMs in Workspaces where the template has been deployed. This poses a security risk, however we have categorised the severity on Low. This is because of the following:
- The templates were created in the tenant's own test/demo Workspaces with limited and controlled amount of support users belonging to the tenant.
- To be able to access the VMs based on the template in other Workspaces, you would need to know that these exist.
- They would need to have access to your Workspace.
Even though the severity is Low, we feel the responsibility of communicating this, and we are implementing mitigating measures as we speak.
Mitigations
We have identified the user groups and the associated test/demo Workspaces where the templates were created and we are working with the local Support Team members to clean up these Workspaces. Deletion of the specific user groups will remove them from the affected VMs and they will no longer have potential access. In addition, we are looking into a better and secure way on how to generalise VMs and create organisation-wide templates in a more automated way.
Related Articles
Generalize a VM
Use this process only if you want to create a template for your own Workspace. If you want to create a template for the whole organisation, please contact your local ST member. Introduction Installing the same software on your VM can be tedious and ...Managing and monitoring your VM
From within the myDRE web portal, you can find a Manage and monitor VM menu that provides links directly to your VM in the Azure portal and Azure app. Within the Azure portal or app, you can start, stop and reset the VM, as well as analyze its ...[Available now] Windows-OSDS/1.0.0 Open Source Data Science VM template
Installing software can be quite a hassle, especially if you have to do it over and over again. The feature to create an image of a VM where you have installed your software could provide a nice outcome. To learn more about how you can create your ...RUMC-Base 1.0.0
Important! This image may only be deployed in Radboudumc workspaces. It is not permitted to deploy the template in a workspace of a different tenant. Thanks for understanding. Due to a bug in the current template, the C:-drive appears to be much ...No Admin permissions in VM
Introduction Accountable, Privileged and Advanced Members have 'Admin' permissions within a VM. These roles have administrator permission within a VM that allows them to install software and run software as administrator. In rare cases however, VMs ...