Unable to lock down VBOX COM using DCOMCNFG

[rbhkamal]

I need to install VirtualBox in an environment that permits only a special user (vboxuser) to control virtual box.

The problem is that on Windows XP, locking down VirtualBox is not working (could be a windows bug), any user can launch with VBOXSVC and then have complete control over VirtualBox (if the set VBOX_USER_HOME properly). Windows 7 works fine (UAC on and off).


Here are the steps to lock down the COM service:
1- Install virtualbox under any admin user
2- Create a new user (vboxuser), make it an admin.
3- Login to vboxuser and start DCOMCNFG as admin
4- Select Component Services --> Computers --> My Computer --> DCOM Config
5- Locate VirtualBox then right click on open Properties
6- Select Security Tab
7- Change Launch/Activation to SYSTEM and vboxuser (local launch and activation)
8- Change Access to SELF,SYSTEM and vboxuser (local access)
9- Change Configuration to SYSTEM, vboxuser (full control)
10- Click OK and make sure that virtualbox.exe can start under vboxuser
11- logoff from vboxuser and then log back in to your user.
12- Start virtual box, and it starts! That is the problem.

On Windows 7 you would get an error (Access Denied) and it would only work if I use runas /user:vboxuser virtualbox.exe.

The problem happens only on Windows XP SP3 x86 (I haven't tested any x64 versions)

I tested another COM service, and the permissions seem to work on Windows XP.
Please let me know if you have any questions

I was able to reproduce this problem using VBOX 4.0.4 and VBOX-OSE 3.2.18 (self compiled/installed)