
VMware ACE 2.0 Release Notes


Release Date: August 28, 2008
Build Number: 109488

Assured computing environment (ACE) allows security administrators to protect critical company resources against the risks that unmanaged computers present. This document contains the details of VMware Workstation ACE Edition and ACE Management Server.
These release notes cover the following topics:

What's New in ACE 2.0.x

This section lists all maintenance releases of VMware ACE.

What's New in ACE 2.0.3

This release includes the following changes to the user interface:

Power-off Script

You can now configure access control policies to include a power-off script. You can use the power-off script to reset any changes made to the host from a power-on script, reset authentication settings, or other procedures you want to perform as the instance powers off.

Perform the following steps to include a power-on/off script in the ACE master’s packages:

  1. Create the script and save it in the ACE Resources folder.
  2. On the access control policy page, click the Power-on/off scripts button. The Power-on/off scripts dialog box appears.
  3. If the deployment platform setting in package settings is set to Both Windows and Linux, then the Choose Power-on/off scripts dialog box contains text fields for both Windows and Linux script specifications.
  4. Select Use power-off script to set a power-off script.
  5. Click Set to open the Set Custom Script dialog box. Refer to the ACE Administrator's Manual for details on setting custom scripts.
    If you are enabling a power-on/off script after you have already deployed packages with this ACE master, provide the script to the user using a policy/server update package or a custom package with ACE Resources.

Windows Login

With this release, the package settings include a Microsoft Windows login feature. The ACE administrator must enter the guest operating system's user name and password to perform instance customization.

Open the Package settings dialog box, enable instance customization, and select Windows Login.
Enter the guest operating system's Windows login information. On managed systems, enter a user name and password. On unmanaged systems, enter only a user name.

The user name you enter must have permissions to copy files into the guest operating system and to run the Microsoft sysprep deployment tools. For managed ACE masters, the user name and password are stored in the ACE Management Server. For unmanaged ACE masters, the user name is stored in the ACE master policy file. For security reasons, the password is not stored.

MAC Address Pools

You can add a MAC address pool to the database of an ACE master. Note, however, that this feature might not work when the ACE Management Server uses an Oracle Database 10g.

For more information on how to add a MAC address pool, refer to the technical note named Creating a MAC Address Pool.

What's New in ACE 2.0.1

Updated Support for Host and Guest Operating Systems

Refer to the Workstation 6.0 Release Notes for a complete list of supported operating systems.

This release also includes the following features:

  • Enhancements for Japanese Product Versions
    For more information, see the Japanese release notes.
    Note: Technical Support services for VMware Workstation are currently delivered in English. Japanese-speaking support engineers are available in a limited capacity during the operating hours of the local support center. For more information, see VMware local language support.
  • Active Directory Multi-Domain
    ACE Management Server supports domain forests and other distributed domain topologies.
  • Bulk Deployment of VMware Pocket ACE Packages
    Workstation ACE Edition has the ability to run multiple deployments from the same package at the same time using a CLI feature. Refer to the VMware ACE Administrator’s Manual for more information.
  • Dynamic Package Lifetime Configuration
    You can change the package lifetime settings on managed packages. Settings can be changed before or after package creation.
  • Saved Queries in the ACE Management Server Search Interface
    Search query parameters can be saved in the ACE Management Server instance view.
  • Clone a Virtual Machine From an ACE Instance
    You can convert an ACE instance into a virtual machine for troubleshooting or repairing.
  • Player Control
    You can control which virtual machines and ACE instances can be run on a host where you have configured an ACE instance.

What's New in ACE 2.0

Some terminology for ACE 2.0:

Workstation ACE Edition – The software used by the ACE administrator to create virtual machines and package them for distribution to ACE end users.
ACE master – A virtual machine template created by the ACE administrator. An ACE master can be configured with various policies, devices, and package settings and then used as the basis for creating any number of packages to be sent to ACE users.
ACE instance – The virtual machine that ACE administrators create, associate to virtual rights management (VRM) policies, and then package for deployment to end users. In short form, an ACE instance is an ACE.

  • ACE Management Server — The ACE Management Server enables you to manage ACE instances, dynamically publish policy changes for those instances, and test and install packages more easily. It provides Active Directory/LDAP integration for your existing directory setup. An SQLite database is embedded in the ACE Management Server; alternatively, you can use an external Microsoft SQL Server or Oracle Database 10g database with a Windows server, or an external PostgreSQL database with a Linux server. Role-based, SSL-secured communication between the ACE Management Server and its clients is also a feature.
  • ACE Management Server Appliance — The ACE Management Server Appliance is a self-contained, pre-installed, pre-configured ACE Management Server that is packaged with a small operating system in a virtual machine. Using this appliance is the fastest way to get an ACE Management Server running in your environment.
  • Instance View — Instance View enables an administrator to view and control all managed ACE instances. An advanced search function enables you to locate instances in the database quickly. You can also customize the Instance View by adding searchable custom fields.
  • Help Desk — Help Desk is a Web application for use with ACE instances that are managed through an ACE Management Server. Administrators and help desk assistants can use the Help Desk to fix common user issues such as lost passwords and expired instances.
  • Pocket ACE — Pocket ACE enables an administrator to bundle and install an ACE onto a USB portable media device, including USB flash drives, Apple iPod mobile digital devices, and portable hard drives. It runs directly from the USB portable media device and can be run with the VMware Player that is bundled with the software.
  • Virtual Printer — VMware ACE includes a virtual printer that enables users to print to any printer available to the host computer from applications inside a virtual machine without installing additional drivers in the virtual machine.
  • Network Access — These policies give you fine-grained, flexible control over the network access you provide to users of your ACE instances. Using a packet-filtering firewall, the network access feature of ACE 2 lets you specify exactly which machines or subnets an ACE instance or its host system can access.
  • USB Device Policy — This policy provides enhanced control of USB devices.
  • Instance Customization (Automated sysprep) — The instance customization feature automates Microsoft Sysprep deployment tools actions and streamlines the process of customizing instances after they have been installed on the user machines.
  • Remote Domain Join — The remote domain join feature enables you to automate the join of a remote ACE instance through your own VPN client/server setup to the domain that you specify.
  • Updated Policy and Package Settings — Enhancements to the policies and package settings you can apply and the ways in which you can update policies make it easier for you to secure and manage your ACE deployments. All policies are dynamic. Updated policies and package settings include:
    • Snapshots policy, for allowing users to take or revert to both user snapshots and reimage snapshots.
    • Enhanced copy protection policy for managed instances.
    • Administrator mode, which enables you to configure virtual machine settings directly on the users’ machines (for ACE instances running in VMware Player on Windows systems) and to use the vmware-acetool command-line program with standalone ACE instances to fix some common issues such as lost or forgotten passwords.
    • Runtime preferences policy, which enables you to configure settings that your end users can access when running ACE instances.
    • Hot fix policy, which enables you to activate the hot fix feature for standalone ACE instances, allowing an administrator to respond to hot fix requests from users to fix such common issues as lost or forgotten passwords.
    • Resource signing policy, which enables you to specify that ACE Resource files be protected from all tampering.
    • Custom EULA package setting, which enables you to provide a custom EULA (end-user license agreement) that appears when an ACE instance is activated.
  • Linux Systems Available as Host Systems for ACE User Machines
  • Troubleshooting tools — The vmware-acetool command-line program and the hot fix feature are available for use by administrators to fix users’ common issues on standalone ACE instances, such as expired ACE instances, copy-protection violations, and password resets. The Help Desk Web application and the Instance View can be used to fix those same issues for managed instances.
  • ACE Master Wizard and Clone ACE Master Wizard — The ACE Master Wizard provides custom settings that allow you to fine-tune settings for your ACE masters. The Clone ACE Master Wizard enables you to create an ACE master quickly from an existing ACE master.
  • Enhancements to Preview Mode — Preview mode enables you to run the ACE instance as it will run on the end user’s machine as well as see the effects of changed policies as they will appear on the ACE user’s machine without your having to package and install them.
  • ACE Integration with Workstation — Workstation, when licensed with the ACE option pack, can now be used to create and manage ACE virtual machines.

Before You Begin

Read the following before you install and configure this software:

  • The VMware ACE 1.x to VMware ACE 2.x upgrade is a manual process. Follow the instructions in the VMware ACE Administrator's Manual very carefully.
  • Register your serial number to obtain access to technical support.
    If you have purchased VMware ACE, you must register your serial number before you can access technical support. Evaluation serial numbers are pre-registered. You do not have to register evaluation serial numbers to access technical support.
  • VMware Workstation ACE Edition cannot be installed on a computer with any version of VMware Workstation, VMware Player, VMware GSX Server, VMware Server, or VMware ACE software. Follow the same guidelines when installing the VMware Player application on end users' computers.
  • Install the latest version of VMware Tools. Be sure to install the version of VMware Tools included in this release (select Install VMware Tools from the virtual machine) in your ACE masters.
  • Workstation ACE Edition and an ACE Management Server that is integrated with Active Directory must be on the same domain. If they are not, users cannot be authenticated and thus cannot run ACE instances.
  • ODBC driver 2.2.10 is the supported driver if you are running ACE Management Server on a SLES9 operating system with an external database. (KB 1000205)

Known Issues

The following section contains the known issues in ACE 2.0.x releases:

Workstation ACE Edition

  • If you are upgrading to the ACE 2.0.1 main release from the beta release, virtual printer does not work properly unless you uninstall VMware Tools and then install ACE 2.0.1 Tools from the current release.
  • Instance Customization on Windows Vista fails for non-managed ACE masters when domain join is enabled and the guest login user is not an administrator.
    Workaround:
    Use the administrator account for guest login. Any other local administrator account does not work.

ACE Instances — General

  • DHCP traffic to and from the host system cannot be blocked with a host network access filter for an ACE instance running on a Linux host system. (KB 1000193)
  • Some USB devices might not work well with Linux 2.4.x kernel host systems. (KB 1000194)
  • To use the Virtual Printer feature, you must use a supported host/guest combination.
    • Supported host operating systems:
      All 32-bit Windows operating systems from Windows 2000 Professional and newer
      All 64-bit Windows operating systems for users logged in with administrative privileges
      Linux host operating systems are not supported in this release.
      On Vista 64-bit operating systems, virtual printer works only when printers are local.
    • Supported guest operating systems:
      All 32-bit Windows operating systems from Windows 2000 Professional and newer
      All 64-bit Windows operating systems
      32-bit Red Hat Enterprise Linux 4 (PostScript printers only)
  • A managed ACE instance using Active Directory or user password authentication cannot be powered on after the recovery key has been enabled dynamically on the server.
    If Active Directory authentication is used and the ACE instance is powered on, you are prompted to set up a user password, and an application failure occurs.
    If user password authentication is used and the ACE instance is powered on, you are prompted to set up the user password again, and this fails.
    Workaround:
    Disable the recovery key and publish the policies. After the recovery key is disabled, the user can power on the ACE instance again.
  • A managed ACE instance using Active Directory or user password authentication cannot be cloned to a virtual machine after the recovery key has been enabled dynamically on the server. Workaround: For an ACE instance that is using user password authentication, first disable the user password and then clone the ACE instance to a virtual machine. There is no workaround if the ACE instance is using Active Directory.
  • Blocking the use of a removable device while the ACE instance is running might not take effect until the ACE instance is powered off and powered on again. This only happens for Linux guest operating systems if the user chooses not to override the device lock in the message that appears on the host.

ACE Instances — Pocket ACE

  • There are Pocket ACE performance issues (KB 1000197).
  • You receive an error while running a Pocket ACE on a Vista host that does not have VMware Player installed. When you install an ACE package as an administrator, Player is installed. However, when you install an ACE package as a non-administrator, you have to have Player already installed for it to work properly.

ACE Management Server

  • ACE Management Server must be reconfigured when you upgrade from ACE 2.0 to 2.0.1 if you are using LDAP.
  • ACE 2 Management Server is most efficient when configured with the fully qualified name. If it is configured with an IP address or host name, it resolves the name each time and is less efficient.
  • You might encounter issues configuring a Linux ACE Management Server to use LDAP. Workaround: Make sure that the time on the system where ACE Management Server is installed matches the time on the system that is running Active Directory; a time lag between the two systems can cause this issue. Also verify the DNS settings on your Active Directory server and make sure that the "same as parent folder" record and the domain controller have the correct IP addresses.
  • You are unable to authenticate to your LDAP server after configuring your ACE Management Server appliance. Workaround: Restart the ACE Management Server.
  • IP addresses in Instance View and Help Desk are sorted alphabetically, not numerically. (KB 1000166)
  • You might find issues with Server Configuration or Help Desk Web applications. (KB 1000198)
  • Load balancing two or more ACE Management Servers with chain.crt certificates fails to authenticate them properly. Use the same certificate for multiple ACE Management Servers. (KB 1000207)
  • If you configure a static IP address on the ACE Management Server appliance you must reboot for the hostname to be applied.
  • If you upgrade ACE Management Server and it was installed in a non-default directory, be sure to choose the same directory during the upgrade to ensure that your previous settings are used.
  • Upgrading from SLES93 AMS20 to SLES93 AMS201 results in a blank and non-responsive login user interface. Workaround: Set the IP address to 127.0.0.1 if using localhost. If this does not work, restart Apache Server.
  • When you use ACE Management Server on a Windows 2000 system with Active Directory, SSL must be enabled on the domain controller for LDAP authentication to work correctly.
  • Connecting from ACE Management Server on a RHEL4 host to an Active Directory/LDAP server fails if the Canna server fails to start.
  • You are unable to change the password of a user if the user is not in the primary domain.
  • A first-time restart of ACE Management Server might fail to load the user interface.
  • Uploading a *.crt file from one ACE Management Server to another ACE Management Server without the corresponding *.key file causes HTTPD to fail.
  • You are unable to add users from a child domain when a managed ACE instance is configured with Windows 2000 ACE Management Server.

Known Issues on Japanese Systems

Workstation ACE Edition

  • The Virtual Printer feature is not localized in Japanese.
  • ACE does not support Virtual Printer on a Japanese guest operating system in the current release.
  • On Japanese systems, if you use instance customization and set the local administrator user name to a name that contains a Japanese 5c character (the backslash character in ASCII and the Yen character in some Japanese character sets), instance customization fails.

ACE Management Server

  • Your server name must be either the machine name in English or the IP address. Some international characters are not supported.
  • During installation, some text strings might appear only in English.
  • Because the ACE Management Server uses Apache as its Web server, installing to a path that contains two-byte Japanese characters might cause the Apache installation to fail to register the Apache service, so ACE Management Server might not work. To prevent this, use only English letters in the ACE Management Server installation path. The Apache service monitor might also not work as expected on hosts with Japanese names: the service status might not appear at all, and the service cannot be stopped or started from the monitor. The workaround is to restart the service from either the Windows service console or the ACE Management Server configuration Web page.
  • The Data Source Name (DSN) does not support Japanese characters.
  • You are unable to authenticate with a Japanese Windows 2000 Server using ACE Management Server with LDAP over SSL.
    Workaround:
    Change the value in acesc.conf by performing the following steps:
    1. Stop the Apache service from the Apache service monitor.
    2. Open the acesc.conf file located at C:\Program Files\VMware\VMware ACE Management Server\conf
    3. Search for <secure>1</secure> in the <ldap></ldap> section and change the value from 1 to 0.
    4. Save the acesc.conf file.
    5. Restart the Apache service.
    When you use this workaround, you cannot change the user password from an ACE instance.
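The workaround above edits the <secure> flag inside the <ldap> section of acesc.conf by hand. As an added example (not VMware's code), the following Python reads that flag, changes it only inside the <ldap> section so that no other <secure> element is touched, and reports a server left at 0 so the downgrade can be found and reversed later. It assumes acesc.conf is well-formed XML with a single root element; the root element name, the extra sections and all sample values are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape the workaround describes (an <ldap> section
# holding <secure>1</secure>, a <krb5> section holding <conf_file>). The root
# element name, the <web> section and all values are assumptions, not a real
# acesc.conf.
SAMPLE_CONF = """<aceserver>
  <krb5>
    <conf_file>/etc/krb5.conf</conf_file>
  </krb5>
  <ldap>
    <server>dc01.corp.example</server>
    <port>636</port>
    <secure>1</secure>
  </ldap>
  <web>
    <secure>1</secure>
  </web>
</aceserver>
"""


def secure_value(conf_text, section="ldap"):
    """Return the <secure> flag of one section: 1 = LDAP over SSL, 0 = plain LDAP."""
    root = ET.fromstring(conf_text)
    node = root.find(f"./{section}/secure")
    text = (node.text or "").strip() if node is not None else ""
    if text not in ("0", "1"):
        raise ValueError(f"no 0/1 <secure> value inside <{section}>")
    return int(text)


def set_ldap_secure(conf_text, value):
    """Return conf_text with <ldap>/<secure> set to value (0 or 1).

    Only the element inside <ldap> is touched, so a blanket search-and-replace
    of '<secure>1</secure>' cannot accidentally downgrade another section.
    """
    if value not in (0, 1):
        raise ValueError("value must be 0 or 1")
    root = ET.fromstring(conf_text)
    node = root.find("./ldap/secure")
    if node is None:
        raise ValueError("no <secure> element inside <ldap>")
    node.text = str(value)
    return ET.tostring(root, encoding="unicode")


def audit(conf_text):
    """List findings for a configuration left with the workaround applied."""
    findings = []
    if secure_value(conf_text, "ldap") == 0:
        findings.append(
            "ldap/secure=0: LDAP binds, including user passwords, leave the "
            "server unencrypted, and users cannot change passwords from an "
            "ACE instance (release-note caveat); re-enable once the domain "
            "controller accepts LDAP over SSL"
        )
    return findings


if __name__ == "__main__":
    downgraded = set_ldap_secure(SAMPLE_CONF, 0)   # step 3 of the workaround
    print("after workaround:", audit(downgraded))
    restored = set_ldap_secure(downgraded, 1)      # reversing the workaround
    print("after restore:", audit(restored))
```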

Resolved Issues

This section provides the details of the resolved bugs and security fixes in all maintenance releases of ACE 2.0.x.


VMware ACE 2.0.5

ACE 2.0.5 addresses the following security issues:

  • Setting ActiveX killbit
    Starting with this release, VMware sets the kill bit on its ActiveX controls. Setting the kill bit ensures that these ActiveX controls cannot run in Internet Explorer (IE), which avoids security issues involving ActiveX controls in IE. See Microsoft KB article 240797 and the related references on this topic.
    Security vulnerabilities have been reported for ActiveX controls provided by VMware when they run in IE. Under specific circumstances, exploitation of these ActiveX controls might result in a denial of service or allow arbitrary code to run when the user browses a malicious Web site or opens a malicious file in IE. An attempt to run unsafe ActiveX controls in IE might result in pop-up windows warning the user.
    Note: IE can be configured to run unsafe ActiveX controls without prompting. VMware recommends that you retain the default IE settings, which prompt when unsafe actions are requested.
    Earlier, VMware issued knowledge base articles KB 5965318 and KB 9078920 on security issues with ActiveX controls.
    To avoid malicious scripts that exploit ActiveX controls, do not enable unsafe ActiveX objects in your browser settings. As a best practice, do not browse untrusted Web sites as an administrator and do not click OK or Yes if IE prompts you to allow certain actions.
    The Common Vulnerabilities and Exposures project has assigned the names CVE-2008-3691, CVE-2008-3692, CVE-2008-3693, CVE-2008-3694, CVE-2008-3695, CVE-2007-5438, and CVE-2008-3696 to the security issues with VMware ActiveX controls.
  • Update to FreeType
    FreeType 2.3.6 resolves an integer overflow vulnerability and other vulnerabilities that can allow malicious users to run arbitrary code or cause a denial of service after a maliciously crafted file is read. This release updates FreeType to its latest version, 2.3.7.
    The Common Vulnerabilities and Exposures project has assigned the names CVE-2008-1806, CVE-2008-1807, and CVE-2008-1808 to the issues resolved in FreeType 2.3.6.
  • Update to Cairo
    Cairo 1.4.12 resolves an integer overflow vulnerability that can allow malicious users to run arbitrary code or cause a denial of service after a maliciously crafted PNG file is read. This release updates Cairo to its latest version, 1.4.14. The Common Vulnerabilities and Exposures project has assigned the name CVE-2007-5503 to the issue resolved in Cairo 1.4.12.

VMware ACE 2.0.4

ACE 2.0.4 resolves the following issues:

  • In ACE Management Server event logging, some authentication events do not log user credential information.
  • Zone-based network quarantine rules sometimes do not work correctly when the user logs in to a new network. Occasionally the host's DNS suffix overrides the actual network domain name, retaining TCP/IP settings for nonexistent adapters. With this release, you can now set the configuration option enableDhcpDomain to true in the virtual machine's .vmx file if you want to make a DHCP request for domain detection.

Security Fixes

  • On Windows hosts, if VMCI is enabled, a guest can run arbitrary code in the context of the vmx process on the host. This is a compiler-dependent vulnerability. The Common Vulnerabilities and Exposures project has assigned the name CVE-2008-2099 to this issue.
  • A security vulnerability related to the host-guest file system (HGFS) might cause a buffer overflow. The Common Vulnerabilities and Exposures project has assigned the name CVE-2008-2098 to this issue.

VMware ACE 2.0.3

ACE 2.0.3 addresses the following security issues:

  • On Windows hosts, if you have configured and enabled a shared folder, it is possible for an attacker to write arbitrary content from a guest system to arbitrary locations on the host system (CORE-2007-0930).
  • This release updates the libpng library version to 1.2.22 to remove various security vulnerabilities.
  • This release updates the OpenSSL library to address various denial-of-service and buffer overflow vulnerabilities. The Common Vulnerabilities and Exposures project has assigned the following names to these issues: CVE-2006-2940, CVE-2006-2937, and CVE-2006-4343.

VMware ACE 2.0.2

ACE 2.0.2 resolves the following issues:

Workstation ACE Edition

  • Hosts with AMD Duron processors might not be able to power on virtual machines. This issue occurs because Athlon-based Duron processors do not support Intel SSE (Streaming SIMD Extensions).
  • Ubuntu 7.04 virtual machines sometimes power off unexpectedly if paravirtual kernel support is enabled.

ACE Instances

  • When the host machine is suspended (stand by or hibernate), authentication is not required to gain access to a virtual machine.

ACE Management Server

  • ACE Management Server leaks private virtual memory. (KB 1000206)
  • ACE Management Server ignores the options <conf_file></conf_file> in the <krb5> section of the ACE Management Server configuration file.

VMware ACE 2.0.1

ACE 2.0.1 resolves the following issues:

Workstation ACE Edition

  • The tools service takes a long time to start on a guest with the Virtual Printer policy enabled.
  • Activation keys can only be used once.
  • The Pocket ACE Deploy Utility does not detect some high-capacity USB hard drives when running on the Microsoft Vista operating system. (KB 1000165)
  • Activation limits are not working for groups. (KB 1000204)

ACE Instances

  • The ace_upgrade.exe application fails with certain characters in the folder name: -s, -q, -v, -?, -a, -c, or -l. (KB 1000203)

Pocket ACE

  • The Pocket ACE performance test creates inconsistent results. (KB 1000208)
  • The host-guest script and power-on script do not run on Pocket ACEs.
  • If you see the USB device that you are using for a Pocket ACE instance listed on the device toolbar or menu, do not attempt to connect it to the instance. (KB 1000195)
  • Pocket ACE fails at startup.
  • Devices using image (ISO) files do not work with Pocket ACE.
  • Do not unplug a Pocket ACE while the Pocket ACE is running. (KB 1000196)

ACE Management Server

  • In Mozilla Firefox, the Help Desk application might not sort ACE instances correctly.
  • Active Directory — The ACE Server Configuration Web application does not support secure remote connections. (KB 1000191)

Security Fixes

  • This release fixes several security vulnerabilities in the VMware DHCP server that might enable a malicious user to gain system-level privileges.
    The Common Vulnerabilities and Exposures project has assigned the following names to these issues: CVE-2007-061, CVE-2007-062, and CVE-2007-063.
    Thanks to Neel Mehta and Ryan Smith of the IBM Internet Security Systems X-Force for discovering and researching these vulnerabilities.
  • This release fixes a security vulnerability that might allow a malicious remote user to exploit the library file vielib.dll to overwrite files on a system.
    The Common Vulnerabilities and Exposures project has assigned the name CVE-2007-4155 to this issue.
    Thanks to the Goodfellas Security Research Team for discovering and researching this vulnerability.
  • This release fixes a security vulnerability that might allow a guest operating system user with administrative privileges to cause memory corruption in a host process, and thus potentially run arbitrary code on the host. The Common Vulnerabilities and Exposures project has assigned the name CVE-2007-4496 to this issue.
    Thanks to Rafal Wojtczuk of McAfee for identifying and reporting this issue.
  • This release fixes a security vulnerability that might allow a guest operating system user without administrator privileges to cause a host process to stop responding or exit unexpectedly, making the guest operating system unusable. The Common Vulnerabilities and Exposures project has assigned the name CVE-2007-4497 to this issue.
    Thanks to Rafal Wojtczuk of McAfee for identifying and reporting this issue.

You may also view a list of all knowledge base articles related to ACE 2.0.