Is there a unique computer identifier that can be used reliably even in a virtual machine?

user275683 · Jan 4, 2011 · Viewed 14.3k times

I'm writing a small client program to be run on a terminal server. I'm looking for a way to make sure that it will only run on a specified server, and in case it is removed from the server it will stop functioning.

I understand that there are no methods to make it 100% secure; nonetheless, I want to make it difficult for most power users to be able to do it.

I was looking at different Unique Identifiers like Processor ID, Windows Product ID, Computer GUID and other UIs. Because the terminal server is a virtual machine, I cannot locate anything that is completely unique to this machine.

Any ideas on what I should look into to make this mostly secure? I do not have the time or the need to make it as secure as possible, because it will defeat the purpose of the application itself.

I do not want to use the MAC address. Even though it is unique to each machine, it can be spoofed by following instructions found on the internet.

As for the Microsoft Product ID, because our system team clones VM servers and we use a corporate volume key, I have already found two servers that I have access to that have the same Product ID number. I have no idea how many others out there have the same Product ID.

Alternatively, instead of trying to identify the machine, I might be better off identifying the user and creating group-based permissions handled through AD for access to this software.

Answer

Brian · Jan 4, 2011

By design, uniquely identifying a virtual machine is difficult; anything that allowed you to uniquely identify it would imply that it was not fully virtual (because cloning a virtual machine should produce an identical machine).

  1. Create a heartbeat application on the host machine that communicates with the VM via a loopback network adapter.
  2. Have the heartbeat application refuse to run if it is not able to uniquely identify the host machine.
  3. Have the main application refuse to run if the heartbeat application is not running.

You will need to find a way to ensure that the heartbeat application cannot be spoofed too easily.

It is not possible to protect the terminal program 100%. This question is equivalent to trying to prevent software piracy.
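The three steps above, with a challenge-response so that a recorded heartbeat cannot simply be replayed, as an added example that is not part of the original answer. The class names, the shared key and the host identifier are constructed assumptions, and a direct function call stands in for the loopback-adapter transport.

```python
import hashlib
import hmac
import secrets

# Constructed sample values (assumptions, not from the original post).
SHARED_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)
EXPECTED_HOST_ID = b"host-serial-EXAMPLE-0001"


def _tag(key, nonce, host_id):
    # The nonce has a fixed length (32 bytes), so concatenation is unambiguous.
    return hmac.new(key, nonce + host_id, hashlib.sha256).digest()


class HeartbeatService:
    """Host side (steps 1 and 2): answers challenges bound to this host's identifier."""

    def __init__(self, key, host_id):
        if not host_id:  # step 2: refuse to run without a host identity
            raise RuntimeError("cannot identify host machine")
        self._key, self._host_id = key, host_id

    def respond(self, nonce):
        return _tag(self._key, nonce, self._host_id)


class MainApplication:
    """VM side (step 3): runs only after a fresh, valid heartbeat reply."""

    def __init__(self, key, expected_host_id):
        self._key, self._expected = key, expected_host_id
        self._pending = None

    def new_challenge(self):
        self._pending = secrets.token_bytes(32)  # unpredictable, per attempt
        return self._pending

    def verify(self, response):
        if self._pending is None:
            return False
        nonce, self._pending = self._pending, None  # each nonce is single use
        expected = _tag(self._key, nonce, self._expected)
        return hmac.compare_digest(expected, response)  # constant-time compare


def may_run(app, service):
    # Direct call stands in for the loopback-adapter transport.
    return app.verify(service.respond(app.new_challenge()))
```

The key is present in both programs, so anyone who extracts it from either binary can forge replies; this raises the effort required and does not remove the limit stated in the answer.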