Security doubt about Windows contextualization


I have a doubt about Windows contextualization in KVM. For contextualization works, the contextualization script make a CDROM with file, where is the parameters of context.

The problem specified is the PASSWORD option. In Linux, this option can suppressed using ssh keys, but for windows it’s mandatory, for avoid default password. And the password is there, in clear text (even if you use base64, is of easy decoding). Any user of VM can read and get context parameters, includind the password.

A simple solution it seems to me be eject CDROM after apply context options. Would this bring any problem?

What do you think about this?

Why not separate your users so they only have permissions to access their own machines e.g. give them a resource limit then they can deploy in their own user space as opposed to everyone sharing the same access.

Yes, I do this. But my users share your VMs with your clients, which can be a problem, if the Administrator password stored in a text file disponible in the CDROM.

I solved this for me puting this in line 778 of file c:\programfiles (x86)\opennebula\context.ps1:
(new-object -COM Shell.Application).NameSpace(17).ParseName(‘D:’).InvokeVerb(‘Eject’)