How to restrict some Networking Modes?

Posted: 30. Jul 2021, 01:25
by chablet
Due to some security concerns, my company is removing VirtualBox VM from all machines.
The claim is that having "Bridged networking" available bypasses some network controls (i.e. AD-based firewall settings in Windows 10).

Is there a way (via Registry Settings for example) to restrict some of the Networking Modes?
This way, admin people can reduce "the risk" by disabling configurations like Bridged networking.

Re: How to restrict some Networking Modes?

Posted: 30. Jul 2021, 03:21
by scottgus1
Bridged will bypass the host OS's network stack completely, if I understand correctly. See Virtualbox Networks: In Pictures: Bridged Adapter

Virtualbox can be installed without Bridged networking. If your IT dept has sufficient control of what and how programs get installed on the computers, it can turn off Bridged during Virtualbox installation or upgrade, then no VMs can Bridge.

I understand it is also possible to configure a fancy-enough network switch to not allow more than one computer to network through the switch port, which would also block Bridged, since Bridged VMs would appear as separate computers to the network. This setup is controlled in the switch's configuration, not by Virtualbox settings or installation, and might be even more controllable than setting Virtualbox installation parameters.

NAT and NAT Network do go through the host PC's network stack, so they should comply with host networking restrictions.
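
An added example, not part of any post in this thread: a short audit an admin could run to find VMs whose adapters are attached in Bridged mode, by parsing the output of `VBoxManage showvminfo <vm> --machinereadable`. The sample output is constructed, and the function names are this example's own.

```python
import re
import subprocess

# Constructed sample of `VBoxManage showvminfo <vm> --machinereadable` output.
SAMPLE = '''name="build-vm"
nic1="nat"
macaddress1="080027AAAAAA"
nic2="bridged"
bridgeadapter2="Intel(R) Ethernet Connection"
macaddress2="080027BBBBBB"
nic3="none"
'''

def parse_vminfo(text):
    """Turn the key="value" lines of --machinereadable output into a dict."""
    info = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep:
            info[key.strip('"')] = value.strip('"')
    return info

def bridged_nics(text):
    """Return one finding per adapter slot attached in Bridged mode."""
    info = parse_vminfo(text)
    found = []
    for key, mode in info.items():
        m = re.fullmatch(r"nic(\d+)", key)
        if m and mode.lower() == "bridged":
            n = m.group(1)
            found.append({"vm": info.get("name", "?"), "slot": int(n),
                          "host_adapter": info.get("bridgeadapter" + n, ""),
                          "mac": info.get("macaddress" + n, "")})
    return sorted(found, key=lambda f: f["slot"])

def audit_host(vboxmanage="VBoxManage"):
    """Audit the VMs registered for the user running this script."""
    run = lambda *a: subprocess.run([vboxmanage, *a], capture_output=True,
                                    text=True, check=True).stdout
    findings = []
    # `list vms` prints one line per VM: "name" {uuid}
    for uuid in re.findall(r"\{([0-9a-fA-F-]{36})\}", run("list", "vms")):
        findings.extend(bridged_nics(run("showvminfo", uuid, "--machinereadable")))
    return findings

if __name__ == "__main__":
    for finding in bridged_nics(SAMPLE):
        print(finding)
```

VMs are registered per user, so `audit_host()` only sees the VMs of the account it runs under.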

Re: How to restrict some Networking Modes?

Posted: 30. Jul 2021, 09:34
by BillG
I would certainly think that is the way to attack the problem. It would prevent the vm from all direct access to the company LAN. The only way it can access the network is through the host's LAN connection. Any attempt to use bridged mode would fail, since bridged mode requires the vm to have its own port so that it can acquire its own IP etc from the DHCP server on the LAN.

We occasionally see posts on the forum from users on corporate LANs who cannot get bridged mode to work, and "one port per connection" settings on the switch is usually the cause.

Re: How to restrict some Networking Modes?

Posted: 30. Jul 2021, 10:47
by mpack
This seems excessive to me, or based on a misunderstanding.

E.g. at my work it simply isn't possible to use Bridged Networking to access the company LAN, because the VM would be seen like any other unknown PC: not on the whitelist pal, byeee! I would be amazed if your office LAN allows unknown laptops to connect to anything.

Disabling the bridged feature would be like asking guests to disable their WiFi. Yes you could do it, but it's hardly a substitute for actual security.

What is the goal here? Is it securing the LAN, or is it stopping employees visiting questionable sites on company time?