Securing the virtual desktop

All in the planning

Securing the endpoint has always been a headache for IT administrators. The less managed those endpoints are, the worse the headache is. In a virtualised desktop environment, where those operating systems and applications are more managed, does the problem go away?

Ostensibly, security is less of a problem in a virtual desktop environment. In a VDI or Remote Desktop Services implementation, the entire operating system and applications run centrally, and the user’s data remains in the data centre. Nevertheless, there are risks.

One quick-witted Reg reader pointed out that it would be relatively easy for an attacker to spoof a thin client using a terminal emulator, for example, and then copy the streaming data to a local drive.

“There will always be risks,” argues David Cowan, of IT services firm Plan-Net. But he adds that there are things you can do to mitigate those risks. “That would be two-factor authentication, or a remote access procedure where they have to go to a main portal to be part of the network.”

Running all sessions through an encrypted connection broker can also help to secure user sessions from prying eyes. The connection broker can operate in a DMZ, shunting user sessions into a trusted part of the infrastructure as encrypted streams.

Various other attacks are possible on a virtualised desktop infrastructure. A hacker could gain access to an administrative account on a virtual machine, and use that platform to mount an attack on the hypervisor. It may also be possible to mount an attack using vulnerabilities in the virtualisation management software itself.

On the upside, the centralisation of the desktop makes it more manageable, which means that the well-prepared IT administrator will be able to lock down security more effectively. One of the first things that an administrator should do is to create a minimum security baseline.

Gold standard

This baseline should mandate a non-administrative access account for users, limiting the operating system’s exposure to attack. This minimum security baseline will generally form part of a ‘gold image’ that is then cloned for many users.

Other things to consider when creating this gold image include network access control agents for persistent desktops that maintain their state even when the user is logged off. This enables each virtual desktop to check in with a policy server on login, and ensures that it is updated with the latest patches.

It is also possible to rationalise anti-malware packages when using a gold image. Instead of installing all the available features and components of an anti-malware package, including a personal firewall and content scanner, virtual desktop administrators may choose to simplify the installation (and reduce the computational load) by running a single content scanner and firewall at the gateway.

This relies on the fact that all the desktops are contained in the data centre, with a perimeter which should be easier to manage. But each virtual machine will still need an anti-malware scanner. On a conventional stand-alone desktop, a virus scan uses only local resources, which eliminates the load on the server. But when that desktop is hosted on the server, a virus scan can significantly tax resources.

How can systems administrators mitigate this problem? Randomised on-demand scanning is one approach. On-demand scanning sweeps the whole virtual machine for malware in one shot, and can take a significant amount of time, but it can be carried out more easily in a server environment.

Non-persistent desktop image

Standalone machines on the network might be turned off at night, calling for Wake-on-LAN functionality to start them up again for scanning purposes. In a server implementation, scans can be staggered throughout the night, and perhaps during the day if a desktop is not being used, to smooth out demand on server resources. Some products also offer offline scanning capabilities, where images can be scanned even when they’re not running.
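The staggered, randomised overnight scanning described above, as an added example (not code from the article or from any anti-malware product): a small Python scheduler that gives each idle hosted desktop a random start time inside a maintenance window while capping how many scans may overlap, and defers any desktop that still has a user logged on. The desktop names and scan durations are constructed for the example.

```python
import random

# Constructed inventory of hosted desktops (assumed values, not from the article):
# name, whether a user session is currently active, and estimated full-scan minutes.
DESKTOPS = [
    {"name": "vdi-001", "in_use": False, "scan_minutes": 45},
    {"name": "vdi-002", "in_use": False, "scan_minutes": 30},
    {"name": "vdi-003", "in_use": True, "scan_minutes": 45},  # user logged on: defer
    {"name": "vdi-004", "in_use": False, "scan_minutes": 60},
    {"name": "vdi-005", "in_use": False, "scan_minutes": 30},
    {"name": "vdi-006", "in_use": False, "scan_minutes": 45},
]

def overlapping(planned, start, end):
    """Count already-planned scans whose [s, e) interval overlaps [start, end)."""
    return sum(1 for s, e, _ in planned if s < end and start < e)

def schedule_scans(desktops, window_minutes, max_concurrent, seed=None):
    """Randomly place each idle desktop's scan inside the overnight window so that
    at most max_concurrent run at once. Returns (planned, deferred): planned is a
    sorted list of (start, end, name) in minutes; deferred could not be scanned."""
    rng = random.Random(seed)
    planned = []
    deferred = [d["name"] for d in desktops if d["in_use"]]
    idle = [d for d in desktops if not d["in_use"]]
    rng.shuffle(idle)  # vary which desktops are placed first on each run
    for d in idle:
        dur = d["scan_minutes"]
        for _ in range(500):  # random trials; give up if the window is saturated
            start = rng.randint(0, max(window_minutes - dur, 0))
            end = start + dur
            # Fewer than max_concurrent existing scans touching [start, end)
            # guarantees the per-minute bound still holds after adding this one.
            if end <= window_minutes and overlapping(planned, start, end) < max_concurrent:
                planned.append((start, end, d["name"]))
                break
        else:
            deferred.append(d["name"])
    planned.sort()
    return planned, deferred

def peak_concurrency(planned):
    """Highest number of scans running in the same minute (used to verify)."""
    events = sorted([(s, 1) for s, _, _ in planned] + [(e, -1) for _, e, _ in planned])
    peak = cur = 0
    for _, delta in events:
        cur += delta
        peak = max(peak, cur)
    return peak
```

Calling `schedule_scans(DESKTOPS, 480, 2, seed=7)` plans five scans across an eight-hour window with never more than two running together, and reports vdi-003 as deferred because a user is still logged on.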

The alternative is to dispense with on-demand scanning altogether by using a non-persistent desktop image. This type of virtualised desktop is destroyed when the user logs off and reborn, Phoenix-like, when the user logs on again, giving them a fresh image each time. It is then populated with user data and applications. On-access malware scanning can then run in the background, checking user files and emails for incoming viruses.

One of the upsides to this approach is that administrators can personalise a user’s desktop with custom sets of applications while keeping the underlying operating system secure. This mix of personalisation and security has been difficult to achieve with conventional stand-alone thick clients in the past.

Security isn’t a foregone conclusion in a virtual desktop system, but it can be far easier to secure user sessions in these environments with correct planning. As with all desktop virtualisation projects, a little forethought goes a long way. ®
