Securing the virtual desktop
All in the planning
Securing the endpoint has always been a headache for IT administrators. The less managed those endpoints are, the worse the headache is. In a virtualised desktop environment, where those operating systems and applications are more managed, does the problem go away?
Ostensibly, security is less of a problem in a virtual desktop environment. In a VDI or Remote Desktop Services implementation, the entire operating system and applications run centrally, and the user’s data remains in the data centre. Nevertheless, there are risks.
One quick-witted Reg reader pointed out that it would be relatively easy for an attack to spoof a thin client using a terminal emulator, for example, and then copy the streaming data to a local drive.
“There will always be risks,” argues David Cowan, of IT services firm Plan-Net. But he adds that there are things you can do to mitigate those risks. “That would be two factor authentication, or a remote access procedure where they have to go to a main portal be part of the network.”
Running all sessions through an encrypted connection broker can also help to secure user sessions from prying eyes. The connection broker can operate in a DMZ, shunting user sessions into a trusted part of the infrastructure as encrypted streams.
Various other attacks are possible on a virtualised desktop infrastructure. A hacker could gain access to an administrative account on a virtual machine, and use that platform to mount an attack on the hypervisor. It may also be possible to mount an attack using vulnerabilities in the virtualisation management software itself.
On the upside, the centralisation of the desktop makes it more manageable, which means that the well-prepared IT administrator will be able to lock down security more effectively. One of the first things that an administrator should do is to create a minimum security baseline.
This baseline should mandate a non-administrative access account for users, limiting the operating system’s exposure to attack. This minimum security baseline will generally form part of a ‘gold image’, that is then cloned for many users.
Other things to consider when creating this gold image include network access control agents for persistent desktops that maintain their state even when the user is logged off. This enables each virtual desktop to check in with a policy server on login, and ensures that it is updated with the latest patches.
It is also possible to rationalise anti-malware packages when using a gold image. Instead of installing all the available features and components of an anti-malware package, including a personal firewall and content scanner, virtual desktop administrators may choose to simplify the installation (and reduce the computational load) by running a single content scanner and firewall at the gateway.
This relies on the fact that all the desktops are contained in the data centre, with a perimeter which should be easier to manage. But each virtual machine will still need an anti-malware scanner. On a conventional stand-alone desktop, a virus scan uses only local resources, which eliminates the load on the server. But when that desktop is hosted on the server, a virus scan can significantly tax resources.
How can systems administrators mitigate this problem? Randomised on-demand scanning is one approach. On-demand scanning sweeps the whole virtual machine for malware in one shot, and can take a significant amount of time, but it can be carried out more easily in a server environment.
Non-persistent desktop image
Standalone machines on the network might be turned off at night, calling for Wake-On Lan functionality to start them up again for scanning purposes. In a server implementation, scans can be staggered throughout the night, and perhaps during the day if a desktop is not being used, to smooth out demand on server resources. Some products also offer offline scanning capabilities, where images can be scanned even when they’re not running.
The alternative is to dispense with on-demand scanning altogether by using a non-persistent desktop image. This type of virtualised desktop is destroyed when the user logs off and reborn, Phoenix-like, when the user logs on again, giving them a fresh image each time. It is then populated with user data and applications. On-access malware scanning can then run in the background, checking user files and emails for incoming viruses.
One of the upsides to this approach is that administrators can personalise a user’s desktop with custom sets of applications while keeping the underying operating system secure. This mix of personalisation and security has been difficult to achieve with conventional stand-alone thick clients in the past.
Security isn’t a foregone conclusion in a virtual desktop system, but it can be far easier to secure user sessions in these environments with correct planning. As with all desktop virtualisation projects, a little forethought goes a long way. ®