Feeds

Securing the virtual desktop

All in the planning

High performance access to file storage

Securing the endpoint has always been a headache for IT administrators. The less managed those endpoints are, the worse the headache is. In a virtualised desktop environment, where those operating systems and applications are more managed, does the problem go away?

Ostensibly, security is less of a problem in a virtual desktop environment. In a VDI or Remote Desktop Services implementation, the entire operating system and applications run centrally, and the user’s data remains in the data centre. Nevertheless, there are risks.

One quick-witted Reg reader pointed out that it would be relatively easy for an attack to spoof a thin client using a terminal emulator, for example, and then copy the streaming data to a local drive.

“There will always be risks,” argues David Cowan, of IT services firm Plan-Net. But he adds that there are things you can do to mitigate those risks. “That would be two factor authentication, or a remote access procedure where they have to go to a main portal be part of the network.”

Running all sessions through an encrypted connection broker can also help to secure user sessions from prying eyes. The connection broker can operate in a DMZ, shunting user sessions into a trusted part of the infrastructure as encrypted streams.

Various other attacks are possible on a virtualised desktop infrastructure. A hacker could gain access to an administrative account on a virtual machine, and use that platform to mount an attack on the hypervisor. It may also be possible to mount an attack using vulnerabilities in the virtualisation management software itself.

On the upside, the centralisation of the desktop makes it more manageable, which means that the well-prepared IT administrator will be able to lock down security more effectively. One of the first things that an administrator should do is to create a minimum security baseline.

Gold standard

This baseline should mandate a non-administrative access account for users, limiting the operating system’s exposure to attack. This minimum security baseline will generally form part of a ‘gold image’, that is then cloned for many users.

Other things to consider when creating this gold image include network access control agents for persistent desktops that maintain their state even when the user is logged off. This enables each virtual desktop to check in with a policy server on login, and ensures that it is updated with the latest patches.

It is also possible to rationalise anti-malware packages when using a gold image. Instead of installing all the available features and components of an anti-malware package, including a personal firewall and content scanner, virtual desktop administrators may choose to simplify the installation (and reduce the computational load) by running a single content scanner and firewall at the gateway.

This relies on the fact that all the desktops are contained in the data centre, with a perimeter which should be easier to manage. But each virtual machine will still need an anti-malware scanner. On a conventional stand-alone desktop, a virus scan uses only local resources, which eliminates the load on the server. But when that desktop is hosted on the server, a virus scan can significantly tax resources.

How can systems administrators mitigate this problem? Randomised on-demand scanning is one approach. On-demand scanning sweeps the whole virtual machine for malware in one shot, and can take a significant amount of time, but it can be carried out more easily in a server environment.

Non-persistent desktop image

Standalone machines on the network might be turned off at night, calling for Wake-On Lan functionality to start them up again for scanning purposes. In a server implementation, scans can be staggered throughout the night, and perhaps during the day if a desktop is not being used, to smooth out demand on server resources. Some products also offer offline scanning capabilities, where images can be scanned even when they’re not running.

The alternative is to dispense with on-demand scanning altogether by using a non-persistent desktop image. This type of virtualised desktop is destroyed when the user logs off and reborn, Phoenix-like, when the user logs on again, giving them a fresh image each time. It is then populated with user data and applications. On-access malware scanning can then run in the background, checking user files and emails for incoming viruses.

One of the upsides to this approach is that administrators can personalise a user’s desktop with custom sets of applications while keeping the underying operating system secure. This mix of personalisation and security has been difficult to achieve with conventional stand-alone thick clients in the past.

Security isn’t a foregone conclusion in a virtual desktop system, but it can be far easier to secure user sessions in these environments with correct planning. As with all desktop virtualisation projects, a little forethought goes a long way. ®

High performance access to file storage

More from The Register

next story
Feast your PUNY eyes on highest resolution phone display EVER
Too much pixel dust for your strained eyeballs to handle
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Microsoft lobs pre-release Windows Phone 8.1 at devs who dare
App makers can load it before anyone else, but if they do they're stuck with it
Report: Apple seeking to raise iPhone 6 price by a HUNDRED BUCKS
'Well, that 5c experiment didn't go so well – let's try the other direction'
Rounded corners? Pah! Amazon's '3D phone has eye-tracking tech'
Now THAT'S what we call a proper new feature
Zucker punched: Google gobbles Facebook-wooed Titan Aerospace
Up, up and away in my beautiful balloon flying broadband-bot
Nvidia gamers hit trifecta with driver, optimizer, and mobile upgrades
Li'l Shield moves up to Android 4.4.2 KitKat, GameStream comes to notebooks
AMD unveils Godzilla's graphics card – 'the world's fastest, period'
The Radeon R9 295X2: Water-cooled, 5,632 stream processors, 11.5TFLOPS
Sony battery recall as VAIO goes out with a bang, not a whimper
The perils of having Panasonic as a partner
NORKS' own smartmobe pegged as Chinese landfill Android
Fake kit in the hermit kingdom? That's just Kim Jong-un-believable!
prev story

Whitepapers

Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
HP ArcSight ESM solution helps Finansbank
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.