Feeds

Securing the virtual desktop

All in the planning

3 Big data security analytics techniques

Securing the endpoint has always been a headache for IT administrators. The less managed those endpoints are, the worse the headache is. In a virtualised desktop environment, where those operating systems and applications are more managed, does the problem go away?

Ostensibly, security is less of a problem in a virtual desktop environment. In a VDI or Remote Desktop Services implementation, the entire operating system and applications run centrally, and the user’s data remains in the data centre. Nevertheless, there are risks.

One quick-witted Reg reader pointed out that it would be relatively easy for an attack to spoof a thin client using a terminal emulator, for example, and then copy the streaming data to a local drive.

“There will always be risks,” argues David Cowan, of IT services firm Plan-Net. But he adds that there are things you can do to mitigate those risks. “That would be two factor authentication, or a remote access procedure where they have to go to a main portal be part of the network.”

Running all sessions through an encrypted connection broker can also help to secure user sessions from prying eyes. The connection broker can operate in a DMZ, shunting user sessions into a trusted part of the infrastructure as encrypted streams.

Various other attacks are possible on a virtualised desktop infrastructure. A hacker could gain access to an administrative account on a virtual machine, and use that platform to mount an attack on the hypervisor. It may also be possible to mount an attack using vulnerabilities in the virtualisation management software itself.

On the upside, the centralisation of the desktop makes it more manageable, which means that the well-prepared IT administrator will be able to lock down security more effectively. One of the first things that an administrator should do is to create a minimum security baseline.

Gold standard

This baseline should mandate a non-administrative access account for users, limiting the operating system’s exposure to attack. This minimum security baseline will generally form part of a ‘gold image’, that is then cloned for many users.

Other things to consider when creating this gold image include network access control agents for persistent desktops that maintain their state even when the user is logged off. This enables each virtual desktop to check in with a policy server on login, and ensures that it is updated with the latest patches.

It is also possible to rationalise anti-malware packages when using a gold image. Instead of installing all the available features and components of an anti-malware package, including a personal firewall and content scanner, virtual desktop administrators may choose to simplify the installation (and reduce the computational load) by running a single content scanner and firewall at the gateway.

This relies on the fact that all the desktops are contained in the data centre, with a perimeter which should be easier to manage. But each virtual machine will still need an anti-malware scanner. On a conventional stand-alone desktop, a virus scan uses only local resources, which eliminates the load on the server. But when that desktop is hosted on the server, a virus scan can significantly tax resources.

How can systems administrators mitigate this problem? Randomised on-demand scanning is one approach. On-demand scanning sweeps the whole virtual machine for malware in one shot, and can take a significant amount of time, but it can be carried out more easily in a server environment.

Non-persistent desktop image

Standalone machines on the network might be turned off at night, calling for Wake-On Lan functionality to start them up again for scanning purposes. In a server implementation, scans can be staggered throughout the night, and perhaps during the day if a desktop is not being used, to smooth out demand on server resources. Some products also offer offline scanning capabilities, where images can be scanned even when they’re not running.

The alternative is to dispense with on-demand scanning altogether by using a non-persistent desktop image. This type of virtualised desktop is destroyed when the user logs off and reborn, Phoenix-like, when the user logs on again, giving them a fresh image each time. It is then populated with user data and applications. On-access malware scanning can then run in the background, checking user files and emails for incoming viruses.

One of the upsides to this approach is that administrators can personalise a user’s desktop with custom sets of applications while keeping the underying operating system secure. This mix of personalisation and security has been difficult to achieve with conventional stand-alone thick clients in the past.

Security isn’t a foregone conclusion in a virtual desktop system, but it can be far easier to secure user sessions in these environments with correct planning. As with all desktop virtualisation projects, a little forethought goes a long way. ®

SANS - Survey on application security programs

More from The Register

next story
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
US mobile firms cave on kill switch, agree to install anti-theft code
Slow and kludgy rollout will protect corporate profits
Leaked pics show EMBIGGENED iPhone 6 screen
Fat-fingered fanbois rejoice over Chinternet snaps
Microsoft lobs pre-release Windows Phone 8.1 at devs who dare
App makers can load it before anyone else, but if they do they're stuck with it
Oh no, Joe: WinPhone users already griping over 8.1 mega-update
Hang on. Which bit of Developer Preview don't you understand?
Report: Apple seeking to raise iPhone 6 price by a HUNDRED BUCKS
'Well, that 5c experiment didn't go so well – let's try the other direction'
Feast your PUNY eyes on highest resolution phone display EVER
Too much pixel dust for your strained eyeballs to handle
Rounded corners? Pah! Amazon's '3D phone has eye-tracking tech'
Now THAT'S what we call a proper new feature
Hearthstone: Heroes of Warcraft – A jolly little war for lunchtime
Free-to-play WoW turn-based game when you have 20 minutes to kill
Zucker punched: Google gobbles Facebook-wooed Titan Aerospace
Up, up and away in my beautiful balloon flying broadband-bot
prev story

Whitepapers

Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
SANS - Survey on application security programs
In this whitepaper learn about the state of application security programs and practices of 488 surveyed respondents, and discover how mature and effective these programs are.