Securing the virtual desktop

All in the planning

Securing the endpoint has always been a headache for IT administrators. The less managed those endpoints are, the worse the headache is. In a virtualised desktop environment, where those operating systems and applications are more managed, does the problem go away?

Ostensibly, security is less of a problem in a virtual desktop environment. In a VDI or Remote Desktop Services implementation, the entire operating system and applications run centrally, and the user’s data remains in the data centre. Nevertheless, there are risks.

One quick-witted Reg reader pointed out that it would be relatively easy for an attacker to spoof a thin client using a terminal emulator, for example, and then copy the streamed session data to a local drive.

“There will always be risks,” argues David Cowan, of IT services firm Plan-Net. But he adds that there are things you can do to mitigate those risks. “That would be two-factor authentication, or a remote access procedure where they have to go to a main portal to be part of the network.”

Running all sessions through an encrypted connection broker can also help to secure user sessions from prying eyes. The connection broker can operate in a DMZ, shunting user sessions into a trusted part of the infrastructure as encrypted streams.

Various other attacks are possible on a virtualised desktop infrastructure. A hacker could gain access to an administrative account on a virtual machine, and use that platform to mount an attack on the hypervisor. It may also be possible to mount an attack using vulnerabilities in the virtualisation management software itself.

On the upside, the centralisation of the desktop makes it more manageable, which means that the well-prepared IT administrator will be able to lock down security more effectively. One of the first things that an administrator should do is to create a minimum security baseline.

Gold standard

This baseline should mandate a non-administrative access account for users, limiting the operating system’s exposure to attack. This minimum security baseline will generally form part of a ‘gold image’, that is then cloned for many users.

Other things to consider when creating this gold image include network access control agents for persistent desktops that maintain their state even when the user is logged off. This enables each virtual desktop to check in with a policy server on login, and ensures that it is updated with the latest patches.

It is also possible to rationalise anti-malware packages when using a gold image. Instead of installing all the available features and components of an anti-malware package, including a personal firewall and content scanner, virtual desktop administrators may choose to simplify the installation (and reduce the computational load) by running a single content scanner and firewall at the gateway.

This relies on the fact that all the desktops are contained in the data centre, with a perimeter which should be easier to manage. But each virtual machine will still need an anti-malware scanner. On a conventional stand-alone desktop, a virus scan uses only local resources, which eliminates the load on the server. But when that desktop is hosted on the server, a virus scan can significantly tax resources.

How can systems administrators mitigate this problem? Randomised on-demand scanning is one approach. On-demand scanning sweeps the whole virtual machine for malware in one shot, and can take a significant amount of time, but it can be carried out more easily in a server environment.

Non-persistent desktop image

Standalone machines on the network might be turned off at night, calling for Wake-on-LAN functionality to start them up again for scanning purposes. In a server implementation, scans can be staggered throughout the night, and perhaps during the day if a desktop is not being used, to smooth out demand on server resources. Some products also offer offline scanning capabilities, where images can be scanned even when they’re not running.
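The staggering described above, as an added example that is not from the article or any vendor product: a small scheduler that randomises scan order, limits how many on-demand scans overlap on one hypervisor host, defers desktops that are in use, and marks powered-off images for an offline scan. Desktop names, hosts and states are constructed sample data.

```python
"""Stagger on-demand malware scans of hosted virtual desktops so they
do not all hit the server at once. Added example; inventory below is
constructed, not taken from any real environment."""
import random
from datetime import datetime, timedelta

# Constructed inventory: (desktop, hypervisor host, state).
# States: "idle" (powered on, nobody logged in), "in_use", "off".
DESKTOPS = [
    ("vdi-01", "hostA", "idle"), ("vdi-02", "hostA", "in_use"),
    ("vdi-03", "hostA", "off"),  ("vdi-04", "hostB", "idle"),
    ("vdi-05", "hostB", "idle"), ("vdi-06", "hostB", "off"),
]
NIGHT_START = datetime(2024, 1, 1, 22, 0)   # assumed quiet window
NIGHT_END = datetime(2024, 1, 2, 6, 0)


def schedule_scans(desktops, window_start, window_end, scan_minutes,
                   max_per_host, seed=0):
    """Return {desktop: (start_time, mode)} for desktops that fit in the
    window. Order is shuffled so the same machines are not always first;
    at most max_per_host scans overlap on any one host, with later scans
    pushed back in waves of one scan length. Desktops in use are skipped
    (retry next window); powered-off images get an offline scan of the
    disk image instead of an in-guest on-demand scan."""
    rng = random.Random(seed)
    order = list(desktops)
    rng.shuffle(order)
    scan_len = timedelta(minutes=scan_minutes)
    placed = {}            # host -> number of scans already placed there
    plan = {}
    for name, host, state in order:
        if state == "in_use":
            continue
        n = placed.get(host, 0)
        start = window_start + (n // max_per_host) * scan_len
        if start + scan_len > window_end:
            continue       # no room tonight; leave for the next window
        plan[name] = (start, "offline" if state == "off" else "on-demand")
        placed[host] = n + 1
    return plan


def host_start_times(plan, desktops, host):
    """Sorted scan start times for one host, to check the load spread."""
    on_host = {name for name, h, _ in desktops if h == host}
    return sorted(t for name, (t, _) in plan.items() if name in on_host)


def example_plan():
    # One-hour scans, never more than one at a time per host.
    return schedule_scans(DESKTOPS, NIGHT_START, NIGHT_END, 60, 1, seed=7)
```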

The alternative is to dispense with on-demand scanning altogether by using a non-persistent desktop image. This type of virtualised desktop is destroyed when the user logs off and reborn, Phoenix-like, when the user logs on again, giving them a fresh image each time. It is then populated with user data and applications. On-access malware scanning can then run in the background, checking user files and emails for incoming viruses.

One of the upsides to this approach is that administrators can personalise a user’s desktop with custom sets of applications while keeping the underlying operating system secure. This mix of personalisation and security has been difficult to achieve with conventional stand-alone thick clients in the past.

Security isn’t a foregone conclusion in a virtual desktop system, but it can be far easier to secure user sessions in these environments with correct planning. As with all desktop virtualisation projects, a little forethought goes a long way. ®