Virtual desktop security guide

How to put your VDI environment under lock and key

With the variety of endpoints in corporate environments today, security is more important than ever. Plus, users are becoming increasingly independent, making it difficult for IT to manage passwords, application settings and network access.

Virtual desktop infrastructure (VDI) can make your desktops either more secure or less so. Keeping data on VDI servers in the data center is safer than storing it on the user's endpoint, and administrators get tighter control over how desktops and applications are distributed. At the same time, letting users reach virtual desktops remotely exposes your data-center network to those users' devices and to whatever network they happen to be on.

To deal with those extra vulnerabilities, you need solid virtual desktop security measures. Learn how to protect the network, implement single sign-on, secure backup files and more with this guide.

How VDI can improve desktop security

Implementing VDI can be a godsend for desktop security. Data and applications live on back-end servers in the data center, so a compromised endpoint yields a screen session rather than the data itself, and those servers become an extra layer an attacker has to get through.

Can VDI solve desktop security nightmares?
The influx of smartphones, USB drives and Internet-borne malware in the enterprise has made desktop security a bad dream for many admins. But with VDI, data and applications are on secure servers in the data center. That also allows IT to create and delete virtual desktops instantly.

Five ways VDI improves enterprise security
Every VDI environment has a master image from which all virtual desktops are created. You can configure firewalls and other settings on the master image that will enhance virtual desktop security. Plus, VDI gives IT more control over what apps users can install and access. It's easy to wipe applications during session initiation or block them from being downloaded in the first place.

Protecting VDI users from themselves
Users tend to change application settings or -- even worse -- install unauthorized software on their desktops. Thin clients help: a locked-down thin client can only connect to the VDI environment, so malware or removable media can't take root on the physical endpoint. One caveat: if USB redirection is enabled, a plugged-in drive is mounted inside the virtual desktop instead, so the data center sees it even though the thin client doesn't. If users change application configuration, IT can have the profile directories reset after they log out.

How desktop virtualization can stop cybercriminals
Hackers can get into the most secure networks; not even your client or server network is safe. With VDI, however, IT can quickly discard compromised desktops and redeploy them from a clean golden image (or rebuild the image itself if that is what was tampered with). Plus, zero clients tend to be even more secure than thin clients because they have no local operating system to patch or infect, and therefore a smaller attack surface.

VDI security challenges

Hold your horses: VDI isn't always a golden ticket to desktop security. Virtualization can also present a new layer of vulnerability.

How VDI makes desktop security worse
Desktop virtualization takes users -- who are often unpredictable -- out of the field and into your data center: a user's desktop, and anything running on it, now sits on the same network as your servers. So, it's best not to let users install their own applications or hold admin rights. Just because it's "easy" to refresh a master image doesn't mean you want to be doing it all the time.

Do you still need antivirus software?
Some admins think the inherent security of virtual desktops means you don't need antivirus software for virtual desktop security -- and hey, that would reduce resource overhead, too. You can revert an infected gold image to a clean one, but that won't stop you from picking up the virus in the first place. Plus, virtual desktops, especially when accessed from mobile devices, offer more ways than ever for users to move data around -- and to contract viruses. The good news is that antivirus vendors such as McAfee and Symantec have adapted their products to virtual desktop environments, for example by offloading scanning from each desktop to a shared appliance.

Desktop security concerns: Data at rest vs. live data
Although VDI centralizes data (in the data center rather than on the endpoint), users can still pull data down to the local device through downloads, mapped client drives or cached files. That "data at rest" sits on the endpoint's disk and can be read from a lost, stolen or powered-off device unless the disk is encrypted. Plus, since virtual desktops share the data-center network, an attack on one desktop can spread to the rest.

One way to limit the damage is isolation. Sandboxing opens documents in a container that restricts what code in them can do. Another approach is micro-virtualization, which Bromium's vSentry offers: each untrusted task runs in its own hardware-isolated micro-VM that is discarded when the task ends.

Virtual desktop security measures you need to know

Now that you know how VDI can affect desktop security, check out these methods for securing virtual desktops.

Treat your office network as untrusted
It's a good idea to put a firewall between your office network and the data-center network, so that a compromised office PC can reach only the VDI brokers, not the servers behind them. Encrypting remote sessions at the Internet gateway keeps credentials and session traffic off untrusted networks. Finally, make policies for employee-owned mobile devices; it's smart to require a company-approved VDI client.

Using single sign-on to enhance desktop security
Single sign-on (SSO) makes things easier for end users because it allows them to access their virtual desktop from different locations without having to re-enter passwords for every application. You can also integrate SSO with two- or three-factor authentication so that the one login users do perform is a strong one. Backup files need protection too; backup software offers encryption, so turn it on for virtual desktop backups.

How to get rid of viruses on virtual desktops
If one virtual desktop is infected, shut the machine down, redeploy the virtual desktop from the gold image and, if you want to analyze the infection, bring the infected copy back up on an isolated network. To contain the next outbreak, keep two golden images: one built with the Windows firewall disabled, and another with the firewall enabled, blocking inbound connections by default and allowing only outbound traffic (plus the inbound ports your display protocol needs, or users won't be able to reconnect). When a virus hits, you can switch users to the firewall-enabled image and reconnect them to their virtual desktops almost instantly, with one desktop unable to reach the next.
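The firewall-enabled golden image described above, as an added example that is not part of the original article: it puts every Windows firewall profile into the block-inbound, allow-outbound state, re-opens only the display protocol so users can still reconnect, and then audits the result so an image build can refuse to seal a bad image. The port numbers (TCP 3389 for RDP, TCP/UDP 4172 for PCoIP) and the 10.0.0.0/8 broker range are assumptions; adjust them to the protocol and addressing your brokers actually use. It needs an elevated PowerShell session on Windows 8 / Server 2012 or later (the NetSecurity module).

```powershell
# Added example, not the article's own procedure: harden the firewall-enabled
# golden image (inbound blocked by default, outbound allowed, display protocol
# excepted) and verify it. Ports and address range below are assumptions.
$ErrorActionPreference = 'Stop'

# 1. All profiles on, block inbound, allow outbound, and log what gets dropped
#    so an investigation after an outbreak has something to read.
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -Enabled True `
    -DefaultInboundAction Block `
    -DefaultOutboundAction Allow `
    -LogBlocked True `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

# 2. Re-open only what a user session needs to reach the desktop. SMB, WinRM,
#    RPC and friends stay closed to neighbours on the same segment, which is
#    what keeps one infected desktop from walking to the next.
$displayRules = @(
    @{ Name = 'VDI-RDP-In';       Protocol = 'TCP'; Port = 3389 },
    @{ Name = 'VDI-PCoIP-TCP-In'; Protocol = 'TCP'; Port = 4172 },
    @{ Name = 'VDI-PCoIP-UDP-In'; Protocol = 'UDP'; Port = 4172 }
)
foreach ($r in $displayRules) {
    if (-not (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $r.Name -Direction Inbound `
            -Protocol $r.Protocol -LocalPort $r.Port -Action Allow `
            -Profile Domain -RemoteAddress '10.0.0.0/8'   # broker/client range: assumption
    }
}

# 3. Audit. Throws if any profile is disabled or still allows inbound by
#    default; lists every other enabled inbound Allow rule for review
#    (Windows ships some, such as Core Networking, so judge them, don't
#    delete blindly).
function Test-GoldImageFirewall {
    $bad = Get-NetFirewallProfile | Where-Object {
        $_.Enabled -ne 'True' -or $_.DefaultInboundAction -ne 'Block'
    }
    if ($bad) {
        $bad | Format-Table Name, Enabled, DefaultInboundAction | Out-String | Write-Host
        throw 'Golden image firewall is not in the inbound-blocked state.'
    }
    $extra = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        Where-Object { $displayRules.Name -notcontains $_.DisplayName }
    if ($extra) {
        Write-Warning ('Other enabled inbound allow rules: ' + ($extra.DisplayName -join ', '))
    }
    'OK: inbound blocked by default; only display-protocol rules added.'
}

Test-GoldImageFirewall
```

Run it as the last step of the image build, before the image is sealed; if `Test-GoldImageFirewall` throws, the build should stop rather than hand out a desktop that can be reached from its neighbours.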

For the best virtual desktop security, it's also paramount that you monitor Internet usage. Set browser rules for the age of temporary files stored, website privileges, download locations and more.

Nine ways to ensure VMware View security
To ensure VMware View security, install antivirus software in the base image or else use VMware's vShield Endpoint to offload antivirus processes to a virtual appliance. It's also a good idea to place VMware View Security servers inside a DMZ. For greater virtual desktop security in spread-out environments, View also supports smart card authentication.

Creating security certificates in VMware View
Last but not least, it's important to understand security certificates, which let browsers, View clients and services verify that the server they are connecting to is really yours before they send credentials. In VMware View, the process for creating certificate request files, submitting them to a certificate authority and configuring the security servers is somewhat involved.
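The certificate request step in outline, as an added example that is not VMware's documented procedure: it writes a certreq policy file, generates the key pair and CSR on the server, and provides a check to run after the CA-issued certificate has been accepted. The host names, organization and working directory are placeholders (assumptions). The friendly name "vdm" is what View 5.1 and later look for in the Local Computer personal store, and the key is marked exportable so the same certificate can be copied to a paired Security Server.

```powershell
# Added example, not VMware's own procedure: CSR generation and post-install
# verification for a View Connection/Security Server certificate.
# Host names, org and paths are assumptions.
$ErrorActionPreference = 'Stop'
$fqdn   = 'view.corp.example.com'   # name users type into the client
$altDns = 'view.example.com'        # extra SAN entry, assumption
$work   = 'C:\certs'
New-Item -ItemType Directory -Path $work -Force | Out-Null

# 1. certreq policy file. Key in the machine store, exportable, server
#    authentication EKU, SAN covering every name clients will use, and the
#    friendly name 'vdm' that View expects. ($Windows NT$ is escaped so
#    PowerShell does not try to expand it as a variable.)
@"
[Version]
Signature="`$Windows NT`$"
[NewRequest]
Subject = "CN=$fqdn, O=Example Corp, C=US"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
Exportable = TRUE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
FriendlyName = "vdm"
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$fqdn&"
_continue_ = "dns=$altDns"
"@ | Set-Content -Path "$work\view.inf" -Encoding ASCII

# 2. Generate the key pair and the CSR to hand to the CA.
certreq.exe -new "$work\view.inf" "$work\view.csr"

# 3. Once the CA returns view.cer, bind it to the pending private key:
#    certreq.exe -accept "$work\view.cer"

# 4. Checks to run before starting the View service: exactly one 'vdm'
#    certificate, with its private key, covering the public name, not about
#    to expire, and chaining to a CA this host trusts.
function Test-ViewCertificate {
    param([string]$HostName = $fqdn)
    $cert = @(Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.FriendlyName -eq 'vdm' })
    if ($cert.Count -eq 0) { throw "No certificate with friendly name 'vdm'" }
    if ($cert.Count -gt 1) { throw "More than one 'vdm' certificate; View will not pick reliably" }
    $cert = $cert[0]
    if (-not $cert.HasPrivateKey) { throw 'Private key missing (was certreq -accept run?)' }
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { Write-Warning "Expires $($cert.NotAfter)" }
    $san = ($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }).Format($false)
    if ($san -notmatch [regex]::Escape($HostName)) { throw "SAN does not cover $HostName" }
    if (-not $cert.Verify()) { throw 'Chain does not validate here; import the CA chain first' }
    "OK: $($cert.Subject) valid until $($cert.NotAfter); SAN: $san"
}

Test-ViewCertificate
```

The SAN check matters more than the subject: clients compare the name they connected to against the SAN list, so a certificate issued only for an internal name will still fail for users coming in through the external one.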