VDI vendors such as Citrix Systems and Ceedo now support User Installed Applications for virtual desktops.
While end users welcome the ability to install applications directly to their virtual desktops, User Installed Apps can be big problems for IT pros.
Let's consider some of the reasons why allowing users to install their own applications is a bad idea and how you can prevent some potential issues.
Why User Installed Apps is a bad idea
There are a number of reasons why users installing their own applications onto virtual desktops is troublesome. For starters, an organization is legally responsible for licensing any software that runs on its systems. If a user installs an unauthorized application, the organization is responsible for licensing that application.
Another problem with giving users the ability to install software is that doing so increases the chances of a malware infestation. Even if a user does not intentionally install an infected application, the chances that a malicious email attachment or a drive-by download infecting the virtual desktop increases.
A third reason why it is a bad idea to let users install their own wares is that in a VDI environment, resource consumption is a major issue. All of the virtual desktops share a finite pool of physical hardware resources. Authorized applications are tested to ensure that they do not consume excessive CPU cycles, disk I/O or network bandwidth. A rogue application can upset the delicate balance of hardware provisioning that is in place.
Finally, unauthorized applications increase support costs. If the help desk has to troubleshoot a problem with a virtual desktop, they make certain assumptions based on the way that the virtual desktop is known to be configured. An unauthorized application might replace DLL files or make registry changes that cause problems with other applications. The help desk technician might not immediately spot these problems because they are initially unaware of the unauthorized application's existence.
Preventing User Installed Applications
You can easily prevent users from installing unauthorized applications by simply tightening the NTFS permissions on the virtual desktops, but this does little to prevent the spread of malware. After all, there are some operating systems folders for which the user must have write permissions for the operating system to work correctly (such as the Internet Explorer cache). Malware authors often exploit such weaknesses in the operating system.
Tightening NTFS permissions also does nothing to prevent users from running applications that do not require installation. For example, right now I have a screen capture application open on my desktop that does not require installation -- it can be run from a flash drive or from any other form of removable media. An end user could easily use such an application to leak sensitive data.
If your virtual desktops run Windows 7, you can prevent users from installing or running unauthorized applications through the use of Microsoft AppLocker. AppLocker is a feature that is built into Windows 7 to control which files users are allowed to execute.
An administrator can specify the applications that users are and are not allowed to run through AppLocker policies. For instance, an admin might choose to block a specific file based on the executable's hash, or they might want to allow any digitally signed application from a trusted publisher.
Although AppLocker prevents users from installing or running unauthorized applications, managing AppLocker in a VDI environment can be difficult. Virtual desktops evolve over time as new versions of applications and software patches are applied. That means IT has to create corresponding rules in AppLocker to prevent patches and upgrades from being blocked. Many administrators have found that the current version of AppLocker is simply too ridged to function efficiently in a highly dynamic environment.
In addition to AppLocker, there are several third-party products available for application whitelisting. One option is Parity from Bit9. I have worked with Parity for several years and can personally attest to the fact that it works really well.
Another product is Bouncer from CoreTrace. I have never actually used Bouncer before, but have read good things about it. Both Parity and Bouncer provide more granular control over the application whitelisting process than what is available through AppLocker.
ABOUT THE AUTHOR:
Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. He has served as CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. As a freelance technical writer, he has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies.