The best way to lock down systems is to move to a virtual desktop infrastructure (VDI). Organizations face endless problems when they grant users administrative access on Windows PCs, yet it is very difficult to lock down an entire environment and continue to provide end users, especially travelling users, with the functionality they need to do their jobs. Of course, locking down systems has changed over the years as Microsoft has tried to address both the need for lockdown and the need for user freedom, but perceptions of lockdowns persist. Users do not want lockdowns, but corporations need them to reduce costs and maintain system stability. How do you marry the two?
With a virtual desktop infrastructure, users' corporate PCs -- the ones they need to perform their actual work -- become virtual machines; and the endpoints -- the systems they use to access their corporate PCs -- become unmanaged systems to some degree. When you
Because of this, you can use a more relaxed management strategy for the endpoints, making sure they are updated and protected, but otherwise leaving them as is. After all, the endpoint can be anything from an actual PC to a terminal or even a public PC providing a Web browser. VMware Inc., one of the leading providers of VDI, is even moving to provide users access to virtual desktops through mobile devices.
It is easy to lock down virtual desktops because of the way they work. A virtual desktop is often constructed on the fly as a user logs in, provided you are using the right VDI strategy. PCs are composed of three core components: the desktop operating system (OS), end user applications and user data (see Figure 1).
When user data is stored outside the PC through proper management strategies, you don't need to worry about the actual machine the user is working with because the user's data will not be trapped inside this machine. If applications are virtualized and applied as needed at user login through streaming technologies, the apps are not attached to an actual machine either. They are provided to any machine the user accesses. This leaves you to deliver a desktop OS to every user in your organization that is really nothing more than a core set of functionality, updates and utilities.
Figure 1: PC construction includes three core layers.
Using VDI to provide volatile PCs to your end users, that is, PCs that are constructed when a user logs in and then discarded when the user logs off, makes it much easier to lock down the desktop because the user relies on this system only to perform actual work and nothing else. And because you do not control the user's endpoint as tightly, it will be much easier to negotiate with users in order to effect the lockdown of the virtual machines in your VDI environment. For locked-down environments, VDI can give you the best of all worlds: corporations finally have control over desktop machines, albeit virtual desktop machines, and end users have the openness they require on the endpoints they use to access the corporate PCs.
ABOUT THE AUTHORS:
Danielle Ruest and Nelson Ruest are IT professionals focused on technology futures. Both are passionate about virtualization and continuous service delivery. They are authors of multiple books, including Windows Server 2008: The Complete Reference (McGraw-Hill Osborne), which is focused on building virtual workloads with this powerful new OS. They are currently writing Virtualization, A Beginner's Guide (McGraw-Hill Osborne). They are also performing a multi-city tour on Virtualization in the U.S. Feel free to contact them at firstname.lastname@example.org for any comments or suggestions.
This was first published in December 2008