A friend from Texas once told me that you protect your back door with a dog and your front door with a shotgun. When it comes to virtual desktop security, those words ring especially true.
The point is this: The security tactic you employ depends on what you're securing and who you're protecting it from. Thieves come through the back door. Your teenage daughter's boyfriends come to the front. You want thieves to run as soon as they hear your Rottweiler, but you want the boyfriend to walk up and see your shotgun by the door as you greet him with a firm handshake.
Similarly, virtual and physical desktops require very different security techniques. With virtual desktops, you are protecting a different type of asset and potentially a different audience -- as well as dealing with new risks. Some of the standard
Getting rid of a virus on a virtual desktop is like being able to eliminate a rat infestation from an entire city without harming any residents or their homes. By using golden images, you preserve the healthy state of the desktop, which can be easily restored. Simply shut down machines for emergency maintenance and force all logoffs in sections, then bring them up in isolated networks or boot users into an image instead. Make sure to include a stricter local firewall policy until the virus is wiped from the network.
Many administrators disable the Windows Firewall because it can be a nuisance for systems management, but it comes in handy for virtual desktop security. Build your golden image normally with the Windows Firewall disabled, but then build a second version with the firewall enabled -- with a strict policy allowing only outbound connections. If a virus outbreak occurs, force the firewall-enabled image to be the base image for all users. They will then be able to connect to their resources, but each system will now be isolated.
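One way to configure the firewall-enabled copy of the image, as an added example rather than the author's own procedure. It uses the NetSecurity cmdlets built into Windows 8 / Server 2012 and later; the function name, gateway address, display port and rule name are assumptions, and the single inbound exception assumes user sessions reach the desktop through a gateway.

```powershell
# Added example: run elevated inside the isolation copy of the golden image.
# Set-IsolationFirewallPolicy is a hypothetical helper name.
function Set-IsolationFirewallPolicy {
    param(
        [Parameter(Mandatory)] [string[]] $GatewayAddress,  # hypothetical gateway/broker IPs
        [int] $DisplayPort = 3389                           # assumed display protocol: RDP
    )

    # Firewall on for every profile: block unsolicited inbound, allow outbound,
    # and log dropped packets so probing from infected peers shows up in the log.
    Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
        -DefaultInboundAction Block -DefaultOutboundAction Allow -LogBlocked True

    # Default-block does not override explicit allow rules, so switch off the
    # local inbound allow rules (file sharing, remote management and so on).
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True `
        -ErrorAction SilentlyContinue | Disable-NetFirewallRule

    # Keep one path in: the user's display session, and only from the gateway.
    New-NetFirewallRule -DisplayName 'Isolation image - display session' `
        -Direction Inbound -Action Allow -Protocol TCP `
        -LocalPort $DisplayPort -RemoteAddress $GatewayAddress | Out-Null

    # Return what is now in force so the image build can record it.
    [pscustomobject]@{
        Profiles     = Get-NetFirewallProfile |
            Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction
        InboundAllow = @(Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
            Select-Object -ExpandProperty DisplayName)
    }
}

Set-IsolationFirewallPolicy -GatewayAddress '10.0.0.10'   # constructed address
```

After the call, `InboundAllow` should list only the display-session rule; anything else there is a path one desktop can still use to reach another.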
As for detecting viruses, VDI security admins should change their tactics as well. Imagine 2,000 (or even 200) virtual machines all scanning their drives at the same time. The storage I/O load could bring the entire environment to a screeching halt.
Here are some new virtual desktop security tactics to consider:
- Use randomized downloads and scan windows to limit the number of systems running updates and doing a full scan.
- Use your antivirus product's ability to pre-scan and approve files from a golden image or clone so that they can be ignored afterward. Instead, scan only new files that were created or modified. Each of the major vendors now has specific procedures for golden images in VDI.
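A sketch of the randomized scan window from the first tactic, added here as an example and not taken from the article or any antivirus vendor. It derives a stable pseudo-random offset from the machine name instead of calling a random generator; the function names, the six-hour window, the 20-minute scan length and the desktop names are assumptions.

```powershell
# Added example: spread full scans across a maintenance window.
function Get-ScanOffsetMinutes {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [int] $WindowMinutes = 360    # assumed 6-hour scan window
    )
    # Hash the name so offsets look random across the pool but stay the same
    # for a given desktop after it is refreshed from the golden image.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        $bytes  = [System.Text.Encoding]::UTF8.GetBytes($ComputerName.ToUpperInvariant())
        $digest = $sha.ComputeHash($bytes)
    } finally {
        $sha.Dispose()
    }
    [int]([System.BitConverter]::ToUInt32($digest, 0) % $WindowMinutes)
}

function Measure-PeakScanLoad {
    param(
        [string[]] $ComputerName,
        [int] $WindowMinutes = 360,
        [int] $ScanMinutes = 20       # assumed duration of one scan
    )
    # One counter per minute; a scan that starts late may run past the window.
    $load = @(0) * ($WindowMinutes + $ScanMinutes)
    foreach ($name in $ComputerName) {
        $start = Get-ScanOffsetMinutes -ComputerName $name -WindowMinutes $WindowMinutes
        for ($m = $start; $m -lt $start + $ScanMinutes; $m++) { $load[$m]++ }
    }
    ($load | Measure-Object -Maximum).Maximum
}

# Constructed pool of 2,000 desktop names, matching the scenario above.
$pool = 1..2000 | ForEach-Object { 'VDI-{0:D4}' -f $_ }
$peak = Measure-PeakScanLoad -ComputerName $pool
"Peak concurrent full scans: $peak of $($pool.Count)"

# On each desktop, a task that fires when the window opens would wait its turn:
#   Start-Sleep -Seconds (60 * (Get-ScanOffsetMinutes -ComputerName $env:COMPUTERNAME))
# and then launch the antivirus vendor's own scan command.
```

Rerun `Measure-PeakScanLoad` with different window and scan lengths to find the window that keeps the peak within what the shared storage can absorb.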
Controlling Internet usage
As environments shift to virtual desktops, system and user policies become more prevalent. IT organizations should become familiar with policy-based controls such as Group Policy Objects, Symantec Endpoint Protection, etc. These tactics improve VDI security by centralizing control of the user environment.
Here are some areas you can easily control using virtual desktop security policies:
- Age of temporary files stored by browsers
- Types of files that can be downloaded
- Where to download the files. This allows you to control the location for better visibility.
- Controlling scripts that can be executed
- Sites that are granted higher privileges
Security practices of the past may not necessarily apply to VDI security. Here is a more complete breakdown of the differences between physical and virtual desktop security:
| Security risk | Physical/legacy desktop | Virtual desktop | Recommendation |
|---|---|---|---|
| Viruses on PC drives | Regular full scan needed to catch files missed with real-time scanning | Full scan no longer necessary and can kill VDI performance | Use antivirus pre-scanning features |
| Viruses on network drives | Most files are local with some on servers; server files are scanned separately | VDI places more data on shared storage resources (profiles, folder redirection); expect more files to scan on servers | Expect more I/O load on file servers; give more spindles or higher priority in SAN during scan windows |
| Internet downloads | Difficult to control | Use of policies (GPOs, for instance) provides better control | Focus on entry points (gateways, firewalls) and policies rather than endpoints |
| System isolation | A necessary but time-consuming method to deal with infestation | Allows for system isolation and force-boot of highly protected systems to keep users working | Prepare a base image just for this scenario |
| Access/firewall policies | Windows Firewall to protect desktop OS when it roams outside | Even if the user and endpoint are mobile, VDI machine is still at the data center | Put money into data center/gateway security instead |
| Data loss prevention (DLP) | DLP used to scan data at rest and in transit to protect corporate assets | Same tactic as physical but can now control connection of external devices (USB drives) better through VDI policies | VDI does not eliminate the need for DLP |
| Drive encryption | Prevents information theft when drives are removed or laptops are stolen | No need for encryption because VM is at the data center in a controlled environment | Save your money and don't buy whole-disk encryption |
This was first published in July 2012