Physical vs. virtual desktop security: It's just not the same

You can't use the same methods to secure physical and virtual desktops. Here's how to change your tactics when it comes to antivirus scans and more.

A friend from Texas once told me that you protect your back door with a dog and your front door with a shotgun.

When it comes to virtual desktop security, those words ring especially true.

The point is this: The security tactic you employ depends on what you're securing and who you're protecting it from. Thieves come through the back door. Your teenage daughter's boyfriends come to the front. You want thieves to run as soon as they hear your Rottweiler, but you want the boyfriend to walk up and see your shotgun by the door as you greet him with a firm handshake.

Similarly, virtual and physical desktops require very different security techniques. With virtual desktops, you are protecting a different type of asset and potentially a different audience -- as well as dealing with new risks. Some of the standard desktop security practices used in the physical world might apply, but others are outdated when it comes to VDI security.

Here's how the differences between physical and virtual desktop security play out:

Corralling viruses

Getting rid of a virus on a virtual desktop is like being able to eliminate a rat infestation from an entire city without harming any residents or their homes. By using golden images, you preserve the healthy state of the desktop, which can be easily restored. Simply shut down machines for emergency maintenance and force all logoffs in sections, then bring them up in isolated networks or boot users into an image instead. Make sure to include a stricter local firewall policy until the virus is wiped from the network.

More on VDI security

How VDI can make your desktop security worse

VDI: The answer to desktop security nightmares

Top 5 ways VDI can improve enterprise security

Many administrators disable the Windows Firewall because it can be a nuisance for systems management, but it comes in handy for virtual desktop security. Build your golden image normally with the Windows Firewall disabled, but then build a version with the firewall enabled -- with a strict policy allowing only outbound connections. If a virus occurs, force the firewall-enabled image to be the base image for all users. They will then be able to connect to their resources, but each system will now be isolated.

As for detecting viruses, VDI security admins should change their tactics as well. Imagine 2,000 (or even 200) virtual machines all scanning their drives at the same time. The storage I/O load could bring the entire environment to a screeching halt.

Here are some new virtual desktop security tactics to consider:

  • Use randomized downloads and scan windows to limit the number of systems running updates and doing a full scan.
  • Use your antivirus product's ability to pre-scan, approve and ignore files from a gold image or clone. Instead, only scan new files that were created and modified. Each of the major vendors now has specific procedures for golden images in VDI.

Controlling Internet usage

As environments shift to virtual desktops, system and user policies become more prevalent. IT organizations should become familiar with policy-based controls such as Group Policy Objects, Symantec Endpoint Protection, etc. These tactics improve VDI security by centralizing control of the user environment.

Here are some areas you can easily control using virtual desktop security policies:

  • Age of temporary files stored by browsers
  • Types of files that can be downloaded
  • Where to download the files. This allows you to control the location for better visibility.
  • Controlling scripts that can be executed
  • Sites that are granted higher privileges

Security practices of the past may not necessarily apply to VDI security. Here is a more complete breakdown of the differences between physical and virtual desktop security:

Security risk Physical/legacy desktop Virtual desktop Recommendation
Viruses on PC drives Regular full scan needed to catch files missed with real-time scanning Full scan no longer necessary and can kill VDI performance Use antivirus pre-scanning features
Viruses on network drives Most files are local with some on servers; server files are scanned separately VDI places more data on shared storage resources (profiles, folder redirection); expect more files to scan on servers Expect more I/O load on file servers; give more spindles or higher priority in SAN during scan windows
Internet downloads Difficult to control Use of policies (GPOs, for instance) provides better control Focus on entry points (gateways, firewalls) and policies rather than endpoints
System isolation A necessary but time-consuming method to deal with infestation Allows for system isolation and force-boot of highly protected systems to keep users working Prepare a base image just for this scenario
Access/firewall policies Windows Firewall to protect desktop OS when it roams outside Even if the user and endpoint is mobile, VDI machine is still at the data center Put money into data center/gateway security instead
Data loss prevention (DLP) DLP used to scan data at rest and in transit to protect corporate assets Same tactic as physical but can now control connection of external devices (USB drives) better through VDI policies VDI does not eliminate the need for DLP
Drive encryption Prevents information theft when drives are removed or laptops are stolen No need for encryption because VM is at the data center in a controlled environment Save your money and don't buy whole-disk encryption

 

This was first published in July 2012

Dig deeper on Virtual desktop management

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

Related Discussions

Eugene Alfaro asks:

What do you find most problematic when securing virtual desktops?

0  Responses So Far

Join the Discussion

2 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

SearchEnterpriseDesktop

SearchServerVirtualization

SearchCloudComputing

SearchConsumerization

SearchVMware

Close