Many articles tout the security benefits of virtual desktop infrastructures, but few actually detail what they are. Here are the top five reasons why VDI can enhance the security posture of your organization.
The aspect of virtual desktop infrastructures (VDI) that can save the most time is keeping end-user desktops up to date with security patches. In a traditional environment, administrators must ensure that all desktops receive proper patch management care, including the following measures:
- Assessment: Which patches are needed on which systems, including 32-bit vs. 64-bit, Microsoft vs. third party, etc.?
- Scheduling: When will patches be deployed to each system?
- Deployment: Ensure that each system receives the proper set of patches and that they are properly executed.
- Reboot: Many patch deployments require reboots.
- Rescan: Reassess the machines post-reboot to make sure they were fully patched.
The above process can require significant amounts of time, effort and bandwidth. For example, take a network of 200 Windows XP Service Pack 3 systems. Microsoft's October 2009 security bulletin releases included 12 patches for the operating system and Internet Explorer -- not including patches for the .NET Framework, SQL or Office.. The 12 patches amount to 14 MB of binaries that must be distributed to each system -- close to 3 GB to deploy all patches
By moving to a VDI, this patching process can be significantly simplified: Install all required patches to the central master image.
One machine. One set of patches. One reboot. Voila! All 200 VDI instances are now patched.
Of course, if you have several master images -- such as 32-bit, 64-bit, Windows XP or Vista. -- make sure to patch each image.
Each computer in a network should be properly configured as per corporate security guidelines. This includes items such as file and access control lists, remote registry access, enabled services and account policies. Some of these items can be set via Group Policy, but many of the settings are configured when a machine is first built and are never reviewed again after system deployment. This can lead to the systems administrator's nightmare: "configuration drift."
By starting with a master VDI image, the system configuration settings can be specified at one time in one place. Each time users launch a VDI session, they receive the settings from the master image. (This assumes that the image is configured so that user-supplied data, not system changes, are stored in a space separate from the master image that can persist across sessions. See your VDI vendor documentation.)
By centrally controlling the configuration drift, you've significantly enhanced the security posture of all of your desktops. This is particularly important in industries that must comply with regulations such as the Payment Card Industry Data Security Standards, the Health Insurance Portability and Accountability Act or the Sarbanes-Oxley Act.
Endpoint firewalls, such as those built into Windows XP and Vista, provide a great first barrier to protecting the system and data on that system from insider attacks. Unfortunately, not enough companies enable their endpoint firewalls when connected to the internal network.
While group policy settings can help control firewall configurations, it's easiest to configure the firewall policies and exceptions on one master image and roll out that image via VDI. Changes to the policy, particularly for necessary application exceptions, can be made in one place in real time -- ensuring all VDI sessions receive the changes when needed rather than having to waiting for group policy updates in a traditional environment.
4. Application Control
Even if you've properly patched and configured your system and the firewall has been enabled, end users can still thwart security policies by installing applications on their desktops. If these applications aren't properly patched or configured, they can provide easy entry for hackers. Or, much worse, end users may install unapproved apps that include malware or spyware, or they may open covert channels for intruders to access data on the system.
Implementing VDI for end users provides an opportunity to lock down the applications that are allowed on the desktop. While draconian in nature, this step can take you a long way toward securing the network. Depending upon your VDI vendor, OS settings and implementation method, applications that weren't installed on the base image can be blocked from installing. In the worst case, any unapproved application that does find its way onto the image may be wiped out during the next session initiation that's refreshed from the master image.
Managing antivirus agents on more than 200 desktops can be a full-time task. In contrast, managing one agent on the master image may be all that's needed. Perform nightly antivirus scans of the master image. This can be done in a traditional manner with the image turned on, or it can be done remotely with the image turned off using the offline mounting tools supplied by the virtualization vendor.
If you're happy with the antivirus system on the master image, don't enable it for the VDI sessions. Instead, consider one of the newer, free, cloud-based reputation services such as Immunet Protect. These antivirus products are usually very lightweight, efficient engines that monitor users' actions and protect them from doing anything that might pose a threat to the system. It's a much easier, and potentially more cost-effective, solution to antivirus and antimalware than using signature-based programs on each endpoint.
Moving to VDI can benefit your enterprise in many ways, but none will be more welcome to systems and security administrators than easing their security burden. Central management of the master images can provide efficiencies and advantages for patch management, configuration management, firewall settings, application control and antivirus protection.
ABOUT THE AUTHOR:
Eric Schultze is an independent security consultant who most recently designed Microsoft patch management solutions at Shavlik Technologies. Prior to Shavlik, Schultze worked at Microsoft, where he helped manage the security bulletin and patch-release process. Schultze likes to forget that he used to work as an internal auditor on Wall Street.
This was first published in October 2009