There are three quick steps that IT administrators can take to better secure VDI environments: disable local USB drives, segregate networks and keep the base image clean.
Virtual desktops can help IT pros quickly and effectively deliver desktops to users, but moving too fast can also pose a security risk. It's important to get VDI security right the first time to avoid costly data breaches. These tips should help improve VDI security and reduce the damage if a security breach occurs.
Disable local USB
A local USB drive can present a significant security risk. Nearly all organizations give employees access to sensitive business data, but if an employee can use local USB devices, they could copy data from the virtual desktop to the local USB drive.
Device management software can force local devices to encrypt data, which mitigates the risk associated with an employee who loses a USB drive with sensitive data. However, this approach does not stop a malicious employee. The best way to prevent unauthorized data theft is to disable local USB access.
Administrators may also choose to disable copy and paste functions to prevent users from copying data from one virtual desktop to another. This measure may reduce user productivity, but the tradeoff could make sense if users have access to sensitive data.
Segregate networks and restrict access
Keeping IT management infrastructure separate from VDI helps reduce the risk of a single guest causing issues for the server infrastructure. Virtual LANs and appropriate firewall security are critical pieces of a secure VDI environment. If a user does not need protocol access, administrators should disable that access. IT pros can use policies and groups to control which desktops need access to various protocols. For example, developers might need access to protocols, such as WebDAV (Web Distributed Authoring and Versioning), FTP or Secure Socket Shell, that line-of-business employees do not.
It's also important to restrict the resources that virtual desktops can access. If a user can connect to an external email provider, other measures to restrict data migration and theft -- such as disabling local USB access -- are useless. If possible, admins should use a whitelist approach to external sites. It may take some time to build a comprehensive whitelist, but this approach is much more secure than a blacklist.
Scrutinize the master build
A well-thought-out and hardened master image is critical to creating a secure VDI environment.
Administrators should turn off unneeded services, such as the Windows search service and printer spooler services. Each user's needs will vary, but there are many services that users do not require, and leaving them enabled presents a security risk. Unneeded services also waste memory. If administrators disable these services for every VM across a large VDI deployment, they can reclaim significant RAM.
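As an added example (not from the article), the following PowerShell script applies two of the controls above to a Windows master image before it is sealed: it disables the Windows Search and Print Spooler services, and it sets the Remote Desktop Services policies that block drive redirection (local USB drives) and clipboard redirection (copy and paste), then audits the result. It assumes an RDP-based VDI broker, since Citrix and VMware clients enforce redirection through their own policies; the service list is an assumption to be reviewed against actual user needs.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the article. Service names are assumptions to review.
$UnneededServices = @('WSearch', 'Spooler')   # Windows Search, Print Spooler

# RDS "Device and Resource Redirection" policies live under this key
$RdsPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$RedirectionPolicies = @{
    fDisableCdm      = 1   # Do not allow drive redirection (local USB drives)
    fDisableClip     = 1   # Do not allow Clipboard redirection (copy/paste)
    fDisablePNPRedir = 1   # Do not allow Plug and Play device redirection
}

function Disable-UnneededService {
    param([string[]]$Name)
    foreach ($svc in $Name) {
        $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
        if (-not $s) { Write-Warning "Service $svc not present in this image"; continue }
        if ($s.Status -ne 'Stopped') { Stop-Service -Name $svc -Force }
        Set-Service -Name $svc -StartupType Disabled
        Write-Output "Disabled $svc"
    }
}

function Set-RedirectionPolicy {
    param([string]$Path, [hashtable]$Values)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    foreach ($k in $Values.Keys) {
        New-ItemProperty -Path $Path -Name $k -Value $Values[$k] -PropertyType DWord -Force | Out-Null
    }
}

function Test-MasterImage {
    # Audit pass: report anything still non-compliant before the image is sealed
    $drift = @()
    foreach ($svc in $UnneededServices) {
        $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
        if ($s -and $s.StartType -ne 'Disabled') { $drift += "$svc startup type is $($s.StartType)" }
    }
    foreach ($k in $RedirectionPolicies.Keys) {
        $v = (Get-ItemProperty -Path $RdsPolicy -Name $k -ErrorAction SilentlyContinue).$k
        if ($v -ne $RedirectionPolicies[$k]) { $drift += "$k is '$v', expected $($RedirectionPolicies[$k])" }
    }
    if ($drift) { $drift | ForEach-Object { Write-Warning $_ } } else { Write-Output 'Master image compliant' }
}

Disable-UnneededService -Name $UnneededServices
Set-RedirectionPolicy -Path $RdsPolicy -Values $RedirectionPolicies
Test-MasterImage
```

Run the audit function on its own against running desktops to detect drift from the sealed image between refresh cycles.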
Admins should resist the temptation to bundle all applications into the base image. Instead, create a clean base image, and manage applications via profiles and groups.
Embrace nonpersistent virtual desktops, where possible. It is actually simple to provide users with new desktops each time they log in. Use profiles and profile disks to provide a persistent experience. If done correctly, the user won't know the difference. Under this approach, an administrator need only ensure the master image is up to date, whereas persistent virtual desktops require frequent patches.