
VDI security advice: Not as safe and easy as it seems

Combining Windows 7 and virtual desktops can improve security, but Brien Posey explains there are still many security issues that must be managed.

For current Windows XP customers who want to implement virtual desktops, it makes sense for solution providers to upgrade their customers to Windows 7 at the same time. However, it’s important to realize doing so will involve not only a simple operating system upgrade, but rather a fundamental restructuring of the customer’s desktop infrastructure.

Because the Virtual Desktop Infrastructure (VDI) presents its own security challenges, it is critical to evaluate how this restructuring will affect the desktop and VDI security.

Security benefits of Windows 7 and virtual desktops
A top priority for solution providers should be to migrate customers from Windows XP (or Windows Vista) to Windows 7. Not only are there revenue opportunities in doing so, but Windows XP is a decade old and lacks the security, features and hardware support of newer operating systems. At the same time, many organizations are also considering virtual desktop environments. Desktop virtualization has been described by some as a magical cure-all for desktop support woes, since it allows for centralized desktop management. Although physical desktops can also be centrally managed by using workstation management software, virtual desktops all reside in a central datacenter and run on server-class hardware. The result is that administrators can avoid some of the hassles of desktop management, such as pushing updates to physical desktops.

So, when customers commit to a Windows 7 upgrade implementation, it makes sense to suggest they also consider a VDI implementation.

One of the key drivers for Windows 7 is that it is more secure than Windows XP, and moving to a virtual desktop infrastructure also improves security. For instance, in VDI environments the user’s operating system typically runs on a backend host server rather than directly on the user’s desktop, physically isolating the user from their operating system. This isolation, and the fact that each virtual desktop can be reset to a pristine state at the end of each session, makes virtual desktops more resistant to end-user tampering and to malware infections than physical desktops.

VDI security realities
Even so, caution is advised: It would be irresponsible for a solution provider to sell VDI to customers based on the blanket statement that VDI improves security. Although VDI may be more secure than desktop PCs with locally installed operating systems, VDI also presents additional security challenges that do not exist in traditional desktop environments.

Some of these VDI security challenges stem from the added complexity compared to a traditional desktop environment. As complexity increases, so does the size of the underlying code base, and with it the likelihood that some of that code contains a vulnerability that an attacker could exploit.

Perhaps the biggest VDI security challenge is that solution providers must be able to convince their customers that the VDI environment should be truly isolated. In other words, the user should not be able to copy anything from their local desktop to the VDI image or vice versa. Otherwise, there is a risk that the user could copy sensitive data onto a removable storage device or infect the virtual desktop image with malware. There are a number of ways to accomplish this, ranging from Windows Storage Device Policies (which can be set through the registry) to commercial products.
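The Storage Device Policies mentioned above are a registry setting, so their state can be audited (and, if desired, enforced) with a few lines of PowerShell on both the VDI image and the physical endpoint. The script below is an added example, not code from the article; it assumes it is run with administrative rights on Windows 7 or later, and it uses the documented `StorageDevicePolicies\WriteProtect` value (block writes to removable storage) and the `USBSTOR` service `Start` value (4 = disabled, which blocks USB mass storage entirely).

```powershell
# Added example (not from the article): audit removable-storage lockdown on a
# Windows desktop or VDI image, and optionally enforce write protection.
# Assumes: administrative rights; Windows 7 or later.
param([switch]$Enforce)

$PolicyKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'
$UsbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

function Get-RemovableStorageStatus {
    # Returns an object describing the two controls this script cares about.
    $writeProtect = $false
    if (Test-Path $PolicyKey) {
        $item = Get-ItemProperty -Path $PolicyKey -Name 'WriteProtect' -ErrorAction SilentlyContinue
        $writeProtect = ($null -ne $item -and $item.WriteProtect -eq 1)
    }

    $usbStorDisabled = $false
    if (Test-Path $UsbStorKey) {
        $svc = Get-ItemProperty -Path $UsbStorKey -Name 'Start' -ErrorAction SilentlyContinue
        $usbStorDisabled = ($null -ne $svc -and $svc.Start -eq 4)
    }

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        WriteProtectEnabled  = $writeProtect
        UsbStorageDisabled   = $usbStorDisabled
        # Either control stops data from being copied out to a USB drive.
        RemovableWriteBlocked = ($writeProtect -or $usbStorDisabled)
    }
}

function Enable-RemovableWriteProtect {
    # Creates the policy key if it is missing and sets WriteProtect = 1 (REG_DWORD).
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name 'WriteProtect' -Value 1 -Type DWord
}

$status = Get-RemovableStorageStatus
$status | Format-List

if (-not $status.RemovableWriteBlocked) {
    Write-Warning 'Removable storage is writable: users can copy data to USB devices.'
    if ($Enforce) {
        Enable-RemovableWriteProtect
        Write-Host 'WriteProtect set; the change applies to newly attached removable drives.'
    }
}
```

Run it on a sample of endpoints as well as inside the golden VDI image, since the article’s point is that the isolation has to hold on both sides of the session.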

Another major security concern for VDI deployments has to do with the network endpoints from which users connect to VDI environments. In some cases these endpoints are simply terminals that boot directly from a network-based virtual hard drive. More often, however, users connect to VDI environments through PCs acting as thin clients. There seems to be a perception among those considering deploying VDI that once VDI is in place, there is no need to maintain desktop PCs. Nothing could be further from the truth, especially when the desktop PCs run a full Windows operating system of their own while also acting as thin clients for the virtual desktops.

Even though users will be doing all their work through a VDI session, the desktop operating system facilitates connectivity to the virtual desktop. Therefore, if the desktop operating system were to become infected with a key logger, sensitive information could still be compromised even if the virtual desktop operating system remains in a pristine state. Likewise, viruses exist that hook themselves into a Windows machine’s network transport stack and so have access to any information being sent or received on the network. Such a virus (or an attack based on the same principle) could result in sensitive information being disclosed.

Therefore, if the users’ desktops are running Windows, it is important to deploy security patches to both the physical desktops and the virtual desktops. This can come as quite a shock to those who believe desktop virtualization will free them from patch management. It is also important to run antivirus software on physical and virtual desktops. Of course, this means twice as many antivirus licenses will be required, which will increase costs.

VDI can be a very viable solution to organizations that want to simplify application management, but solution providers must be careful not to sell VDI as a magical cure-all. Instead, solution providers should have frank discussions with their customers about the benefits and risks posed by VDI and work to develop solutions that provide the benefits of VDI while maintaining the security levels normally associated with traditional PCs.

About the author:
Brien Posey is a seven-time Microsoft MVP (Windows, IIS, Exchange Server, & File Systems / Storage) with over two decades of IT experience. As a freelance technical writer, Brien has published thousands of articles and written or contributed to dozens of books on a variety of IT topics. Previously, Brien served as CIO for a national chain of hospitals and healthcare facilities. He has also served as a network administrator for some of the nation’s largest insurance companies and for the Department of Defense at Fort Knox.
