3 steps to lock down VDI security
Despite a popular myth, virtual desktops are susceptible to security breaches just like traditional desktops. IT admins can improve VDI security by following these best practices.
It's a common myth that VDI is inherently more secure than traditional desktop environments, but the reality is virtual desktops are still susceptible to attacks and security issues.
IT administrators can improve VDI security by following some essential best practices.
Restrict, disable services
A secure VDI environment is one that's pared down to only what an organization needs. End users with access to unnecessary services and networks can cause significant security risks.
Malicious employees, for example, could transfer sensitive business data from the virtual desktop to a local USB drive. For that reason, IT should disable access to local USB drives. Alternatively, IT could disallow copy and paste functions, but taking that step could also hinder productivity. To further prevent data theft and migration, IT should develop a whitelist or a blacklist to ensure end users cannot access certain external sites or email providers.
IT should also evaluate the master image for extraneous services. The search function and print spooler, for example, are often unnecessary services in Windows desktops that waste memory and hinder VDI security.
Use VDI security tools
IT should implement basic security measures, such as firewalls and antivirus software. For antivirus software, IT must decide whether to run agentless or agent software on each VM. Agentless software offers better performance and reduced need for IT maintenance. IT should then ensure the software can support each layer of the VDI stack, including hypervisors that run on servers and the guest OSes running on VMs. Finally, IT pros should ensure the antivirus software is compatible with existing infrastructure, such as intrusion detection and prevention systems.
A comprehensive monitoring tool is another effective way to secure virtual desktops, because it gives IT both high-level and granular views of an organization's infrastructure. IT should choose a tool that provides the right metrics, such as access to sensitive resources and network activity, to track and prevent security issues.
Virtual desktops aren't immune to malware or ransomware, either. IT can implement third-party malware detection tools to increase VDI security. VMware admins, for example, can use Sophos for Virtual Environments or Trend Micro Deep Security; Citrix admins can use Bitdefender.
Don't forget RDP
Organizations that use Microsoft's Remote Desktop Protocol, or RDP, should be on high alert for potential security issues, such as BlueKeep, especially if they run older versions of Windows OSes. IT should evaluate whether remote access is truly necessary for all machines and disable access to those that don't need it using Group Policy. IT can also use Group Policy to require users to authenticate before they can create a remote session.
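The master image review and the RDP Group Policy checks described above can be scripted. The PowerShell below is an added example, not part of the original article: it reports whether the Windows Search (WSearch) and Print Spooler (Spooler) services are still enabled, and whether Remote Desktop is allowed without Network Level Authentication. It assumes that "authenticate before they can create a remote session" refers to NLA and reads the standard Terminal Services registry values; the helper function names are hypothetical.

```powershell
# Added example: read-only audit of a Windows master image; run it elevated.
# The service list and the advice strings are assumptions; adapt them to your baseline.
$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Check, [string]$State, [string]$Advice) {
    $findings.Add([pscustomobject]@{ Check = $Check; State = $State; Advice = $Advice })
}
function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or the value does not exist.
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

# Services the article names as often unnecessary on Windows desktops.
foreach ($name in 'WSearch', 'Spooler') {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($svc -and $svc.StartType -ne 'Disabled') {
        Add-Finding "Service $name" "$($svc.Status), start type $($svc.StartType)" `
            'Disable in the master image if no desktop needs it'
    }
}

# RDP: a value set through Group Policy takes precedence over the local setting.
$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$local  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$deny = Get-RegValue $policy 'fDenyTSConnections'
if ($null -eq $deny) { $deny = Get-RegValue $local 'fDenyTSConnections' }
$nla = Get-RegValue $policy 'UserAuthentication'
if ($null -eq $nla) { $nla = Get-RegValue "$local\WinStations\RDP-Tcp" 'UserAuthentication' }

if ($deny -ne 1) {
    Add-Finding 'Remote Desktop' "Connections allowed (fDenyTSConnections = $deny)" `
        'Deny through Group Policy unless this machine needs remote access'
    if ($nla -ne 1) {
        Add-Finding 'RDP authentication' "NLA not required (UserAuthentication = $nla)" `
            'Require Network Level Authentication through Group Policy'
    }
}

if ($findings.Count) { $findings | Format-List } else { 'No findings' }
```

The script changes nothing on the machine; it only lists settings that differ from the hardened state the article recommends.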
Require two-factor authentication
Two-factor authentication (2FA) provides an extra security layer by requiring end users to prove their identities in multiple ways, such as entering a password, using a mobile device or scanning a fingerprint. Both VMware Horizon and Citrix Virtual Apps and Desktops support 2FA, but it does require setup.
Admins can implement Citrix's 2FA service, NetScaler, in the cloud or on premises. On-premises organizations can integrate NetScaler Gateway with Azure Active Directory, but they must pay Azure licensing fees. Alternatively, Citrix admins could use Google reCAPTCHA, a free tool, but they first must set up Citrix's nFactor technology.
VMware admins running Horizon View can use any authentication device that supports RSA, including Google Authenticator. IT must turn on 2FA within the Horizon View console and ensure RSA tokens are functioning properly.