VMware View security is critical for your virtual desktops. You can use many of the same best practices used to secure physical desktops for VDI security, but solid VMware View security requires some additional considerations.
For many environments, antivirus is of course an important component of VMware View security. But antivirus is one of the few applications that cannot be virtualized with products such as VMware ThinApp, so antivirus software must be installed in the base image(s). For View Composer-based pools, you can easily update virtual machines (VMs) with the latest antivirus definitions and recompose the entire pool. With persistent or individual virtual desktops, you can usually manage antivirus the same way you would with physical desktops.
Some administrators forego antivirus in virtual desktops altogether to reduce memory, CPU and disk usage. This can be an acceptable risk if you implement proper VDI security at every other point in the infrastructure. That includes filtering potentially malicious websites, antivirus scanning on file servers and email servers, proper edge security and more.
A better way to boost VMware View security without installing antivirus software in each VM is to use VMware's vShield Endpoint feature, which offloads antivirus processing from the individual VMs to a virtual appliance. With this model, a single definition update automatically protects all virtual desktops without having to recompose the entire pool. Centralizing scanning in the appliance also reduces the total system resources needed to provide antivirus functionality.
VDI security principles don’t usually call for admins to run firewalls locally on each desktop, but introducing View could require changes to network firewall rules. This VMware Knowledge Base article outlines the firewall rules that may be necessary between the different components of a View environment. The most common rules you may have to create or change are those associated with components in the demilitarized zone (DMZ), including the VMware View Security and Transfer Servers.
Maintaining VMware View security is still possible even if users access the infrastructure remotely. You can achieve the best desktop security by placing one or more View Security Servers into the DMZ, which provides end users a connection point into the infrastructure without allowing their device direct access to the secure network.
This VDI security measure can also be useful if you want to isolate non-employees onto a network segment that cannot communicate with the secure network, while still providing them with virtual desktops that have full access to the network.
Patches and updates
Simplified patching and updates inside virtual desktop operating systems is a major advantage of VDI over dedicated physical desktops. By updating the parent image, testing it and then recomposing the pool, you can quickly and reliably update all your View virtual desktops to the latest software versions.
Authentication
VMware View contains built-in support for both smart cards and RSA SecurID. Using a smart card for authentication allows an automatic disconnect once the smart card is removed, ensuring good desktop security. This scenario is very popular in healthcare, to automatically end a nurse’s session once they leave a patient's room, for instance.
By default, a user's login to the View infrastructure will pass through to the virtual desktop, even when using a multifactor authentication mechanism. This can provide a much smoother end user experience. If VMware View security is a concern, however, you may want to force users to enter credentials twice, or have them log in to the desktop with a separate account from the one they use to access the View infrastructure. To disable pass-through authentication, set the AllowSingleSignon option to Disabled in the View Agent ADM template and apply it to your virtual desktops.
USB and printer redirection
You can also disable USB and printer redirection at the level of the whole View infrastructure, a desktop pool or an individual user policy. This improves VMware View security by keeping data inside the virtual desktop so it cannot be copied to a local portable storage device or printed to an unsecured printer.
Desktop pool segregation
Using the vShield Edge add-on to vSphere, admins can segregate individual pools of desktops from one another. Segregation can provide an extra layer of VDI security that’s difficult to achieve in a physical desktop deployment. This approach to VMware View security can be useful for providing a layer of separation and access control for desktops that need to be separated from the rest of the organization, such as human resources, contractors or developers.
SSL certificates
By default, all components in the VMware View infrastructure, including vCenter Server, use a self-signed certificate to secure their SSL channels. As a VDI security best practice, you should replace these with certificates issued by a trusted certificate authority. That reduces the likelihood of a man-in-the-middle attack and eliminates the warnings that vSphere client and View Administration console users receive when connecting to these tools.
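A quick way to audit whether the certificate replacement above has actually been done on every View component is to connect to each server's SSL port and inspect what it presents. The script below is an added example written for this article, not VMware's own tooling; it assumes network reachability to each server on port 443, and the server names at the bottom are placeholders to replace with your own Connection Server, Security Server and vCenter Server names.

```powershell
# Reports whether a View component's SSL certificate is self-signed and whether
# the local Windows trust store accepts its chain (what a vSphere client or View
# Administrator user would see). Self-signed is detected by Subject == Issuer.
function Test-ViewServerCertificate {
    param(
        [Parameter(Mandatory)][string]$Server,
        [int]$Port = 443
    )
    $client = New-Object System.Net.Sockets.TcpClient
    $ssl = $null
    try {
        $client.Connect($Server, $Port)
        # Accept any certificate during the handshake so the script can inspect it itself.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($Server)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

        # Build the chain against this machine's trusted roots; revocation is skipped so
        # the check also works from a host without Internet access to CRL/OCSP endpoints.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        $trusted = $chain.Build($cert)
        $status  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        $dnsName = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)

        [pscustomobject]@{
            Server       = "${Server}:$Port"
            Subject      = $cert.Subject
            Issuer       = $cert.Issuer
            SelfSigned   = ($cert.Subject -eq $cert.Issuer)
            ChainTrusted = $trusted
            ChainStatus  = $status
            NameMatches  = ($dnsName -eq $Server)
            NotAfter     = $cert.NotAfter
        }
    }
    finally {
        if ($ssl) { $ssl.Close() }
        $client.Close()
    }
}

# Placeholder names: replace with your Connection Server, Security Server and vCenter Server.
'view-connection.example.internal', 'view-security.example.internal', 'vcenter.example.internal' |
    ForEach-Object { Test-ViewServerCertificate -Server $_ } |
    Format-Table Server, SelfSigned, ChainTrusted, ChainStatus, NameMatches, NotAfter -AutoSize
```

Any row showing SelfSigned true, ChainTrusted false or NameMatches false still needs a CA-issued certificate whose name matches the address users connect to.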
All these considerations can enhance VMware View security and make your deployment easier to manage. VMware’s View Security Hardening Guide and Anti-Virus Practices for View can also help you boost VDI security with your virtual desktops.
This was first published in October 2011