VDI Security in 2021: Threats and Solutions
by Gilad David Maayan
What is VDI and Why is it a Security Priority?
Virtual Desktop Infrastructure (VDI) is an enterprise technology that runs desktop operating systems, typically Windows or Linux, centrally managed in a local data center. VDI delivers virtual desktop images over the network to user endpoint devices—this allows users to interact with the operating system and its applications as if they were running locally. The endpoint can be a traditional PC, mobile device, thin client device, or zero client.
In large enterprises, VDI sites are typically based on VMware Horizon or Citrix Virtual Apps and Desktops. In smaller organizations, other virtualization technologies are used, primarily Microsoft Hyper-V.
VDI is a central priority for security teams in almost every organization that deploys it. This is because VDI servers run a large number of desktops, which contain sensitive applications and data. In many cases, senior employees and privileged roles use the VDI system, and a breach could grant attackers data to the organization’s “crown jewels”. Apart from this, VDI availability is critical for the organization’s productivity, and any disruption could cause major damage.
VDI Security Risks
VDI is a mission critical technology that, by definition, stores sensitive data and applications. A VDI deployment creates four primary attack surfaces:
- Hypervisors—attackers can use malware to infiltrate the operating system and take control of the hypervisor—this is known as hyperjacking. This elusive attack allows hackers to access everything connected to the server, from the server to virtual machines and storage resources.
- Virtual machines—it takes time to patch, maintain, and protect virtual machines. Each virtual machine has its own operating system and its own configuration. If this process is not done automatically, delays in deployment of security updates and patches put the entire VDI deployment at risk.
- Network—all networks are vulnerable to attack, but virtual network environments are particularly vulnerable because they share the same physical resources. For example, if one part of the virtual network is breached, routers and links in other virtual networks could be at risk as well, if they are not separated from the breached network by segmentation.
- Employees—insider threats are a growing cause of data breaches. This is especially true in VDI deployments, because employees connect to virtual desktops running as part of the VDI system. A malicious user, or a user with a compromised personal device or account, can attempt to breach other employee’s desktops or the VDI servers.
VDI Security Architecture
What do you need to secure a VDI deployment? Here are a few key components of a VDI security architecture.
- Integrated management—VDI resources such as virtual storage, virtual computing, and virtual networks are dynamic. Tracking changes to these resources requires a centralized management platform. Running VDIi with a single, enterprise-grade virtualization platform can accelerate and simplify the configuration of virtual desktops, as well as better protect data center infrastructure and workloads.
- Real time monitoring—it is important to detect abnormal and sudden changes in the virtual infrastructure in real time, and generate meaningful alerts. Security staff should treat alerts from VDI systems as a top priority and take quick action to maintain the integrity of virtual desktop data and resources. This is also important to demonstrate compliance with standards like GDPR, HIPAA and PCI DSS.
- Remote response—security staff do not have physical access to VDI resources, and they need a way to remotely respond to events happening in the virtualized environment. Tools like endpoint detection and response (EDR) deploy agents on virtual machines, and can help contain threats by isolating VMs or blocking network traffic.
- Vulnerability scanning—vulnerabilities can arise at any time in any part of the VDI deployment. Vulnerability scanning automatically checks for known vulnerabilities (CVEs) and security weaknesses such as weak or default passwords. Some vulnerability management systems can automatically take corrective action, such as patching vulnerable systems.
- Encryption and Data Loss Prevention (DLP)—protecting the infrastructure layer is not enough. Data is often the most valuable asset for attackers. To protect VDI data, encrypt virtual machine files, virtual disk files, and core dump files. DLP systems can monitor suspicious data movements, and block attempts to exfiltrate data outside the VDI system.
How to Enhance VDI Security: Best Practices
Restrict or Disable Services
A secure VDI environment should have only the software and services that desktop users actually need. End users with access to unwanted services and networks can pose serious security risks.
Here are some examples of end-user actions that can pose security risks:
- Access to local USB drives
- Copy and paste from virtual desktop to local desktop
- Screen capture and screen sharing
- Access to printer drivers
Administrators should balance employee’s needs with security requirements, and avoid hurting productivity, while limiting services that are not absolutely necessary. Unnecessary services should be removed from the master desktop image to begin with, so they do not exist at all in end user virtual desktops. This can also conserve storage space and improve performance.
In addition, IT staff should create a whitelist or blacklist of allowed applications and websites, to prevent end users from installing certain software or accessing external sites while working on a virtual desktop.
Deploy Security Tooling in the VDI Data Center
IT must implement basic security measures such as firewalls, intrusion protection/detection systems (IPS/IDS), and running endpoint protection software on each VM. Modern endpoint protection contains antivirus, application and content whitelisting, and behavioral analysis to detect suspicious behavior on the endpoint.
When considering endpoint protection in a virtualized environment, it is preferable to use agentless software, as it can improve performance and reduce the need for IT maintenance. Make sure that the endpoint protection tool can support all layers of the VDI stack, including a bare-metal hypervisor running directly on a server and guest operating systems on VMs.
Finally, put in place monitoring tools to gain visibility over the virtualized environment, and enable real time alerting. The monitoring tool must be able to detect suspicious access to compute resources, data and networks.
Secure End-User Devices with Endpoint Protection
Even if users are connecting to the VDI servers using secured corporate workstations or laptops, there is always the risk of attackers compromising the endpoint. This would give an attacker access to sensitive data and resources.
Two factor authentication cannot stop an attacker waiting on the end-user’s device, because they can simply wait for an authentication and then use the open session to penetrate VDI systems.
The modern security approach is to “assume breach” and prepare to deal with breaches of endpoints when they inevitably happen. Endpoint Detection and Response (EDR) tools do exactly that—they make it possible for security teams to quickly detect a breach on an endpoint device, investigate it, and rapidly respond to it, for example, by isolating the endpoint or wiping and re-imaging it.
EDR is an important complementary solution to traditional endpoint protection and antivirus. While these solutions are important to prevent threats, when an attacker does manage to overcome these defenses, EDR can help detect and stop the attack.
Use Extra Protection for BYOD Devices
It is common to allow users to bring their own device (this is known as BYOD), and use them to connect to VDI services. While this can save hardware costs and make users happier, it also presents security challenges.
BYOD devices are typically not secured according to the organization’s security policies and operate on unsecured networks. Attackers can gain access to an endpoint, and use it to impersonate the user and access the organization's VDI. At a minimum, this grants access to the user’s desktop. A sophisticated attacker can perform lateral movement and privilege escalation to gain access to other parts of the VDI deployment.
To reduce the risk, take the following extra precautions for BYOD devices accessing VDI:
- Enforce strong passwords and multi-factor authentication
- Use single sign-on (SSO) software
- Deploy agents that can scan wireless networks and warn users before connecting
- Establish control over applications installed on the local device
- Ensure the personal device has up-to-date operating system and applications
Require Multi-Factor Authentication
Multi-factor authentication (MFA) provides additional security by requiring end users to prove their identity in a variety of ways, including entering a password, using a mobile device, or scanning a fingerprint. Most VDI solutions support MFA at the connection server, which accepts user requests and reroutes them to a virtual desktop. Always enable MFA to reduce the chance attackers can compromise credentials to gain access to VDI systems.
In this article, we covered the basic tenets of VDI security, and provided five best practices that can help you secure your VDI deployment:
- Restrict or disable services in master images and desktops, if they are not absolutely necessary
- Deploy state of the art security tooling in your VDI site, including IDS/IPS and endpoint security for VMs
- Don’t stop with the VDI data center—use endpoint protection to secure user devices as well
- Require extra protection for BYOD devices, including strong passwords, device scanning and application control
- Require multi factor authentication at the VDI connection server
I hope these insights and best practices will help you plan the right strategy for protecting your organization’s huge investment in virtual desktop infrastructure.
Image Source: Pixabay