BeyondTrust

Security in Context: The BeyondTrust Blog

Welcome to Security in Context

Bringing you news and commentary on solutions and strategies for protecting critical IT infrastructure in the context of your business.

Is VDI More Secure Than Regular Desktops? I Think Not!

Posted December 29, 2011    Peter McCalister

I’ve made the argument in the past that VDI has a far greater potential for damage than normal desktops, in fact making them less secure in point of fact.

If effective security is defined as (security profile) x (risk profile) = (effective operational risk), then the same exact same security profile applied to a standard desktop and a VDI desktop leaves one term to be scrutinized: risk profile. To illustrate the issue, consider the “context” of a VDI desktop vs. a normal one. A normal desktop sits on the edge of your network, protected by things like network access control, layers of filtering and user access control, potential network intrusion detection, and even firewalls that protect the core of your network from the edge, or the entire outside network from your data center.

Now ask, how often are these controls effectively replicated for VDI? It’s nearly impossible to do so. VDI desktops effectively live inside your data center. Often right next to (or even in the same rack) as your virtual server cluster. Is there a hardware firewall or IDS/IPS box in between those two clusters? Not likely. So the risk profile of a VDI box is actually MUCH greater than the risk profile of a desktop box, because if security is compromised, the available attack surface is now exponentially greater. Even if you can’t escape the “jail” of the VDI cluster (say there is a firewall in place), you can now not only attack “horizontally” machines in the same virtual subnet, but you can also attack “vertically” down against the hypervisor. Compromising a hypervisor means instant and very difficult to detect access to every machine running on that physical box—effectively allowing you to own “swaths” of machines instead of one at a time. How long before someone with privileged access to critical data or server resources logs in on one of those VDI sessions? Now you’re really screwed, since breaking out of the VDI jail/cluster is much easier, and when you do you aren’t just “somewhere else in the network”, you’re smack in the middle of the crown jewels, inside the data center.

So, in short, even with identical security profiles applied to external or VDI boxes, the effective operational risk of VDI is much higher. Basically, VDI is less secure, inherently, by virtue of context, than that same non-VDI user desktop. So perhaps we can change the conversation in the future to how we can make VDI desktops at least as secure as their traditional brethren, including at a minimum some sort of privilege management solution.

Leave a Reply

Additional articles

How To Implement The Australian Signals Directorate’s Top 4 Strategies

Posted October 20, 2014    Morey Haber

The Australian Signals Directorate (ASD), also known as the Defence Signals Directorate, has developed a list of strategies to mitigate targeted cyber intrusions. The recommended strategies were developed through ASD’s extensive experience in operational cyber security, including responding to serious security intrusions and performing vulnerability assessments and penetration testing for Australian government agencies. These recommendations…

Tags:
, , , ,
asp-mvc

Exploiting MS14-059 because sometimes XSS is fun, sometimes…

Posted October 17, 2014    BeyondTrust Research Team

This October, Microsoft has provided a security update for System.Web.Mvc.dll which addresses a ‘Security Feature Bypass’. The vulnerability itself is in ASP.NET MVC technology and given its wide adoption we thought we would take a closer look. Referring to the bulletin we can glean a few useful pieces of information: “A cross-site scripting (XSS) vulnerability exists…

Tags:
4bestpracticesaudits-blog

Four Best Practices for Passing Privileged Account Audits

Posted October 16, 2014    Chris Burd

Like most IT organizations, your team may periodically face the “dreaded” task of being audited. Your process for delegating privileged access to desktops, servers, and infrastructure devices is a massive target for the auditor’s microscope. An audit’s findings can have significant implications on technology and business strategy, so it’s critical to make sure you’re prepared…

Tags:
, , , ,