
Hardening VDI (VMView) Deployments

I have been meaning to write an article about VDI hardening for a little while. A couple of weeks ago I listened to the recording of an awesome VMworld session entitled “VMware View Security Architecture and Best Practices”, hosted by Rob Randell and Mark Benson, both from VMware. This session has finally put me back on track to write this article.

Most administrators will spend time architecting security for the Windows guest OS and authentication methods such as RSA SecurID, and will end up forgetting other important components that also need close attention in a VMware View architecture. The most common components in a View architecture are listed below; however, some organisations will also have load balancers, identity management, self-service password systems, GINA chaining components, VPNs and other components and devices.

  1. View Client (Windows Workstation) / Thin Client
  2. VMware View Security Servers
  3. VMware View Connection Servers
  4. VMware vCenter Server & ESX Servers
  5. Windows Guest OS


Component 1 – View Client / Thin Client

This topic really needs to be segmented into soft clients and thin clients. The View soft client always runs on top of an existing operating system, whether Windows, Mac or Linux, and therefore inherits the full attack surface of that base operating system. The same rule applies to embedded operating systems.

End-computing devices such as thin clients, zero clients, mobiles and tablets are less vulnerable by nature because of their reduced attack surface and locked-down environment; however, it is still recommended to keep the devices up to date with the latest firmware and security fixes.

  • If you are running devices with the TERA chip from Teradici please read this article about Teradici’s Management Console.
  • Enable and enforce 128-bit AES session encryption on the endpoint.

View soft clients will always be more vulnerable and need more attention. The recommendations for devices running soft clients may include the following, but are not limited to them.

  • Standard Windows Hardening
  • Password Policy
  • Patching
  • Antivirus
  • Verify firewall requirements
  • Utilise an endpoint intrusion prevention system such as Cisco Security Agent
  • Utilise Active Directory, RSA SecurID or smartcard authentication
  • Deploy the VMware View ADM templates to disable Single Sign-On
  • Deploy the VMware View ADM templates to enable the list of Brokers Trusted for Delegation
  • Deploy the VMware View ADM templates to disable 3rd-party Terminal Services plugins

Components 2 and 3 – Connection Servers and Security Servers

In a VMware View architecture both are services that run on Windows Server platforms and are therefore subject to the OS attack surface. The same hardening techniques used for your common Windows Server infrastructure should be applied here; they may include the following, but are not limited to them.

  • Standard Windows Hardening
  • Password Policy
  • Patching
  • Antivirus
  • Verify firewall requirements
  • Disable unneeded ciphers and SSL/TLS protocol versions
  • Disable unneeded services and network protocols (only IPv4 is needed)

It is very common to see administrators disabling services in the guest OS to optimise the end-user experience, but it is often forgotten that by disabling services you are also reducing the attack surface.

  • Replace default self-signed certificates with those from a trusted certification authority, either a commercial CA or an organizational CA.
  • Make sure all communication between View Clients and Security Servers or Connection Servers uses HTTPS (HTTP over SSL/TLS). Note that SSL 3.0 has since been shown to be insecure (the POODLE attack), so prefer TLS and disable SSL 2.0 and SSL 3.0 wherever your clients allow it.
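The "disable unneeded ciphers" item above is usually done at the Windows Schannel level, which is what the following added example does (this is not code from the original article or from VMware). It disables SSL 2.0/3.0 and the NULL, DES, RC2 and RC4 ciphers for the Windows SSL/TLS stack on a Connection or Security Server and reads the settings back. The caveat is that this governs Windows' own services on the host (RDP, IIS, WinRM); the View HTTPS listener keeps its own SSL configuration, so consult the View hardening guide for that side.

```powershell
# Added example (not from the original article): harden Schannel on a Windows Server that
# hosts a View Connection Server or Security Server. Run in an elevated PowerShell;
# Schannel re-reads these keys at reboot, so schedule a restart after applying.

$schannelPath = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# Keys (relative to SCHANNEL) that should be switched off. Some names contain a slash
# ("RC4 128/128"), and the HKLM: provider treats "/" as a path separator, so the .NET
# registry classes are used instead of New-Item/Set-ItemProperty.
$disabledKeys = @(
    'Protocols\SSL 2.0\Server', 'Protocols\SSL 2.0\Client',
    'Protocols\SSL 3.0\Server', 'Protocols\SSL 3.0\Client',
    'Ciphers\NULL', 'Ciphers\DES 56/56',
    'Ciphers\RC2 40/128', 'Ciphers\RC2 56/128',
    'Ciphers\RC4 40/128', 'Ciphers\RC4 56/128', 'Ciphers\RC4 64/128', 'Ciphers\RC4 128/128',
    'Hashes\MD5'
)

function Disable-SchannelItems {
    param([string[]]$Keys = $disabledKeys)
    $root = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($schannelPath, $true)
    if ($root -eq $null) { throw "SCHANNEL key not found: $schannelPath" }
    foreach ($k in $Keys) {
        $sub = $root.CreateSubKey($k)          # creates intermediate keys as needed
        $sub.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
        if ($k -like 'Protocols\*') {
            # Protocol keys also honour DisabledByDefault on Vista/2008 and later
            $sub.SetValue('DisabledByDefault', 1, [Microsoft.Win32.RegistryValueKind]::DWord)
        }
        $sub.Close()
    }
    $root.Close()
}

function Get-SchannelStatus {
    # One object per key; a missing key or value means Windows' default (enabled) applies
    param([string[]]$Keys = $disabledKeys)
    $root = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($schannelPath)
    foreach ($k in $Keys) {
        $sub = $root.OpenSubKey($k)
        $enabled = if ($sub -eq $null) { 'not set (enabled)' } else { $sub.GetValue('Enabled', 'not set (enabled)') }
        if ($sub -ne $null) { $sub.Close() }
        New-Object PSObject -Property @{ Key = $k; Enabled = $enabled }
    }
    $root.Close()
}

Disable-SchannelItems
Get-SchannelStatus | Format-Table -AutoSize
```

Run `Get-SchannelStatus` on its own first to see what is currently in force; on a freshly built server every entry normally reports "not set (enabled)", which is exactly why this needs to be part of the build rather than an afterthought. Disabling RC4 and MD5 can break very old clients, so test with your actual View Client and RDP population before rolling it out to the DMZ.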

Security Servers are a critical piece in your DMZ and expose a Windows attack surface to the external world. Make sure all hardening guidelines are strictly followed and that the virtual or physical Windows host is not a member of the domain. All items listed above apply to the Security Servers and, additionally, if possible, use a separate vSphere infrastructure to support your DMZ. The reason is that, despite the creation of multiple vSwitches on a single host, the virtual switching happens in a single process. Make sure your security advisory board is comfortable with the solution. You will find more on the subject in The vSwitch ILLUSION and DMZ virtualization by Brad Hedlund.

Additional global security settings related to the overall VDI solution that you may need to consider will include:

  • Authentication method
  • Security Server or VPN for remote access
  • Firewall requirements
  • Setup administrative RBACs
  • Limit Root Administrator role to small number of individuals
  • Work with more restrictive built-in roles whenever possible
  • Use custom roles for specific needs
    • For large deployments, organise resources (pools) into folders and delegate administrative roles to the folders (by geo location, business unit, function, compliance)
  • User entitlements
  • Desktop zoning and User Data zoning (I’ll cover this one in a dedicated article)
  • Multi Tenancy

Component 4 – vCenter Server & ESX Servers

Because vCenter Server runs on a Windows host, it is especially critical to protect this host against vulnerabilities and attacks. The standard set of recommendations applies, as it would for any host: install antivirus agents, spyware filters, intrusion detection systems and any other security measures, and keep them all up to date, including the application of patches.

  • Standard Windows Hardening
  • Password Policy
  • Patching
  • Antivirus
  • Verify firewall requirements
  • Limit vCenter Server logins to a small set of privileged administrators, and then only for the purpose of administering vCenter Server or the host OS.
  • Install vCenter Server using a dedicated service account instead of a built-in Windows account
  • Restrict usage of vSphere Administrator Privilege
  • Block access to ports not being used by vCenter
  • Replace default self-signed certificates with those from a trusted certification authority, either a commercial CA or an organizational CA.
  • Monitor and restrict access to the SSL certificates. The directory that contains the SSL certificates only needs to be accessed by the service account on a regular basis; occasionally the vCenter Server system administrator might need to access it for support purposes.
  • Disable unneeded services and network protocols

There are a number of hardening recommendations for vCenter Server and ESX Servers covered in the vSphere 4.0 Security Hardening Guide published by VMware in April 2010. I strongly recommend that you go through this document and check whether your VDI/vSphere environment complies with your organisation's guidelines.

Optionally and additionally you can run the vmwarevSphereSecurityHardeningReportCheck script created by William Lam.
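Two of the vCenter items above, restricting who can read the SSL certificate directory and blocking ports vCenter does not use, are easy to check and enforce from PowerShell. The following is an added example, not code from the original article, from VMware or from William Lam's script. It assumes vCenter 4.x on Windows Server 2008 with the default certificate path under ProgramData and a service account named CORP\svc-vcenter; both are placeholders to adjust.

```powershell
# Added example (not from the original article): audit the ACL on the vCenter SSL
# certificate directory and apply a default-deny inbound firewall on the host.
# Assumed: default vCenter 4.x certificate path and a service account CORP\svc-vcenter.

function Test-VcSslDirAcl {
    param(
        [string]$Path = "$env:ProgramData\VMware\VMware VirtualCenter\SSL",
        # Principals that legitimately need the directory: service account, SYSTEM, local admins
        [string[]]$Allowed = @('CORP\svc-vcenter', 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
    )
    if (-not (Test-Path $Path)) { throw "SSL directory not found: $Path" }
    $acl = Get-Acl -Path $Path
    $findings = @()
    foreach ($ace in $acl.Access) {
        $who = $ace.IdentityReference.Value
        if ($Allowed -notcontains $who) {
            $findings += New-Object PSObject -Property @{
                Identity  = $who
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
    # Inherited ACEs (typically BUILTIN\Users from C:\ProgramData) are the usual culprit:
    # break inheritance on the SSL folder and re-grant only the $Allowed principals.
    return $findings
}

function Set-VcInboundFirewall {
    # Default-deny inbound, then open only what vCenter serves. 443 (vSphere Client / web),
    # 902 and 903 (host agent and console traffic) are the common ones; extend the lists
    # from the vSphere hardening guide for add-on services, and add 3389 if you RDP to the host.
    param([int[]]$TcpPorts = @(443, 902, 903), [int[]]$UdpPorts = @(902))
    & netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound | Out-Null
    foreach ($p in $TcpPorts) {
        & netsh advfirewall firewall add rule name="vCenter TCP $p" dir=in action=allow protocol=TCP localport=$p | Out-Null
    }
    foreach ($p in $UdpPorts) {
        & netsh advfirewall firewall add rule name="vCenter UDP $p" dir=in action=allow protocol=UDP localport=$p | Out-Null
    }
}

$bad = @(Test-VcSslDirAcl)   # @() keeps an empty result as an array so .Count is 0
if ($bad.Count -eq 0) { 'SSL directory ACL: only expected principals have access' }
else { $bad | Format-Table -AutoSize }
```

Run the audit first and read the findings before calling `Set-VcInboundFirewall`; a default-deny policy applied from an RDP session without the RDP port in the allow list will cut your own session off.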

Component 5 – Windows Guest OS

Before I go ahead I would like to point out that hardening the Windows parent VM or SOE is almost limitless and should be catered to your organisation's needs and policy guidelines. You can go from patching and removing MSN Messenger to not installing whole Windows frameworks and components at all if you use the Microsoft Deployment Toolkit (MDT) as part of the initial deployment. Actually, I would recommend that you have a look at the Microsoft Deployment Toolkit (MDT) as it allows you to create a very granular deployment of your base Windows XP or 7.

Additionally, I recommend that you look at my Mastering VDI Templates updated for Windows 7 and PCoIP spreadsheet and use it as a base for your SOE hardening. There are a large number of registry tweaks and Group Policy options to be applied.

Lastly, check out the VMware View Optimization Guide for Windows 7. The PDF also includes a batch file that will help you customise your Windows 7 SOEs. The batch file changes a few registry settings and disables basic services; however, these changes target performance, not security. You should review your requirements and change the list of actions accordingly.

You will need to decide, amongst a large number of features, what shall or shall not be available to your users. After you create your matrix of features that should be available to users, you can use the instructions from my article VMware View 4.5 Command Line Usage to deploy only the feature set required. As a guideline, these are the items you should look at when hardening your SOE/Parent VM:

  • Base OS Hardening
  • Refresh Intervals (Recompose/Refresh)
  • Antivirus
  • Patch Base OS
  • View Agent
    • USB devices and Redirection
    • Drive redirection
    • Clipboard redirection
    • Printer redirection
    • GINA chaining
    • Offline/ Local Mode
    • Single Sign-On
    • Display protocols available
    • Smartcards
    • Refer to VMware View 4.5 Command Line Usage

  • Some settings are managed by the View Agent and others by AD GPO. Use the Mastering VDI Templates updated for Windows 7 to know what you can manage at each level.
  • Guest/host copy and paste and USB access are controlled by View Manager. Read my article Disabling Copy & Paste in PCoIP.
  • Define your patch management strategy. Perhaps you will apply patches to the parent VM and recompose all virtual desktops once a month or every week, but what will you do about critical updates? Your patch management strategy may or may not include a combination of recompose and standard patch management tools such as WSUS, SCCM and Altiris.
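The optimisation batch file mentioned earlier disables services for performance; the script below is an added example (not from the original article, the optimisation guide or Teradici) of the security-minded counterpart: it disables services that only add listening or lateral-movement surface on a VDI desktop and sets the PCoIP clipboard policy on the parent VM before the snapshot is taken. The registry key and value names for the clipboard setting are assumed from the pcoip.adm template ("Configure clipboard redirection") and should be verified against your copy of the template; the service list is a starting point to adjust per your feature matrix.

```powershell
# Added example (not from the original article): trim the guest-OS attack surface of a
# Windows 7 parent VM. Run elevated inside the parent VM before snapshot/recompose.

# Services that add listening surface or remote-management paths a VDI desktop rarely needs.
$servicesToDisable = @(
    'RemoteRegistry',   # remote registry editing
    'SSDPSRV',          # UPnP discovery
    'upnphost',         # UPnP device host
    'WMPNetworkSvc',    # Windows Media Player network sharing
    'RemoteAccess',     # Routing and Remote Access
    'Fax'
)

function Disable-DesktopServices {
    # Stops and disables each listed service that exists on this image; returns what changed
    param([string[]]$Names = $servicesToDisable)
    $changed = @()
    foreach ($n in $Names) {
        $svc = Get-Service -Name $n -ErrorAction SilentlyContinue
        if ($svc -eq $null) { continue }                     # not installed on this image
        if ($svc.Status -eq 'Running') { Stop-Service -Name $n -Force }
        Set-Service -Name $n -StartupType Disabled
        $changed += $n
    }
    return $changed
}

function Set-PcoipClipboardPolicy {
    # Assumed pcoip.adm semantics: 0 = disabled both directions, 1 = client to host only,
    # 2 = host to client only, 3 = enabled both directions. pcoip_admin_defaults is the
    # overridable-defaults branch; pcoip_admin (same layout) is the enforced one.
    param([ValidateRange(0,3)][int]$State = 0)
    $key = 'HKLM:\SOFTWARE\Policies\Teradici\PCoIP\pcoip_admin_defaults'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'pcoip.server_clipboard_state' -Value $State -Type DWord
    # Read back so the caller can confirm what the agent will see at next logon
    (Get-ItemProperty -Path $key).'pcoip.server_clipboard_state'
}

Disable-DesktopServices
Set-PcoipClipboardPolicy -State 0
```

Setting the policy locally in the parent VM is fine for a lab; in production deliver the same value through the pcoip.adm template in a GPO linked to the desktop OU, so it survives recompose and is visible in RSoP, and keep the service list in your SOE documentation next to the feature matrix so the reason for each disabled service is recorded.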

The key point I would like to make here is that you do not need to go nuts and start hardening your whole VDI environment. Follow your organisation's best practices and policy guidelines if you have them. If you don't, common sense normally wins.

2 comments

1 ping

  1. Express

    I’d like to set this up at my site with VPN and RSA… any recomendations??

  2. Andre Leibovici

    @Express
    There are different options for different scenarios. However, my preferred one is to use a UDP-based VPN that executes the two-factor authentication against your RSA servers. Using this method there is no need to integrate RSA with VMware View, and no need to deploy Security Servers. This works for organisations that allow VDI access if the user has successfully authenticated through the VPN.

    Some organisations will add yet another layer of security for In-Confidence data.

  1. - Cliff Davies

    […] of the datacenter, more specifically at Connection Servers and Security Servers. Follow my article Hardening VDI (VMView) Deployments and the VMware View Security Hardening Practices. […]
