10 Best Practices for Desktop Virtualization
Windows Virtual Desktop is a managed virtual desktop service that includes many security capabilities for keeping your organization safe. Below we describe the ten best practices for desktop virtualization that admins can implement to keep its users secure.
1. Keep machines updated
Keep all machines in your environment up to date with security patches. One advantage is that you can use thin clients as terminals, which simplifies this task.
2. Protect all machines in your environment with antivirus software
Consider using platform-specific anti-malware software such as the Microsoft Enhanced Mitigation Experience Toolkit (EMET) for Windows machines. Some authorities recommend using the latest Microsoft-supported version of EMET within their regulated environments. Note that, according to Microsoft, EMET may not be compatible with some software, so it should be thoroughly tested with your applications before deployment in a production environment. XenApp and XenDesktop have been tested with EMET 5.5 in its default configuration. Currently, EMET is not recommended for use on a machine that has a Virtual Delivery Agent (VDA) installed.
3. Protect Machines with Firewalls
Protect all machines in your environment with perimeter firewalls, including at enclave boundaries as appropriate.
If you are migrating a conventional environment to this release, you may need to reposition an existing perimeter firewall or add new perimeter firewalls. For example, suppose there is a perimeter firewall between a conventional client and database server in the data center. When this release is used, that perimeter firewall must be placed so that the virtual desktop and user device are on one side, and the database servers and Delivery Controllers in the data center are on the other side. Therefore, consider creating an enclave within your data center to contain the database servers and Controllers. Also consider having protection between the user device and the virtual desktop.
All machines in your environment should be protected by a personal firewall. When you install core components and VDAs, you can choose to have the ports required for component and feature communication opened automatically if the Windows Firewall Service is detected (even if the firewall is not enabled). You can also choose to configure those firewall ports manually. If you use a different firewall, you must configure the firewall manually.
4. Manage user privileges
Grant users only the capabilities they require. Microsoft Windows privileges continue to be applied to desktops in the usual way: configure privileges through User Rights Assignment and group memberships through Group Policy. One advantage of this release is that it is possible to grant a user administrative rights to a desktop without also granting physical control over the computer on which the desktop is stored.
5. Get your apps in order
Don’t assume you can treat all your applications the same way and virtualize them using the same model. You’ll need to understand where each app writes its data, whether its compliant with terminal services or RDS, and whether your homegrown apps can run in a shared environment. Understanding your apps is a critical first step—don’t skip it!
6. Know your users
One of the biggest reasons desktop virtualization initiatives fail is that they’re disconnected from what the business really does and what it needs to improve. To make sure users are getting what they really need, spend some time with a few managers and power users in each department and have them walk you through their environment. What apps are they using? How are their desktops configured? How are their drives mapped? As you move ahead, return to the same users to demo the new environment for them. They can become key advocates.
7. Segment your user base
Identify the use cases you’ll need to support to make sure you’re meeting their needs effectively. The key is not to over-segment. You can usually find commonalities across use cases and departments that let you consolidate down to just a few groups that share key dimensions. Once you know the lay of the land, you can start with the low-hanging fruit—the easiest cases—to deliver a quick win and generate buzz.
8. Determine the level of customization needed for application delivery.
Once you’ve decided on the degree of customization, review the application infrastructure. Identify the skills needed to maintain and manage the new desktop virtualization environment. Don’t skimp on training or recertification. You’ll also want to establish that any new solution won’t require you to rip out and replace the entire existing infrastructure.
9. Calculate the investment cost and ramp-up time
Once you’ve collected the requirements, you’re ready to look at desktop virtualization solutions. Establish a realistic estimate of the capital expenditure acquisition costs and calculate costs for each phase of the desktop virtualization project. Construct a timetable for the development, testing and final rollout of the virtual desktop infrastructure. Estimate the annual maintenance support costs, so this can be incorporated into the IT department’s annual operational budget. Companies must map out a three- to five-year business plan that includes a realistic budget for IT salaries, training and migrations to the appropriate desktop virtualization solutions, as well as support and maintenance agreements. Do not rush the project. Careful fiscal planning will lead to faster ROI.
10. Ensure integration and interoperability with the legacy environment.
New technology deployments are frequently disruptive. Carefully review all aspects of your legacy desktop applications and tools, with an eye toward a smooth transition. Some incompatibilities are unavoidable. This is particularly true if your firm’s desktop hardware and applications are outmoded. Your IT department should work closely with vendors to find workarounds and construct a plan to ensure backward compatibility.
Want to Know More?
Want to know one of the best ways to protect your VDI?
Download a 30 day trial of RecordTS and begin recording and protecting your servers today.