10 Best Practices for Desktop Virtualization<\/b><\/p>\n
<\/p>\n
Windows Virtual Desktop is a managed virtual desktop service that includes many security capabilities for keeping your organization safe. Below we describe the ten best practices for desktop virtualization that admins can implement to keep its users secure.<\/p>\n
1. Keep machines updated<\/b><\/p>\n
Keep all machines in your environment up to date with security patches. One advantage is that you can use thin clients as terminals, which simplifies this task.<\/p>\n
2. Protect all machines in your environment with antivirus software<\/b><\/p>\n
Consider using platform-specific anti-malware software such as the Microsoft Enhanced Mitigation Experience Toolkit (EMET) for Windows machines. Some authorities recommend using the latest Microsoft-supported version of EMET within their regulated environments. Note that, according to Microsoft, EMET may not be compatible with some software, so it should be thoroughly tested with your applications before deployment in a production environment. XenApp and XenDesktop have been tested with EMET 5.5 in its default configuration. Currently, EMET is not recommended for use on a machine that has a Virtual Delivery Agent (VDA) installed.<\/span><\/p>\n 3. Protect Machines with Firewalls<\/b><\/span><\/p>\n Protect all machines in your environment with perimeter firewalls, including at enclave boundaries as appropriate.<\/span><\/p>\n If you are migrating a conventional environment to this release, you may need to reposition an existing perimeter firewall or add new perimeter firewalls. For example, suppose there is a perimeter firewall between a conventional client and database server in the data center. When this release is used, that perimeter firewall must be placed so that the virtual desktop and user device are on one side, and the database servers and Delivery Controllers in the data center are on the other side. Therefore, consider creating an enclave within your data center to contain the database servers and Controllers. Also consider having protection between the user device and the virtual desktop.<\/span> 4. Manage user privileges<\/b> Grant users only the capabilities they require. Microsoft Windows privileges continue to be applied to desktops in the usual way: configure privileges through User Rights Assignment and group memberships through Group Policy. One advantage of this release is that it is possible to grant a user administrative rights to a desktop without also granting physical control over the computer on which the desktop is stored.<\/span><\/p>\n 5. Get your apps in order<\/b> 6. Know your users<\/b> 7. Segment your user base<\/b> 8. Determine the level of customization needed for application delivery. <\/b><\/p>\n Once you’ve decided on the degree of customization, review the application infrastructure. Identify the skills needed to maintain and manage the new desktop virtualization environment. Don’t skimp on training or recertification. You’ll also want to establish that any new solution won’t require you to rip out and replace the entire existing infrastructure.<\/span><\/p>\n 9. Calculate the investment cost and ramp-up time<\/b><\/p>\n Once you’ve collected the requirements, you’re ready to look at desktop virtualization solutions. Establish a realistic estimate of the capital expenditure acquisition costs and calculate costs for each phase of the desktop virtualization project. Construct a timetable for the development, testing and final rollout of the virtual desktop infrastructure. Estimate the annual maintenance support costs, so this can be incorporated into the IT department’s annual operational budget. Companies must map out a three- to five-year business plan that includes a realistic budget for IT salaries, training and migrations to the appropriate desktop virtualization solutions, as well as support and maintenance agreements. Do not rush the project. Careful fiscal planning will lead to faster ROI.<\/span><\/p>\n
\n<\/span>
\n<\/span>All machines in your environment should be protected by a personal firewall. When you install core components and VDAs, you can choose to have the ports required for component and feature communication opened automatically if the Windows Firewall Service is detected (even if the firewall is not enabled). You can also choose to configure those firewall ports manually. If you use a different firewall, you must configure the firewall manually.<\/span><\/p>\n
\n<\/span><\/p>\n
\n<\/span>
\n<\/span>Don\u2019t assume you can treat all your applications the same way and virtualize them using the same model. You\u2019ll need to understand where each app writes its data, whether its compliant with terminal services or RDS, and whether your homegrown apps can run in a shared environment. Understanding your apps is a critical first step\u2014don\u2019t skip it!<\/span><\/p>\n
\n<\/span>
\n<\/span>One of the biggest reasons desktop virtualization initiatives fail is that they\u2019re disconnected from what the business really does and what it needs to improve. To make sure users are getting what they really need, spend some time with a few managers and power users in each department and have them walk you through their environment. What apps are they using? How are their desktops configured? How are their drives mapped? As you move ahead, return to the same users to demo the new environment for them. They can become key advocates.<\/span><\/p>\n
\n<\/span>
\n<\/span>Identify the use cases you\u2019ll need to support to make sure you\u2019re meeting their needs effectively. The key is not to over-segment. You can usually find commonalities across use cases and departments that let you consolidate down to just a few groups that share key dimensions. Once you know the lay of the land, you can start with the low-hanging fruit\u2014the easiest cases\u2014to deliver a quick win and generate buzz.<\/span><\/p>\n