
Guru Tips

02/25/2010 Security Best Practices
01/27/2010 Single Sign In
12/15/2009 Workspace Encryption



Security Best Practices 02/25/2010

Implementing desktop virtualization can increase control, reduce exposure and avoid unnecessary risks to the enterprise desktop computing environment. vDesk is designed to secure corporate data and provides a range of policy options covering isolation, encryption, access control, operating system checks and host security scanning.

Isolation

The vDesk virtual environment, by itself, provides a significant level of isolation between the host and the guest desktop computing environments. When an application running inside the vDesk environment tries to access the host operating system resources (file system, registry, kernel objects), the application is virtualized and restricted to the virtual resources and therefore does not directly interact with the host operating system.

vDesk enables administrators to set several isolation policies. These policies can be applied by workspace instance, master, user or group to allow for different levels of isolation for different types of workers, individual users or workspaces. When considering which policy options to enable/disable, you should weigh the flexibility required by each use case against the confidentiality of the data in the workspace and the level of trust placed on the host PC. For most users, the security best practice is to make the vDesk workspace the primary desktop computing environment and then maximize the isolation between the vDesk workspace and the host PC. Depending on the level of restriction the system administrator wants to enforce, some or all of these options can be enabled:

  • Prevent Switching to Host PC
  • Isolate Clipboard
  • Clear Clipboard on Switch to Host
  • Clear Clipboard on Switch to vDesk
  • Block vDesk from Using Host Printers
  • Disable vDesk Printers
  • Disable Print Screen
  • Disable Access to Optical Drives
  • Disable Access to Fixed and Removable Devices
  • Disable Access to Network Devices
  • Disable Access to vDesk File System from Host

Host Security Scan

Prior to launching vDesk, it is recommended that you verify the security of the host PC by running a Host Security Scan. The Host Security Scan checks that the computer is protected with the required endpoint security software and that the software is up-to-date prior to launching the vDesk workspace. There are several host security scan policy enforcement options available in vDesk. Depending on the level of security the system administrator wants to enforce, some or all of these options can be enabled:

  • Check for Host Antivirus Software
  • Validate Last Antivirus Scan (Days)
  • Validate Antivirus Definition Update (Days)
  • Check for Host Antispyware Software
  • Validate Last Antispyware Scan (Days)
  • Validate Antispyware Definition Update (Days)
  • Check for Host Firewall
  • Allow Login even if Host Check Fails
  • Custom Remediation message

Operating System Check

Prior to launching vDesk, it is recommended that you check that the operating system meets a minimum patch level required by your organization to ensure that it is not vulnerable to compromise. vDesk enables administrators to enforce a minimum service pack level requirement for supported Operating Systems including Windows XP, Windows Vista and Windows 7*.

*Windows 7 available in vDesk 3.0 and later

Encryption

When you use vDesk workspaces on a laptop or removable drive, RingCube recommends encrypting the workspace to ensure confidential data is not exposed if the device is lost. If you are in the financial services, retail, government, or healthcare industries, you may be required to encrypt your workspaces just as you would be required to encrypt the file system or hard drive of a physical PC. vDesk provides integrated encryption when deploying workspaces to a portable drive or on to a PC.

For more information on vDesk Workspace Encryption, please see the Workspace Encryption GuruTip.

Workspace Access Control and Protection

In addition to the isolation policy options described above, there are additional virtual desktop policy controls regarding updates, personalization, and application installation features under the 'General' tab in the 'Create Policy' section. These policies enable administrators to further lock down the vDesk workspace environment:

  • Prohibit Change to Automatic Update Settings
  • Disable Data Import/Export
  • Prohibit Application Installation
  • Administrator vs. Limited Privileges

Network Security

These options determine whether vDesk shares the network stack and the network adapters from the host PC, or uses a virtual adapter.

Enable vDeskNet
When this option is selected, the network stack of vDesk is virtualized and a virtual network adapter, with a separate MAC address and an IP address, bridged to one of the host's physical network adapters, is available inside vDesk. This option enables network traffic isolation between the host applications and vDesk applications. It also enables several VPN clients to be used in vDesk isolated from the host.

Join Domain
With the 'Enable vDeskNet' option selected, and a domain specified in this field, vDesk workspaces will automatically join this domain. The host PC doesn't have to be joined to a domain. GPOs are automatically applied as well.


Remote Access Security

Connecting an unmanaged host PC to the corporate network over a VPN can result in malware propagation over the VPN from an infected host PC. When providing remote access, it is recommended that you verify that the user is running the VPN client from within the vDesk workspace and not directly on the host PC. This can be accomplished by using the pre-authentication host checking (aka Network Access Control) functionality of the VPN product to verify the presence of the vDesk process, registry keys and/or a hidden binary file inside the vDesk workspace.

In addition, it is recommended that organizations use some type of strong authentication such as RSA SecurID token and/or client-side certificates which can be securely stored and encrypted inside the vDesk virtual workspace.

For VPN client distribution, it is recommended that organizations use the vDesk image update feature so that VPN clients are only installed in vDesk workspaces and not on unmanaged host PCs.

vDesk Studio: Master Image Windows Security Settings

In addition to the policy options described above, vDesk administrators can modify specific Windows Security Settings to remove or disable areas of functionality, limiting the end user's ability to circumvent the security protection and enforcement policies of the virtual desktop. Below is a list of commonly used Windows Security Settings that can be modified within a Master Workspace image during a vDesk Studio session:

Windows Security Settings modified within vDesk Master Workspace


Single Sign In 01/27/2010

Why should you use vDesk SSI?

When you think of using Desktop Virtualization, you usually think of running a virtual desktop on top of an existing physical Windows PC environment. Normally, you start the physical PC, login to the OS installed on the physical PC and then repeat the login process again for the virtual desktop. If users don't have multiple virtual desktops, why make them login twice with the same credentials?

With vDesk Single Sign-in (SSI), IT administrators can streamline the login process for users with a single vDesk virtual workspace. The process of implementing SSI is as simple as writing a login script that invokes the vDesk Client and calls a command line option to start the default workspace of the authenticated user.

Once SSI is implemented, users are automatically logged into their default vDesk workspace based on the credentials used to login to their PC.

How do you implement vDesk Single Sign-in?

At a high level, there are three steps required to implement SSI:

  1. Install the vDesk Client
  2. Create the Login Script (*optional)
  3. Edit the Registry

Installing vDesk Client

1. The first thing you will want to do is install vDesk Client from the client portal

  1. Login to the Windows operating system using an admin account on the PC
  2. Go to your Client Portal "https://<ip address>:<port>/client"
  3. Log in using valid credentials
  4. Click "Launch vDesk Client"
  5. After the client launches, you can close both your web browser and vDesk Client

Creating the Login Script

2. Next, we will want to create a script that launches vDesk Client when the computer starts. You can use Notepad or any other text editor. You will want to do this if you also need to launch other applications before/after vDesk or if you want to shut down the computer after logout.

  1. Write the script (see example below):

     @ECHO OFF

     REM Launch vDesk Client and wait for exit before proceeding
     start /wait /min /d "C:\Program Files\RingCube\vDeskClient" vDeskClient.exe /ssi

     REM Shut down the computer when the user logs out of vDesk
     shutdown -s -t 0

  2. Save this file to a known location such as "C:\LaunchvDesk.bat"

Edit the Registry

3. Next, you will want to open your registry editor

  1. Click Start
  2. Select Run
  3. Type "regedit" in the box and click "OK"
  4. Now you will want to add vDesk Client to the run key for when your user logs in. You can do this on a per user basis or for all users. For the simplicity of this tip, we will just do it for all users.
  5. Navigate to
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  6. You will want to create a new string value named "vDesk" and enter the path to your script as the data. (See Figure 1)
  7. Alternatively, if you did not create a script, you can enter the following data into the registry key:
    "C:\Program Files\RingCube\vDeskClient\vDeskClient.exe" /ssi /hostlogout
  8. Now you can exit regedit and restart your computer. The next time you log in to the Windows OS, the vDesk workspace of that user will automatically launch.

Figure 1: Add the path of your script to the registry Run key.
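The three steps above combined into one deployment script, as an added example that is not RingCube's own code. It assumes the default client path shown above, an elevated session when writing to HKLM, and that the Run value is named "vDesk" as in Figure 1.

```powershell
# Added example (not from RingCube): register vDesk SSI for the current user
# or all users, optionally via the login script that shuts the PC down on logout.
param(
    [string]$ClientDir  = 'C:\Program Files\RingCube\vDeskClient',  # assumed default install path
    [string]$ScriptPath = 'C:\LaunchvDesk.bat',
    [switch]$AllUsers,                 # write to HKLM (all users) instead of HKCU (current user)
    [switch]$ShutdownOnLogout          # use the batch script; otherwise run the client directly
)

$clientExe = Join-Path $ClientDir 'vDeskClient.exe'
if (-not (Test-Path -LiteralPath $clientExe)) {
    throw "vDesk Client not found at $clientExe; install it from the client portal first."
}

$runKey = if ($AllUsers) { 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' }
          else           { 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' }

if ($ShutdownOnLogout) {
    # Same batch file as the page's example: wait for the client to exit, then power off.
    $batch = @"
@ECHO OFF
REM Launch vDesk Client and wait for exit before proceeding
start /wait /min /d "$ClientDir" vDeskClient.exe /ssi
REM Shut down the computer when the user logs out of vDesk
shutdown -s -t 0
"@
    Set-Content -LiteralPath $ScriptPath -Value $batch -Encoding ASCII

    # An auto-run script that ordinary users can edit is a persistence target for
    # anything running on the host, so allow only administrators to modify it.
    $acl = Get-Acl -LiteralPath $ScriptPath
    $acl.SetAccessRuleProtection($true, $false)   # drop inherited ACEs
    foreach ($rule in @(
        @('NT AUTHORITY\SYSTEM',    'FullControl'),
        @('BUILTIN\Administrators', 'FullControl'),
        @('BUILTIN\Users',          'ReadAndExecute'))) {
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($rule[0], $rule[1], 'Allow')))
    }
    Set-Acl -LiteralPath $ScriptPath -AclObject $acl
    $runValue = "`"$ScriptPath`""
} else {
    # Same data as step 7 above; the path is quoted because it contains a space.
    $runValue = "`"$clientExe`" /ssi /hostlogout"
}

New-ItemProperty -Path $runKey -Name 'vDesk' -Value $runValue -PropertyType String -Force | Out-Null
Write-Host "Registered '$runValue' under $runKey"
```

Run it once without switches to register the client for the current user only, or with -AllUsers -ShutdownOnLogout from an elevated prompt to reproduce the all-users setup described in the tip.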

Using SSI with MobileSync for Automated Network Backup

If you want to use vDesk MobileSync with SSI to backup the user's default vDesk virtual workspace to a network file share, you should select MobileSync option "On Exit" to automatically backup the user's workspace. (See Figure 2)
Figure 2: Configure Sync on Exit for the vDesk workspaces.


Workspace Encryption 12/15/2009

Why should you encrypt vDesk workspaces?

When you use vDesk workspaces on a laptop or removable drive, RingCube recommends encrypting the workspace to ensure confidential data is not exposed if the device is lost. If you are in the financial services, retail, government, or healthcare industries, you may be required to encrypt your workspaces just as you would be required to encrypt the file system or hard drive of a physical PC.

Compliance initiatives that require encrypting data or the full disk:

PCI DSS(Retail,Financial): PCI DSS is a security standard that includes requirements for encryption of cardholder data.

GLBA(Financial): The Gramm-Leach-Bliley Act requires financial institutions to determine when encryption of customer information in transit or in storage is appropriate and if so, to implement it.

HIPAA (Healthcare): The Health Insurance Portability and Accountability Act includes security standards that require encryption and protect the confidentiality and integrity of individually identifiable health information.

HSPD-12(Government and Defence): Homeland Security Presidential Directive 12 requires encryption to prevent unauthorized users from obtaining secret, sensitive, or confidential data.

SB-1386(Retail, Financial): California law regulating the privacy of personal information, which includes encryption of customer information.

EU Data Protection: European Union directive which regulates the processing of personal data within the European Union including encryption of personal data at rest.

How Does vDesk integrated Encryption Work?

vDesk supports integrated encryption for vDesk on a Drive and vDesk on a PC. vDesk Integrated Encryption currently supports two open source encryption products:

Both open source products create encrypted containers on a PC or a drive that can be used for deploying a vDesk Workspace Instance where all of the files contained in the Workspace are encrypted. The administrator can choose to require that workspaces are encrypted or give the user the option to encrypt the workspace. The vDesk Administration Server automates the process of installing the encryption software, creating the encrypted container and activating new vDesk workspaces inside the encrypted container (See Image 1). Once activated, encrypted workspaces are shown in the vDesk client with an orange lock icon in the vDesk Client workspace list (See Image 2).

Image 1: Workspace Activation with vDesk Integrated Encryption

Image 2: Encrypted Workspace (Orange Lock Indicates Encryption)

Configuration for vDesk Integrated Encryption is a multi-step process:
  1. Select a supported encryption product to be used to create encrypted containers for vDesk Workspace Instance deployment. Note that only one encryption product is supported by the vDesk admin server at a time. Install the encryption product using the installation executable from the product web site.
  2. Create an Encryption subdirectory in the vDesk Administration Server storage-root directory. In the Encryption subdirectory, create subdirectories that contain the encryption product installation, executable, configuration, and container files.
  3. Create one or more encryption containers of sizes that will be appropriate for the Workspaces Instances that will be deployed.
  4. Add encryption product files to the Encryption directory.
  5. Update the vDesk Administration Server system properties to configure the admin server for a specific encryption product.
  6. Update Master Workspace details to enable encryption.
For detailed steps on implementing encryption, please visit the “Configuring vDesk Integrated Encryption” chapter of the vDesk Administrator’s Guide.
