One advantage (and limitation) of CIT's Virtual Desktop service is that they limit what applications you can run, limiting you to the only the applications they host. (You can package apps for them to host.) |
Topic | VDI service | Today's staff desktops | Desktops with white-listing |
---|---|---|---|
Application white listing | 100% white listing. If CIT hasn't allowed it, it won't run. | If admin access is required for an install, most end users can't install new software. However, if software can be used without installation, the user can run it. For example, Putty.exe will work. | Can run in audit-only mode to first learn of the potential impact. See the ideas below for more. |
Ensuring work files are backed up | Integrated into the service. VDI has robust end-user file storage. | Varies. Users might have work data only on their desktop, and that data might not be backed up. Users could be disciplined about keeping work data only on file shares, cloud storage, and the like. Users who must have unique locally stored data could work to ensure those files get automatically backed up. IT could start using Folder Redirection for Windows systems. | Same as with "Today's staff desktops". |
Ensuring work files are accessible by others if the person is out | Same as with "Today's staff desktops". | See the answer in "Ensuring work files are backed up" for this column. If files should be accessible to their supervisor and others, the user must be deliberate about making them accessible when using a file share, cloud storage, and the like. | Same as with "Today's staff desktops". |
Staff desktop environment is accessible anywhere, even if their office computer hardware is no longer working or accessible (fire, flood, theft, snow emergency, etc.) | No problem. No matter what happens to a user's workspace, their desktop is hosted by CIT and available via any browser or thin-client-capable networked computer, anywhere, anytime. | Problem! But is this scenario likely enough to be worth protecting against? The answer might depend on whether files are on a file share, synced to a cloud service, or otherwise not isolated to the desktop computer. If files are backed up, it is less convenient. | Same as with "Today's staff desktops". |
This will not reduce support calls for the computers we would be able to add white listing to because such calls are basically down to zero now.
This will not provide some of the other advantages of moving to VDI.
Phases can help us think about advantages of this approach:
- Great admin interface letting one see unauthorized apps, by user/machine.
- Run through a "clean", newly imaged system with representative applications to build the whitelist.
- Easy to add a new application to the whitelist. Easy to approve updates to already whitelisted apps.
- Have approval of an application apply to the application's files, etc.
- Approval based not just on name. Maybe a hash, publisher, etc.
- Record all non-whitelisted apps.
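As an added example (not from this page, CIT, or Microsoft's documentation), the audit-first rollout that the table and the list above describe, done with Microsoft AppLocker's PowerShell cmdlets: inventory a clean reference image, generate publisher rules with hash rules as fallback, deploy them in AuditOnly mode, and report the launches that would have been blocked. The reference directories and the policy path are placeholders chosen for this example.

```powershell
# Added example: build an AppLocker whitelist from a clean reference image,
# deploy it in AuditOnly mode, and report what would have been blocked.
# Assumes an elevated session on the freshly imaged machine; $RefDirs and
# $PolicyPath are placeholders for this example.

$RefDirs    = 'C:\Program Files', 'C:\Program Files (x86)', 'C:\Windows'
$PolicyPath = 'C:\AppLocker\audit-baseline.xml'
New-Item -ItemType Directory -Path (Split-Path $PolicyPath) -Force | Out-Null

# 1. Inventory executables on the clean system ("build whitelist from a clean image").
$files = foreach ($d in $RefDirs) {
    Get-AppLockerFileInformation -Directory $d -Recurse -FileType Exe
}

# 2. Prefer publisher (signature) rules; fall back to hash rules for unsigned
#    binaries. Both are stronger than approving by file name or path alone.
[xml]$policy = New-AppLockerPolicy -FileInformation $files `
    -RuleType Publisher, Hash -User Everyone -Optimize -Xml

# 3. Enforce nothing yet: AuditOnly logs every non-whitelisted launch
#    (event ID 8003 in the AppLocker log) without blocking it.
foreach ($rc in $policy.AppLockerPolicy.RuleCollection) {
    $rc.EnforcementMode = 'AuditOnly'
}
$policy.Save($PolicyPath)

# 4. Apply locally (add -Merge to combine with an existing policy instead of
#    replacing it). The Application Identity service evaluates the rules, so it
#    must be running; sc.exe is used because the service is protected on
#    current Windows 10 builds.
Set-AppLockerPolicy -XmlPolicy $PolicyPath
sc.exe config appidsvc start= auto | Out-Null
sc.exe start appidsvc | Out-Null

# 5. After a trial period: list the launches that would have been blocked,
#    grouped by file, to review before changing EnforcementMode to 'Enabled'.
$audited = Get-AppLockerFileInformation -EventLog `
    -LogPath 'Microsoft-Windows-AppLocker/EXE and DLL' -EventType Audited
$audited | Group-Object Path | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

For a fleet, the same XML can be imported into a Group Policy object instead of applied locally with Set-AppLockerPolicy.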
User launches app:
In many ways, CIT's VDI service allows less control than having Faronics's Deep Freeze on a computer. And Deep Freeze can prevent necessary updates. But what about Faronics's Anti-Executable Enterprise, if Microsoft's solutions (AppLocker, Device Guard) don't meet our needs?
Wyman at ITSO wrote, 2/18/16:
Faronics's Anti-Executable Enterprise:
Lock down Windows 10 to specific apps:
Microsoft AppLocker overview:
Microsoft Device Guard overview:
Top 10 Common Misconceptions About Application Whitelisting (FEBRUARY 19, 2014)