Viewing 23 posts - 1 through 23 (of 23 total)
  • Vmware view versus MS terminal server
  • surfer
    Free Member

    This is a very random and esoteric question and there is a wealth of info on the interweb, but I am struggling to get an answer to my specific query, so here goes:

    We have a number of users in one division of our business that need to access systems using their own devices (mainly PCs). We have secure desktop tunneling; however, accessing MS Terminal Server is insecure and I am concerned that we have little control over the stability/security of users' home devices, and malware/viruses etc. can infect the TS client/server.
    I think Vmware view will resolve this; however, I am interested if anyone has experience of this?

    Neil_Bolton
    Free Member

    Surely you only allow port 3389 connectivity to IPs on the VPN LAN to the TS server?

    That way you know that, so long as you're using SSL VPN to get to it, you're sorted, and that is pretty much what most people do.

    However, if you want to tighten up the authentication to the RDS server you have three choices:

    “You can enhance the security of RD Session Host sessions by using Secure Sockets Layer (SSL) Transport Layer Security (TLS 1.0) for server authentication and to encrypt RD Session Host communications. The RD Session Host server and the client computer must be correctly configured for TLS to provide enhanced security.

    The three available security layers are:
    – SSL (TLS 1.0) SSL (TLS 1.0) will be used for server authentication and for encrypting all data transferred between the server and the client.
    – Negotiate The most secure layer that is supported by the client will be used. If supported, SSL (TLS 1.0) will be used. If the client does not support SSL (TLS 1.0), the RDP Security Layer will be used. This is the default setting.
    – RDP Security Layer Communication between the server and the client will use native RDP encryption. If you select RDP Security Layer, you cannot use Network Level Authentication.”

    Read here: http://technet.microsoft.com/en-us/magazine/ff458357.aspx

    Personally, I'd be happy with two form factor SSL VPN access only for users who need to get to the RDS servers.

    PS: might be worth telling us what infrastructure you're using (i.e. W2k8, etc.).

    surfer
    Free Member

    A mix, but effectively Win 2k8 server, with a Cisco desktop VPN client accessing a Cisco ISA.

    Thanks for your detailed reply BTW 🙂

    Neil_Bolton
    Free Member

    If you’re using Win XP clients to connect to a W2k8 server, update to the latest Remote Desktop client software on the client and then you can force a requirement to use Network Level Authentication on the Remote Desktop properties on the server. W7 has it installed by default.

    Two form factor is your first port of call; once someone's into your network, no amount of security helps. Start on the outside and move in.

    molgrips
    Free Member

    Are you worried about network based attacks to the remote desktop server, or malware on the client PC affecting the server via RD?

    Neil_Bolton
    Free Member

    Molgrips has a point. If you’re worried about either, then you could consider implementing a NAP server to ensure nothing gets onto the LAN until fully patched and updated.

    surfer
    Free Member

    I'm not worried about network attacks as the periphery is quite secure. I am worried about allowing users on their own PCs to access (via a secure tunnel) a TS session, and then malware/viruses etc. bridging (if that's the correct term) between the infected host PC and the TS session, and ultimately the host TS server.

    mickyfinn
    Free Member

    Vmware View is VDI based; do you have the infrastructure to implement VDI vs the lighter-weight but, as you say, less secure session-based Terminal Services/Citrix system?

    FuzzyWuzzy
    Full Member

    Depends on what policies you implement as well; if you're allowing file copies up to the TS server then yeah, you need to be careful. What are you trying to present to the users? If it's just an application then it's easy to secure MS RDS/TS (or equally use Citrix XenApp etc.). If you need to give them a usable hosted desktop then that's different, and VMware View or Xen Desktop would be worth looking at. It's not cheap to implement though (assuming they want decent performance and resilience!). How many users are you talking about?

    surfer
    Free Member

    Yes, infrastructure won't be a problem.

    surfer
    Free Member

    We need to present a number of applications, so a hosted desktop would be preferable.
    Probably talking around 25 concurrent users.
    Performance and resilience would be a function of their own internet connectivity and the hosted infrastructure in our data centre, which is Equalogic based so shouldn't be a bottleneck.

    mickyfinn
    Free Member

    TBH, with 2K+ concurrent Zendesktop licenses and 30K students and staff using the system for 8 years, we've never had a single instance of malware travelling over an RDS connection. Yes, allowing file copies is an issue from client devices, but we don't allow that and also disable redirection of client devices.

    surfer
    Free Member

    Leaving aside cost, performance, resilience etc., my question in (my) simple terms is: if we present a desktop to a remote user via a secure tunnel and their PC is full of viruses, will Vmware view completely segregate their infected PC from our network?

    mickyfinn
    Free Member

    The big benefit of VDI is it's virtual, so if a VM image gets compromised you trash it and launch a new clean one from the pool.

    surfer
    Free Member

    The big benefit of VDI is it's virtual, so if a VM image gets compromised you trash it and launch a new clean one from the pool.

    Damaging a VM image is not my concern but infecting the host infrastructure would be.

    Neil_Bolton
    Free Member

    As soon as you present the user to anything internally via your tunnel, you need to manage the client for compromised issues.

    Your remote servers are the least of your worries in that case.

    I’m presuming you’re segregating the subnet for VPN users away from the internal LANs/subnets?

    NAP is your friend in this instance, it is specifically built for this purpose, forcing a user to wait and be checked against policy before allowing access to resources.

    Neil_Bolton
    Free Member

    Without pointing out the bleeding obvious, but why are these users not being given their own managed laptops to connect in? Would save all this faffing.

    surfer
    Free Member

    you need to manage the client for compromised issues.

    That's really my issue. We have hundreds of users who access our systems remotely via devices provided by the UK IT team that are patched, secured and locked down etc. However, this group insist that providing a hundred users with laptops would be an unnecessary expense (it may be the only option, but I want to explore this first).
    This means we have no real control over the integrity of the remote device, so I have to assume it is infected etc.
    I have no real concern over the integrity of the user at the keyboard.

    Neil_Bolton
    Free Member

    In this case, I would seriously consider building your business case around two angles:

    1. More tin to manage the infrastructure required to cover the unmanaged clients, via NAP, or a more specific IDS or TDS box/system which sits behind the VPN and in front of the internal network in order to manage ALL traffic going in and out (commonly known as defence in depth), OR
    2. Buy laptops, and manage the rollout with GPO and WDS to make your life easier.

    That said, it looks like they're not being really very sympathetic to the real requirements here. It's a hornets' nest.

    I’m presuming you have no requirements for IL3 and upwards or encryption, because if you do, your life has just become hell.

    The RDS authentication is the last thing you’re needing to worry about at the moment. If the user jumps through all the hoops to GET to the RDS server, you’ll be fairly confident it’ll be safe.

    molgrips
    Free Member

    Hey this is great, let’s all share our jobs on STW! Anyone want to help me analyse these business rules? Maybe I can write you some code in return?

    FuzzyWuzzy
    Full Member

    I’d go the Citrix route personally, Citrix themselves now support a big internal BYOD deployment and have the pieces in place around client control and network isolation you’d need to do this securely.

    surfer
    Free Member

    Thanks a lot for your comments, some food for thought 😀

    scuttler
    Full Member

    As others have said it’s a question of what ‘channels’ you allow between the client and the infrastructure that use the RDS/View (PCoIP) protocols. These are typically the graphical display itself, keyboard+mouse, something for clipboard support, drive mapping (to allow files to be copied to/from the infrastructure), printing and potentially some USB control. It’s things like drive mapping and USB that present the biggest security risk so with these disabled (you need to be sure you can enforce it on the server and/or have the granularity to enable it only where necessary) you’re reducing the risk to your infrastructure.

    The other concerns are things like malware that records keystrokes and screenshots. On an infected client these will be able to 'steal' some data regardless of the fact that the device is not directly on the infrastructure. As such you should be careful about what you allow users to do in the RDS/View infrastructure. One way to address this is the use of a remote access solution to front-end it all that has some form of client checking for AV software and patches. This should give you 'some' assurance that the unowned device has some level of protection on it.
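As an added example (not code from this thread, Microsoft or VMware) tying together Neil_Bolton's post on the three RDS security layers and NLA with scuttler's point about which redirection channels to leave open: a PowerShell audit that reads an RD Session Host's effective settings from the standard Terminal Services registry keys and flags anything weaker than TLS-only, NLA required, and all client device redirection disabled. It assumes it runs locally on a Windows Server session host with rights to read HKLM; the Policies key only exists once a GPO or local policy has set those values, so it falls back to the RDP-Tcp listener key.

```powershell
# Added audit example: reports the RDS hardening settings discussed in the thread.
$rdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Get-RegValue($Path, $Name) {
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # key or value absent means "not configured"
}

# SecurityLayer maps to the three options quoted from TechNet above
$layerNames = @{ 0 = 'RDP Security Layer'; 1 = 'Negotiate'; 2 = 'SSL (TLS)' }
$findings = @()

$layer = Get-RegValue $rdpTcp 'SecurityLayer'
$findings += [pscustomobject]@{
    Setting = 'SecurityLayer'
    Value   = if ($null -ne $layer) { $layerNames[[int]$layer] } else { 'not set' }
    OK      = ($layer -eq 2)            # only "always TLS" is treated as passing
}
$nla = Get-RegValue $rdpTcp 'UserAuthentication'   # 1 = NLA required
$findings += [pscustomobject]@{ Setting = 'NetworkLevelAuthentication'; Value = $nla; OK = ($nla -eq 1) }

# Redirection channels: value 1 = that channel is disabled (scuttler's recommended posture)
$channels = @{
    fDisableCdm      = 'Drive mapping'
    fDisableClip     = 'Clipboard'
    fDisablePNPRedir = 'Plug and Play / USB devices'
    fDisableCpm      = 'Client printers'
    fDisableLPT      = 'LPT ports'
    fDisableCcm      = 'COM ports'
}
foreach ($name in $channels.Keys) {
    $v = Get-RegValue $policy $name                  # GPO setting wins if present
    if ($null -eq $v) { $v = Get-RegValue $rdpTcp $name }   # else listener setting
    $findings += [pscustomobject]@{
        Setting = "$($channels[$name]) redirection disabled"
        Value   = if ($null -eq $v) { 'not set (allowed by default)' } else { $v }
        OK      = ($v -eq 1)
    }
}

$findings | Format-Table -AutoSize
if ($findings | Where-Object { -not $_.OK }) { exit 1 }   # non-zero exit for scripted checks
```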


The topic ‘Vmware view versus MS terminal server’ is closed to new replies.