1. Do Not Use Persistent Virtual Desktops
Always use non-persistent virtual desktops. They are more secure because each session is refreshed from the original master image. Persistent virtual desktops behave like physical desktop PCs and are more susceptible to malware, virus infections, and corruption. I will admit that non-persistent desktops can be more difficult to implement, come with more requirements, and are harder to manage, but they are the safer bet in the long run.
Even though more time is required to manage a non-persistent, refresh-ready virtual desktop environment, the investment is well worth the effort. As a case in point, a school I was working with recently made the smart decision to virtualize about half of its nearly 1,000 desktops. When a virus attack was detected, they simply advised their users to log off. That action alone was all that was required to completely eradicate the virus from all user-accessible VDI desktops, and in only about five minutes. The entire network was spared, with only a few servers needing some attention. Any non-virtualized PCs or persistent desktops would have required considerable time for remediation. So the moral of the story is to virtualize the vast majority of your computing resources. For example, imagine the security you would enjoy if fully 90% of your desktops were virtual and only 10% of resources (typically servers) remained as physical hardware devices.
2. Maintain Agentless Anti-Virus
Most PCs run a standard anti-virus package. Don’t scale back on dedicated anti-virus. But if you want to optimize performance, you’ll need an agentless anti-virus solution. In tests, typical anti-virus software decreased storage IOPS performance by as much as 30%.
Consider an agentless option on VMware, where a lightweight driver built into the VMware tools on every virtual machine hands scanning off to a dedicated security appliance. NSX or vShield provides the framework for agentless AV, and you can run an agentless product such as Trend Micro Deep Security or McAfee MOVE on your infrastructure servers. The result is fully agentless AV scanning on the virtual desktops. When a user logs on, they get a fresh virtual machine with no virus. While they use the desktop, real-time scans prevent infection. And when the user logs off, the desktop is refreshed from a clean image. Again, no viruses.
Some customers (a school, municipality, or small business looking to save money) might skip agentless anti-virus, or even skip licensing a standard anti-virus package on virtualized machines entirely. This is a poor decision. In these environments, a virus will be introduced, persist, and spread. Having all users log off reduces the infection risk dramatically, but the threat itself continues to exist. You must maintain real-time anti-virus protection, and agentless options are preferred because they eliminate the 30% performance hit.
For the rest of the tips please read my work blog: