SecureVDIChallenge

Below is the collection of VDI Security Tips. This will not be the end-all list, but these are great starting points. These settings are applicable to most VDI deployments: Citrix and VMware, along with RDS and other solutions. Some solutions have more controls than others, but this is mostly a collection of Windows GPO settings that should be very universal. For all VDI-specific policies I will show the settings for Citrix and VMware, which are the market leaders in the VDI space.

Please test these settings because your mileage will vary. If you apply all of these settings, your servers and desktops will get very annoying very quickly when administering them, so the easiest way to handle this is to "Deny" the "Your User Security Policy" GPO for your Server, Citrix and Domain Admins. There are some deployments where this may or may not be acceptable. Some of these settings I have deployed like a Ninja and no one knew a change happened; others have made the user workflow unworkable and/or set the application on fire with errors. Slow and steady with regular testing wins the race. Our goal is to open your mind to security controls you may not be using, so you can add them to secure your deployment over time and reduce your risk.

  1. Make your "My User Security Policy".
  2. Change the Security filtering of the policy to "Deny" for your Admin groups.
    1. [Screenshot: GPO Policy Deny for Admins]

Also don't forget that you may need some Loopback Processing to get these Computer and User policies applied correctly, depending on where your users and computers sit in the directory and how your GPOs are laid out.

One of the better detailed yet simple overviews of loopback processing:

https://blogs.technet.microsoft.com/askds/2013/02/08/circle-back-to-loopback/

Tips will be added daily for the next 50 days!

Top 60 VDI Security Tips:

  1. GPO, Do you let your users run "Run"? It is the #1 application jailbreak method from almost any application. When I can type regedit, cmd, powershell or file:\\\c:\, that is when bad things start happening.
    1. Policy: GPO: User Configuration\Policies\Administrative Templates\Start Menu and Taskbar\Remove Run
  2. GPO, Do your users really need access to the local drives on the server and/or desktop? This can be prevented with "Hide the specified drives in My Computer" and, more strictly, "Prevent access to drives in My Computer" (hiding only removes the drives from the view; preventing access actually blocks them, so pair the two). #Jailbreaking #TreasureHunting
    1. Policy: GPO: User Configuration/Administrative Templates/File Explorer/Prevent access to drives in My Computer
  3. GPO, I like shopping in the stores like everyone else, but should your users be heading to the Windows Store to get some sweet apps? Lock it down so they don't go wandering by disabling the Windows Store. The Store does have some useful things, but a user shouldn't be deciding to install a game, PDF viewer, printer something or any other application. They shouldn't need anything added to your image to work.
    1. Policy: GPO: User Configuration/Administrative Templates/Windows Components/Store/Turn off the Store application
  4. GPO, Did you know Help is one of the best application jailbreak methods? Limiting what can be launched from Help is your best defense. Help->About has led me to a browser, CMD, PS and PartyTime123.ps1.
    1. Policy: GPO: User Configuration\Policies\Administrative Templates\System\Restrict these programs from being launched from Help
    2. Common EXEs to block from Help: exe, cmd.exe, regedit.exe, mmc.exe, powershell.exe and whatever other browser or EXE something in your application tries to launch.
  5. GPO, Do your users need the ability to map network drives within a session? Most drives are already mapped for the user, so there isn't a need for them to do it on their own. #DidYouSecureAllTheShares?
    1. Policy: GPO: User Configuration/Administrative Templates/File Explorer/Remove "Map Network Drive" and "Disconnect Network Drive"
  6. GPO, Do you like your users viewing and/or modifying your NTFS permissions? I don't think most admins would; a simple "Remove Security tab" can fix that.
    1. Policy: GPO: User Configuration/Administrative Templates/File Explorer/Remove Security tab
  7. GPO, Do your users need to get to the Control Panel? In 99.9% of deployments that is a "NO", and that means "Prohibit access to the Control Panel" is your bestest friend. #HrmWhatCanIDoInHere?
    1. Policy: GPO: User Configuration/Administrative Templates/Control Panel/Prohibit access to the Control Panel
  8. GPO, Do you publish a desktop? If so then you should enable "Prohibit changes" to ensure they are not able to do something that will create a support or security incident. #CreateShortcutParty
    1. Policy: GPO: User Configuration/Administrative Templates/Desktop/Desktop/Prohibit changes
  9. GPO, I'm pretty sure opening the Registry Editor as a user is bad, mmmkay, let's lock that thing down. Prevent access to registry editing tools with a simple policy.
    1. Policy: GPO: User Configuration/Administrative Templates/System/Prevent access to registry editing tools
  10. GPO, Do your users need to run Server Manager, PowerShell or any admin tools? There is a great GPO that will fix that up: File System security settings. Feed it a path and it shall be blocked. Groups are your friend with this setting because you may need to make exceptions.
    1. You can either remove these links from the Start Menu (I have a lot of clients that just delete some of these directories from the All Users profile and/or customize the default user profile, and a couple that just move all the things into Administrative Tools and remove "Users" from the permissions) or block them with the policy below.
    2. Policy: Computer Configuration\Policies\Windows Settings\Security Settings\File System
      1. %AllUsersProfile%\Microsoft\Windows\Start Menu\Programs\Administrative Tools
      2. %AllUsersProfile%\Microsoft\Windows\Start Menu\Programs\System Tools\Windows PowerShell.lnk
      3. %AllUsersProfile%\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Server Manager.lnk
      4. And any other paths you choose. This is nice because you don't need to crack open the image to make these changes.
    3. Leaving Users with "List Folder Contents" is still a little too much for most; most people don't even want them to see this folder. If they see something they cannot click, that can generate a helpdesk ticket; if they don't see anything beyond what they need, it's just magic. Remove the group or just uncheck everything.
    4. Make sure you propagate the permissions down if you are doing a directory.
    5. The great thing is this isn't set in stone: if you have to back something off, you can edit it after the fact and add a specific group back and/or change the scope.
  11. GPO, Do you publish a desktop? If so then you should enable "Hide Network Locations icon on desktop" to ensure they cannot get somewhere they shouldn't that you haven't secured yet.
    1. Policy: GPO: User Configuration/Administrative Templates/File Explorer/No Entire Network in Network Locations
    2. Policy: GPO: User Configuration/Administrative Templates/Desktop/Hide Network Locations icon on desktop
  12. GPO, Should your users be able to get to the command prompt? Survey says, "No". Most should not need access to it. The recon and execution possibilities there are near limitless. Test it!
    1. Policy: GPO: User Configuration/Administrative Templates/System/Prevent access to the command prompt
    2. Phase 2: you may also be able to disable command prompt script processing, but how you do login scripts, how you launch the applications (a script that launches an app) or just how the application works could prevent you from going this far. Take the one step and disable access first, then you may be able to go to Phase 2.
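Everything above is a GPO setting, so the practical question is whether it actually landed in the session. As an added example (not code from the original post), here is a PowerShell audit you run inside a VDI session as a test user: it reads the registry values these user-side policies write, reports the command prompt policy's phase 1 vs phase 2 state, and checks the Administrative Tools folder ACL from the File System tip. Expecting every policy to be on is my assumed baseline; trim the list to match yours.

```powershell
# Added audit script, not code from the original post. Run it inside a VDI session as a
# test user after gpupdate; it reads the registry values that the user-side policies in
# this list write, and the ACL on the Administrative Tools folder. Expecting every
# policy on is my assumed baseline, trim the list to match yours.
$ExplorerPol = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$SystemPol   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$NetworkPol  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Network'
$WinSysPol   = 'HKCU:\Software\Policies\Microsoft\Windows\System'
$StorePol    = 'HKCU:\Software\Policies\Microsoft\WindowsStore'   # computer side lives under HKLM:\
# Policy as named in the tip, the key it writes, the value name; pass = present and non-zero.
$Checks = @(
    @{ Policy = 'Remove Run';                               Key = $ExplorerPol; Name = 'NoRun' }
    @{ Policy = 'Prevent access to drives in My Computer';  Key = $ExplorerPol; Name = 'NoViewOnDrive' }
    @{ Policy = 'Turn off the Store application';           Key = $StorePol;    Name = 'RemoveWindowsStore' }
    @{ Policy = 'Remove Map/Disconnect Network Drive';      Key = $ExplorerPol; Name = 'NoNetConnectDisconnect' }
    @{ Policy = 'Remove Security tab';                      Key = $ExplorerPol; Name = 'NoSecurityTab' }
    @{ Policy = 'Prohibit access to the Control Panel';     Key = $ExplorerPol; Name = 'NoControlPanel' }
    @{ Policy = 'Prevent access to registry editing tools'; Key = $SystemPol;   Name = 'DisableRegistryTools' }
    @{ Policy = 'No Entire Network in Network Locations';   Key = $NetworkPol;  Name = 'NoEntireNetwork' }
    @{ Policy = 'Hide Network Locations icon on desktop';   Key = $ExplorerPol; Name = 'NoNetHood' }
)

function Test-VdiUserPolicy {
    foreach ($c in $Checks) {
        $v = (Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        if ($null -eq $v) { $s = 'NOT SET' } elseif ($v -ne 0) { $s = 'OK' } else { $s = 'DISABLED' }
        [pscustomobject]@{ Policy = $c.Policy; Value = $v; Status = $s }
    }
    # "Prevent access to the command prompt" writes DisableCMD: 2 = cmd.exe blocked but batch
    # and login scripts still run (phase 1 above), 1 = script processing blocked too (phase 2).
    $cmd = (Get-ItemProperty -Path $WinSysPol -Name DisableCMD -ErrorAction SilentlyContinue).DisableCMD
    $s = switch ($cmd) { 1 { 'OK (phase 2)' } 2 { 'OK (phase 1, scripts allowed)' } default { 'NOT SET' } }
    [pscustomobject]@{ Policy = 'Prevent access to the command prompt'; Value = $cmd; Status = $s }
    # File System tip: the Users group should hold no Allow ACE on the Administrative Tools folder.
    $adminTools = Join-Path $env:ALLUSERSPROFILE 'Microsoft\Windows\Start Menu\Programs\Administrative Tools'
    if (-not (Test-Path $adminTools)) { $rights = ''; $s = 'FOLDER NOT FOUND' }
    else {
        $usersAllow = (Get-Acl -Path $adminTools).Access |
            Where-Object { $_.IdentityReference -like '*\Users' -and $_.AccessControlType -eq 'Allow' }
        $rights = ($usersAllow.FileSystemRights -join ', ')
        $s = if ($usersAllow) { 'USERS STILL ALLOWED' } else { 'OK' }
    }
    [pscustomobject]@{ Policy = 'File System: Administrative Tools folder'; Value = $rights; Status = $s }
}

Test-VdiUserPolicy | Format-Table -AutoSize
```

Run it as the test user, not as an admin you have "Denied" the policy for, or every row will read NOT SET by design.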