The Importance of Securing Desktop-as-a-Service for Remote Work

Like it or not, remote work is here to stay.

When offices and organizations around the world began making the shift during the pandemic, they weren’t alone.

You see, remote work wasn’t just an opportunity for businesses and employees, it was an opportunity for cybercriminals as well.

Desktop-as-a-Service, or DaaS, is a phenomenal tool for businesses like yours, but securing it properly is important. This classic technology has a wide variety of benefits, as well as weaknesses, and knowing how to navigate them properly can prevent a lot of problems.

Even if your company rejects a wide adoption of remote work, there are always sales reps and executives that need to travel to do business.

Because of this, you need to ensure that your remote workers and their data are protected with reasonable and cost-effective methods, without jeopardizing your IT systems.

Securing Desktop-as-a-Service in Legacy Technology

Traditionally, accessing your internal workstation resources meant using Remote Desktop Protocol (RDP) and Virtual Private Networks (VPN).

Unfortunately, as the volume of remote workers soared during the pandemic, so did the number of attacks on this remote infrastructure. 

As a result, their weaknesses were exposed.

A direct RDP connection requires opening a port on your firewall and then making a direct connection between two computers.

However, this connection commonly suffers from several of the following vulnerabilities:

  • Weak passwords: Companies rarely manage RDP passwords. In addition, users often adopt the same weak password they use for their PC, or reuse a password.
  • Unrestricted Port Access: On-Path and other attacks can be conducted to steal credentials.
  • Unpatched internal resources: Researchers have found that 8% of the RDP connections exposed to the internet remain susceptible to the BlueKeep vulnerability patched in 2019.

Luckily, these are problems that you can overcome when securing Desktop-as-a-Service.

Companies can tighten security by requiring stronger passwords, implementing multi-factor authentication (MFA) or single-sign-on services, and creating a whitelist (AKA: “allowlist”) of IP addresses permitted to access the port.

However, an IP whitelist doesn’t easily permit an employee to use RDP if they travel to many different locations.
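
One way to check the authentication and allowlist points above on a Windows host that accepts RDP, as an added example that is not from the original article. The addresses in `$AllowedSources` are constructed placeholders, and the `Remote Desktop` rule group name assumes an English-language Windows install.

```powershell
# Added example: report (and optionally tighten) this host's inbound RDP exposure.
# Run from an elevated PowerShell session on the machine that accepts RDP.
$AllowedSources = @('203.0.113.10', '198.51.100.0/24')  # constructed placeholder addresses
$Apply = $false   # $false = report only; $true = change settings

# 1. Network Level Authentication: 1 means users must authenticate before a session starts.
$rdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$nla = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication).UserAuthentication
if ($nla -eq 1) {
    Write-Output 'NLA: required'
} else {
    Write-Warning 'NLA: not required'
    if ($Apply) { Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value 1 }
}

# 2. Enabled inbound Remote Desktop firewall rules and the source addresses they accept.
$rules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' }

foreach ($rule in $rules) {
    $sources = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
    if ($sources -contains 'Any') {
        Write-Warning "$($rule.DisplayName): open to any source address"
        if ($Apply) {
            # Restrict the rule to the allowlist instead of leaving the port open to everyone.
            $rule | Set-NetFirewallRule -RemoteAddress $AllowedSources
            Write-Output "$($rule.DisplayName): restricted to $($AllowedSources -join ', ')"
        }
    } else {
        Write-Output "$($rule.DisplayName): limited to $($sources -join ', ')"
    }
}

if (-not $rules) { Write-Output 'No enabled inbound Remote Desktop rules found.' }
```

On domain-managed hosts, firewall rules and the NLA setting delivered by Group Policy take precedence over local changes, so the allowlist belongs in the policy there.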

As an alternative to a whitelisted IP list, you can simply require a more secure connection. Traditionally, VPNs have been used to provide this connection, but heavy use can put significant strain upon IT infrastructure. Additionally, many organizations still fail to regularly patch their VPN servers and devices.

Unfortunately, these long-used technologies suffer from more than just inherent weaknesses in their design.

Their long existence also increases the chance that user credentials have been stolen or leaked, which attackers frequently use to launch attacks.

As you can see, securing Desktop-as-a-Service is important, but can be challenging as well.

Virtualized Options

Both VPN and RDP create a tunnel into your corporate infrastructure, and attackers exploit that path to gain broader access.

Fortunately, using virtualization technology can redirect remote users to a desktop segregated from the rest of your network.

Microsoft recommends using its Remote Desktop Services (RDS), which creates session-based desktops launched as Virtual Desktop Infrastructure, or VDI.

Microsoft RDS is available on Azure or through other cloud providers, but it can also be installed within a corporate data center for those reluctant to adopt the cloud.

Adoption of Windows RDS or other software solutions may greatly improve security, but it also comes with the many responsibilities of management and security.

Those seeking a more turn-key solution can choose Desktop-as-a-Service, which differs from VDI in several ways, such as:

  • Reduced CapEx: VDI deployments require server investments (in the data center or the cloud)
  • Control / Resource Demand Tradeoff: VDI deployments offer more control than DaaS, but the control comes at the cost of additional labor and time to establish and continuously maintain the deployment.
  • Sharing Space: VDI deployments are single tenant implementations, but DaaS usually requires an organization to accept multi-tenant hosting.
  • Improved Flexibility: Investing in VDI deployments locks an organization into a specific technology for a specific capacity. Cloud VDI might offer more flexibility than a data center, but DaaS permits instant scalability for user changes, as well as options to try different operating systems and vendors.

There are many large, established vendors that offer cloud-based VDI and DaaS services, such as VMware, IBM, Citrix, AWS, and Microsoft.

There are many smaller vendors of course, and each one tries to offer something to differentiate themselves.

Although these might work for you, the wide variety of features and options they offer can also make them more confusing to navigate.

The Takeaways

Regardless of whether it’s a wide-spread adoption or only a handful of employees, there’s a good chance your organization relies on remote operations in some manner.

And sure, Desktop-as-a-Service is a great option to have, but it also opens your business up to new avenues of attack. That means taking the extra steps to secure it is crucial.

Selecting VDI or DaaS does reduce possible internal network security issues. However, simply moving to virtualized computers doesn’t guarantee a higher level of security. There are always integration options that need to be navigated in connecting the virtual desktop with the rest of your organization’s networks.

Ensuring that all features match the needs of your organization, and have been correctly configured, requires an in-depth understanding of all available options. Since this is easier said than done, you might need to work with an outside expert to ensure you have the best fit and the correct setup.

For a free consultation on improving the security of existing remote connection technology or to explore virtualized options, call Ideal Integrations at 412-349-6680 or fill out the form below. Our experts have the training and experience you need to provide sound advice and any service you’re looking for.