
Boost VDI security in on-premise Active Directory: VDI MFA and access controls

Virtual desktop infrastructure (VDI), also called remote desktop virtualization, is a computing model organizations use to support a range of application use cases that traditional PC-based computing struggles to accommodate. Here’s how UserLock enables on-premise VDI security with VDI MFA and access controls.

Published July 12, 2024

What is VDI? An alternative to the PC model

The personal computer remains the bedrock of modern business computing but running applications locally is not always a good fit for every software use case.

One drawback of PCs is that using them forces organizations to make optimistic assumptions about data and application security. PCs are vulnerable to compromise in ways that can be almost impossible to detect until a breach has occurred.

The PC model also assumes that every computer will have a locally installed copy of an application and sufficient processor power to run it. Because some organizations run complex, high-resource applications, this is not always the case. 

Virtual desktop infrastructure (VDI) offers an alternative in which individual applications or entire desktops are virtualized and served centrally, usually running on servers hosted inside an organization’s data center.

These can be shared “terminal” sessions, where every user accesses the same environment, or desktop sessions, where each user has their own application space and data. Sessions can be persistent, where the user accesses the same virtual environment each time, or non-persistent, where each session begins anew.

In practice, VDI is a complex technology that can be implemented in different ways using proprietary technologies, for example from Microsoft, VMware, and Citrix. But the underlying principle is always the same: individual applications (or a complete operating system) run on a remote hypervisor, and the user interacts with them as if they were locally installed. In Microsoft implementations, that interaction happens over Remote Desktop Protocol (RDP).

This centralizes control over applications and data, giving organizations more oversight and certainty. Using VDI, remote employees can access processor-intensive or shared applications more efficiently and, in principle at least, more securely than with standalone PCs.

VDI security best practices

Although VDI is often described as "niche," modern business throws up many scenarios where it’s the best option. VDI enables shared applications where data must remain under central control. It is also a good fit for remote access, or for accessing complex or legacy applications that can't easily be run on local PCs.

Once seen as an alternative to traditional PCs, today VDI is just as likely to be deployed alongside PCs and laptops to give access to specialized applications.

VDI’s popularity comes from the higher level of data security and control it offers, combined with the convenience for employees when accessing certain applications.

The caveats are complexity and security.

VDI requires more infrastructure, which often leads to layers of complexity, especially around security. Remote access is always a risky scenario. But with VDI, this is even more true because employees are accessing central applications and data directly.

Traditional defenses such as usernames and passwords are too vulnerable to theft and brute forcing to secure VDI connections on their own. In today’s cybersecurity environment, VDI is unthinkable without multi-factor authentication (MFA), but this can be difficult to get right.

Somehow, organizations must find a way to implement MFA security in a way that avoids it becoming a management overhead or a barrier between users and their VDI applications.

How on-premise VDI offers flexibility

Running VDI on-premise excels in use cases where central control and monitoring is a priority, or where local PCs are not powerful enough to run complex applications.

VDI is a good option when you need to:

  • Build a high-security environment, common in government and military sectors, where data must be kept centrally for security reasons.

  • Comply with regulatory requirements around data residency, especially in sectors such as healthcare and finance.

  • Share specialized high-performance or large applications that aren’t suitable for a PC, for example, CAD/CAM or call centers.

  • Give access to legacy applications that won’t run on a PC.

  • Simplify support for a fully remote or hybrid workforce.

VDI security risks

In theory, by centralizing applications VDI offers more control. But VDI security risks abound — and VDI still offers attackers plenty of scope.

One common risk is that a computer using VDI is still an endpoint. If an attacker compromises that endpoint, they open the door to the user account, the applications, or even the entire desktop being used remotely.

Anything an attacker can achieve by compromising a PC is also true for a VDI session.

Another VDI security risk is concurrent sessions. When users open a second VDI session without closing an existing session, they expand the number of targets exposed to attack.

Finally, VDI creates complexity (and anxiety) around compliance. With so many users accessing central servers and data, it's critical to prioritize the security of user credentials. Admins should always ensure they have full visibility on who is accessing VDI sessions.

Why on-premise VDI is still appealing for many organizations

Traditionally, VDI is deployed on-premise which means that organizations configure and manage their own infrastructure, including Active Directory (AD).

More recently, the emergence of fully managed desktop-as-a-service (DaaS) and partially managed cloud platforms such as Azure Virtual Desktop has complicated this picture. Now, VDI can be served from a cloud platform using Entra ID (formerly Azure AD) as well as from servers connected to on-premise AD fully under an organization’s control.

There are pros and cons to both approaches. However, on-premise VDI’s popularity is assured. In most scenarios, on-premise VDI supports a wider range of applications and gives organizations a high degree of control over data and security without having to rely on guarantees offered by a service provider.

But it is unavoidable that maintaining infrastructure in-house requires organizations to specify everything themselves. That includes the all-important VDI MFA security layer, authenticated via on-premise AD or, in hybrid mode, via Microsoft Entra Domain Services (formerly Azure AD Domain Services).

How to secure VDI with UserLock MFA and access controls

UserLock lets admins secure VDI with multiple layers of control. The first of these is MFA for VDI, through which a second factor (via push notification, authenticator app, or a hardware security key such as Yubikey or Token2) secures user access to the VDI session.

Because UserLock integrates with existing on-premise AD directories and Entra ID with Active Directory Domain Services (AD DS) without additional infrastructure, getting VDI MFA up and running is quick and easy. With UserLock, you do all of this in the same console that secures other connection types such as VPNs, IIS, Wi-Fi, SaaS, etc.

MFA connection types

UserLock MFA prompts are triggered by an agent running on the user’s computer, which executes the VDI template in either workstation or terminal mode.

As well as controlling concurrent sessions using timeouts (see below), admins can remotely secure VDI sessions if they detect a possible compromise.

Limit concurrent VDI sessions with UserLock

Concurrent sessions are an underestimated security risk. In the context of VDI, they are also quite common. A user opens a VDI session from one computer, then opens a second one on a separate workstation without closing the first. These open but redundant sessions not only consume more resources but offer attackers more targets to compromise through session hijacking.

UserLock allows admins to track concurrent sessions, and to apply session limits on a workstation, individual user, group or Organizational Unit (OU) basis using the same configuration panel used to control other types of concurrent session such as VPN or IIS.

Limit concurrent sessions

Admins also have access to UserLock's detailed logs of all VDI sessions, allowing them to monitor how users interact with the platform as well as identify suspicious logins.
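To make the concurrent-session risk concrete, here is an added example (not UserLock's code, and not its log format) that walks a constructed logon/logoff log and flags each logon that takes a user above a per-session-type limit, the kind of check the session limits described above enforce. The event format, host names, users and limits are all assumptions made for the example.

```python
"""Flag concurrent VDI sessions in a constructed logon/logoff event log.

Constructed event format (an assumption for this example, not a real product format):
    <ISO timestamp> <LOGON|LOGOFF> user=<name> host=<client> type=<workstation|terminal>
A logon that takes a user above the limit for that session type is flagged, together
with the sessions still open, so an admin can decide which one to disconnect.
"""
from collections import defaultdict

# Constructed sample log: alice opens a second workstation session before closing
# the first; bob opens a third terminal session while two are still open.
SAMPLE_LOG = """\
2024-07-12T08:01:10 LOGON user=alice host=WS-101 type=workstation
2024-07-12T08:03:42 LOGON user=bob host=TS-01 type=terminal
2024-07-12T08:15:05 LOGON user=alice host=WS-207 type=workstation
2024-07-12T08:20:00 LOGOFF user=alice host=WS-101 type=workstation
2024-07-12T09:02:11 LOGON user=bob host=TS-02 type=terminal
2024-07-12T09:05:30 LOGON user=bob host=TS-03 type=terminal
"""

# Assumed policy: one workstation session per user, two terminal (shared desktop) sessions.
LIMITS = {"workstation": 1, "terminal": 2}

def parse_event(line):
    """Split one event line into a dict of timestamp, action and key=value fields."""
    ts, action, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return {"ts": ts, "action": action, **kv}

def find_violations(log_text, limits=LIMITS):
    """Replay the log in order and return every logon that exceeds the per-type limit."""
    open_sessions = defaultdict(dict)  # (user, type) -> {host: logon timestamp}
    violations = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        sessions = open_sessions[(ev["user"], ev["type"])]
        if ev["action"] == "LOGOFF":
            sessions.pop(ev["host"], None)  # closing a session frees a slot
            continue
        sessions[ev["host"]] = ev["ts"]
        if len(sessions) > limits.get(ev["type"], 1):
            violations.append({
                "ts": ev["ts"], "user": ev["user"], "type": ev["type"],
                "new_host": ev["host"],
                "still_open": sorted(h for h in sessions if h != ev["host"]),
            })
    return violations
```

Running `find_violations(SAMPLE_LOG)` on the constructed log reports alice's second workstation logon from WS-207 (WS-101 still open) and bob's third terminal logon from TS-03 (TS-01 and TS-02 still open).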

Report concurrent logins history

How UserLock helps Duane Morris to control concurrent VDI sessions

With a remote workforce, legal firm Duane Morris faced the problem of controlling users' concurrent sessions across its estate of physical and virtual (VDI) desktops. UserLock gave the company a way to identify and disconnect these while distinguishing between workstation (Windows 10/11) and terminal (shared Windows desktop) sessions. To reduce admin overhead, UserLock allowed users to close previously open sessions as they logged into a new session.

Read the case study: How UserLock enhances VDI security with monitoring and concurrent session controls

How MSP Zephyr Cloud implemented VDI MFA to meet compliance requirements

Asked to implement MFA to secure on-premise Windows VDI access for one of its managed customers, Zephyr Cloud struggled to find a solution that didn’t involve additional expense and complexity. While the client’s domain identity provider is Entra ID, they use AD DS to authenticate to legacy systems as well as VDI. UserLock’s MFA implementation worked without extra software, allowing users accessing a multi-session VDI engineering application to receive MFA prompts regardless of whether they access it via a browser or VDI agent.

Read the case study: How UserLock MFA for Windows VDI meets compliance requirements

Keep VDI security simple with UserLock

In theory, VDI gives users access to any application, from anywhere, while giving admins control over security. For organizations struggling to secure and manage traditional PCs in a remote setting, or those struggling to support complex applications, it’s not hard to understand why VDI looks like a good answer.

However, VDI is a demanding technology on many levels, not least security. The biggest security worry of all is the user. User credentials can be compromised at any moment, and insider access is a constant threat. In either case, organizations must find a way to lock down access as far as possible without making VDI overly complex to manage.

That is why organizations must implement watertight MFA for VDI and concurrent session control without tying themselves in knots. VDI requires a lot of investment in infrastructure. Keeping things simple is the best way to reduce the need for additional systems as far as possible.

With UserLock, you get a single solution for multiple security layers, from VDI MFA, to concurrent session management, to remote oversight of all VDI sessions, to the reporting you need for compliance.

Because UserLock is designed to manage MFA and access control across multiple session types and not just VDI, you also get a single control pane for all remote access based on existing AD policies.

No need for a dedicated security layer for VDI. UserLock works with on-premise AD to integrate how users access VDI into a single security console.

Daniel Garcia Navarro, Engineering Director