1. Information Security
This section summarizes the design decisions that provide a clear delineation between the
Customer and the Customer operations team regarding authentication to the Customer virtual
desktop solution. The Customer recognizes the importance of IT security, and this is reflected in
the architecture and streamlined methodology. The solution integrates with the Customer Active
Directory and leverages the Customer's existing IT Security procedures for adding users to
resources, so the Customer can continue to use its existing processes. The design requires no
changes to the Customer AD design or schema; changes are limited to minor configuration items
such as a dedicated OU and, where necessary, trust relationships.

1.1 Summary
Access management is critical to business operations: the controls for virtual desktop access
must ensure that access to a virtual desktop follows the same procedure as access to any other
corporate application. At the same time, sufficient access is required for the operations team to
set up and configure the virtual desktop environment. The decision points in this design
document therefore provide guidance to protect the confidentiality, integrity and availability of
the virtual desktop environment.

1.2 Design Decisions
The following table provides the design decisions concerning information security. Each entry
gives the Decision Point, the GuideIT Decision and the Justification.

Decision Point: GuideIT Hosting Domain Membership
GuideIT Decision: Required. The Customer provides the hosting domain.
Justification: The GuideIT solution design requires that all VDI infrastructure components reside
in the Customer Active Directory domain. This allows the most expedient implementation and
interoperability with Customer applications, including complex environments with multiple forests
or multiple domains within the same forest.

Decision Point: Dedicated VDI Administrator account
GuideIT Decision: Required for each resource. A unique name is required; a generic (shared)
account is not allowed, for security and audit compliance.
Justification: This account is required to set up the Customer virtual desktop environment: add
servers to the domain, add service accounts to the Service Accounts OU, create Group Policies,
link Group Policies, and hold local administrator rights on all servers.

Decision Point: Dedicated VDI Domain Local Group in the Customer domain
GuideIT Decision: Required. Domain Local group in the VDI host domain.
Justification: The "Customer_VDI_Administrators" group is required for security and audit
purposes. Membership is limited to VDI administrators, the group is restricted to VDI resources,
and a Customer AD SME populates the group, which gives the Customer a layer of control and
auditing.

Decision Point: Dedicated OU (/Customer) in the VDI hosting domain
GuideIT Decision: Customer requirement.
Justification: An Active Directory organizational unit dedicated to the deployment provides an
isolated environment, protecting both the VDI deployment and the wider Customer environment.

Decision Point: Dedicated OU permissions: GuideIT group has Full Control on the /Customer OU
GuideIT Decision: Customer requirement.
Justification: To create and link a GPO you must have Link GPOs permission on the target domain
or organizational unit and permission to create GPOs in that domain. The
"Customer_VDI_Administrators" group requires Full Control on the /Customer OU to create new OUs
and link Group Policy objects.

Decision Point: Block Inheritance
GuideIT Decision: Required.
Justification: Block Inheritance protects the integrity of the infrastructure servers and virtual
desktops and prevents cross-contamination between the Customer's existing Group Policies and
the Group Policies that optimize the XenDesktop environment.

Decision Point: Customer Service Accounts
GuideIT Decision: Required.
Justification: It is critical to operational and technical support that dedicated service accounts
are created and maintained for the deployment. The accounts are isolated to the Customer OU >
Service Accounts.

Decision Point: Group Policy Creation (/Customer)
GuideIT Decision: Required.
Justification: This provides a centralized and efficient way to manage GPOs for the Customer
deployment without impact to the Customer's GPO methodology or configurations.

Decision Point: Link Group Policy (/Customer)
GuideIT Decision: Required. The Customer administrator accounts require Full Control on the
/Customer OU.
Justification: To create and link a GPO you must have Link GPOs permission on the target domain
or organizational unit and permission to create GPOs in that domain. By default, only Domain
Admins, Enterprise Admins and Group Policy Creator Owners have permission to create GPOs.

Decision Point: Multiple Forest Authentication Two-Way Trust
GuideIT Decision: Required for authentication.
Justification: Without the trust, clients outside the hosting forest (and the domains associated
with that forest) cannot access resources in the VDI hosting domain.

Decision Point: Two-way trust between each guest domain and the VDI host domain
GuideIT Decision: Required for authentication. Additional step after the forest trust is
established.
Justification: As above: without the trust, clients outside the hosting forest (and the domains
associated with that forest) cannot access resources in the VDI hosting domain.

Decision Point: IT Security Fulfillment (Access Requests)
GuideIT Decision: Leverage the existing Customer process and procedures.
Justification: The solution integrates with the Customer Active Directory and allows the
Customer to control access to the virtual desktops based on their individual needs and
requirements.

Decision Point: IT Security Fulfillment Training Program
GuideIT Decision: Optional but recommended.
Justification: Reduced error rates (users allocated the correct desktop the first time, and not
allocated more than one desktop), reduced security exposure from groups that grant access to
applications a user does not require, and quicker response times for user access requests.

1.3 Design Details
Dedicated VDI Administrator Account – This account is required to set up the Customer
virtual desktop environment: add servers to the domain, add service accounts to the Service
Accounts OU, hold db_owner on the Citrix SQL cluster database, create and link Group Policies,
and hold local administrator rights on all servers. The account is provided for the initial
installation of the binaries; named accounts are added to the corresponding AD group as required
after implementation. Because the Customer may already have an existing environment, a clear
delineation is needed for the Customer Administrator account: create a domain ID for each
administrator. A generic (shared) ID is not acceptable, because audit and security compliance
require that every administrative action be attributable to one individual. XenDesktop 5 Desktop
Studio requires the GuideIT Administrators group to hold db_owner rights on the XenDesktop 5
site database for administration purposes.
Dedicated VDI Domain Local Group – The "Customer_VDI_Administrators" group is granted local
administrator membership on all infrastructure servers and Group Policy permissions on the
Customer OU. This group is specific to the GuideIT Services VDI solution and should not be
confused with existing Customer deployments; it must be separate. The group requires
membership in the BUILTIN\Administrators local group of every VDI infrastructure server.
Membership of the group itself is restricted to the VDI administrator accounts allocated by the
Customer Active Directory SME.
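As an added audit example (not code from the GuideIT design document), the following PowerShell checks the invariants this paragraph sets: every member of the domain local group is a named, enabled user account rather than a generic ID or a nested group, and the group, not individual domain users, sits in BUILTIN\Administrators on every VDI infrastructure server. The group name is the one used in the design; the server names, the generic-name pattern, WinRM access and Get-LocalGroupMember (Windows Server 2016 or later on the servers) are assumptions.

```powershell
# Added audit example; this is not code from the GuideIT design document.
# Assumptions: RSAT ActiveDirectory module, WinRM access to the servers, and
# Windows Server 2016 or later on them (for Get-LocalGroupMember).
Import-Module ActiveDirectory

$GroupName    = 'Customer_VDI_Administrators'                  # group named in the design
$InfraServers = @('vdi-ddc01', 'vdi-ddc02', 'vdi-sql01')         # assumed server names
$GenericId    = '^(admin|administrator|vdi|vdiadmin|svc|service|test|temp)\d*$'  # assumed naming rule
$findings     = @()

# 1. Group membership: only named, enabled user accounts; no nested groups, no generic IDs.
foreach ($member in Get-ADGroupMember -Identity $GroupName) {
    if ($member.objectClass -ne 'user') {
        $findings += "Non-user member in ${GroupName}: $($member.Name) ($($member.objectClass))"
        continue
    }
    $user = Get-ADUser -Identity $member.DistinguishedName -Properties Enabled
    if (-not $user.Enabled) {
        $findings += "Disabled account still in ${GroupName}: $($user.SamAccountName)"
    }
    if ($user.SamAccountName -match $GenericId) {
        $findings += "Generic-looking ID in ${GroupName}: $($user.SamAccountName)"
    }
}

# 2. BUILTIN\Administrators on every infrastructure server must contain the group, and should
#    not contain domain users directly (that bypasses the group-based control and its audit trail).
$expected    = "$((Get-ADDomain).NetBIOSName)\$GroupName"
$localAdmins = Invoke-Command -ComputerName $InfraServers -ScriptBlock {
    Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, ObjectClass, PrincipalSource
}
foreach ($server in $InfraServers) {
    $onServer = @($localAdmins | Where-Object { $_.PSComputerName -eq $server })
    if (-not $onServer) { $findings += "${server}: could not read local Administrators"; continue }
    if (-not ($onServer.Name -contains $expected)) {
        $findings += "${server}: $expected is not a member of BUILTIN\Administrators"
    }
    foreach ($m in $onServer | Where-Object { $_.ObjectClass -eq 'User' -and $_.PrincipalSource -eq 'ActiveDirectory' }) {
        $findings += "${server}: domain user $($m.Name) is a direct member of BUILTIN\Administrators"
    }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output "VDI administrator group audit: no findings" }
```

Run it on a schedule from a host in the VDI hosting domain; each warning is a deviation from the design that the Customer AD SME should either fix or document.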
Dedicated OU – Installation requires a dedicated OU with Full Control allocated to the
dedicated GuideIT Administrator account(s), allowing additional OU creation and the application
of custom GPOs. The GuideIT Administrator requires assistance from the Customer AD SME to
create the initial OU (/Customer) and grant Full Control on that OU; the Customer administrator
is responsible for the remaining task items. As stated previously, this OU provides isolation:
the delegated rights apply only to the OU and its sub-tree, and users are only affected when they
log in to the VDI environment.
Block Inheritance – Block Inheritance is required to protect the integrity of the
infrastructure servers and virtual desktops and to prevent cross-contamination with the
Customer's existing policies; it is accomplished by enabling the setting on the OU. The GuideIT
Administrator requires Full Control on the Customer OU. Again, the dedicated OU protects the
Customer because the delegated access is isolated to a single OU; however, a dedicated AD SME
resource is required for the initial configuration. Note that Block Inheritance does not stop
GPOs linked higher in the hierarchy with the Enforced option: those still apply to the OU, so
any enforced Customer GPOs must be reviewed against the VDI settings before go-live.
Customer Service Accounts – It is critical to operational and technical support that the
dedicated service accounts are created and maintained. The accounts are isolated to the
Customer OU > Service Accounts, and the GuideIT administrator(s) require the ability to create
user accounts in that OU, because the service accounts are needed for the custom configuration
of the virtual desktop implementation.
Group Policy Creation – Policies are created as blank policies, the unused user or computer
half of each policy is disabled per the instructions, and each policy is linked to the designated
OU. The primary goal is the setup and configuration of the base OU structure and empty
policies; the actual settings are configured in advance by the Customer implementation team
and imported with a simple import process once the blank GPOs are created and linked. It is
important for the Customer to understand that creating and linking these policies will not affect
their current GPO architecture or any custom GPOs the Customer has created: the impact is
isolated to the Customer OU created as part of the initial requirements. This provides a
centralized and efficient way to manage GPOs for the Customer deployment without impact to
the Customer's GPO methodology or configurations.
Link Group Policy – To link an existing GPO to a site, domain or OU, you must have Link GPOs
permission on that site, domain or OU. By default, only Domain Admins and Enterprise Admins
have this privilege for domains and OUs. The Customer engineer requires assistance from the
Customer Active Directory SME to create the initial OU (/Customer). The GuideIT Administrator
group requires Full Control security permissions on the Customer OU and its sub-structure.
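The five steps above (dedicated OU, Block Inheritance, Service Accounts OU, blank GPO creation and linking) are one procedure, performed by the Customer AD SME. As an added example that is not code from the GuideIT design document, the following PowerShell carries the whole procedure out in the order the design describes. The /Customer OU and the Customer_VDI_Administrators group name come from the design; the GPO names, the backup folder used for the import, and the choice of which half of each GPO to disable are assumptions.

```powershell
# Added provisioning example; this is not code from the GuideIT design document.
# Run as the Customer AD SME (Domain Admins). OU and group names follow the design;
# GPO names and the backup path are assumptions.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$DomainDN  = (Get-ADDomain).DistinguishedName
$OuName    = 'Customer'                                 # the /Customer OU in the design
$GroupName = 'Customer_VDI_Administrators'
$GpoBackup = 'C:\VDI\GPOBackups'                        # assumed: settings exported by the implementation team
$Gpos      = @(                                         # assumed names; one half of each GPO is disabled
    @{ Name = 'VDI-Infrastructure-Computers'; Status = 'UserSettingsDisabled' },
    @{ Name = 'VDI-Desktops-Computers';       Status = 'UserSettingsDisabled' },
    @{ Name = 'VDI-Desktops-Users';           Status = 'ComputerSettingsDisabled' }
)

function Ensure-OU([string]$Name, [string]$Path) {
    $ou = Get-ADOrganizationalUnit -Filter "Name -eq '$Name'" -SearchBase $Path -SearchScope OneLevel
    if (-not $ou) {
        $ou = New-ADOrganizationalUnit -Name $Name -Path $Path -ProtectedFromAccidentalDeletion $true -PassThru
    }
    return $ou
}

# 1. Dedicated OU and the Service Accounts sub-OU: the isolation boundary for the VDI deployment.
$ou    = Ensure-OU -Name $OuName -Path $DomainDN
$svcOu = Ensure-OU -Name 'Service Accounts' -Path $ou.DistinguishedName

# 2. Domain local group for the VDI administrators. Membership is added later by the AD SME,
#    one named account per administrator; the group itself carries the delegated rights.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope DomainLocal -GroupCategory Security `
        -Path $ou.DistinguishedName -Description 'VDI administrators only (named accounts)'
}
$groupSid = (Get-ADGroup -Identity $GroupName).SID

# 3. Full Control on the OU and everything beneath it (sub-OUs, service accounts, GPO links),
#    granted to the group rather than to individuals. This does not grant GPO creation, which
#    is a domain-level right held by Group Policy Creator Owners and Domain/Enterprise Admins.
$adPath = "AD:\$($ou.DistinguishedName)"
$acl    = Get-Acl -Path $adPath
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $groupSid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)))
Set-Acl -Path $adPath -AclObject $acl

# 4. Block Inheritance so Customer GPOs above the OU do not reach the VDI servers and desktops.
#    Enforced GPOs linked higher up still apply; list them for the AD SME to review.
Set-GPInheritance -Target $ou.DistinguishedName -IsBlocked Yes | Out-Null
(Get-GPInheritance -Target $ou.DistinguishedName).InheritedGpoLinks |
    Where-Object { $_.Enforced -and $_.Target -ne $ou.DistinguishedName } |
    ForEach-Object { Write-Warning "Enforced GPO still applies to the OU: $($_.DisplayName)" }

# 5. Blank GPOs with the unused half disabled, linked to the OU; settings imported from backups.
foreach ($g in $Gpos) {
    $gpo = Get-GPO -Name $g.Name -ErrorAction SilentlyContinue
    if (-not $gpo) { $gpo = New-GPO -Name $g.Name -Comment 'VDI policy; created blank, settings imported' }
    $gpo.GpoStatus = $g.Status
    $linked = (Get-GPInheritance -Target $ou.DistinguishedName).GpoLinks |
        Where-Object { $_.DisplayName -eq $g.Name }
    if (-not $linked) { New-GPLink -Name $g.Name -Target $ou.DistinguishedName -LinkEnabled Yes | Out-Null }
    if (Test-Path $GpoBackup) {
        # $GpoBackup is the folder given to Backup-GPO; the backup is matched by the GPO's name.
        Import-GPO -BackupGpoName $g.Name -Path $GpoBackup -TargetName $g.Name -ErrorAction SilentlyContinue | Out-Null
    }
}
```

Every step is idempotent, so the script can be re-run after a partial failure; the only output on a clean run is the list of enforced GPOs that still reach the OU despite Block Inheritance.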
Multiple Forest Authentication Two-Way Trust – The Customer design supports users
authenticating from guest domains in separate forests. This requires a two-way forest trust
between the VDI hosting forest and each guest Active Directory forest; without it, clients in a
domain outside the hosting forest cannot access resources in the VDI hosting domain.
Two-way trust between each guest domain and the VDI host domain – In addition to the forest
trust, the design calls for a two-way trust between the user domain in each guest forest and the
VDI hosting domain; this is required for authentication to the virtual desktops. A forest trust is
transitive across every domain in both forests, so the Customer AD SME should confirm whether
the separate per-domain trust is needed in the Customer's topology; where it is created it is an
external (non-transitive) trust and should keep SID filtering enabled.
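As an added check that is not part of the GuideIT design document, the following PowerShell verifies from the VDI hosting domain that each trust the design calls for exists, is two-way, is transitive at the forest level, has not had SID filtering relaxed, and passes a netdom secure-channel verification in both directions. All domain and forest names are assumptions.

```powershell
# Added trust-verification example; this is not code from the GuideIT design document.
# Run from a DC or RSAT host in the VDI hosting domain. All domain and forest names are assumptions.
Import-Module ActiveDirectory

$HostDomain      = 'vdi.customer.example'                    # assumed VDI hosting domain (forest root)
$GuestForests    = @('guest-a.example', 'guest-b.example')   # assumed guest forest root domains
$GuestDomains    = @('users.guest-a.example')                # assumed guest user domains with their own two-way trust
$TreatAsExternal = 0x40                                      # TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL bit of trustAttributes

$trusts   = Get-ADTrust -Filter * -Server $HostDomain -Properties trustAttributes
$findings = @()

foreach ($forest in $GuestForests) {
    $t = $trusts | Where-Object { $_.Target -eq $forest }
    if (-not $t) { $findings += "No trust object for forest $forest"; continue }
    if (-not $t.ForestTransitive)         { $findings += "Trust to $forest is not a forest (transitive) trust" }
    if ($t.Direction -ne 'BiDirectional') { $findings += "Trust to $forest is $($t.Direction); the design requires two-way" }
    # netdom trust /EnableSIDHistory:Yes sets TREAT_AS_EXTERNAL, which relaxes SID filtering on a
    # forest trust to the external-trust level; SID history from a guest forest is not needed here.
    if ($t.trustAttributes -band $TreatAsExternal) { $findings += "Trust to $forest has SID history enabled; review" }
}

foreach ($domain in $GuestDomains) {
    $t = $trusts | Where-Object { $_.Target -eq $domain }
    if (-not $t) { $findings += "No trust object for domain $domain"; continue }
    if ($t.Direction -ne 'BiDirectional') { $findings += "Trust to $domain is $($t.Direction); the design requires two-way" }
    # External (domain-to-domain) trusts rely on the quarantine flag for SID filtering; keep it on.
    if (-not $t.SIDFilteringQuarantined) { $findings += "SID filtering (quarantine) is off on the external trust to $domain" }
}

# Verify the trust secrets in both directions; this also exercises name resolution and RPC to the partner.
foreach ($name in ($GuestForests + $GuestDomains)) {
    $out = & netdom trust $HostDomain /Domain:$name /Verify /TwoWay 2>&1
    if ($LASTEXITCODE -ne 0) { $findings += "netdom verify failed for ${name}: $($out -join ' ')" }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output "Trust verification: all trusts present, two-way and verified" }
```

Run it after the AD SME creates the trusts and again before go-live; a failed netdom verification usually points at DNS conditional forwarding or firewall rules between the forests rather than at the trust object itself.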
IT Security Fulfillment – This process is owned by the Customer, and each Customer's IT
fulfillment process is unique. However, it is recommended that the chosen solution allow tracking
or auditing of who was added to which virtual desktop group; that fulfillment be handled by a
dedicated team, for separation of duties; that, prior to go-live, this team receives training with
a list of the Active Directory groups and the desktops each one corresponds to; and that everyone
in the organization uses this same process, so that access to the desktops cannot be granted any
other way. These are a few examples, provided as a courtesy, and are out of scope relative to this
documentation.
IT Fulfillment Training Program – In most cases, the team designated to fulfill access
requests for new applications becomes overloaded as new applications are moved to production.
Virtual desktops are no exception: access to each of several desktops is controlled by an Active
Directory group, and adding users to the wrong group or groups has a direct impact on the
architecture and might grant access to applications not required for that user. For this reason,
among others, some level of training or documentation is recommended for the IT Security team
that provides this service. Training decreases the error rate and results in faster turn-around;
the goal is a streamlined process in which requesting users obtain the correct virtual desktop in
a timely manner.

1.4 Additional Resources
Guide IT Delivery Design - Security
