1.1. General Security Considerations and Features

Oracle VDI draws on its own architecture as well as on security features of Sun Ray Software, Oracle Secure Global Desktop (SGD), Oracle VM VirtualBox, Microsoft Remote Desktop Protocol (RDP), and Java technologies such as Java Management Extensions (JMX). It offers users the ability to access the same virtual desktop from a wide range of devices, located virtually anywhere. At the same time, Oracle VDI enables data, storage, and applications to be moved from individual desktops to data centers, which are easier and less costly to manage and easier to secure.

Access Control

Oracle VDI uses role-based access control to restrict system access according to the least privilege principle.

When Oracle VDI is configured, a user with a local user account is specified as a Primary Administrator. This user can assign administrator privileges to other users according to their roles as administrators, operators, and monitors for specific levels of administrative functionality, such as managing pools of virtual machines or configuring companies.

Users are typically assigned virtual desktops from pools of virtual machines configured to serve particular job functions. Ordinary users are not usually assigned administrative roles, although they may administer their own virtual desktops under some circumstances (see About Oracle VDI Role-Based Administration in the Oracle Virtual Desktop Infrastructure Administrator's Guide). For access to client functionality, these users are authenticated against a corporate User Directory, which is also the source of authentication for the desktop host.

Client authentication can be disabled to allow for special requirements (see How to Disable Client Authentication in the Sun Ray Software Administration Guide).

Common Sense Practices

To further strengthen an Oracle VDI implementation, administrators may want to separate administrative functions from user traffic by keeping them on separate networks. In some cases, it is advantageous to use additional, separate networks for virtualization and for storage traffic as well. Network configuration is discussed in:

Security in general can also be enhanced by common-sense practices, such as:

For instance, a recent NASA study revealed serious deficiencies in at least six servers that had been considered secure. Site administrators and security officials may not find this surprising, but it should serve as a reminder that even the best security policy is meaningless without enforcement.

A Word About Viruses

Traditionally, Windows PCs have been widely targeted by viruses, malware, and various types of attacks. Other operating systems and form factors are also becoming increasingly subject to unwanted attention. Virtual PC desktops are subject to the same vulnerabilities as physical PCs, and they require similar precautions, with a few key differences. For instance, scheduled virus scans of individual virtual desktops may slow down performance, so it is preferable to perform virus scanning on storage instead. It is always a good idea to perform routine virus checking of desktop pools as well, to keep possible infections from spreading. Also, viruses can be introduced, intentionally or not, via USB devices, so administrators should give careful consideration to the advantages and disadvantages of allowing USB device access.

The following references may also be useful: