How to enforce Separation of Duties in a Windows Server environment

Some regulations require organisations to enforce separation of duties. In a Windows server environment this is very hard to achieve. When doing maintenance on a Windows server and logging on to the server, you automatically have access to all applications and resources. There is no way of giving different user groups access to individual application sets. If you have to do maintenance on a domain controller it is even worse. You now have been given the keys to the kingdom.

Here´s an excerpt from Wikipedias definition of Separation of Duties:

In information systems, segregation of duties helps reduce the potential damage from the actions of one person. IS or end-user department should be organized in a way to achieve adequate separation of duties. According to ISACA's Segregation of Duties Control matrix ^[3], some duties should not be combined into one position. This matrix is not an industry standard, just a general guideline suggesting which positions should be separated and which require compensating controls when combined.

Separation of duties should prevent any individual to have access to a single complete system.

With RES Dynamic Desktop Studio, life will become a lot easier. You can make sure users only can access applications tied to their duties, and when they have to perform these duties, an approval process need to take place.

In this demo I show how this could work.

Please visit RES Software for more information about RES Dynamic Desktop Studio.

/Patrik

RES Virtual Desktop Extender (VDX) Demo

I have produced a short video demonstrating the capabilities of RES Virtual Desktop Extender. RES Virtual Desktop Extender technology let users seamlessly access local applications from their virtual desktop or terminal server start menu. In the video I demo the difference looking at a HD video on your virtual desktop with and without VDX.

Another reason for using this technology, apart from resource intensive applications, is applications that needs access to local hardware. How do you burn a DVD from your virtual desktop?

For more information about this technology, please visit RES Software.

/Patrik

How do you secure a virtual desktop environment?

Securing central environments like Terminal Server (with or without Citrix) has always been a challenge due to the fact that many people are accessing the same computer. Worst case you have to have multiple Terminal Server farms to adapt to different security needs. This requires complex configuration and management.  The challenge is the same when it comes to VDI.

A successful and cost effective VDI implementation requires as few images as possible running in stateless/non-persistent mode. Traditional desktop management tools is not enough.  Traditional security based around the device will also fall short. Since the user's desktop now runs in the data center, knowing the physical location of the user is critical.

This also brings us to another question; how do you troubleshoot an environment where desktops reverts back to the previous state when the user's log off? More about this in my next blog article.

What you need is dynamic context aware computing. Settings, configuration and security based around the user's context will ease the adoption and management of virtual desktop infrastructures.

In this movie I demo context aware security to comply to some security regulations where applications only are allowed to run at specific physical locations. By having a context aware and dynamic VDI environment, changes in the user's context (in this case the location) will automatically update the workspace and make sure security regulations are followed.

Please watch my previous video about User Workspace Management to get more details about the concept of context aware computing.

/Patrik