BVA gets many inquiries about how organizations should back up local desktops. Of course, as technical professionals, BVA recommends keeping no important data on the desktop. Nevertheless, it is a subject that is always voiced and requested by management. Having the ability to build and push an image to a user desktop is a great and easy way to ensure user satisfaction and lower administration time. That being said, this is becoming a common issue when moving email into the cloud, such as Exchange Online with BPOS/Office365. There is currently no way of backing up the mail store, which is painful. The way around that is to back up the local OST file, which can be backed up to local disk from the desktop. Of course, for restoration purposes you really need to convert the OST to a PST, which typically takes another migration tool that is not free and needs to be purchased per mailbox. A great way around that is to simply image the desktop and keep that image locally on slower or cheap disk. From our perspective, that covers you on many levels and keeps many copies of the data on different sets of hardware, something to consider.
The popular software we are using right now is as follows:
- Acronis® Backup & Recovery™ 11 Advanced Workstation – Use the console to manage machines locally or remotely; includes Acronis Management Server for a single point of centralized management; group machines into static or dynamic groups; automatically include multiple machines or groups of them in a backup task; monitor backup and recovery activities on all machines from a single place; build customizable reports.
- Symantec Backup Exec 2010 Desktop and Laptop Option – With the majority of business-critical information residing outside the data center or off corporate servers, protection for desktops and laptops is a must. The enhanced Desktop and Laptop Option delivers continuous data protection to desktops and laptops whether in the office or on the road. Not only improving data protection and efficiency, this option enables users to restore their own files and maintains synchronization between multiple desktops and laptops so the most up-to-date file versions are available on all of a user’s computers. Because the Desktop and Laptop Option does not require a dedicated stand-alone server as competing products do, it easily integrates into existing IT infrastructure and policies, helping lower the total cost of ownership. The new push-install functionality from within Backup Exec centralizes deployment. Backup Exec 2010 includes support for Windows 7, Windows Vista, Windows XP 64-bit OS, as well as delta file transfer, reducing the total amount of data being backed up. With this release, this option is integrated with Backup Exec Retrieve (available with the Backup Exec Continuous Protection Server) for even greater simplified file recovery.
Microsoft on Tuesday released 17 updates that fix 40 separate vulnerabilities, several of which are being exploited. Only two of the updates fix vulnerabilities rated critical. The two critical updates include MS10-090, which fixes seven bugs in Internet Explorer. Every supported version of IE on every supported platform is affected by at least one critical vulnerability, and client versions have at least three. Six of the seven are memory corruption vulnerabilities and the seventh is a cross-domain information disclosure that is being exploited in the wild. At least six of these were reported by professional researchers. The second critical vulnerability is MS10-091, which includes three bugs in the OpenType font driver that could allow for remote code execution. All versions of Windows are affected, although on Windows XP and Server 2003 only a privilege elevation is possible. Fourteen of the remaining 15 vulnerabilities fixed today have a maximum rating of important:
* MS10-092: A local user can elevate privileges by exploiting a bug in the Task Scheduler.
* MS10-093: This is one of the Insecure DLL loading vulnerabilities, affecting Windows Movie Maker on Vista. The user would have to load an untrusted file from a network share or WebDAV site.
* MS10-094: Another Insecure DLL loading vulnerability, this one is in Windows Media Encoder. The user would have to load a WME profile (.prx) file from an untrusted network share.
* MS10-095: An Insecure DLL loading vulnerability in Windows Live Mail and Live Writer.
* MS10-096: An Insecure DLL loading vulnerability in the Windows Address Book.
* MS10-097: An Insecure DLL loading vulnerability in the Windows Internet Connection Signup Wizard in XP and Server 2003.
* MS10-098: Six separate vulnerabilities in Windows related to Kernel Mode Drivers, one publicly-disclosed, could allow a user who is logged in locally to elevate privilege.
* MS10-099: The NDProxy component of Routing and Remote Access in Windows XP and Server 2003 is vulnerable to an elevation of privilege.
* MS10-100: An error in the way the Consent User Interface in Windows Vista, Windows 7, and Windows Server 2008 processes certain registry data could lead to privilege elevation.
* MS10-101: A null dereference in netlogon in Windows Server could lead to a denial of service.
* MS10-102: An authenticated user in a guest VM could send a packet that would cause a denial of service in Hyper-V.
* MS10-103: Five vulnerabilities in all versions of Microsoft Publisher could lead to remote code execution.
* MS10-104: A user can trigger remote code execution on SharePoint Server 2007 with a special SOAP request. The affected services, Document Conversions Load Balancer Service and Document Conversions Launcher Service, are not enabled by default, and the user context of the attacker would be guest with access only to the temp directory.
* MS10-105: Seven vulnerabilities in the graphics import filters in Office XP, Office 2003, the Office Converter Pack and Works 9 could allow remote code execution. In a strange move, Microsoft is recommending that Office 2007 and 2010 users apply the patch as well, even though it says those versions are not vulnerable.
* The final update, MS10-106, fixes a single vulnerability rated moderate. Authenticated users could trigger a denial of service in Exchange 2007 Server. The server would have to be manually restarted.
In the past 6 months BVA has seen a tremendous push towards Virtual Desktop Infrastructure (VDI), which is unique in my eyes, mostly because we have come full circle. About 10 years ago there was a tremendous push toward thin clients and dumb terminals, which had a lot of success back then. After a few years of this, organizations decided to move back to heavy client models, mostly because workstations came down in cost. Regardless of how we got to this point, VDI is back and more popular than ever. BVA has deployed over four VDI solutions in the past three months with minimal hurdles, and we are getting great reviews from clients on the user experience.
Let's talk about what VDI is and is not. Basically, virtualization technology can provide virtual desktops to your users, which, over time, will save you on hardware cost as well as administration. All of us are familiar with the concept of virtual platforms/servers and using this technology to virtualize server applications (like SQL Server, print servers, or other dedicated servers). VDI takes this a step further.
Here are the steps to using VDI:
- Create a virtual machine
- Install a VDI Connection Broker – this Connection Broker is what determines which Remote Desktop Host a user is assigned or should be connected to. Here are some of the connection brokers available today:
  - ChipPC Virtual Desktop Center
  - Citrix Desktop Broker for Presentation Server
  - Dunes Virtual Desktop Orchestrator (VD-O) and Virtual Service Orchestrator (VS-O)
  - LeoStream Virtual Desktop Connection Broker
  - Propero workSpace
  - Provision Networks Virtual Access Suite (VAS)
- Install a desktop operating system on that VM, such as Windows XP or Windows Vista
- Install desktop applications on the VM
- Allow remote access to that virtual desktop system over the network using any number of possible remote control options
VDI is basically thin-client computing (such as Citrix/Terminal Services). With VDI, you are taking the processing off of the end user’s device and bringing it onto a server. The difference is that with VDI, unlike thin-client computing, the virtual desktop is dedicated to a single end user or mapped to provide the desktop OS & applications to a single client viewing device. Many packaged VDI solutions, of course, use VMware or Microsoft’s virtual platforms as the underlying virtualization product.
Why should an organization use VDI?
- Security – Desktops are more secure
- Rollback – Can use VMware’s snapshot and revert technology on desktop machines
- Centralized Apps – Application upgrades are easier because systems are all in a centralized location
- Speed Deployment – You can quickly clone existing machines and roll out new systems because machines are all in a single central repository
- Provide a full desktop PC – You are providing full access to a virtual machine and each virtual desktop is mapped to a single user or a single client device.
- Reliability – If you could quickly restore any PC OS to a usable state, free from viruses or corruption, how reliable could your desktop systems be?
Here are some key points about the solution for your reference:
- You could use older or existing PCs, but that doesn’t provide you all the benefits you could get from VDI. You could also use thin-client devices running RDP. Ideally, you might consider something like the new Wyse Thin OS-VDI, made just for thin clients that will be connected to VDI servers. More information can be found at: http://www.wyse.com/about/news/pr/2006/0802_VMwareVDI.asp and http://www.wyse.com/products/software/os
- With regard to the remote control application, you can choose from RDP, VNC, or others
- For legacy hardware you can use RDP, for example, which supports USB devices on the client, and if you could put a parallel or serial device on the server, you could also access it from the client.
- You will have to do your own cost comparison, keeping in mind the soft numbers related to the increased security and management functionality. There are several case studies that outline a 5-year ROI and show where you come out in the cost comparison.