Calling the recent Windows PrintNightmare security vulnerability “bad” is a serious contender for understatement of the year.
Every single device running Microsoft Windows – from laptops, desktops, and servers – was revealed to have a gaping security hole, one that hackers have been able to climb through for God knows how long and then poke around to their heart’s content.
The reach of this vulnerability is truly astounding. Consider the fact that there are currently 1.3 billion devices running Windows 10, not to mention hundreds of millions of other devices running on earlier versions of Windows that are also impacted by PrintNightmare.
Taken together, we’re talking about well in excess of 2 billion devices worldwide running some form of Windows, and 100% of these Microsoft machines were affected by the vulnerability. Every--Single--One of them
The really scary thing is, we’ll never know how damaging this security flaw actually was. There’s no way to quantify what information might have been accessed or viewed by hackers during the lengthy window – ahem – when they had a free pass to leverage the vulnerabilities in the Windows Print Spooler service to create user accounts with administrative privileges and then go rummaging around for sensitive data.
Releasing a security patch, as Microsoft has recently done, helps plug these holes, but unfortunately, people don’t always implement security patches as soon as they’re available.
Busy individuals might see a notification that a patch is available for installation and mutter “Yeah, yeah – I’ll get to that tomorrow” and then keep pushing it off, repeatedly. Or, they might be afraid that the patch will “break” something on their computer, and they’re staring down too many deadlines right now to let that happen, so they don’t want to chance it. To complicate the update process further most machines require multiple patches and multiple reboots to effectively suppress the vulnerability. These added steps increase the likelihood of a failed patch.
The result? Security holes remain unpatched for longer than they should, and the bad guys have more time and more opportunity to leverage the flaw.
It doesn’t have to be this way. Virtual desktops can mitigate much of the threat around a vulnerability like PrintNightmare. But only if done right!
Virtual desktops deliver a desktop environment to end users from a centrally managed server or private cloud. End users have access to the same workspace from any device over any internet connection, which is great for mobility and productivity. But the real advantage is on the IT side. Services like the Digital Bunker deliver virtual desktops in a fully managed environment.
Because virtual desktops are centrally managed, an organization can respond to a five-alarm fire like PrintNightmare very quickly by rolling out a security patch to all of their virtual desktops and servers as soon as it’s available, without any action needed on the part of end users. This is a big advantage over conventional devices that are managed and updated on an individual basis. Virtual Desktops allow the patches to be rolled out in the middle of the night even if the user powers off their machine.
Remember our busy worker, plugging away at their computer and saying, “I’ll install that patch tomorrow” and never getting around to it? Virtual desktops mean we don’t have to worry about that scenario anymore. The patch has already been installed, without their involvement, and probably without them even realizing it.
Even better, the central management of virtual desktops means the ability to quickly reduce or even completely neutralize specific vulnerabilities. For instance, PrintNightmare exploits the inner workings of the Windows print service. The IT team can turn off printing services for all of their virtual desktops in one fell swoop, disabling that functionality until a patch is available to be deployed.
Sure, people might not be able to print things for a day or two. But it’ll otherwise be business as usual, and people will be able to continue getting work done, all while fully shielded from PrintNightmare. Again, this type of rapid response just isn’t feasible if users have to individually remember to toggle off print services on their devices.
The central management that virtual desktops allow for also means that the organization can quickly deploy additional perimeter defenses, including a hardened firewall that ensures the virtual desktop can only be accessed from certain locations or certain IP addresses, to help make sure some unauthorized user isn’t sticking their foot in the door.
While the advantages of virtual desktops are many, not all virtual desktop offerings are the same. You can’t just purchase an à la carte “virtual desktop” and then crack open a cold beverage to celebrate the fact that all your problems have been solved.
A virtual desktop on its own is just a starting point. The offering needs to solve for mobility and security. It needs to provide backups. It needs to ensure users are coming in to access the services in a compliant manner, and it needs to provide visibility into what exactly those users are doing when they’re accessing the services.
If it’s not taking a holistic approach and solving for all those problems, a virtual desktop might actually be creating more problems than a conventional desktop by creating a false sense of security. But properly implemented and packaged with all the right supporting technologies, virtual desktops deliver a powerful advantage – particularly in the face of a nasty piece of work like PrintNightmare.(Maybe for another story: Like any tool if not properly implemented it can cause more harm than good. Think about your father in law when he whips out the chainsaw to trim the tree?)
Not nearly enough organizations have implemented virtual desktops because, frankly, it takes a certain level of expertise to do it properly. But if more organizations get on board, then maybe we can all breathe a little easier the next time a massive security vulnerability like PrintNightmare is brought to light. Because security wise, we’ll have a lot less to be scared about.