In the wake of the health crisis of 2020, many companies have made remote working the norm. However, these new ways of working raise the question of access to corporate applications and the security of exchanges. In this article, we look at the extent to which desktop and application virtualization services address these issues, and more specifically at the security challenges covered by Amazon AppStream 2.0.

To meet the need for remote working, the simplest solution is to install applications on users’ workstations. This is also the least secure solution, as data will be written to the workstation when accessing database servers, for example. If the workstation is lost or stolen, company data is lost.

Data protection

To prevent the risk of data leakage in remote environments, Amazon AppStream 2.0 enables the application to be displayed remotely to the client workstation. The application runs on the AWS Cloud, as does the database, and no data is sent to the user’s workstation, since the application’s display is remote: the user only sees pixels.

In addition, to ensure that no data is sent to the client workstation, a number of complementary strategies need to be configured: for example, AppStream can be used to block file transfer (from Appstream to the workstation or vice versa), or to prevent printing.

On the other hand, the user’s personal folder, i.e. his settings and preferences, are persistent. Working documents are stored on S3, where the data can also be encrypted.

Network isolation

AppStream also offers the advantage of network isolation, with one dedicated instance per user. The instance runs with an ENI (Elastic Network Interface), in the subnet of a chosen VPC.

By configuring security groups, this machine is separated from other users and servers, unlike other remote display solutions such as Citrix/Microsoft RDS/etc, where several users can be on the same server. At the end of the user session, the machine is automatically destroyed.

Authentication

AppStream relies on SAML authentication with MFA (this option is not mandatory, but can be chosen to enhance security), and also supports Smart Card authentication at AD level, with a smartcard reader on the client workstation. This type of card authentication enables AppStream to provide end-to-end SSO.

Encryption

How is the display transported? It’s an HTTPS tunnel encrypted with SSL (AES256), in both directions. So there’s no security risk here.

Other security issues

The choice of a remote-working solution raises the same security issues as the management of a workstation: the provision of a Windows machine must be accompanied by a certain number of security measures, such as anti-virus software.

If the workstation is connected to an Active Directory, group policies should be set up to restrict access. It may also be advisable to include DLP (data leak prevention) tools, and more generally all the tools you might want to install on a Windows machine to reinforce security. Some companies choose to use Powershell scripts to disable certain Windows functions, activate certain logs and so on. Tools such as FSlogix, Sysmon, etc., can be used to add layers depending on the level of security required by the company. Finally, endpoint detection response (EDR) products can be installed in the AppStream image.

We also recommend following good security practices on AWS, in the management of VPCs, subnets, security groups, network ACLs and so on. It is also possible to use other AWS services to provide an additional layer of security, such as KMS keys to encrypt content on S3, or Kinesis to send Windows event logs or log content.

This, of course, depends on the level of security required in the working environment, and the particular context of each project. For example, in the case of an Active Directory deployment, it is preferable to secure network flows by authorizing the bare minimum, to prevent an attacker from doing lateral movement over the network from an Appstream machine. Zero day vulnerabilities can be used to increase privileges, which is why tools are needed to detect this type of attack.

Finally, we’d like to mention some best practices in Windows administration, such as not storing administrator passwords in scripts or other configuration files. The Appstream Builder image automation method developed by Laurent Mas and myself, for example, uses an Active Directory dedicated to building the image, and uncoupled from the target AD.