One of the major advantages of virtualizing the desktop is security. Organizations are better able to keep data internal as opposed to letting it sit on endpoint devices located anywhere in the world. But security doesn’t stop there. I recently observed an interesting situation that we all need to be aware of in order to avoid it. Imagine this scenario…
A user walks away and doesn’t lock their endpoint. After 10 minutes their virtual desktop is locked automatically. However, around the 20-minute mark, I walk by, see an unlocked endpoint and start looking around. No data on the endpoint. But I see the user left their browser open and one of the tabs is connected to Web Interface. And luckier still, the user is still logged into Web Interface. If I select the virtual desktop, I now reconnect to the user’s already active virtual desktop and have complete access to their data.
The goal for most organizations is to prevent unauthorized users from gaining access to a user’s virtual desktop. Many put a timer on inactive desktops so users are required to re-enter their credentials, thus helping to prevent others from gaining access. This works fairly well, but only if you carry the timeout further, outside of the virtual desktop.
Many users initiate their connection via Web Interface. Web Interface has its own timeout setting. If you set the Web Interface timeout to 30 minutes and your virtual desktop timer to 10 minutes, the desktop timer really isn’t doing anything: for the remaining 20 minutes, anyone at the endpoint can reconnect to the desktop from the still-authenticated Web Interface session.
I hope you can see the trouble this might create. This one is pretty easy to avoid: simply modify the Web Interface session timeout setting contained within the Session Settings configuration for the site (and if you can, enable endpoint lockouts as well).
Daniel – Lead Architect
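
To see whether this gap is being hit in practice, the added example below (not code from the original post) correlates login and desktop events and flags any desktop launch that follows an idle lock with no new Web Interface login in between. The event names and log format are constructed for illustration and are not a real Citrix log format; map them from whatever your own logging provides.

```python
from datetime import datetime

# Constructed sample events in a hypothetical normalized format:
# "<ISO timestamp> <user> <event>". Not a real Citrix log format.
SAMPLE_EVENTS = """\
2024-01-10T09:00:00 alice WI_LOGIN
2024-01-10T09:01:00 alice DESKTOP_LAUNCH
2024-01-10T09:15:00 alice DESKTOP_IDLE_LOCK
2024-01-10T09:22:00 alice DESKTOP_LAUNCH
2024-01-10T09:00:00 bob WI_LOGIN
2024-01-10T09:02:00 bob DESKTOP_LAUNCH
2024-01-10T09:20:00 bob DESKTOP_IDLE_LOCK
2024-01-10T09:45:00 bob WI_LOGIN
2024-01-10T09:46:00 bob DESKTOP_LAUNCH
"""

def parse(log_text):
    """Yield (timestamp, user, event) tuples, skipping blank lines."""
    for line in log_text.splitlines():
        if line.strip():
            ts, user, event = line.split()
            yield datetime.fromisoformat(ts), user, event

def find_stale_reconnects(log_text):
    """Return launches that reopened an idle-locked desktop without a
    fresh Web Interface login since the lock."""
    last_auth, locked_at, findings = {}, {}, []
    for ts, user, event in sorted(parse(log_text)):
        if event == "WI_LOGIN":
            last_auth[user] = ts
        elif event == "DESKTOP_IDLE_LOCK":
            locked_at[user] = ts
        elif event == "DESKTOP_LAUNCH":
            lock = locked_at.pop(user, None)  # a launch clears the lock state
            auth = last_auth.get(user)
            # Flag only if the newest login predates the idle lock.
            if lock is not None and (auth is None or auth < lock):
                minutes = int((ts - lock).total_seconds() // 60)
                findings.append((user, ts.isoformat(), minutes))
    return findings

if __name__ == "__main__":
    for user, when, minutes in find_stale_reconnects(SAMPLE_EVENTS):
        print(f"{user}: desktop reopened at {when}, "
              f"{minutes} min after idle lock, no new login")
```

Once the Web Interface session timeout is no longer than the desktop timer, every launch after an idle lock should be preceded by a new login, so this check should return nothing.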