Securing Secure Desktops
Follow security best practices to secure Oracle Cloud Infrastructure Secure Desktops.
Security Responsibilities
To use Secure Desktops securely, learn about your security and compliance responsibilities.
In general, Oracle provides security of cloud infrastructure and operations, such as cloud operator access controls and infrastructure security patching. You are responsible for securely configuring your cloud resources. Security in the cloud is a shared responsibility between you and Oracle.
Oracle is responsible for the following security requirements:
- Physical Security: Oracle is responsible for protecting the global infrastructure that runs all services offered in Oracle Cloud Infrastructure. This infrastructure consists of the hardware, software, networking, and facilities that run Oracle Cloud Infrastructure services.
Your security responsibilities are described on this page and include the following areas:
- Desktop maintenance: You are responsible for maintaining the desktops, including the contents of the image (firewalls, anti-virus, applications, and so on), the networking that desktops use (to access corporate networks, the internet, and so on), access policies and compartments, storage, as well as patching images and desktops.
- Access Control: You are responsible for giving users only the access necessary to perform their work.
- Encryption and Confidentiality: You are responsible for the use of encryption keys and secrets to protect your data and connect to secured resources. Rotate these keys regularly.
- Patching: You are responsible for keeping software up to date with the latest security patches to prevent vulnerabilities.
Initial Security Tasks
Use the following checklist to identify the tasks you must perform to secure the Secure Desktops service in a new Oracle Cloud Infrastructure tenancy.
- Use IAM policies to grant access to resources. See IAM Policies.
- Configure the Virtual Cloud Network (VCN). See Network Security.
- Configure compartments and groups to control access to desktops. See Access Control.
Routine Security Tasks
After getting started with Secure Desktops, use the following checklist to identify security tasks that we recommend you perform regularly.
- Maintain the desktop. See Desktop Maintenance.
- Apply the latest security patches. See Patching.
- Determine user access to their virtual desktop. See Access Control.
- Set a backup policy for each desktop pool. See Data Durability.
Desktop Maintenance
You are responsible for maintaining the desktops, including:
- Desktop image - You are responsible for the contents of the desktop image. You should install firewalls, anti-virus software, and other security applications as needed. Only install trusted and necessary applications. Update the image regularly with operating system and software updates. See Patching.
- Networking - You are responsible for limiting network access to corporate networks and the internet as required by your organization's best practices. This includes securing subnets that the desktops reside on. See Network Security.
- Access - You are responsible for limiting access to the desktops by setting up policies and configuring compartments and groups. See IAM Policies and Access Control.
IAM Policies
Use policies to limit access to Secure Desktops.
A policy specifies who can access Oracle Cloud Infrastructure resources and how. For more information, see How Policies Work.
Assign a group the least privileges that are required to perform their responsibilities. Each policy has a verb that describes what actions the group is allowed to do. From the least amount of access to the most, the available verbs are: inspect, read, use, and manage.
For Secure Desktops, you must define policies for the desktop administrators and desktop users. Always apply the minimal access policies necessary for the type of user. Desktop users should be limited to 'use published-desktops', while desktop administrators should have access to 'manage desktops' and 'manage desktop-pools'. For more information and to view examples, see Policy Details for Secure Desktops.
Network Security
Configure the Virtual Cloud Network (VCN) to provide secure access to the Secure Desktops service.
VCN Configuration
When setting up the tenancy for Secure Desktops, configure the VCN to allow desktops to access public and corporate networks as required by your organization’s best practices. For more information, see Networking Overview.
Patching
Ensure that your Secure Desktops resources are running the latest security updates.
Keep desktop instances up to date by periodically applying the latest available security patches and software updates. The Secure Desktops service has no visibility of the content of the desktop and therefore cannot ensure it is configured securely or has the required updates. You are responsible for maintaining security features in the deployed custom images. This includes, but is not limited to, anti-virus software, security updates for OS and applications, and network configuration.
Oracle Linux Desktops
If possible, use OS Management to maintain and monitor updates for the desktops. See Managing Linux Packages.
Windows Desktops
If possible, use OS Management or a Windows patch management solution to maintain and monitor updates for the desktops. See Managing Windows Updates.
Access Control
In addition to creating IAM policies, follow these best practices for securing access to the virtual desktops.
Configure compartments and groups to limit access to desktop pools
When creating a desktop pool, consider who will have access to the virtual desktops within the pool. Desktop users can access a desktop in every pool in the compartment their group can access. To limit a user's access to specific pools, you must create both separate groups and separate compartments.
For more information, see Understanding Desktop User Access to a Desktop Pool.
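The following Python check is an added example, not part of Oracle's documentation. It audits policy statements against the two rules above: the desktop-user ceiling from IAM Policies and the separate-group, separate-compartment rule described here. It also flags tenancy-wide grants, which goes slightly beyond the text. It assumes the basic `Allow group ... to <verb> <resource-type> in compartment ...` statement form; the group names, compartment names, and finding labels are hypothetical.

```python
import re

# Statement shape: Allow group <g> to <verb> <resource-type> in compartment <c> | in tenancy
STATEMENT = re.compile(
    r"^allow\s+group\s+(?P<group>\S+)\s+to\s+(?P<verb>inspect|read|use|manage)\s+"
    r"(?P<resource>[\w-]+)\s+in\s+(?P<scope>tenancy|compartment\s+\S+)\s*$",
    re.IGNORECASE,
)
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}  # least to most access
USER_CEILING = {"published-desktops": "use"}  # the most a desktop user should hold
DESKTOP_RESOURCES = {"published-desktops", "desktops", "desktop-pools"}

# Constructed sample policy; group and compartment names are hypothetical.
SAMPLE = [
    "Allow group DesktopAdmins to manage desktop-pools in compartment Finance",
    "Allow group DesktopAdmins to manage desktops in compartment Finance",
    "Allow group FinanceUsers to use published-desktops in compartment Finance",
    "Allow group Contractors to use published-desktops in compartment Finance",
    "Allow group Contractors to manage desktops in compartment Finance",
]

def audit(statements, user_groups):
    """Flag grants that exceed the desktop-user ceiling or defeat pool separation."""
    findings, reach = [], {}  # reach: scope -> user groups that can open desktops there
    for line in statements:
        m = STATEMENT.match(line.strip())
        if not m:
            findings.append(("unparsed", line))
            continue
        group, verb, resource = m["group"], m["verb"].lower(), m["resource"].lower()
        scope = " ".join(m["scope"].split())
        if group not in user_groups or resource not in DESKTOP_RESOURCES:
            continue
        ceiling = USER_CEILING.get(resource)
        if ceiling is None or VERB_RANK[verb] > VERB_RANK[ceiling]:
            findings.append(("over-privileged", line))
        if scope.lower() == "tenancy":
            findings.append(("tenancy-wide", line))
        if resource == "published-desktops":
            reach.setdefault(scope, set()).add(group)
    # Every group with access in a compartment reaches every pool in it.
    for scope, groups in sorted(reach.items()):
        if len(groups) > 1:
            findings.append(("shared-compartment", f"{scope}: {sorted(groups)}"))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE, {"FinanceUsers", "Contractors"}), sep="\n")
```

Pass the set of groups that hold desktop users as `user_groups`; administrator groups are skipped, so their `manage` grants are not reported.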
Set desktop pool parameters
When creating a desktop pool, determine which features the desktop user should have access to on the virtual desktop. Consider limiting access to the following features as necessary for security:
- Local system device access (clipboard, drives, or audio)
- Virtual desktop administrator privileges (the ability to apply updates, restart the system, and so on)
Adjust the desktop pool parameters when creating the desktop pool to meet your security needs. For more information, see Creating a Desktop Pool and Desktop Pool Parameters.
Modify desktop pool availability
Consider limiting the time desktops are available as needed for security. See Setting Availability Schedules.
Data Durability
To minimize loss of data, select a backup policy for the desktop volumes when creating a desktop pool. See Backing up Storage.
For more information on securing Block Volumes, see Securing Block Volume.