It happened again over the weekend. I was talking to someone about VDI versus Terminal Server, and they said, "Yeah, but at least with VDI, I can just give my users admin rights and not have to worry about anything."
After I recovered from the mini heart attack I had in reaction to hearing this, I thought "This has got to stop! People need to learn that letting regular users have admin rights (VDI or not) is a colossally stupid thing to do."
Or is it?
Back in the old school days of Windows computing (where each user had their own desktop), we didn't really pay too much attention as to whether we gave users admin rights. Some companies did. Some companies didn't. But when Terminal Server came on the scene in the late 1990s, we had to take admin rights away from our users, since a single user with admin rights on the server could do bad things that would negatively affect everyone.
But as some vendors started pushing VDI in the last few years, one of the "pro VDI" arguements we started to hear was that VDI was somehow "simpler" than Terminal Server because all your users can have admin rights on their VMs (since a bad user with admin rights on one VM wouldn't affect other VMs). This is something that might seem ok at first, but after giving it some thought, you realize it's a really bad idea.
My question is, how bad is it? If we let typical users run with local admin rights within their desktop VMs, what kind of bad things can they do? (For example, I think Rick Mack said something like 90% of the Windows Update security vulnerabilities wouldn't apply if a user was running as a non-admin.)
Or is it really ok to let users run as local admins?
I understand this is a complex issue. And whether users can run with admin rights in any particular environment depends on how disk images are managed and whether users need to be able to install their own software and about fifteen other things. But in general, do you think this is a good idea?
Before we get into the discussion, I want to apply my standard VDI disclaimer here: I'm not saying that VDI is bad or that it has no place today. However, if you want to use VDI just because you're lazy and you don't want to figure out real security--that is a very bad thing.