With the Department of Defense (DoD) mandate to adopt the Windows 10 Secure Host Baseline (SHB) rapidly approaching, many organizations are trying to figure out how they will comply in time.
And the mandate isn’t as simple as just updating all the desktops to Windows 10. The DISA Windows 10 STIG requires administrators to enable a motherboard’s Trusted Platform Module (TPM) in order to provide Credential Guard a more secure way of storing user credentials.
This may cause additional capital expenses within an organization if existing hardware can’t meet Credential Guard’s requirements. Citrix and its partners can help an organization meet this mandate well before the January 2017 deadline without incurring this additional capital expense.
What are Credential Guard and the TPM?
Credential Guard is a new method for protecting user credentials that leverages virtualization within Windows to isolate the credentials from the operating system. This process helps further secure credentials from malware and other software with malicious intent.
Credential Guard has hard requirements, such as UEFI firmware versions, Secure Boot support, CPU virtualization extensions, and 64-bit Windows Enterprise. Credential Guard also has a soft requirement for TPM 1.2 or 2.0, meaning a TPM is preferred but not necessary for Credential Guard to function. Full details on Credential Guard can be found here.
The Trusted Platform Module (TPM) is a hardware module installed on the computer’s motherboard, that can be used to securely store items such as keys and hashes. A hardware module provides a more secure method of storing these items than software.
Machines with TPM support typically sport the Intel vPro logo. Credential Guard can use the TPM to store user credentials in this hardware security module itself. However, the TPM is not actually a hard requirement for Credential Guard as it can store the credentials, less securely, in software. More details on the TPM can be found here.
What does this mean in terms of complying with the Windows 10 SHB?
Any physical domain-joined machine that is to run Windows 10 must meet the hard requirements for Credential Guard and must meet the soft requirement of a TPM. Why, you ask? The DISA STIG for Windows 10 requires that domain joined machines have the TPM enabled.
But why did I state that “physical” domain joined machines must have a TPM and not all domain joined machines? That same DISA STIG exempts virtual desktops that are reset when the user logs off. In the desktop virtualization industry this is commonly referred to as non-persistent virtual machines as no changes are left on the machine once rebooted.
How can Citrix help?
Citrix XenDesktop contains two types of single image management technologies, Machine Creation Services (MCS) and Provisioning Services (PVS). With both MCS and PVS, an administrator creates a single image for a group of desktops instead of maintaining each individual virtual machine. This allows the administrator to only have to patch and maintain this image, even though there may be thousands of desktops utilizing it.
Each time a machine based on the central image reboots it reverts to a known good state, exempting them from the TPM requirement. With PVS, image deployment and roll back can be as fast as rebooting the virtual desktops that utilize a central image. PVS can also drastically reduce the need for high end, expensive storage. More details on storage savings can be found here.
How can Citrix partners help?
Many of the machines at user desks today may fail to meet all of the requirements laid out for Credential Guard. Most likely, this will be failing to meet the UEFI firmware version and lack of a TPM. Some machines may be so old they do not have UEFI at all or even lack the ability to run 64-bit Windows Enterprise.
Citrix partners, such as iGel and ThinLinX, have software that can repurpose the workstation, currently running a full version of Windows, with a trimmed down version of Linux running the Citrix Receiver. The repurposed workstation now acts like a thin client, connecting to remote applications and desktop.
Now that these machines are no longer running Windows, they don’t need to comply with the Windows 10 SHB. An additional benefit is that these stripped down firmware images typically require much less patching, easing management and operational costs. These Linux-based firmware images can support Citrix HDX features such as the Skype for Business/Lync optimization pack, Cisco VXME client for Jabber, hardware decoding of the Citrix protocol, and HDX Insight monitoring. They also have management utilities to centrally configure and update the firmware over the network.
Is it really that simple?
I wish I could give a resounding “yes,” but there is an elephant in the room with us. An organization still has to build out those central images and some applications may not seamlessly work with Windows 10. Well Citrix has something for that also. Our new AppDisk feature can allow layering of applications on top of a PVS or MCS image of Windows 10 and AppDNA can easily help a customer determine the best way to migrate an application. More details can be found here and here.
What’s the bottom line?
Meeting the Secure Host Baseline for Windows 10 is an intimidating goal. The need to update hardware to meet the Credential Guard requirements can add an unexpected capital expense upon an organization, redirecting funds from other projects. With the help of Citrix and its partners, an organization can move to a virtualized environment, leveraging centrally managed images, and eliminate the need to have the workstations at user desks meet the Windows 10 SHB.
Those workstations can continue to be used with a stripped down firmware image, greatly extending the life of the hardware and allow funds set aside for the PC lifecycle refresh to be used on other projects. To find out more, reach out to your Citrix Sales Engineer.