Just in time for the holidays, it’s XenApp and XenDesktop 7.12 (it’s the “feel good” release of the year)!
Well, at least it is for me. Why, you might ask? Well besides all of the great new features in XenApp and XenDesktop—as outlined in Allen Furmanski’s latest blog post—this latest release from Citrix can now work in Microsoft Hyper-V® environments where the Secure Boot feature for Generation 2 VMs is enabled.
Secure Boot is a foundational requirement for a great catalog of additional security enhancements within Windows Server® 2016 Hyper-V. This blog post – the seventh in our “Getting Ready for Windows Server 2016” blog series – provides a quick overview of these Hyper-V features and our initial guidance on what XenApp/XenDesktop administrators and IT test teams should really start investigating for their Windows Server 2016 Hyper-V based implementations.
Why it matters:
The process of providing secure access to applications and data remains in constant motion in an effort to face threats of breach that are always evolving…it never ends.
There are risks and costs to a program of action—but they are far less than the long-range cost of comfortable inaction. – John F. Kennedy
With Windows Server 2016 Hyper-V Secure Boot enabled, Gen2 VMs are endowed with a set of platform-level security features not previously available. These features work to block various attack vectors, from authentication and run-time compute to potential VM disk manipulation by bad actors. Employing as many of these Hyper-V enabled features as is reasonable within your particular environment should be seriously considered in virtualization designs as we move forward.
Once Secure Boot has been enabled, only properly signed and certified device drivers can load within the Microsoft Windows environment during boot time. With Citrix XenApp 7.12, all drivers have now completed the required certifications to load within a Secure Boot VM.
How it works:
Secure Boot support was originally introduced in Windows® 8 and required UEFI 2.3.1 or later support in the underlying computer hardware. Support for Hyper-V Gen2 VMs, UEFI, and Secure Boot of those VMs was first introduced in Microsoft Windows Server 2012 R2 Hyper-V. None of these (Windows client, Windows Server or Gen2 VMs) require a Trusted Platform Module (TPM) to be installed in the base hardware in order for Secure Boot to be enabled.
“When Secure Boot is activated on a PC, the PC checks each piece of software, including the Option ROMs and the operating system, against databases of known-good signatures maintained in the firmware. If each piece of software is valid, the firmware runs the software and the operating system.”
With Citrix XenApp 7.12, all drivers have now met all requirements to load within a Secure Boot VM in Windows Server 2016.
Enabling Secure Boot for a Hyper-V VM is done in an individual VM’s “Settings” dialog as shown below.
Once Secure Boot has been enabled, only properly signed and certified device drivers can load within the Microsoft Windows environment during boot time. With Citrix XenApp 7.12, all of these drivers have now met those requirements and can load within these Secure Boot Windows Server 2016 VMs.
With Secure Boot enabled, additional security features can now be explored. Some of these features are…
- Virtual Trusted Platform Module (TPM) support
- Virtual Machine Encryption (state and migration traffic)
- BitLocker® Drive Encryption within the Virtual Machine
- Credential Guard
- Device Guard Improved Security
- Shielded VMs
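The Settings dialog mentioned above has a scriptable equivalent in the Hyper-V PowerShell module, which is handy when you need to confirm the firmware state of a whole catalog of Gen2 VMs rather than one at a time. The following is an added example, not code from the original post or from Citrix: it reports Secure Boot, vTPM, state/migration encryption and shielding status for every Generation 2 VM on a host, and separately enables Secure Boot on a single VM with the Windows template. The VM name in the usage comment is an assumption, and the function names are ours.

```powershell
# Added example (not from the original post): audit and, optionally, enable Secure Boot
# on Generation 2 Hyper-V VMs and report the related Windows Server 2016 security features.
# Requires the Hyper-V PowerShell module on the host; run in an elevated session.

function Get-Gen2SecurityPosture {
    [CmdletBinding()]
    param(
        [string]$ComputerName = $env:COMPUTERNAME
    )
    # Only Generation 2 VMs have UEFI firmware, so only they can have Secure Boot.
    Get-VM -ComputerName $ComputerName |
        Where-Object { $_.Generation -eq 2 } |
        ForEach-Object {
            $fw  = Get-VMFirmware -VM $_
            $sec = Get-VMSecurity -VM $_
            [pscustomobject]@{
                VMName             = $_.Name
                State              = $_.State
                SecureBoot         = $fw.SecureBoot            # On / Off
                SecureBootTemplate = $fw.SecureBootTemplate    # e.g. MicrosoftWindows
                vTPM               = $sec.TpmEnabled
                EncryptStateAndMig = $sec.EncryptStateAndVmMigrationTraffic
                Shielded           = $sec.Shielded
            }
        }
}

function Enable-Gen2SecureBoot {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$VMName,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $vm = Get-VM -Name $VMName -ComputerName $ComputerName
    if ($vm.Generation -ne 2) {
        throw "$VMName is a Generation $($vm.Generation) VM; Secure Boot requires Generation 2."
    }
    # Firmware settings can only be changed while the VM is powered off.
    if ($vm.State -ne 'Off') {
        throw "$VMName is $($vm.State); shut it down before changing firmware settings."
    }
    if ($PSCmdlet.ShouldProcess($VMName, 'Enable Secure Boot with the MicrosoftWindows template')) {
        # MicrosoftWindows is the template for Windows guests (the case for a XenApp VDA);
        # Linux guests would use MicrosoftUEFICertificateAuthority instead.
        Set-VMFirmware -VM $vm -EnableSecureBoot On -SecureBootTemplate MicrosoftWindows
    }
    # Return the resulting firmware state so the caller can verify the change.
    Get-VMFirmware -VM $vm | Select-Object VMName, SecureBoot, SecureBootTemplate
}

# Usage (the VM name is an assumed example):
# Get-Gen2SecurityPosture | Format-Table -AutoSize
# Enable-Gen2SecureBoot -VMName 'XA712-VDA01' -WhatIf
```

Once the guest has booted, `Confirm-SecureBootUEFI` run inside the VM returns `True` when the firmware actually enforced Secure Boot, which is the check to pair with a host-side report like the one above when validating a 7.12 VDA image.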
How Citrix can leverage it:
Citrix XenApp 7.12 support in Secure Boot environments represents a move to further enhanced security at the foundation of the system. With this feature enabled, IT can be more confident that only boot time sanctioned code is running while the operating system loads, and that Citrix XenApp has met the requirements for such a secure environment.
The additional security features mentioned in the previous section (vTPM, VM Encryption, BitLocker, Credential Guard, Device Guard Improved Security, and Shielded VMs) are supported only for investigations at this time (as in my explorations of the OS in this series). We are encouraging our partners, customers and prospects to evaluate these features with XenApp and XenDesktop 7.12. Please provide us with feedback through your regular support channels; however, critical support for production environments is not yet available for these additional features. Please consider them to be in a Technical Preview state as part of the 7.12 release.
How Citrix can add value beyond Secure Boot:
Citrix is well known in the industry for how we enhance secure access to enterprise applications and data. One of my most recent favorite posts on this topic is “Context-Aware Security with XenApp and XenDesktop” by my teammate Martin Zugec. He was also instrumental in the creation of a great white paper, “Getting Started with XenApp and XenDesktop Security”.
Next up in this series…
Next time, I will be introducing the base system I will be using to explore the complete Citrix and Microsoft stack throughout 2017. This new system includes much of what we have already discussed over the last few weeks, but it will include System Center Virtual Machine Manager, Operations Manager and Configuration Manager. We will also revisit some of the Office 365 integration topics as part of this system…so stay tuned.