I’m a believer in separation of administration from office work. Office work means being on the Internet and being vulnerable to the threats that are out there. Even though I’m a veteran administrator and keep my systems patched I know there are always risks. Even reputable websites are targeted to host malware. My colleague Gavin recently brought to our attention the alarming percentage of Irish websites that host malware without their owners knowing.
Being a server administrator I cannot take the risk of getting an infection on my PC and then allowing that infection to use my administrative rights to infect servers in our management system or on customer servers. And this isn’t just a hosting thing; even if I managed and internal server/PC network I’d do what I’m about to describe in this post.
I work remotely from the data centre. The way we’ve build our infrastructure means we don’t need to be there all of the time; only to do physical work. I VPN onto our management network and can work away on our systems and gain secure access via Firewall rules to hosted servers to perform engineering tasks. I could have just installed a VPN client on my laptop but I’m an administrator on my laptop. I surf the web on my laptop. I read email on my laptop. That’s the last machine I should use to admin critical servers. And the same goes for my regular user account.
So what was my solution? Desktop based virtualisation. This is where you create a software based computer that runs on your PC. It consumes a share of CPU and memory from your PC but it runs as a completely independent computer. I run Windows 7 on my laptop so there’s a few ways I could approach this.
Microsoft has a release candidate (nearly but not quite finished) build of a new version of Virtual PC for Windows 7. Vista users can user Virtual PC 2007 SP1. Both are free desktop virtualisation solutions from Microsoft. If you wanted you could create a virtual machine that runs any version of Windows. Windows 7 users will be able to download a pre-built XP SP3 virtual machine referred to as XP Mode.
Because this VM is an independent computer you can install software in it. It’s a separate security domain so you can do normal office work on your laptop and sensitive work in the VM. That’s what I do. I install the VPN client in the VM and do all of our data centre administration in there. I can be on the Internet on my laptop and “in” the data centre in the VM. Additions/integration components allow me to securely copy data between the machines and to copy/paste.
I might be a Microsoft MVP on virtualisation but I’m open and independent. I actually use a VMware solution on my laptop for this work. I created a virtual machine using VMware Workstation 6.5.3 on my Windows 7 laptop. That VM has only 512MB of RAM and is running Windows 7. I configured it to use both my wired and wifi NIC’s in the laptop. I installed the VPN client in the VM and did some other customisations. To use the VM I don’t use VMware Workstation. Instead I used the very lightweight VMware Player. By firing it up from the Start Menu jump list it launches a window for the VM. I see it restoring from the hibernated state which lasts just a few seconds. I then get my 100% independent working space where I can work away on servers without any risk of threats from the Internet.
Related posts:
