Support  |  News & Events  |  Blog  |  About  |  Help  

Category Archives: Windows 8

Cloud-Based VDI vs. DaaS - Is There a Difference?

August 29, 2014 2:24 pmLeave a Comment

With nearly all new technologies in the IT space comes confusion over terminology. Some of the confusion is simply because the technology is new, and we’re all trying to understand how it works and how – or whether – it fits the needs of our businesses. Unfortunately, some of the confusion is often caused by technology vendors who want to find a way to label their products in a way that associates them with whatever is perceived as new, cool, innovative, cutting-edge, etc. Today, we’re seeing that happen with terms like “cloud,” “DaaS,” and “VDI.”

“VDI” stands for Virtual Desktop Infrastructure. Taken literally, it’s an infrastructure that delivers virtual desktops to users. What is a virtual desktop? It is a (usually Windows) desktop computing environment where the user interface is abstracted and delivered to a remote user over a network using some kind of remote display protocol such as ICA, RDP, or PCoIP. That desktop computing environment is most often virtualized using a platform such as VMware, Hyper-V, or XenServer, but could also be a blade PC or even an ordinary desktop PC. If the virtual desktop is delivered by a service provider (such as VirtualQube) for a monthly subscription fee, it is often referred to as “Desktop as a Service,” or “DaaS.”

There are a number of ways to deliver a virtual desktop to a user:

  • Run multiple, individual instances of a desktop operating system (e.g., Windows 7 or Windows 8) on a virtualization host that’s running a hypervisor such as VMware, Hyper-V, or XenServer. Citrix XenDesktop, VMware View, and Citrix VDI-in-a-Box are all products that enable this model.
  • Run multiple, individual instances of a server operating system (e.g., 2008 R2 of 2012 R2) on a virtualization host that’s running a hypervisor such as VMware, Hyper-V, or XenServer. In such a case, a policy pack can be applied that will make the 2008 R2 desktop look like Windows 7, and the 2012 R2 desktop look like Windows 8. In a moment we’ll discuss why you might want to do that.
  • Run multiple, individual desktops on a single, shared server operating system, using Microsoft Remote Desktop Services (with or without added functionality from products such as Citrix XenApp). This “remote session host,” to use the Microsoft term, can be a virtual server or a physical server. Once again, the desktop can be made to look like a Windows 7 or Windows 8 desktop even though it’s really a server OS.
  • Use a brokering service such as XenDesktop to allow remote users to connect to blade PCs in a data center, or even to connect to their own desktop PCs when they’re out of the office.
  • Use client-side virtualization to deliver a company-managed desktop OS instance that will run inside a virtualized “sandbox” on a client PC, such as is the case with Citrix XenClient, or the Citrix Desktop Player for Macintosh. In this case, the virtual desktop can be cached on the local device’s hard disk so it can continue to be accessed after the client device is disconnected from the network.

Although any of the above approaches could lumped into the “VDI” category, the common usage that seems to be emerging is to use the term “VDI” to refer specifically to approaches that deliver an individual operating system instance (desktop or server) to each user. From a service provider perspective, we would characterize that as cloud-based VDI. So, to answer the question we posed in the title of this post, cloud-based VDI is one variant of DaaS, but not all DaaS is delivered using cloud-based VDI – and for a good reason.

Microsoft has chosen not to put its desktop operating systems on the Service Provider License Agreement (“SPLA”). That means there is no legal way for a service provider such as VirtualQube to provide a customer with a true Windows 7 or Windows 8 desktop and charge by the month for it. The only way that can be done is for the customer to purchase all the licenses that would be required for their own on-site VDI deployment (and we’ve written extensively about what licenses those are), and provide those licenses to the service provider, which must then provision dedicated hardware for that customer. That hardware cannot be used to provide any services to any other customer. (Anyone who tells you that there’s any other way to do this is either not telling you the truth, or is violating the Microsoft SPLA!)

Unfortunately, the requirement for dedicated hardware will, in many cases, make the solution unaffordable. Citrix recently published the results of a survey of Citrix Service Providers. They received responses from 718 service providers in 25 countries. 70% of them said that their average customer had fewer than 100 employees. 40% said their average customer had fewer than 50 employees. It is simply not cost-effective for a service provider to dedicate hardware to a customer of that size, and unlikely that it could be done at a price the customer would be willing to pay.

On the other hand, both Microsoft and Citrix have clean, easy-to-understand license models for Remote Desktop Services and XenApp, which is the primary reason why nearly all service providers, including VirtualQube, use server-hosted desktops as their primary DaaS delivery method. We all leverage the policy packs that can make a Server 2008 R2 desktop look like a Windows 7 desktop, and a 2012 R2 desktop look like a Windows 8 desktop, but you’re really not getting Windows 7 or Windows 8, and Microsoft is starting to crack down on service providers who fail to make that clear.

Unfortunately, there are still some applications out there that will not run well – or will not run at all – in a remote session hosted environment. There are a number of reasons for this:

  • Some applications check for the OS version as part of their installation routines, and simply abort the installation if you’re trying to install them on a server OS.
  • Some applications will not run on a 64-bit platform – and Server 2008 R2 and 2012 R2 are both exclusively 64-bit platforms.
  • Some applications do not follow proper programming conventions, and insist on doing things like writing temp files to a hard-coded path like C:\temp. If you have multiple users running that application on the same server via Remote Desktop Services, and each instance of the application is trying to write to the same temp file, serious issues will result. Sometimes we can use application isolation techniques to redirect the writes to a user-specific path, but sometimes we can’t.
  • Some applications are so demanding in terms of processor and RAM requirements that anyone else trying to run applications on the same server will experience degraded performance.

There’s not much that a service provider can do to address the first two of these issues, short of going the dedicated-hardware route (for those customers who are large enough to afford it) and provisioning true Windows 7 or Windows 8 desktops. But there is a creative solution for the third and fourth issues, and that’s to use VDI technology to provision individual instances of Server 2008 R2 or Server 2012 R2 per user. From the licensing perspective, it’s no different than supporting multiple users on a remote session host. Once the service provider has licensed a virtualization host for Windows Datacenter edition, there is no limit to the number of Windows Server instances that can be run on that host – you can keep spinning them up until you don’t like the performance anymore. And the Citrix and Microsoft user licensing is the same whether the user has his/her own private server instance, or is sharing the server OS instance with several other users via Remote Desktop Services.

On the positive side, this allows an individual user to be guaranteed a specified amount of CPU and RAM to handle those resource-intensive applications, avoids “noisy neighbor” issues where a single user impacts the performance of other users who happen to be sharing the same Remote Desktop Server, and allows support of applications that just don’t want to run in a multi-user environment. It’s even possible to give the user the ability to install his/her own applications – this may be risky in that the user could break his/her own virtual server instance, but at least the user can’t affect anyone else.

On the negative side, this is a more expensive alternative simply because it is a less efficient way to use the underlying virtualization host. Our tests indicate that we can probably support an average of 75 individual virtual instances of Server 2008 or Server 2012 for VDI on a dual-processor virtualization host with, say, 320 Gb or so of RAM. We can support 200 – 300 concurrent users on the same hardware by running multiple XenApp server instances on it rather than an OS instance per user.

That said, we believe there are times when the positives of cloud-based VDI is worth the extra money, which is why we offer both cloud-based VDI and remote session hosted DaaS powered by Remote Desktop Services and XenApp.

Posted in: Best Practices, Cloud Computing, DaaS, VDI, Virtualization, Windows 7, Windows 8Tagged: , , , , ,

A Brief Respite from CryptoLocker

June 4, 2014 4:00 pmLeave a Comment

A couple of days ago (June 2), the UK’s National Crime Agency announced that law enforcement agencies have effectively disabled key nodes of the GOZeuS network, which provided a key delivery mechanism for CryptoLocker’s ransom malware. They’ve also identified a person believed to be the leader of the criminal enterprise behind GOZeuS, and international officials say that other arrests are “in progress.”

While this is good news, it’s unlikely to be a permanent solution to the ransomware problem, given the distributed nature of Internet-based malware. It does, however, give us some breathing room – perhaps as much as a couple of weeks - to think about how to protect against it.

In case you’re not familiar with what CryptoLocker is, it is a particularly nasty form of malware that first appeared in the fall of 2013, and is typically spread by tricking a user into clicking on a disguised executable. Disguised executables are, in part, enabled by the unfortunate design choice Microsoft made in Windows XP that continued through Windows 7, which was to “Hide extensions for known file types” by default. (Personally, this always annoyed me, and one of the first things I always did when setting up a new PC was to deselect that option. It does appear that it is no longer selected by default in Windows 8 and 8.1.)

This meant that, for example, a Word document that was called “My Important Customer Proposal.docx” would display in Windows Explorer (and elsewhere within the OS) as, simply, “My Important Customer Proposal.” That also meant that if someone sent you an email with a file attachment called MalwareDesignedToStealYourMoney.pdf.exe, it would display in Windows as, simply, MalwareDesignedToStealYourMoney.pdf. An unsophisticated or careless user – or someone who perhaps was just exhausted from a long day and not thinking clearly – might look at the file name and think it was an ordinary Adobe PDF file, and double-click on it to open it up…not realizing that the “.exe” that was hidden from them meant that it was really an executable that was designed to install malware on their system.

“But why,” you might ask, “wouldn’t my anti-virus software protect me against this?” The answer is that some anti-virus products might protect you, depending on how the options are set. But many, if not most, users have local administrator rights to their PCs. (Yes, arguably they shouldn’t, but every IT admin that’s ever tried to take those rights away has had to deal with the howls of protest when users – often top executives – suddenly can’t install iTunes or some other equally essential utility on their PCs.) So unless your AV product is set to scan files whenever they are accessed – a setting that often isn’t enabled even on products that are capable of doing it because it can slow your system down – you won’t know that you’re installing something bad until it’s too late. Local administrators, by definition, have the authority to install software. You launched the installation program, you’re a local administrator, so it’s going to get installed.


Once installed, CryptoLocker checks in with a server on the Internet that assigns a public/private key pair to that PC, and CryptoLocker then happily goes to work using the public key to encrypt all the documents, spreadsheets, pictures, etc., on your system. The latest variants will even encrypt files on network drives if they’re mapped using a drive letter. (So far, it doesn’t appear that CryptoLocker knows how to navigate across UNC paths.) There is even some evidence that the latest variants may wait up to two weeks before locking you out of your files, in the hopes that you will move through a full cycle of backups during that time, meaning that all your backups will also be encrypted and therefore useless to you. Once it’s done its dirty work, you will suddenly be unable to access any of your files, and will be presented with a screen that tells you that you have, typically, 72 hours to submit payment – typically via untraceable money cards or bitcoin – in order to obtain the private key that will decrypt your files. Otherwise, the private key will be automatically destroyed, and your files will be forever out of your reach.

If the thought of having to cough up the equivalent of $300 US or lose all your data leaves you with cold chills (as it does me), what can/should you do?

  • First and foremost, educate your users. One of the most basic rules of computer safety is that you simply don’t open email attachments from people you don’t know – and, for that matter, don’t open them from people you do know unless you were expecting them and know what they are. Remember that it’s not that tough to impersonate someone’s email address. At the moment, most CryptoLocker payloads are disguised as invoices from financial institutions, messages from shipping companies, notices from law enforcement agencies, etc., often with scary messages about account closures, final notices, and amounts due. Also beware of zip file attachments. Make sure your users are aware of these common tricks, so they don’t reflexively click to see what a file attachment is.
  • If you’re still running Windows 7 or earlier, deselect the “Hide extensions for known file types” option. This will at least make it slightly more likely that someone will notice that there’s something not quite right about the file they’re about to click on.
  • Keep your anti-virus products up to date.
  • Restrict permissions on shared folders.
  • Consider removing local admin rights from users.
  • Consider using a prevention tool like “CryptoPrevent” from the folks at Foolish IT, LLC. This is a tool that is free for both private and commercial use – although there is a paid version that will automatically update itself and offers additional features like email alerts when applications are blocked. When installed, it will, silently and automatically, lock down a Windows system by, among other things, preventing executables with double extensions (like “something.pdf.exe”) from running, and preventing executables from running if they’re located in folders where you wouldn’t expect legitimate programs to be located. It implements over 200 rules that will help protect you from other forms of malware as well as CryptoLocker.

    It should be noted that, if you’re running a Professional version of Windows that is joined to a Windows domain, all of these rules could be set via group policies, and there are even pre-packaged prevention kits, such as CryptolockerPreventionKit.zip, available at www.thirdtier.net/downloads that will make it easier to set those group policies. But if you’re not comfortable with the whole concept of group policies and/or you’re not in a Windows domain or you’re running a home version of Windows, CryptoPrevent is a fast and easy way to deal with the issue.

Please do not assume that the latest law enforcement announcements mean that we don’t have to worry about CryptoLocker anymore. It’s estimated that CryptoLocker raked in as much as $30 million just in the first 100 days after it appeared in the wild. With that much money in play, it – or something else like it – will inevitably reappear sooner or later.

Posted in: Best Practices, Security, Windows 7, Windows 8Tagged: , ,

Adventures with Windows 8 (Part 1)

August 20, 2012 9:12 am1 Comment

I’ve been holding back on doing any testing with Windows 8, mostly because I didn’t have a suitable system that I was willing to risk screwing up by putting a pre-release OS on it. But, now that Win8 has been RTM and the bits are out there on MSDN, the Microsoft Partner site, etc., I decided to take the plunge. I downloaded the bits and our internal-use license key via the Microsoft Partner site, and on Saturday, I decided to upgrade my Motion Computing LE1700 tablet to Windows 8.

The LE1700 has been my primary computing system now for at least four years. It’s got an Intel Core2 L7400 CPU (1.5 GHz), and 4 Gb of RAM. It came with Vista pre-installed, but when Win7 was released, I was able to upgrade it with a minimum of driver hassles. The LE1700 has a completely detachable keyboard, and I have a docking station in the office and a docking station at home with full-size keyboards and monitors in each location, so the ability to move back and forth has been great.

The only down side is that it only has a 70 Gb hard disk. As time has gone by, that’s become more and more difficult to live with - and I finally bought a 32 Gb SD card (fortunately, it does have an SD memory slot) and moved a lot of infrequently-accessed files off the hard disk. This also made it difficult to do the Win8 upgrade, in that I had to move a bunch of additional data off the hard disk to free up enough space, then upgrade, then get rid of the resulting Windows.old folder, then move stuff back.

Other than that, the upgrade went pretty smoothly. There were a couple of older apps that I needed to uninstall before I could upgrade, but they weren’t apps that I particularly cared about. One surprise, though, was that it suggested that I uninstall iTunes. I did so, as I may be the only person left on the planet who has not purchased any music through iTunes - I installed it only so I could load music onto my infrequently-used iPod nano - so there was no down side for me in doing the uninstall.

One oddity had to do with the license key. Based on what I had read, I expected to be prompted to enter a license key as part of the installation - but I wasn’t. Then, once the installation was complete, I couldn’t find any way to install a license key so I could activate the OS. Ultimately, I had to go to a command prompt and use the “slmgr” (Software License Manager) utility. The syntax is “slmgr /ipk [your product key]” - that’s “ipk” as in “install product key.” Once that was done, the system activated just fine. I do not know whether this is an anomaly that is specific to the MS Partner internal-use version of the product, or whether it will crop up in other volume license versions.

As I said, the upgrade went smoothly. Even though I was not connected to the Moose Logic network when I did the upgrade, it did not disrupt the domain membership, and I was able to authenticate with my domain credentials when I was done. So far, everything I’ve tried to run has run fine. As far as I can tell, even my AVG anti-virus is still functional.

I am a bit annoyed that Microsoft dropped the “Aero Glass” interface, but I guess I’ll get used to that. I’m also annoyed at the absence of a “Start” button on the desktop task bar, but I found a solution for that: the good folks at Stardock have a utility called “Start 8” that puts the Start button back, and gives you both a “Run” and a “Shutdown” option if you right-click on it. (At your option, it can also take you straight to a desktop when you log on.) The version of Start8 that is currently available for download was designed for the Consumer Preview of Win8, but appears to install and run just fine on the released version as well. I’m sure that Stardock will release an update for it soon.

I was also very pleased to discover that my two favorite Win7 utilities, “Fences” (also by Stardock) and “Display Fusion,” also still functioned within the Win8 desktop. In particular, the Fences utility eases some of the inconvenience of having to look for applications that aren’t on the new Win8 Start screen. Since I had used Fences to group application icons on my Win7 desktop for my most frequently-used apps, all I have to do is jump to a desktop, and those icons are still right there.

I suspect that, for the foreseeable future, I will still do most of what I do within the context of a traditional desktop, which begs the question of why I should have upgraded in the first place. One reason, of course, is so I can write posts like this one. Another is that, as a Microsoft Partner, I felt that I needed to be familiar with the new OS. Also, my LE1700 is touch-capable, although it requires the use of a stylus, so I’m curious to see how well things will work when I undock the system and actually use it as a tablet. Finally, I’ve got my sights set on a Surface Pro tablet when they become available (I’m due for a system upgrade anyway), so the more exposure I get to Win8 the more prepared I’ll be.

I’ll be writing more about my adventures with Windows 8 as time goes on…

Posted in: Microsoft, Windows 8Tagged: ,

Windows 8 Consumer Preview Video

March 5, 2012 4:58 pmLeave a Comment

You’re probably aware that the Windows 8 Consumer Preview (a.k.a. public beta) was released last Wednesday. And if you’re among those who are still trying to figure out how you’re going to get from Windows XP to Windows 7, you’ve probably been studiously ignoring any news that had anything to do with yet another version of Windows.

Personally, with all the changes going on here in Moose-ville (new Web site, new Desktop-as-a-Service offering, new people coming on board, etc.), I just haven’t had the time to follow all the Windows 8 news. But, now that’s there’s actually something that you can download and play with, I’ve started taking a closer look…and trying to figure out what system I might have laying around that I could actually put it on.

Since I’m a Windows Phone user, I’m somewhat familiar with the new “Metro”-style application interface. At first glance, I wasn’t sure why that was a good thing to have on a laptop or desktop PC. But after giving it a closer look, I’m finding that there are several things about it that intrigue me.

If you’re curious to know more, take a look at this demo video from Microsoft, and let us know in the comments what you think.

Posted in: Microsoft, Windows 8Tagged: