Windows Virtual Desktop - Thoughts?

GregM

Member
Dec 6, 2020
We are looking at running some "Inventory Management Software" on a Win 10 installation, but the people that are going to access it are not even in the same city.

I was thinking that maybe setting up a Windows Virtual Desktop might be a way to go.

I did think about setting up a machine, and then using the services that Steve had recommended (Remote Utilities) to remotely access it (still an option).

Does anyone have any experience with WVD (Securely Accessing it, how well it runs, troubles they've had with it), or maybe another suggestion?

Cheers.
 
It sounds like an ideal solution would be an inventory system that has a web front end allowing access to do what your users need to do (and no more.) Of course, you probably don't have that, nor the time or budget to create it. Exposing a virtualized machine poses the risk that one of your users will get it into some mucked up state whereby it's unusable for the others. You will be needing to have regular backups, I'm guessing, to be able to restore back to a known good state if ever needed. Also, how will users share the machine if two people need it simultaneously?
 
TeamViewer is cool for remote access. I use it to support family members BUT, they have to physically interact on their end and set up the connection. Having remote access without that interaction can be dangerous. @Steve and others can chime in on how to secure such a thing.

Ron
 
TeamViewer IS very efficient, even in an unattended setup. I've been using it for a few years on remote workstations. It does have limitations, especially in domain environments.

I'm not sure how I would feel about having a web-facing front end, the software would need to basically be bullet proof and that is rarely the case.

Edit : In my (semi-functioning) mind, this is practically a normal use case for a VPN.
 
I can't talk to Windows Virtual Desktop, except to say that I heard about it. My understanding is that it is similar to RDSH/RemoteApp in behaviour.

I have more experience with a Remote Desktop Session Host based RemoteApp setup to achieve something similar, but that might be quite expensive due to the licensing involved (Windows Server licences, Remote Desktop Services Client Access Licences, etc.).
My only tip is to never expose an RDSH/RemoteApp server to the Internet directly.
 
I've used TeamViewer, AnyDesk, Cloudberry's Remote Desktop, and others . . . some will warn if there is already a connection, so there is that.

Agreed, exposing a VM may be problematic.

At this point I'm spitballing ideas here.

The Inventory software has a "Server" and a "Client". That would be the next best thing to a 'web interface', but from what I'm seeing it looks like it might be piggybacking on Windows RDP which, thanks to Steve and the Security Now podcasts, I want to stay as far away from as possible.
 
Thanks for the reply Cozmo.
re: . . . case for a VPN.
I completely agree.
I know what I'm shooting for - not 100% sure how to get it, but . . . I think I'm getting there.

The inventory software apparently runs on Linux (with limited "tech support"). I'm thinking of firing up a Linux Server (with some help to make sure it is secured correctly), initiating a WireGuard server and then having the other connect using the WireGuard Client BEFORE initiating the "Inventory Software's Client". That way if there are any vulnerabilities in the "Inventory Software's Client" protocols, the VPN wrapper should keep them safe.

I'm still trying to work that out, but I think that is where I'm headed.
 
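A check for the setup described in the post above, where the inventory service should be reachable only through the WireGuard tunnel (an added example, not part of the original thread). It reads `ss -tlnH` style output and lists TCP listeners bound to anything other than loopback or the VPN address. The VPN address 10.8.0.1, the service port 8443 and the sample lines are constructed assumptions.

```shell
#!/bin/sh
# Constructed sample in the column layout of `ss -tlnH`
# (State Recv-Q Send-Q Local:Port Peer:Port). Not captured from a real host.
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 10.8.0.1:8443 0.0.0.0:*
LISTEN 0 128 0.0.0.0:3389 0.0.0.0:*
LISTEN 0 128 127.0.0.1:5432 0.0.0.0:*
LISTEN 0 128 [::]:8443 [::]:*
LISTEN 0 128 [::1]:631 [::]:*'

# exposed_listeners VPN_ADDR [ALLOWED_PORT ...]
# Reads listener lines on stdin and prints every local address:port that is
# not bound to loopback or to VPN_ADDR, skipping ports that are meant to be
# public (for example SSH). Anything printed is reachable outside the tunnel.
exposed_listeners() {
    vpn_addr=$1
    shift
    allowed=" $* "
    awk -v vpn="$vpn_addr" -v allowed="$allowed" '
    $1 == "LISTEN" {
        sock = $4
        port = sock; sub(/.*:/, "", port)       # text after the last colon
        addr = sock; sub(/:[^:]*$/, "", addr)   # text before the last colon
        sub(/%.*$/, "", addr)                   # drop an interface scope (%lo)
        gsub(/^\[|\]$/, "", addr)               # drop IPv6 brackets
        if (addr == vpn || addr == "::1" || addr ~ /^127\./) next
        if (index(allowed, " " port " ") > 0) next
        print sock
    }'
}

# On a live server (assumed VPN address, SSH allowed to stay public):
#   ss -tlnH | exposed_listeners 10.8.0.1 22
```

In the constructed sample the service is bound to the VPN address over IPv4 but also listens on the IPv6 wildcard, so it is still flagged alongside the RDP port.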
WVD is more than what you describe, requiring M365, an FSLogix Profile server, host pool, etc. You'll also want MFA enforced as the access/control plane allows access through even web browser login, so it'll be attacked. Further, you'll need data/apps sitting in Azure so unless you already live in that world, you'd have to maintain a VPN Gateway link from onprem to Azure. It sounds like you're wanting either a single PC and someone to remote to it or a multisession WVD or RDS. I'd argue unless you are already "in" Azure, you'd be better served by VPN+RDP to an onprem system.
 
I set up something like this for a small customer. Put in a pfSense, set up OpenVPN for remote VPN.
Users need to start VPN before they can connect to apps/intranet/etc.
Price is reasonable and setup is not too bad. Clients for most everything are available.
 
Thanks for the info zim!
I'm going to go the route B_D just mentioned.
I've set up a WireGuard on Amazon's Lightsail.
Works like a charm.