COMMENTARY: Long gone are days of the pandemic-driven boom in remote work. Yet, many companies today still let employees work remotely at least some of the time to maintain hybrid workforces, global teams, and physical security in regions struck by military conflicts.With attackers’ tactics evolving, teleworkers need secure ways to connect to corporate apps and data.[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Read more Perspectives here.]Giving everyone a work laptop isn’t always practical, and complex BYOD policies are often derailed by device incompatibility or data access issues. That’s why setting up virtual desktops using virtual desktop infrastructure (VDI) has long been a popular option for IT teams. This approach to virtualization means that all data and apps remain under company control.But security challenges remain. A centralized VDI network serves up a juicy target for bad actors who try to steal credentials and take over accounts, spread malware or ransomware via unsecured endpoints, and exploit misconfigurations and unpatched vulnerabilities.Let’s look at seven best practices to prevent the organization’s VDI setup from becoming low-hanging fruit in 2026:VDI-powered virtual desktops let employees carry out work tasks from anywhere, without interruptions or disruptions, but only if they are kept secure. These best practices help harden virtual desktop attack surfaces and strengthen security posture across hybrid environments.David Balaban, owner, Privacy-PCSC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.
- Enforce authentication and access control: Place identity and access at the top of the VDI security list. Enforce MFA as standard on every entry point, especially connection gateways, to reduce the risk of credential-based attacks. Integrating VDI access with centralized identity, single sign-on (SSO) systems, and least-privilege access helps remove privilege creep and limit the potential damage of a successful phishing attack. Include conditional access policies like device compliance, location, or risk-based signals, so that only trusted users on known devices under secure conditions can initiate a VDI session.
- Harden VDI golden images: Because “golden images” are used to quickly create multiple virtual desktops, it’s crucial to keep them clean and secure. Begin with a standardized base desktop image that’s fully patched with the latest OS and application updates, then remove unnecessary software, services, and features to reduce the attack surface. Before deploying or cloning the image to VDI pools, apply secure baseline configurations like security policies, endpoint protection settings, and restricted permissions. Retire outdated versions so that all provisioned virtual desktops are consistently built from a trusted, up-to-date, and minimal configuration.
- Secure remote access gateways: Remote access gateways serve as the front door to the whole VDI environment, so we want them impenetrable. Set up a hardened VDI gateway as the single controlled entry point for external users, and configure it with strict security settings and TLS encryption. Configure it so inbound and outbound traffic gets restricted using firewall rules to allow only required ports and trusted sources. Layer on protections such as DDoS mitigation, rate limiting, and intrusion detection to defend against network-based attacks, and don’t fall behind on maintenance.
- Restrict data movement: Sensitive data exfiltration, exposure, or leakage represent some of the top risks for VDI, but we also need to balance data movement protections against business needs like printing, file transfers, clipboard redirection, and USB access. It’s best to apply strict policies that control or disable the movement of data between the virtual desktop and the user’s local device. Configure these controls at the VDI platform or session policy level so that only explicitly approved use cases are permitted, and apply them based on user roles or sensitivity of the environment.
- Protect against ransomware and malware: Attackers can poison an entire centralized system by injecting ransomware or malware into just one unsecured endpoint, which makes endpoint detection and response (EDR) tools critical. Deploy them across virtual desktops and VDI infrastructure to monitor, detect, and respond to suspicious activity in real-time. Use non-persistent desktops whenever possible, so that each session starts from a clean state and any changes, including malware, are discarded after logout. Regularly refresh or revert virtual machines to a “known-good” golden image.
- Apply network segmentation: By segmenting networks teams can reduce the attack surface and contain breaches in a highly-centralized environment. Logically and/or physically isolate components such as desktop pools, connection brokers, management servers, and sensitive backend systems into separate network zones, with strict access controls between them. Ensure that only explicitly authorized traffic can flow between segments by implementing firewalls, access control lists, and zero-trust principles. This limits lateral movement if an attacker compromises one virtual desktop or component.
- Continuously monitor and log activity: Teams need to conduct proper logging to ensure early warnings about suspicious activity within a VDI environment. Track detailed actions across user sessions, authentication events, access patterns, and administrative tasks on both virtual desktops and supporting infrastructure. Integrate logs with a SIEM that can correlate events, detect anomalies, and identify suspicious behavior such as unusual login locations, abnormal session activity, or privilege escalation attempts.
