During a VMware Horizon Cloud project, the customer had the following wishes:
- The workspace needed to be fast
- The workspace needed to be secure
The trick is to balance the security measures so that performance remains adequate for the customer's needs, without compromising the security requirements.
“Security is almost always at the expense of performance”
The customer wanted us to align with the CIS Level 1 benchmark for the Windows OS. At that time, we had already invested a lot of time and energy in getting deeper into the CIS baselines for all current OSes. We wanted to see what kind of impact the CIS benchmark had on performance. To make the impact visible, we ran a performance test with Login VSI in the VDI-Like-a-Pro labs.
What are CIS Benchmarks?
CIS Benchmarks are best practices for the secure configuration of a target system. Available for more than 140 technologies, CIS Benchmarks are developed through a unique consensus-based process comprised of cybersecurity professionals and subject matter experts around the world. CIS Benchmarks are the only consensus-based, best-practice security configuration guides both developed and accepted by the government, business, industry, and academia. For more information on CIS go to https://www.cisecurity.org
The test environment consists of the following specifications.
- Hypervisor used: VMware vSphere v6.7u3
- Brokering: VMware Horizon View 7.8
- Connection Server and File Server: Windows 2019
The RDSH servers are configured as follows.
- OS: Windows 2016
- Antivirus: Windows Defender
- VMware Horizon View Agent version 7.8
- VMware User Environment Manager Agent 9.7
- Protocol: PCoIP
VMware Horizon Client 4.10 is used to set up the connections.
During the implementation of CIS Level 1 policies, we did not notice any negative impact on usability. To be able to compare, we ran 3 tests without CIS Level 1 policies applied and 3 tests with CIS Level 1 policies applied.
Please note that the CIS Level 1 policies were only applied on the client side of the environment; no CIS Level 1 policies were applied on the Domain Controllers, File Servers, or any other backend servers.
First, let us see what is happening with the VSImax. If we compare the VSImax of all 6 tests we can see that the tests with the CIS Level 1 policies applied have a slightly higher VSImax. When CIS Level 1 policies are applied, we see an average VSImax of 408 against a VSImax of 390 when the policies are not applied. This means a difference of 4.42%.
Average memory usage
In memory usage, we see a negligible difference. When CIS Level 1 policies are applied, we see an average memory consumption of 20% against an average consumption of 20.3% when CIS Level 1 policies are not applied. A difference of only 0.3%.
Average CPU usage
On average CPU response time, we see a bigger difference. The average response time with CIS Level 1 policies applied is 223 milliseconds. The average response time without the CIS policies applied is 242 milliseconds. A difference of 7.86%.
File Open and File Print
The file open and file print tests are good indicators of how a real user would experience working on the system. Both tests show that the average response time is better when CIS Level 1 policies are applied. In percentages, we see a difference of 9.25% on file open and a difference of 13.52% on file print.
IO – Disk
On storage, we see a different outcome than on CPU and memory. On average, disk performance is slower with CIS Level 1 policies applied.
Security is important but can have an impact on user performance. That is why you should always test when applying specific security measures.
In this case, with the CIS Level 1 policies applied, the environment is not only more secure, but we also see an increase in performance. That is why I would recommend always applying CIS Level 1 policies, which will result in a secure and performance-friendly workspace.
In January, Login Consultants will release a whitepaper with more details on the use cases and the importance of having good security measures in place for a safe and well-performing workspace.