During a VMWare Horizon Cloud project, the customer had the following wishes. The workspace needed fast and secure. Security is almost always at the expense of performance.

Because the customer wanted us to align with the CIS Level 1 benchmark for the Windows OS. We wanted to see what kind of impact the CIS benchmark had on the performance. In order to make de impact visible, we did a performance test with Login VSI.

What are CIS Benchmarks?

CIS Benchmarks are best practices for the secure configuration of a target system. Available for more than 140 technologies, CIS Benchmarks are developed through a unique consensus-based process comprised of cybersecurity professionals and subject matter experts around the world. CIS Benchmarks are the only consensus-based, best-practice security configuration guides both developed and accepted by the government, business, industry, and academia. For more information on CIS go to: https://www.cisecurity.org

Test setup

The test environment consists of the following specifications.

• Hypervisor used: VMware vSphere v6.7u3
• Brokering: VMware Horizon View 7.8
• Connection Server and File Server: Windows 2019

The RDSH servers are configured as followed.

• OS: Windows 2016
• Antivirus: Windows Defender
• VMware Horizon View Agent version 7.8
• VMware User Environment Manager Agent 9.7
• Protocol: PCOIP

VMware Horizon Client 4.10 is used to setup the connections

Results

During the implementation of CIS level 1 policies, we did not see any performance impact with the bare eye. To be able to compare we ran 3 tests without CIS Level 1 policies applied and 3 tests with CIS Level 1 policies applied.

Please note that the CIS Level 1 policies were only applied on the client-side of the environment no CIS Level 1 policies were applied on the Domain Controllers, File Servers, or any other backend servers.

VSImax

First, let us see what is happening with the VSImax. If we compare the VSImax of all 6 tests we can see that the tests with the CIS Level 1 policies applied have a slightly higher VSImax. When CIS Level 1 policies are applied, we see an average VSImax of 408 against a VSImax of 390 when the policies are not applied. This means a difference of 4.42%.

Average memory usage

In memory usage, we see a negligible difference. When CIS Level 1 policies are applied, we see an average memory consumption of 20% against an average consumption of 20.3% when CIS Level 1 policies are not applied. A difference of only 0.3%.

Average CPU usage

On average CPU response time, we see a bigger difference. The Average response time with CIS Level 1 policies applied is 223 milliseconds. The average response time without the CIS policies applied is 242 milliseconds. A difference of 7.86%.

File Open and File Print

The file open and file print tests are good indicators on how the file explorer is behaving within the user session. Both tests show that the average response time is better when CIS Level 1 policies are applied. In percentages, we see a difference of 9.25% on file open and 13.52% difference on file print.

IO – Disk

On storage, we see a different outcome than on CPU and memory. On average disk performance with CIS Level 1 policies applied is slower.

Conclusion

Security is important but can have an impact on user performance. That is why you should always test when applying specific security measurements.

In this case, applying the CIS Level 1 policies, the environment is not only more secure, but we also see an increase in performance. That is why I would recommend to always apply CIS Level 1 policies which will result in a secure and performance-friendly workspace.

Login Consultants will release a whitepaper with more details about the tests.