✉️contact@dadesktop.ca
🌐 Français
DaDesktop

Security

Ownership and Control
Redundancy and Failure recovery
  1. Trainers and users can opt to replicate an entire desktop in real time using the 'remote replica' feature.
  2. While experimenting, you can enable automatic snapshots of a desktop. If a crash occurs, the system can restore the last working version.
  3. Servers are maintained in redundant data centres; if one data centre fails, another is available with low-latency connectivity.
  4. DaDesktop infrastructure makes use of several data centres located around the world, with comprehensive physical and IT security policies in place.
  5. DaDesktop employs QEMU/KVM to create and run virtual machines; both QEMU and KVM are integral parts of the Linux operating system. Because they are built-in components of the Linux OS, security updates are both very easy and quick to deploy, with no third-party dependencies to worry about. QEMU/KVM boasts an excellent security and performance track record, outperforming commercial solutions.
At NobleProg, a zero-trust policy is implemented
  1. Only NP Tech staff with pre-registered IP addresses are permitted to access the NobleProg and DaDesktop systems we have in place. IP tables firewall rules are used to block access for SSH and other ports.
  2. Each system is protected by Two-Factor Authentication and a password, meaning an attacker who obtains only the password will not be able to access the system—their IP won't be whitelisted, and they won't have the one-time password.
  3. During a DaDesktop course, each desktop network is isolated from other desktops and public access.
  4. All NobleProg staff use a multi-factor authentication (MFA) system to log in to NobleProg or DaDesktop systems; access is revoked immediately if a staff member leaves, protecting our systems from unauthorized access.
Linux Hardening
  1. The DaDesktop server (node) system is kept minimal by installing only the necessary packages—a custom, stripped-down version of Ubuntu that we build and operate to cut down on added complexity and overhead. This, in turn, means fewer security holes, as fewer packages need to run and thus fewer services are operating at any given time. The installed footprint is typically only 250 MB for each DaDesktop server node.
  2. Access to the 'root' account is disabled via SSH.
  3. The DaDesktop infrastructure runs the latest stable version of Ubuntu Linux as its base and is automatically upgraded and patched, reducing the risk of zero-day vulnerabilities.
  4. Servers are monitored for known vulnerabilities.
  5. Unused packages and files are removed.
  6. NobleProg has access to all source code used in the project. If a vulnerability is discovered and a patch is not yet available, the NobleProg security team can patch it immediately.
  7. Systems are automatically updated via unattended-upgrades.
  8. All connections from our servers to the dark web are monitored and can be automatically blocked.
Monitoring
  1. NobleProg monitors all of its servers, including the DaDesktop servers, and creates alerts for any issues that require attention. Alerts are followed up and resolved. We regularly review alerts and issues to ensure each one is fully addressed and prevented from recurring.
  2. We monitor all DaDesktop servers and trainer/participant machines for CPU, memory, and network activity, etc. Additionally, all DaDesktop nodes and the underlying system are monitored for any CVEs that trigger a flag and require investigation. Normally, security updates are applied automatically, but in any exceptional cases identified through this monitoring, we patch them manually or take other mitigating measures.
  3. Recordings are automatically made of the Fresh Start machines for courses, which can be used to check for issues when a trainer prepares a course. Optionally, recordings of the trainer's machine and the training room can be made during a course. This is fully controllable in the UI and can be turned off if not needed.
  4. DaDesktop operating system templates are typically updated every couple of weeks with the latest security updates applied.