In the Azure Virtual Desktop article series, this time we will examine how to set up a secure VDI environment with Microsoft Defender for Cloud.
One of the things that differentiates cloud services from traditional on-premises virtual desktop infrastructure (VDI) is how security responsibilities are shared between the provider and the customer.
When you use Azure Virtual Desktop, it is critical to understand that while some components of your environment are already secured for you, you must configure other areas yourself to meet your organization's security needs.
Picture-1
Security requirements for which you are not responsible are covered by Microsoft. For the parts that are your responsibility, it is recommended to enable Microsoft Defender for Cloud on your subscriptions, virtual machines, key vaults and storage accounts.
With Microsoft Defender for Cloud, you can:
- Manage security vulnerabilities.
- Evaluate compliance with common frameworks such as the Payment Card Industry (PCI) standard.
- Strengthen the overall security of your environment.
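The following PowerShell script is an added example (not code from the article) showing how the Defender for Cloud plans named above are turned on for a subscription with the Az.Security module, and how agent auto-provisioning is enabled so that new session hosts are covered automatically. The subscription id is a placeholder; the plan names are the ones `Set-AzSecurityPricing` accepts.

```powershell
# Added example: enable Microsoft Defender for Cloud plans for the resource types
# the article lists (VMs, Key Vault, Storage) on one subscription.
# Requires the Az.Accounts and Az.Security modules.
Connect-AzAccount
Set-AzContext -SubscriptionId '00000000-0000-0000-0000-000000000000'   # placeholder subscription id

# Plan names as used by Set-AzSecurityPricing. 'Standard' is the paid Defender tier
# (threat detection, vulnerability assessment); 'Free' only gives the basic posture view.
$plans = @('VirtualMachines', 'KeyVaults', 'StorageAccounts')

foreach ($plan in $plans) {
    Set-AzSecurityPricing -Name $plan -PricingTier 'Standard' | Out-Null
}

# Auto-provision the monitoring agent so session hosts created later are onboarded
# without a manual step.
Set-AzSecurityAutoProvisioningSetting -Name 'default' -EnableAutoProvision

# Verification: every plan above should now report PricingTier = Standard.
Get-AzSecurityPricing |
    Where-Object { $_.Name -in $plans } |
    Select-Object Name, PricingTier
```

Run the verification part again after a few minutes if a plan still shows `Free`; the pricing change is applied asynchronously, and a plan that stays on `Free` means the session hosts in that subscription are not being assessed.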
You can ask your questions on this subject using the comments field at the bottom.
Azure Virtual Desktop security best practices
Azure Virtual Desktop has many built-in security controls. In this section, you’ll learn about security controls you can use to keep your users and data safe.
Require multi-factor authentication
Requiring multi-factor authentication for all users and admins in Azure Virtual Desktop improves the security of your entire deployment. To learn more, see Enable Azure AD Multi-Factor Authentication for Azure Virtual Desktop.
Enable Conditional Access
Enabling Conditional Access lets you manage risks before you grant users access to your Azure Virtual Desktop environment. When deciding which users to grant access to, we recommend you also consider who the user is, how they sign in, and which device they’re using.
Collect audit logs
Enabling audit log collection lets you view user and admin activity related to Azure Virtual Desktop. Some examples of key audit logs are:
- Azure Activity Log
- Azure Active Directory Activity Log
- Azure Active Directory
- Session hosts
- Key Vault logs
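As an added example (not part of the article), the script below wires the Azure Virtual Desktop host pool and workspace diagnostic logs into a Log Analytics workspace with Az.Monitor's `New-AzDiagnosticSetting`, then runs a query against the resulting `WVDConnections` table as a check that data is arriving. Resource group, host pool, workspace and Log Analytics names are placeholders; the log category names are the ones the host pool and workspace resource types expose.

```powershell
# Added example: collect Azure Virtual Desktop audit/diagnostic logs in Log Analytics.
# Requires Az.DesktopVirtualization, Az.Monitor (3.x or later) and Az.OperationalInsights.
$rg        = 'rg-avd-prod'      # placeholder
$hostPool  = 'hp-avd-prod'      # placeholder
$workspace = 'ws-avd-prod'      # placeholder
$lawRg     = 'rg-logs'          # placeholder
$lawName   = 'law-sec'          # placeholder

$law = Get-AzOperationalInsightsWorkspace -ResourceGroupName $lawRg -Name $lawName
$hp  = Get-AzWvdHostPool  -ResourceGroupName $rg -Name $hostPool
$ws  = Get-AzWvdWorkspace -ResourceGroupName $rg -Name $workspace

# Host pool categories: connection lifecycle, management operations and agent health.
$hpLogs = 'Checkpoint', 'Error', 'Management', 'Connection', 'HostRegistration', 'AgentHealthStatus' |
    ForEach-Object { New-AzDiagnosticSettingLogSettingsObject -Category $_ -Enabled $true }
New-AzDiagnosticSetting -Name 'avd-to-law' -ResourceId $hp.Id -WorkspaceId $law.ResourceId -Log $hpLogs

# Workspace categories: feed (what users see) plus management and errors.
$wsLogs = 'Checkpoint', 'Error', 'Management', 'Feed' |
    ForEach-Object { New-AzDiagnosticSettingLogSettingsObject -Category $_ -Enabled $true }
New-AzDiagnosticSetting -Name 'avd-to-law' -ResourceId $ws.Id -WorkspaceId $law.ResourceId -Log $wsLogs

# Check: connections per user in the last day. An empty result shortly after enabling
# is normal; data typically shows up within 15 minutes of the first new connection.
$kql = @'
WVDConnections
| where TimeGenerated > ago(1d)
| where State == "Connected"
| summarize Connections = count() by UserName
| order by Connections desc
'@
(Invoke-AzOperationalInsightsQuery -WorkspaceId $law.CustomerId -Query $kql).Results
```

Azure Activity Log and Azure AD sign-in/audit logs are configured at the subscription and tenant level respectively (subscription activity log export and the Azure AD diagnostic settings blade), not per host pool, so they are not covered by this script; session host logs need an agent or data collection rule on the VMs themselves.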
Use RemoteApps
When choosing a deployment model, you can either provide remote users access to entire virtual desktops or only select applications. Remote applications, or RemoteApps, provide a seamless experience as the user works with apps on their virtual desktop. RemoteApps reduce risk by only letting the user work with a subset of the remote machine exposed by the application.
Monitor usage with Azure Monitor
Monitor your Azure Virtual Desktop service’s usage and availability with Azure Monitor. Consider creating service health alerts for the Azure Virtual Desktop service to receive notifications whenever there’s a service impacting event.
Encrypt your VM
Encrypt your VM with managed disk encryption options to protect stored data from unauthorized access.
Session host security best practices
Session hosts are virtual machines that run inside an Azure subscription and virtual network. Your Azure Virtual Desktop deployment’s overall security depends on the security controls you put on your session hosts. This section describes best practices for keeping your session hosts secure.
Enable endpoint protection
To protect your deployment from known malicious software, we recommend enabling endpoint protection on all session hosts. You can use either Windows Defender Antivirus or a third-party program. To learn more, see Deployment guide for Windows Defender Antivirus in a VDI environment.
For profile solutions like FSLogix or other solutions that mount VHD files, we recommend excluding VHD file extensions.
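The following is an added example (not from the article) of the Microsoft Defender Antivirus exclusions for FSLogix profile containers on a session host, applied with `Add-MpPreference`. The profile share path is a placeholder. The exclusions are scoped to the FSLogix binaries and to the container files on the share and in the temp folders, rather than excluding the VHD/VHDX extension globally, so that a container copied anywhere else on the host is still scanned.

```powershell
# Added example: Defender Antivirus exclusions for FSLogix on a session host.
# Run elevated on the host, or push the same settings via Intune/GPO.
$profileShare = '\\files.example.local\profiles'   # placeholder: your FSLogix VHDLocations share
$fsx = Join-Path $env:ProgramFiles 'FSLogix\Apps'

# Drivers that mount and virtualise the containers
Add-MpPreference -ExclusionPath @(
    (Join-Path $fsx 'frxdrv.sys'),
    (Join-Path $fsx 'frxdrvvt.sys'),
    (Join-Path $fsx 'frxccd.sys')
)

# FSLogix services, excluded as processes so their file I/O is not real-time scanned
Add-MpPreference -ExclusionProcess @(
    (Join-Path $fsx 'frxccd.exe'),
    (Join-Path $fsx 'frxccds.exe'),
    (Join-Path $fsx 'frxsvc.exe')
)

# Container files: on the share (scanned by the file server side instead) and the
# local temp locations FSLogix uses while a container is being prepared.
Add-MpPreference -ExclusionPath @(
    "$profileShare\*\*.VHD",
    "$profileShare\*\*.VHDX",
    "$env:TEMP\*.VHD",
    "$env:TEMP\*.VHDX",
    "$env:windir\TEMP\*.VHD",
    "$env:windir\TEMP\*.VHDX"
)

# Review what is now excluded; keep this list short and specific.
(Get-MpPreference).ExclusionPath
(Get-MpPreference).ExclusionProcess
```

Review `Get-MpPreference` output after deployment: every exclusion is a blind spot for the scanner, so the list should contain only the FSLogix paths and the container locations you actually use.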
Install an endpoint detection and response product
We recommend you install an endpoint detection and response (EDR) product to provide advanced detection and response capabilities. For server operating systems with Microsoft Defender for Cloud enabled, installing an EDR product will deploy Microsoft Defender for Endpoint. For client operating systems, you can deploy Microsoft Defender for Endpoint or a third-party product to those endpoints.
Enable threat and vulnerability management assessments
Identifying software vulnerabilities that exist in operating systems and applications is critical to keeping your environment secure. Microsoft Defender for Cloud can help you identify problem spots through Microsoft Defender for Endpoint’s threat and vulnerability management solution. You can also use third-party products if you’re so inclined, although we recommend using Microsoft Defender for Cloud and Microsoft Defender for Endpoint.
Patch software vulnerabilities in your environment
Once you identify a vulnerability, you must patch it. This applies to virtual environments as well, which includes the running operating systems, the applications that are deployed inside of them, and the images you create new machines from. Follow your vendor patch notification communications and apply patches in a timely manner. We recommend patching your base images monthly to ensure that newly deployed machines are as secure as possible.
Establish maximum inactive time and disconnection policies
Signing users out when they're inactive preserves resources and prevents access by unauthorized users. We recommend that timeouts balance user productivity with resource usage. For users that interact with stateless applications, consider more aggressive policies that turn off machines and preserve resources. Disconnecting long-running applications that continue to run while a user is idle, such as a simulation or CAD rendering, can interrupt the user's work and may even require restarting the computer.
Set up screen locks for idle sessions
You can prevent unwanted system access by configuring Azure Virtual Desktop to lock a machine’s screen during idle time and requiring authentication to unlock it.
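The script below is an added example (not from the article) that applies the idle, disconnect and screen-lock policies described in the two sections above on a session host by writing the registry values behind the corresponding Group Policy settings. The timeout values are constructed for illustration; pick them according to the productivity trade-off the article describes (stateless app users can get shorter limits than users running long CAD or simulation jobs).

```powershell
# Added example: session time limits and idle screen lock for a session host.
# These are the registry values set by the Group Policy items
#   Computer Configuration > ... > Remote Desktop Session Host > Session Time Limits
#   Computer Configuration > ... > Security Options > "Interactive logon: Machine inactivity limit"
# Run elevated on the host, or deploy the same settings via GPO/Intune.
function Set-SessionTimeoutPolicy {
    param(
        [int]$IdleMinutes       = 30,   # constructed: disconnect idle sessions after 30 min
        [int]$DisconnectMinutes = 120,  # constructed: end disconnected sessions after 2 h
        [int]$RemoteAppMinutes  = 5,    # constructed: log off RemoteApp sessions 5 min after last app closes
        [int]$LockSeconds       = 600   # constructed: lock the screen after 10 min of inactivity
    )

    $ts = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    if (-not (Test-Path $ts)) { New-Item -Path $ts -Force | Out-Null }

    # Session Time Limits values are stored in milliseconds.
    Set-ItemProperty -Path $ts -Name 'MaxIdleTime'             -Type DWord -Value ($IdleMinutes       * 60 * 1000)
    Set-ItemProperty -Path $ts -Name 'MaxDisconnectionTime'    -Type DWord -Value ($DisconnectMinutes * 60 * 1000)
    Set-ItemProperty -Path $ts -Name 'RemoteAppLogoffTimeLimit'-Type DWord -Value ($RemoteAppMinutes  * 60 * 1000)
    # fResetBroken = 1: when a limit is reached, end the session instead of just disconnecting it.
    Set-ItemProperty -Path $ts -Name 'fResetBroken'            -Type DWord -Value 1

    # Machine inactivity limit (seconds) locks the session and requires re-authentication.
    $sys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    Set-ItemProperty -Path $sys -Name 'InactivityTimeoutSecs' -Type DWord -Value $LockSeconds
}

function Get-SessionTimeoutPolicy {
    # Read back the effective values, converted to minutes/seconds for review.
    $ts  = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    $sys = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    [pscustomobject]@{
        IdleMinutes       = $ts.MaxIdleTime / 60000
        DisconnectMinutes = $ts.MaxDisconnectionTime / 60000
        RemoteAppMinutes  = $ts.RemoteAppLogoffTimeLimit / 60000
        EndSessionAtLimit = [bool]$ts.fResetBroken
        LockSeconds       = $sys.InactivityTimeoutSecs
    }
}

Set-SessionTimeoutPolicy
Get-SessionTimeoutPolicy
```

For hosts that serve long-running interactive jobs, call `Set-SessionTimeoutPolicy` with a larger `-IdleMinutes` and `-DisconnectMinutes`, or leave `fResetBroken` at 0 so a disconnected session keeps running and the user can reconnect to it.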
Establish tiered admin access
We recommend you don’t grant your users admin access to virtual desktops. If you need software packages, we recommend you make them available through configuration management utilities like Microsoft Intune. In a multi-session environment, we recommend you don’t let users install software directly.
Consider which users should access which resources
Consider session hosts as an extension of your existing desktop deployment. We recommend you control access to network resources the same way you would for other desktops in your environment, such as using network segmentation and filtering. By default, session hosts can connect to any resource on the internet. There are several ways you can limit traffic, including using Azure Firewall, Network Virtual Appliances, or proxies. If you need to limit traffic, make sure you add the proper rules so that Azure Virtual Desktop can work properly.
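As an added example (not from the article), the script below builds a network security group for the session host subnet that allows outbound traffic only to the Azure Virtual Desktop control plane, Azure AD, Azure Monitor and Azure Storage service tags, and denies everything else to the internet. Names and location are placeholders. Service tags cover the Azure-side endpoints; the full list of URLs a session host needs (for example Windows activation and update endpoints) is published by Microsoft and is better expressed as Azure Firewall FQDN rules, which this example does not replace.

```powershell
# Added example: egress filtering for the session host subnet with an NSG.
# Requires Az.Network. Apply the NSG to the subnet that hosts the session host NICs.
$rg       = 'rg-avd-prod'        # placeholder
$location = 'westeurope'         # placeholder
$nsgName  = 'nsg-avd-sessionhosts'

function New-AvdOutboundRule {
    param([string]$Name, [int]$Priority, [string]$Access, [string]$DestTag, [string]$Port, [string]$Protocol = 'Tcp')
    New-AzNetworkSecurityRuleConfig -Name $Name -Priority $Priority -Access $Access `
        -Direction Outbound -Protocol $Protocol `
        -SourceAddressPrefix '*' -SourcePortRange '*' `
        -DestinationAddressPrefix $DestTag -DestinationPortRange $Port
}

$rules = @(
    # Azure Virtual Desktop gateway/broker traffic (reverse connect, no inbound ports needed)
    New-AvdOutboundRule -Name 'Allow-AVD-ControlPlane' -Priority 100 -Access Allow -DestTag 'WindowsVirtualDesktop'  -Port 443
    # Sign-in and token traffic
    New-AvdOutboundRule -Name 'Allow-AzureAD'          -Priority 110 -Access Allow -DestTag 'AzureActiveDirectory'   -Port 443
    # Diagnostics/agent telemetry collected under "Collect audit logs"
    New-AvdOutboundRule -Name 'Allow-AzureMonitor'     -Priority 120 -Access Allow -DestTag 'AzureMonitor'           -Port 443
    # Agent downloads and FSLogix profiles on Azure Files (SMB)
    New-AvdOutboundRule -Name 'Allow-Storage-HTTPS'    -Priority 130 -Access Allow -DestTag 'Storage'                -Port 443
    New-AvdOutboundRule -Name 'Allow-Storage-SMB'      -Priority 131 -Access Allow -DestTag 'Storage'                -Port 445
    # Everything else to the internet is denied; intra-VNet traffic is still governed by
    # the default AllowVnetOutBound rule and your own segmentation rules.
    New-AvdOutboundRule -Name 'Deny-Internet'          -Priority 4000 -Access Deny -DestTag 'Internet'               -Port '*' -Protocol '*'
)

$nsg = New-AzNetworkSecurityGroup -Name $nsgName -ResourceGroupName $rg -Location $location -SecurityRules $rules

# Review the effective rule order before associating the NSG with the subnet.
$nsg.SecurityRules | Sort-Object Priority | Select-Object Priority, Name, Access, DestinationAddressPrefix, DestinationPortRange
```

After associating the NSG, test with a user session rather than only from the portal: a host that cannot reach the control plane shows up as unavailable in the host pool, and a missing Storage rule breaks FSLogix profile loading at sign-in.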
Manage Office Pro Plus security
In addition to securing your session hosts, it's important to also secure the applications running inside of them. Office Pro Plus is one of the most common applications deployed in session hosts. To improve the security of the Office deployment, we recommend you use the Security Policy Advisor for Microsoft 365 Apps for enterprise. This tool identifies policies that you can apply to your deployment for more security. Security Policy Advisor also recommends policies based on their impact on your security and productivity.
Other security tips for session hosts
By restricting operating system capabilities, you can strengthen the security of your session hosts. Here are a few things you can do:
- Control device redirection by redirecting drives, printers, and USB devices to a user’s local device in a remote desktop session. We recommend that you evaluate your security requirements and check if these features ought to be disabled or not.
- Restrict Windows Explorer access by hiding local and remote drive mappings. This prevents users from discovering unwanted information about system configuration and users.
- Avoid direct RDP access to session hosts in your environment. If you need direct RDP access for administration or troubleshooting, enable just-in-time access to limit the potential attack surface on a session host.
- Grant users limited permissions when they access local and remote file systems. You can restrict permissions by making sure your local and remote file systems use access control lists with least privilege. This way, users can only access what they need and can’t change or delete critical resources.
- Prevent unwanted software from running on session hosts. You can enable AppLocker for additional security on session hosts, ensuring that only the apps you allow can run on the host.
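The script below is an added example (not from the article) that implements three of the items in the list above: it disables drive, printer, USB and clipboard redirection through the host pool's custom RDP properties, hides local drives in Windows Explorer via the `NoDrives`/`NoViewOnDrive` policy values, and generates an AppLocker policy from the installed programs that is first deployed in audit-only mode. Resource group and host pool names are placeholders; the RDP property names are the standard `.rdp` settings that Azure Virtual Desktop honours.

```powershell
# Added example: device redirection, drive hiding and AppLocker on session hosts.
# Part 1 runs from an admin workstation with Az.DesktopVirtualization;
# parts 2 and 3 run elevated on a session host (or via GPO/Intune).

# --- 1. Device redirection is decided per host pool, not per host ---------------
$rg = 'rg-avd-prod'   # placeholder
$hp = 'hp-avd-prod'   # placeholder
# Empty string for drivestoredirect/usbdevicestoredirect = redirect nothing; i:0 = off.
$rdp = 'drivestoredirect:s:;redirectprinters:i:0;usbdevicestoredirect:s:;redirectclipboard:i:0;redirectcomports:i:0'
Update-AzWvdHostPool -ResourceGroupName $rg -Name $hp -CustomRdpProperty $rdp
(Get-AzWvdHostPool -ResourceGroupName $rg -Name $hp).CustomRdpProperty

# --- 2. Hide local drive mappings in Explorer for users of this host -----------
# NoDrives / NoViewOnDrive are bitmasks: A=1, B=2, C=4, D=8 ... so C: + D: = 12.
function Hide-LocalDrives {
    param([string[]]$Letters = @('C', 'D'))   # constructed default
    $mask = 0
    foreach ($l in $Letters) { $mask = $mask -bor (1 -shl ([int][char]$l.ToUpper() - [int][char]'A')) }
    # Written to the default user hive policy path so it applies to every user profile.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'NoDrives'      -Type DWord -Value $mask   # hide in Explorer
    Set-ItemProperty -Path $key -Name 'NoViewOnDrive' -Type DWord -Value $mask   # block browsing via paths too
    return $mask
}
Hide-LocalDrives

# --- 3. AppLocker: allow only what is installed, start in audit mode ------------
$policyPath = Join-Path $env:ProgramData 'applocker-sessionhost.xml'

# Build publisher rules (hash as fallback for unsigned files) for Program Files and Windows.
$files = Get-AppLockerFileInformation -Directory $env:ProgramFiles -Recurse -FileType Exe, Dll, Script
$files += Get-AppLockerFileInformation -Directory $env:windir -Recurse -FileType Exe, Dll, Script
$policyXml = $files | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -Xml

# New-AppLockerPolicy emits EnforcementMode="NotConfigured"; switch to AuditOnly so
# blocked executions are only logged (Event ID 8003/8006) until the rule set is reviewed.
$policyXml -replace 'EnforcementMode="NotConfigured"', 'EnforcementMode="AuditOnly"' |
    Out-File -FilePath $policyPath -Encoding utf8

Set-AppLockerPolicy -XmlPolicy $policyPath -Merge

# AppLocker needs the Application Identity service running to evaluate rules.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# Check: dry-run a user profile path against the policy; installers dropped there should not be allowed.
Test-AppLockerPolicy -XmlPolicy $policyPath -Path "$env:USERPROFILE\Downloads\*.exe" -User Everyone
```

Keep AppLocker in audit mode for a full update cycle and review the `Microsoft-Windows-AppLocker/EXE and DLL` event log on the hosts; only switch the rule collections to `EnforcementMode="Enabled"` once the audit events show no legitimate applications being flagged.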