With the start of the pandemic last year, and the huge increase of working from home that it prompted, Azure Virtual Desktop (or Windows Virtual Desktop as it was then) became an important tool for providing a wide variety of applications to remote users. Ostensibly AVD is easy and quick to deploy, meaning environments can be spun up with very little delay. However, there is always a danger with working so swiftly that useful features and enhancements can be missed and those relevant to security are particularly important.
So, what are some of activities we can carry out to help secure our AVD deployments?
Use Multi-Factor Authentication and Conditional Access
As we have mentioned in many of these blogs before, MFA is one of the most important things you should do to protect your users from compromise and thus secure your environments. In combination with Conditional Access (CA), you can ensure that your users are prompted for multifactor authentication credentials more frequently when logging in to AVD.
Microsoft provide a good guide on how to set this up.
Avoid direct RDP access to hosts
As my colleague Richard Jackson pointed out in this blog, exposing RDP is a bad idea. If you do need direct access to hosts or your base image, then use just in time access or Azure Bastion.
Enable Azure Security Center and improve Secure Score
As an environment running under Azure, AVD can benefit from the recommendations regarding security vulnerabilities, compliance and best practice that Azure Security Center provides. Secure Score prioritizes recommendations so you will know which are the most effective at improving your security posture. We also recommend onboarding all aspects of AVD into Azure Defender (including any Key Vaults or associated Storage Accounts). This will ensure that each resource will receive the most up to date threat prevention technology.
Instead of providing users with a full Windows 10 desktop, and the wider attack surface that this entails, where possible use RemoteApps to reduce the attack surface to a minimum. Standalone applications which need little integration are the best for this scenario.
Limit network access
By default, AVD hosts can reach the Internet directly, so it is a good idea to limit this with an application aware firewall (Azure Firewall or a Network Virtual Appliance) or a proxy. Use network segmentation and firewalling internally too; this will make lateral movement and post-breach activity much harder to achieve.
Adaptive Network Hardening via Azure Defender provides recommendations to further harden the NSG rules. It uses a machine learning algorithm that factors in actual traffic, known trusted configuration, threat intelligence, and other indicators of compromise, and then provides recommendations to allow traffic only from specific IP/port tuples.
Finally, give users least privilege permissions to any resources that they need to access outside the AVD environment.
Enable endpoint protection
As with any deployment running on virtual machines it is important to secure those machines against malicious software, especially when access is being granted to a wide variety of users daily. In the Jisc cloud solutions team we use a deployment script that enrols new hosts into Azure Defender and thus automatically deploys Microsoft Defender for Endpoint onto those hosts allowing for vulnerability management and EDR.
When using FSLogix as a profile provider it is recommended to exclude VHD files from scanning.
Patch your operating system and applications
We all love patching! There are some options to patching the operating system in AVD. One method is to patch your base image and then re-deploy the hosts from the newly updated image. However, this might not always be practical or desirable so the hosts could be patched directly. Azure Automation Updates solution can go a long way to automating the OS patching of any virtual machines in your WVD environment with the use of start/stop scripts to control those hosts that are powered off overnight. If using this latter method, use your validation pools to check all is well before patching your production pools.
It is important to remember to keep your installed applications up to date as well and have a regular patch cycle for these too. Whichever method you use, keep your base image and hosts in sync to avoid missing patches should you redeploy hosts from an unpatched base image.
Profile containers and private endpoint
FSLogix is an excellent feature to use with AVD for the provision of user profiles. In conjunction with Azure Files to provide the required file shares you have a very nice, low-maintenance PaaS solution. To secure this part of your environment so that no public access is required, deploying a private endpoint to the storage account is an absolute must. There’s an excellent blog on Private Endpoint by my colleague Simon here.
Use the FSLogix rule builder
Whilst we are talking about FSLogix, its rule builder provides an excellent way to prevent user access to applications they should not be using. For example, you can ensure that only your authorised finance users can access your finance system. FSLogix rules integrate with Active Directory groups meaning you may already have groups in place that you can re-use to make life easier.
Configure inactivity and disconnection policies
Make sure to timeout users who are no longer using the system. This will optimize resources as well as reducing the risk of unauthorized log-ins. Obviously this requires a balance with the user experience; disconnecting users within an aggressive timescale will probably lead to many complaints!
It’s also a good idea to consider an inactivity lock-screen as you would for a physical PC.
Manage administrative rights
As with all machines to which users have access, it is wise to not give them administrative rights or allow them to install software directly.
Use process automation
In order to make sure any administrative processes are completed in line with design and security standards, automate as much as possible. For example, not only use ARM templates and/or scripting for the initial environment deployment but also for tasks such as deploying new hosts to pools or new storage accounts for profile containers, base image access for deployments, etc.
As you can see, there are many security considerations and solutions when deploying AVD initially and it is a good idea to audit any existing environments to ensure you have as much in place as possible to ensure AVD is a safe and productive working environment for your organisation.
Jisc’s experienced cloud solutions team can support and advise on all aspects of Azure Virtual Desktop design, deployment and management (and indeed Amazon AppStream). Please get in touch if you want to know more.