
Azure Virtual Desktop – Secure and Scalable with Entra ID and Intune

This blog post is based on the presentation given by Dave Cook in our Jisc Cyber Community in April 2024.

Who is this blog aimed at: IT Teams who administer and are responsible for Cloud estates and the security of them.

What is the purpose of the blog: To help member/customer IT teams understand the impact and context of Azure Virtual Desktop in relation to how it can help mitigate cyber-attacks.

Reading time: circa 3 minutes.

The education sector is very much a target for cyber-attacks and there have been some notable breaches over the last couple of years. Often, multi-factor authentication has not been deployed for students and, if their credentials are compromised and they use a VDI solution, that solution can be used to pivot the attack and begin lateral movement. We have also seen VDI exploited as a means of privilege escalation.

A secure AVD implementation has not always been possible, as a couple of enabling technologies needed to be developed by Microsoft first. These are Entra ID Kerberos and Intune.

With these enablers now in place, organisations have the option to deploy a secure AVD environment using best-practice identity (Entra Conditional Access), platform (Azure) and host (OS) security and networking.

Entra ID Kerberos

This allows hybrid users to access Azure file shares using Kerberos authentication, using Entra ID to issue the Kerberos tickets to access the file share with the SMB protocol. No line of sight to domain controllers is required. This is perfect for user profile storage.

Pre-requisites:

Windows 11 Enterprise/Pro single or multi-session.
Windows 10 Enterprise/Pro single or multi-session versions 2004 or later with latest cumulative update installed.
Clients must be Entra ID joined or Entra ID hybrid joined.

Notes:

Use of ACLs and file-level permissions still requires unimpeded network connectivity to an on-premises (or cloud-based) domain controller, so this method is not suitable as a replacement for shared drives.

At present this feature does not support cloud-only accounts; user accounts must be hybrid.

Intune

This frees us from the need to use Gold Images; software can be rapidly redeployed to hosts without the need for the hosts themselves to be redeployed. So, for example, organisations can react to zero-day exploits rapidly with minimum disruption to users. Compliance policies can also be applied if this is a requirement.

Notes:

Use dynamic Entra ID groups to ensure that all your AVD hosts are captured when they are created.

BitLocker encryption is not set from Intune; this needs to be done using the native Azure Virtual Machine method with Key Vault.

Make sure to filter Intune policies so that only those which apply to AVD are assigned to the hosts, to ensure supported behaviour.

As always, distinguish between device and user groups for consistent behaviour.

It is recommended to add a scope for the AVD devices.

Security Hardening

There are several other technologies we can use to improve the security of our AVD deployments.

Identity

  • Holistic Conditional Access – look for threats and react!
  • PIM Groups – Privileged Identity Management groups to provide JIT elevation of roles.
  • Enforce universal MFA
  • Don’t allow local administrators
  • Deploy Identity Protection

Platform

  • Split VNET (Student/Staff) – isolate staff and student networking if possible.
  • NAT Gateway – use to have a single outbound IP address for all hosts.
  • JNRS for DNS traffic – filter outbound traffic at the DNS level.
  • Azure policy – enforce regions / tagging / instance size and security.
  • Auditing – switch on to track changes in your platform.
  • NSG/ASG/UDR – network isolation and traffic filtering in conjunction with:
  • Azure Firewall/NVA – next-generation protection compared with NSG/ASG.
  • Session Host Access – use Azure Bastion for local access.
  • Alerting – make AVD part of your monitoring and alerting scope.
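The NSG/ASG/UDR point above, as an added Az PowerShell example that is not code from the original post: an outbound rule set for an AVD host subnet that allows the control-plane and DNS traffic the hosts need and explicitly denies the directory ports that Entra-joined hosts have no reason to reach. The resource group, location and resolver address are placeholders; the FQDN-based Microsoft endpoints the hosts also need (Intune, Defender, updates) are left to the Azure Firewall/NVA rules the next item recommends, reached via a UDR.

```powershell
# Added example (not from the original post). Requires the Az.Network module.
# Placeholders: resource group, region and the DNS resolver the hosts are pointed at.
$rg       = "rg-avd"
$location = "uksouth"
$dnsIp    = "10.0.0.4"

$rules = @(
    # AVD broker/gateway traffic uses the WindowsVirtualDesktop service tag on TCP 443
    New-AzNetworkSecurityRuleConfig -Name "AllowAvdControlPlane" -Priority 100 `
        -Direction Outbound -Access Allow -Protocol Tcp `
        -SourceAddressPrefix "*" -SourcePortRange "*" `
        -DestinationAddressPrefix "WindowsVirtualDesktop" -DestinationPortRange 443

    # DNS only to the resolver you control (the one place DC-style traffic is still needed)
    New-AzNetworkSecurityRuleConfig -Name "AllowDns" -Priority 110 `
        -Direction Outbound -Access Allow -Protocol "*" `
        -SourceAddressPrefix "*" -SourcePortRange "*" `
        -DestinationAddressPrefix $dnsIp -DestinationPortRange 53

    # Entra-joined hosts do not need Kerberos/LDAP/Global Catalog to anything in the VNet;
    # this sits ahead of Azure's default AllowVnetOutBound (priority 65000), so it wins
    New-AzNetworkSecurityRuleConfig -Name "DenyDomainControllerPorts" -Priority 200 `
        -Direction Outbound -Access Deny -Protocol "*" `
        -SourceAddressPrefix "*" -SourcePortRange "*" `
        -DestinationAddressPrefix "VirtualNetwork" `
        -DestinationPortRange @("88", "389", "636", "3268-3269")
)

# Rules are evaluated lowest priority number first; first match wins
New-AzNetworkSecurityGroup -Name "nsg-avd-hosts" -ResourceGroupName $rg `
    -Location $location -SecurityRules $rules
```

Associate the NSG with the host subnet and review the effective rules on a host before widening anything; the default AllowInternetOutBound rule still applies to whatever is not matched above, which is why the firewall/NVA layer matters.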

Host

  • MDM – Intune
  • Do not domain join the host; there is then no need to allow networking to domain controllers (aside, typically, from DNS).
  • Only allow traffic to the services/applications required: least-permissive networking both east/west and north/south.
  • Confidential VMs – hardware isolation, dedicated TPM, enforced disk encryption and immutable logs to prevent malware from tampering, BUT:
    • Can be more expensive as encrypted disks cannot be compressed.
    • Longer to spin up.
    • Sparse resource regionally – UK South is the best bet.
    • No accelerated Networking.
  • Adaptive App Control/AppLocker – block applications that do not need an admin account to install.
  • FSLogix NTFS permissions – FSLogix gives users elevated SMB user permissions; you need to go in and edit the ACLs on the share to prevent users from being able to browse other users' FSLogix drives.
  • OS Hardening (CIS Benchmark) – Microsoft Defender for Cloud/Defender for Endpoint.
  • PowerShell lockdown (in line with Jisc PS best practice).
  • Automated Updates – native to Azure.
  • Cyber Essentials compliant technical controls – use Intune.
  • Antivirus and EDR.
  • Disk Encryption.
  • Ephemeral Disks.
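The FSLogix NTFS permissions point above, as an added example that is not code from the original post: the share-root ACL that lets each user create and reach only their own profile container. It assumes an administrator has already mounted the Azure Files share as Z: and that the AVD users are in a placeholder group CONTOSO\AVD-Users.

```powershell
# Added example (not from the original post): NTFS ACL for an FSLogix profile share.
# Assumptions: share mounted as Z: with admin rights; user group name is a placeholder.
$share     = "Z:\"
$userGroup = "CONTOSO\AVD-Users"

# Drop inherited ACEs so nothing broader (e.g. Authenticated Users) reaches the share root
icacls $share /inheritance:r

# Users get Modify on the share root only ("this folder only"): enough to create their
# own profile folder, not enough to open anyone else's
icacls $share /grant "$($userGroup):(M)"

# Whoever creates a folder owns it; CREATOR OWNER gives Modify on subfolders and files
# only ((IO) = inherit-only), so the owner's rights flow into their container and no other
icacls $share /grant "CREATOR OWNER:(OI)(CI)(IO)(M)"

# Administrators keep full control of everything for support and clean-up
icacls $share /grant "BUILTIN\Administrators:(OI)(CI)(F)"

# Review the result: expect exactly the three ACEs above and no inherited entries
icacls $share
```

This covers only the NTFS layer; share-level access for Entra ID Kerberos is still granted separately through Azure RBAC on the storage account.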

User Hardening

Secure platform devices are great in and of themselves but if your user accounts are not secure and well managed then the risks are still very much in play.

The primary consideration for user accounts, as always, is to use MFA. Think about hiding the C: drive from users (obviously don’t block it – OneDrive will break if you block C:\). Also consider whether a full desktop experience is really needed, or whether RemoteApp can now be used (especially as this is now integrated with OneDrive). As with the hosts, remember AppLocker/Adaptive Application Control.

FSLogix App Masking is incredibly useful in allowing applications to be seen and used only by those users who need them.

It also goes without saying that UAC (User Account Control) is a must; end users should not be local administrators.

Performance

To cover the availability considerations of your security model, it’s also important to consider performance.

If you can, consider upgrading from Windows 10 to Windows 11. This may need extra testing for legacy applications. Use testing groups when doing a roll-out of new software – try to avoid a big-bang approach. If you have computing/CAD students, consider Azure Labs instead, as this is more easily managed and makes it easier to control the costs of high CPU/GPU instances. As always, use tagging to track your costs. Spend some time creating and tuning a scaling plan to optimise the times that hosts spin up and down. Don’t assume usage patterns will stay the same, so any plan needs to be managed on an ongoing basis. Keep on top of FSLogix and AVD Broker updates – these often deliver performance optimisations.

Notes from the Field

  • The Enterprise Application registered in Entra ID for FSLogix shares needs to be authorised.
  • Entra ID join AVD hosts rather than hybrid join/domain join.
  • Use hybrid (AD-synced) accounts only, for the best experience.
  • FSLogix is needed for AVD support from Microsoft.
  • Azure RBAC is now the place to set local administrator privileges.
  • AVD is a quick way to highlight legacy software within your environment!
  • Hosts will onboard automatically into Defender for Endpoint via Defender for Cloud.
  • Bastion is worth the investment for direct logging on to hosts – but ensure you are aware of what access you are allowing.

We hope this gives you a few pointers as to how you can make your VDI solution using AVD more secure. Jisc Cloud Services can help you with AVD either by auditing your existing infrastructure or by helping you specify, design and deploy a new one.
