Security is an important factor in many organizations' cloud strategies and a reason why many choose Microsoft's public cloud. Azure Virtual Desktop (AVD) inherits its security posture from Azure itself, so it offers a strong foundation for a highly secure IT environment and can use the full set of Azure security services. AVD uses "reverse connect": the session host opens an outbound connection to the AVD gateway and the user's client connects to that same gateway, so no inbound ports need to be opened on the session host. All data is encrypted in transit (TLS) and at rest.
But the inherent security benefits of Azure and AVD aside, organizations can and should take extra steps to harden the environment they build on top of them. IT teams can architect a highly secure AVD environment by using native Azure technologies together with Nerdio Manager to complete the six actions described in this article.
Properly Configuring Nerdio Manager for Enterprise for a Highly Secure Environment
But wait…some of you may undoubtedly be asking, “but isn’t Nerdio Manager secure out-of-the-box?”
Yes. By default, Nerdio Manager for Enterprise is protected by Azure AD (Azure Active Directory, now Microsoft Entra ID) authentication, so your tenant's multifactor authentication (MFA) and conditional access policies apply to it. It is an Azure-managed application installed into the customer's own tenant. Note, however, that out of the box its web interface is reachable from any internet location; only the sign-in is restricted.
With that in mind, it is still important to configure Nerdio Manager's network exposure properly when deploying it, so that the resources it depends on (the App Service, the Azure SQL database, the Key Vault that holds access keys, and the FSLogix/MSIX storage accounts) are not reachable more widely than they need to be.
When Nerdio Manager for Enterprise is installed for the first time, the installer does not apply this detailed network security configuration, because each environment has different requirements and existing network layouts. Several of the settings also require a new, empty subnet (regional vNet integration for the web app, for example, needs a dedicated subnet delegated to the App Service), and many companies require change approval before networks or subnets can be added.
Enterprises can easily configure these settings post-installation by taking the actions below. Each of them aims to stop unauthorized parties from reaching a sensitive component: the database, the storage accounts, the Key Vault and its access keys, or the management application itself.
6 Actions to Make Your AVD Environment Highly Secure
1. Restrict Access to the Nerdio App Service
- Locate the Nerdio app (named similar to nmw-app-xxxxxxx).
- Settings -> Configuration -> General Settings -> Networking -> Inbound Traffic -> Access Restrictions: add Allow rules only for the IP ranges (or vNet subnets) your administrators connect from. Adding the first Allow rule creates an implicit deny-all, and make sure the SCM (Kudu) site uses the same rules, because it has its own, separate rule set and otherwise stays open to the internet.
- Settings -> Configuration -> General Settings -> Networking -> Inbound Traffic -> Private Endpoints: optionally add a private endpoint so the app is reachable only from inside your vNet. Once public access is disabled, administrators must reach the app from the vNet (for example over VPN or ExpressRoute).
2. Remove FTP Services from Nerdio App Service
- Locate the Nerdio app (named similar to nmw-app-xxxxxxx).
- Settings -> Configuration -> General Settings -> FTP state: change the selector from All allowed (the default, which also permits unencrypted FTP) to Disabled. Nerdio Manager is not deployed over FTP, so the FTP endpoint is simply one more credentialed listener exposed on the app; "FTPS only" would encrypt it but still leave it listening.
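The same two actions in Az PowerShell, with a read-back at the end so the script fails if a setting did not stick. This is an added example, not Nerdio's or Microsoft's script and not from the original page. The resource group name, app name and allowed IP ranges are assumptions; replace them with your own values.

```powershell
# Added example for actions 1 and 2 (not Nerdio's own script).
# Assumes Az.Websites is installed and Connect-AzAccount has selected the right subscription.
$rg  = "rg-nerdio"          # assumption: resource group holding the Nerdio App Service
$app = "nmw-app-xxxxxxx"    # assumption: replace with the real app name
$allowedRanges = [ordered]@{   # assumption: networks your AVD admins connect from
    "corp-office" = "203.0.113.0/24"
    "corp-vpn"    = "198.51.100.0/24"
}

# Action 1: explicit Allow rules. As soon as one Allow rule exists, App Service adds an
# implicit Deny-all, so every source not listed here gets HTTP 403.
$priority = 100
foreach ($entry in $allowedRanges.GetEnumerator()) {
    Add-AzWebAppAccessRestrictionRule -ResourceGroupName $rg -WebAppName $app `
        -Name $entry.Key -Priority $priority -Action Allow -IpAddress $entry.Value | Out-Null
    $priority += 10
}
# The SCM (Kudu) site has its own rule set and stays open unless told to reuse the main rules.
Update-AzWebAppAccessRestrictionConfig -ResourceGroupName $rg -Name $app `
    -ScmSiteUseMainSiteRestrictionConfig | Out-Null

# Action 2: FTP off entirely ("FtpsOnly" would still leave a credentialed listener), plus
# HTTPS-only and a TLS 1.2 minimum while we are touching the same site configuration.
Set-AzWebApp -ResourceGroupName $rg -Name $app `
    -FtpsState Disabled -HttpsOnly $true -MinTlsVersion "1.2" | Out-Null

# Read back and fail loudly if anything did not stick.
$site  = Get-AzWebApp -ResourceGroupName $rg -Name $app
$acl   = Get-AzWebAppAccessRestrictionConfig -ResourceGroupName $rg -Name $app
$allow = @($acl.MainSiteAccessRestrictions | Where-Object { $_.Action -eq "Allow" })
$problems = @()
if ($site.SiteConfig.FtpsState -ne "Disabled")     { $problems += "FTP state is $($site.SiteConfig.FtpsState)" }
if (-not $site.HttpsOnly)                          { $problems += "HTTPS-only is off" }
if ($allow.Count -eq 0)                            { $problems += "no Allow rules: app still reachable from any internet location" }
if (-not $acl.ScmSiteUseMainSiteRestrictionConfig) { $problems += "SCM site not covered by the main-site rules" }
if ($problems.Count -gt 0) { throw ("Hardening incomplete:`n  " + ($problems -join "`n  ")) }
"OK: $app accepts traffic only from $($allow.IpAddress -join ', '); FTP disabled; HTTPS-only"
```

Run it once per Nerdio installation and keep it in source control next to the list of allowed ranges: when an office or VPN egress address changes, the rule change is then a reviewed commit rather than an undocumented portal edit.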
3. Set Up Storage Account Private Link
- The most common misconfiguration we see today is setting up a Private Link for a storage account and not configuring App Service vNet integration on the web app. Without vNet integration, the web app still reaches the storage account through its public endpoint, which the account's network rules now reject, so Nerdio cannot manage the MSIX and FSLogix storage. Completing this step is therefore required: integrate the web app with a delegated subnet in the same vNet as the private endpoint, and link the privatelink.file.core.windows.net private DNS zone to that vNet so the app resolves the storage account's private IP address.
4. Set Up Key Vault Private Link
- Same pattern as the storage account: add a private endpoint for the vault (private DNS zone privatelink.vaultcore.azure.net), set the vault's firewall default action to Deny, and rely on the web app's vNet integration from step 3 to reach it. This also cuts off Azure Automation's shared cloud sandboxes, which is what step 5 addresses.
5. Automate Hybrid Runbook Worker to Access Key Vault
- Nerdio Manager runs its automation through an Azure Automation account. Once the Key Vault is reachable only through a private endpoint, runbooks executing in Azure's shared sandboxes can no longer read it, so they must run on a Hybrid Runbook Worker inside your vNet. This is done via a Nerdio Scripted Action.
6. Restrict Azure SQL Access
- Add the App Service's outbound IP addresses to the Azure SQL server's firewall. Use the app's full list of possible outbound IP addresses rather than only the currently active ones: the active set changes when the App Service plan is scaled to a different pricing tier, and a stale rule set breaks Nerdio Manager's database access without warning. Once specific rules exist, remove the broad "Allow Azure services and resources to access this server" rule, which admits traffic from any Azure tenant.
- Alternatively, route traffic from the App Service through a vNet (regional vNet integration) and allow only that subnet on the SQL server, either with a virtual network rule or with a private endpoint for the SQL server. This is the tighter option because it does not depend on public IP addresses at all.
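Actions 3, 4 and 6 together in Az PowerShell: vNet integration for the web app, private endpoints with their DNS zones for the storage account and Key Vault, and SQL firewall rules derived from the app's possible outbound addresses. This is an added example, not Nerdio's or Microsoft's script and not from the original page. All resource names, the region and the subnet names are assumptions; the vNet integration is done through the generic Set-AzResource pattern from the Azure App Service documentation rather than a dedicated cmdlet.

```powershell
# Added example for actions 3, 4 and 6 (not Nerdio's own script).
# Assumes Az.Websites, Az.Storage, Az.KeyVault, Az.Network, Az.PrivateDns and Az.Sql are
# installed and you are signed in. Every name below is a placeholder (assumption).
$rg       = "rg-nerdio"
$app      = "nmw-app-xxxxxxx"
$sqlSrv   = "nmw-sql-xxxxxxx"
$kvName   = "nmw-kv-xxxxxxx"
$stAcct   = "nmwfslogixxxxxxx"
$vnetRg   = "rg-network"; $vnetName = "vnet-avd"
$intSub   = "snet-nmw-integration"    # new, empty subnet delegated to Microsoft.Web/serverFarms
$peSub    = "snet-private-endpoints"  # subnet that hosts the private endpoints
$location = "eastus"

# --- Action 3a: regional vNet integration for the web app ---------------------------
# Without this the app reaches storage/Key Vault over their public endpoints, which the
# network rules below block, and Nerdio can no longer manage MSIX/FSLogix shares.
$vnet   = Get-AzVirtualNetwork -ResourceGroupName $vnetRg -Name $vnetName
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $intSub
if (-not ($subnet.Delegations | Where-Object ServiceName -eq "Microsoft.Web/serverFarms")) {
    throw "$intSub must be delegated to Microsoft.Web/serverFarms before integration"
}
$site = Get-AzResource -ResourceType Microsoft.Web/sites -ResourceGroupName $rg -ResourceName $app
$site.Properties.virtualNetworkSubnetId = $subnet.Id
$site.Properties.vnetRouteAllEnabled    = 'true'   # send all outbound traffic through the vNet
$site | Set-AzResource -Force | Out-Null

# --- Actions 3b and 4: private endpoints plus the privatelink.* DNS zones --------------
function New-PrivateEndpointWithDns {
    param([string]$Name, [string]$TargetId, [string]$GroupId, [string]$ZoneName)
    $conn = New-AzPrivateLinkServiceConnection -Name "$Name-conn" -PrivateLinkServiceId $TargetId -GroupId $GroupId
    New-AzPrivateEndpoint -ResourceGroupName $rg -Name $Name -Location $location `
        -Subnet (Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $peSub) `
        -PrivateLinkServiceConnection $conn | Out-Null
    # The zone linked to the vNet is what makes the app resolve the private IP instead of the public one.
    $zone = Get-AzPrivateDnsZone -ResourceGroupName $rg -Name $ZoneName -ErrorAction SilentlyContinue
    if (-not $zone) {
        $zone = New-AzPrivateDnsZone -ResourceGroupName $rg -Name $ZoneName
        New-AzPrivateDnsVirtualNetworkLink -ResourceGroupName $rg -ZoneName $ZoneName `
            -Name "$vnetName-link" -VirtualNetworkId $vnet.Id | Out-Null
    }
    $zcfg = New-AzPrivateDnsZoneConfig -Name $ZoneName -PrivateDnsZoneId $zone.ResourceId
    New-AzPrivateDnsZoneGroup -ResourceGroupName $rg -PrivateEndpointName $Name -Name "default" `
        -PrivateDnsZoneConfig $zcfg | Out-Null
}
$st = Get-AzStorageAccount -ResourceGroupName $rg -Name $stAcct
New-PrivateEndpointWithDns -Name "pe-$stAcct-file" -TargetId $st.Id -GroupId "file" -ZoneName "privatelink.file.core.windows.net"
Update-AzStorageAccountNetworkRuleSet -ResourceGroupName $rg -Name $stAcct -DefaultAction Deny -Bypass AzureServices | Out-Null

$kv = Get-AzKeyVault -VaultName $kvName
New-PrivateEndpointWithDns -Name "pe-$kvName" -TargetId $kv.ResourceId -GroupId "vault" -ZoneName "privatelink.vaultcore.azure.net"
Update-AzKeyVaultNetworkRuleSet -VaultName $kvName -DefaultAction Deny -Bypass AzureServices

# --- Action 6: SQL firewall rules from the app's outbound addresses ----------------------
# PossibleOutboundIpAddresses, not OutboundIpAddresses: the active set changes when the plan
# is scaled to another tier, and a stale list silently breaks Nerdio's database access.
$web = Get-AzWebApp -ResourceGroupName $rg -Name $app
$i = 0
foreach ($ip in ($web.PossibleOutboundIpAddresses -split ",")) {
    New-AzSqlServerFirewallRule -ResourceGroupName $rg -ServerName $sqlSrv `
        -FirewallRuleName ("nmw-app-out-{0:d2}" -f $i) -StartIpAddress $ip -EndIpAddress $ip | Out-Null
    $i++
}
# "Allow Azure services and resources" (AllowAllWindowsAzureIps) admits any tenant's Azure
# resources; remove it now that the specific rules exist.
Get-AzSqlServerFirewallRule -ResourceGroupName $rg -ServerName $sqlSrv |
    Where-Object FirewallRuleName -eq "AllowAllWindowsAzureIps" |
    Remove-AzSqlServerFirewallRule -Force
```

After the Key Vault step, run the Nerdio Scripted Action from action 5 before relying on any automation, because the Automation account's cloud sandboxes can no longer read the vault. If you later choose the vNet route for SQL instead of public IPs, replace the loop above with a single New-AzSqlServerVirtualNetworkRule for the integration subnet (which then needs the Microsoft.Sql service endpoint) or a private endpoint for the SQL server, and drop the nmw-app-out-* rules.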
AVD Security Maintenance and Management Considerations
It is very important that AVD deployments are reviewed at least every six months for changes in security posture: re-check the settings above (access restrictions including the SCM site, FTP state, storage and Key Vault network rules, and the SQL firewall rules against the app's current possible outbound IP addresses), because scaling, redeployment and network changes can silently undo them. Organizations should keep the verified configuration well documented and have logging in place. It is also essential to review the Nerdio Manager for Enterprise Release Notes regularly for new security updates or resolved security issues.