
Securing and Hardening Azure Virtual Desktop  


Security is top of mind for most enterprises today. With an increasing reliance on technology and widespread connectivity of systems and devices, organisations face daily security challenges and threats.

Companies must ensure that they protect themselves against malware and ransomware attacks, confirm the protection of sensitive data, and achieve regulatory compliance and business continuity.  

One method of ensuring the security of your infrastructure and operations is to use Azure Virtual Desktop (AVD) to allow employees to access company resources and data fully and securely.  When using Azure Virtual Desktop in this way, all the data and applications are hosted and stay inside the company’s internal network. 

However, we must still ensure that the Azure Virtual Desktop components are secure. A big misconception is that the Azure resources you deploy are secure by default. This is certainly not the case, and it’s up to you as an IT administrator to ensure they are configured to meet your internal security requirements. 

Below is a Nerdio reference architecture showing all the Azure components involved in an Azure Virtual Desktop deployment. You can view the original here – https://nmw.zendesk.com/hc/en-us/articles/10374272187159-Nerdio-Manager-for-Enterprise-Reference-Architecture  

We will now walk through some of these components and offer some advice and best practices to ensure that your Azure and Azure Virtual Desktop environment is as secure as can be.

Network Security + Azure Virtual Desktop

The first component we will cover is network security. When discussing networking in Microsoft Azure, we talk about VNETS (virtual networks), subnets and NICS. A NIC (Network Interface Controller) sits within a subnet and a subnet within a VNET.  

When deploying Azure Virtual Desktop, it is recommended to deploy session hosts within a separate subnet from the rest of your infrastructure. This allows you to apply specific firewall rules to the subnet used for your session hosts.

The primary method of locking down security at the network level is to use something called Network Security Groups, otherwise known as NSGs. NSGs are ACLs (Access Control Lists) which allow you to specify which traffic is allowed in and out of those network resources. NSGs can be applied at the VNET, subnet, or NIC level.  To read more about NSG, please visit Microsoft’s documentation.  
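As an added example (not Nerdio or Microsoft code), the following evaluates a session-host subnet's NSG rules the way an NSG does, lowest priority number first with the first match winning, to show whether an Internet-sourced connection would be admitted. The rule list is a constructed sample in the shape of `az network nsg rule list -o json`; the `Internet` service tag is approximated as any address outside RFC 1918 space, and other service tags are not modelled.

```python
import ipaddress

# Constructed sample in the shape of `az network nsg rule list -o json`.
SAMPLE_RULES = [
    {"name": "deny-internet-in", "priority": 200, "direction": "Inbound",
     "access": "Deny", "protocol": "*", "sourceAddressPrefix": "Internet",
     "destinationPortRange": "*"},
    {"name": "allow-rdp-any", "priority": 100, "direction": "Inbound",
     "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "*",
     "destinationPortRanges": ["3389", "5985-5986"]},
    {"name": "allow-mgmt", "priority": 150, "direction": "Inbound",
     "access": "Allow", "protocol": "Tcp",
     "sourceAddressPrefix": "10.20.0.0/24", "destinationPortRange": "3389"},
]
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def _values(rule, single, plural):
    """Merge the single-value and list forms a rule may use."""
    vals = list(rule.get(plural) or [])
    if rule.get(single):
        vals.append(rule[single])
    return vals

def _port_match(rule, port):
    for rng in _values(rule, "destinationPortRange", "destinationPortRanges"):
        lo, _, hi = rng.partition("-")
        if rng == "*" or int(lo) <= port <= int(hi or lo):
            return True
    return False

def _source_match(rule, addr):
    for p in _values(rule, "sourceAddressPrefix", "sourceAddressPrefixes"):
        if p == "Internet":  # approximated as anything outside RFC 1918
            hit = not any(addr in n for n in RFC1918)
        elif p == "*" or p[0].isdigit():
            hit = p == "*" or addr in ipaddress.ip_network(p, strict=False)
        else:
            hit = False  # other service tags are not modelled here
        if hit:
            return True
    return False

def inbound_decision(rules, src_ip, port, protocol="Tcp"):
    """Return (access, rule name) of the first matching inbound rule."""
    addr = ipaddress.ip_address(src_ip)
    for rule in sorted(rules, key=lambda r: r["priority"]):
        applies = rule["direction"] == "Inbound" and rule["protocol"] in ("*", protocol)
        if applies and _source_match(rule, addr) and _port_match(rule, port):
            return rule["access"], rule["name"]
    return "Deny", "DenyAllInBound"  # Azure default for non-VNet sources
```

In the sample, the broad deny at priority 200 never takes effect for port 3389 because the allow rule at priority 100 matches first, which is the kind of ordering mistake worth checking for on a session-host subnet.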

Additionally, consider a firewall within your Azure Virtual Desktop deployment. A firewall can control the traffic allowed to communicate in and out of your network. It can scan traffic for malware and viruses but also allow or deny traffic based on rules you can configure. Microsoft offers Azure Firewall Service, but there are also 3rd party offerings available.  

Identity Security + Azure Virtual Desktop

From an attack vector perspective, identity is the easiest way to secure Azure Virtual Desktop deployments. Hackers will commonly attempt to gain access by brute-forcing or guessing your employees' usernames and passwords, or by sending spear-phishing emails that trick employees into providing login credentials.

To protect against these attacks, using Multi-Factor Authentication, or MFA, is highly advised. MFA protects identity by forcing the individual logging in to authorise the login attempt using secondary authentication. This type of authentication is usually a code generated by an authenticator app or can be something like a fingerprint scanner or YubiKey.

As an enhancement to MFA, you can also use conditional access. Conditional access is a set of rules which you can configure to allow access, deny access, or enforce MFA when users access your company resources. In this case, that means logging onto Azure Virtual Desktop.

For example, we can create a conditional access policy that forces MFA if the logon attempt comes from outside your company’s internal network, and only allows it if the user is on a fully patched Windows 10 22H2 device that has BitLocker and antivirus enabled.

Using MFA and conditional access in conjunction is probably your most secure way of protecting your company’s resources. We at Nerdio highly advise you deploy both.

RBAC (Role-Based Access Controls) + Azure Virtual Desktop

RBAC, which stands for role-based access control, assigns the least privilege to administrators and end users. By default, Azure & Azure AD have several built-in roles to administer the environment. Giving an RBAC role to a person only if they need it is recommended. Global Administrator and Owner permissions should only be assigned to people you trust and those who need them to perform their job.  

To further enhance RBAC, using Privileged Identity Management, otherwise known as PIM, is advised. PIM is a service which allows you to elevate your permissions only when you need those permissions. This is a suitable security method because an attacker would only have limited permissions even if your credentials are compromised.

Session Host Security + Azure Virtual Desktop

Another key area to secure in an AVD environment is the session hosts. You should have a corporate security policy with group policy configuration settings or Intune settings. These apply minimum security standards to your workstations and devices in your corporate environment. These settings should also be used for your Azure Virtual Desktop session hosts.

It is also highly recommended to deploy endpoint protection to your session hosts. By default, Windows 10/11 comes with Windows Defender, which provides essential antivirus and malware protection. You can also use Windows Defender for Endpoint, which provides enhanced protection. You can use this capability at no added cost if you have an E3 or E5 license agreement.

Keeping your session hosts patched is also essential to protecting from attackers and ransomware attacks. Microsoft releases security patches every second Tuesday of the month (aka Patch Tuesday). Deploying these patches to your session hosts ASAP is highly recommended.   

There are multiple ways of deploying security patches and feature updates, including Windows Update, MECM, Intune, Nerdio Scripted Actions and other third-party applications, e.g. PatchmyPC. If you use image-based management to update your session hosts and are an existing Nerdio customer or partner, automating the image update procedure with Nerdio Manager allows you to update the patches every month after Patch Tuesday.

It is also highly recommended to ensure that all applications on the AVD session hosts are also updated. They can contain security vulnerabilities if using older versions of software.  

Endpoint Security + Azure Virtual Desktop

It is highly recommended to lock down the endpoint from which you are accessing the Azure Virtual Desktop session. For the most secure environments, customers will use thin clients. Thin clients ensure that the attack surface is as small as possible. It is common for thin clients to run a Linux operating system. This is generally more secure than a Windows endpoint.

Endpoints in an AVD environment could also be an employee’s home computer or device. These unmanaged devices may be susceptible to attack with out-of-date patches, older versions of Windows, and firewalls disabled.  

You interact with the remote session host using your keyboard and mouse when accessing an Azure Virtual Desktop session. Ideally, you should not have access to local disk drives or USB devices plugged into the endpoint. These could contain malware or enable employees to copy corporate data onto local USB devices. 

Using Nerdio, you can apply Global RDP Settings across all your host pools, which will lock down printers, the clipboard, and local drives. This greatly enhances security between the endpoint and the session host.  
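As an added example (not Nerdio's code), the following audits a host pool's custom RDP properties string for the redirections discussed above: local drives, clipboard, printers and USB devices. It assumes the standard semicolon-separated `name:type:value` RDP property syntax; the two sample strings are constructed.

```python
# Value that disables each redirection in the RDP property syntax.
LOCKED_DOWN = {
    "drivestoredirect": "",       # empty string: no local drives redirected
    "redirectclipboard": "0",     # 0: clipboard redirection off
    "redirectprinters": "0",      # 0: printer redirection off
    "usbdevicestoredirect": "",   # empty string: no USB devices redirected
}

# Constructed samples: one host pool left partly open, one locked down.
SAMPLE_OPEN = "drivestoredirect:s:*;redirectclipboard:i:0;audiomode:i:0;usbdevicestoredirect:s:"
SAMPLE_LOCKED = ("drivestoredirect:s:;redirectclipboard:i:0;"
                 "redirectprinters:i:0;usbdevicestoredirect:s:")

def parse_rdp_properties(raw):
    """Split 'name:type:value;...' into a {name: value} dict."""
    props = {}
    for item in raw.split(";"):
        item = item.strip()
        if not item:
            continue
        # maxsplit=2 keeps any ':' that appears inside the value itself
        name, _type, value = (item.split(":", 2) + ["", ""])[:3]
        props[name.strip().lower()] = value.strip()
    return props

def audit_redirection(raw):
    """Return {property: finding} for every redirection not locked down."""
    props = parse_rdp_properties(raw)
    findings = {}
    for name, wanted in LOCKED_DOWN.items():
        if name not in props:
            # An absent property is not a lockdown: nothing forces it off.
            findings[name] = "not set explicitly"
        elif props[name] != wanted:
            findings[name] = f"redirection enabled (value {props[name]!r})"
    return findings

if __name__ == "__main__":
    for label, raw in (("open", SAMPLE_OPEN), ("locked", SAMPLE_LOCKED)):
        print(label, audit_redirection(raw))
```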

Monitoring and Auditing for Azure Virtual Desktop

So far, we have discussed how to lock down and protect our AVD infrastructure. Still, it is critical we monitor the environment from a security perspective so incidents can be responded to ASAP.

Azure has a service called the Azure Security Center. The Azure Security Center is an excellent way to have an overview of your security landscape. It will advise you on anything that needs to be improved upon. It will alert you to highly critical security misconfigurations and recommendations to resolve them.  

Azure Sentinel is an Azure service that proactively monitors all AVD session hosts and Azure infrastructure and alerts you to suspicious activity. You can also create workbooks which can automatically perform actions on any device it flags as suspicious. Use Azure Log Analytics to collect data from your session hosts and feed that into Azure Sentinel.

Conclusion 

As you can see, many ways exist to protect and secure your Azure Virtual Desktop environment. To protect your company and assets, deploying as many of these services as possible is highly recommended. Additionally, admins should review the security best practices with their internal security team to ensure that they are deploying the most secure deployment possible.
