
Security best practice for Azure Virtual Desktop (AVD)

With the unprecedented and sustained rise in remote working in the UK and the rest of the world over the last year, IT security is more of a hot topic than ever. Not only has Azure Virtual Desktop made Virtual Desktops accessible and affordable for all businesses, state-of-the-art security gives you peace of mind that your IT infrastructure can be set up with a secure foundation from the outset.

Azure Virtual Desktop Security

This guide shows the IT lead in your organisation how to set up Azure Virtual Desktop securely, to keep your IT environment and data in safe hands. You may be looking for a virtual desktop or remote app solution. Alternatively, you may have already got Azure WVD set up and want to ensure security best practice from day one.

The article follows on from our blog posts on How to optimise the cost and performance of AVD and Eight tips on how to manage Azure Virtual Desktop (WVD) and is the last in our five-part series on the set up and management of Azure Virtual Desktop (formerly Azure WVD).

If you’d like to understand how to optimise Azure Virtual Desktop for your business including best practice in security, contact us for a free discussion. We are a Microsoft Azure gold partner and one of our certified Azure consultants will be happy to help.

AVD - Book your free consultation

 

Security is a continuous process of ensuring that you have robust checks and balances in place to protect your AVD environment. In this blog we give you an overview of the four key areas to look at:

  • Managing identity and devices
  • Protecting session host virtual machines from external threats
  • Addressing your organisation’s data and information security
  • Monitoring security on an ongoing basis

1. Managing identity and devices

Users always sign into their AVD sessions using their Azure AD credentials, so it’s vital that you protect this identity. You’ll also need to consider which devices they’ll be using to connect to their sessions.

You can protect your users’ ID and control the devices they can use to access the virtual desktops in two ways – by enabling multi-factor authentication (MFA) for users in Azure AD, then by using Conditional Access to apply MFA for the Azure WVD client itself. This mitigates risk and significantly improves overall AVD security.

  • MFA: enabling MFA for all users and admins in AVD improves the overall security of your AVD deployment.
  • Conditional Access: along with MFA, Conditional Access enables your admin to select which specific users should be granted access based on which devices they are using, their location and how they sign in etc.

For further guidance, these Microsoft tutorials explain how to set up MFA and Conditional Access when using Azure Virtual Desktop. This video from The Azure Academy also provides useful guidance about setting up MFA and Conditional Access.

2. Protecting session host virtual machines from external threats

Having protected the identity of the users accessing the AVD service, it is important to protect the session hosts themselves including your operating system, applications and network.

Use Network Security Groups and firewalls

The virtual machines and virtual network deployed as part of your AVD deployment are key endpoints, and how well you secure them determines the overall effectiveness of your security. The inbound and outbound networking rules, and how you regulate overall network traffic to the virtual machines, affect their exposure to external threats and hackers.

You should at least configure a Network Security Group (NSG) and attach it to the subnets that your Azure Virtual Desktop session hosts are deployed in to protect them.

NSGs can contain multiple inbound and outbound security rules. As described in Microsoft’s article, Network Security Groups, these enable you to filter traffic by source and destination IP address, port, and protocol. Therefore, your NSG should contain the outbound rules required for Azure WVD and detailed in this Required URL list.
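Because an NSG evaluates its rules in priority order, where a required outbound rule sits matters as much as whether it exists. The following added example (not part of the original post) models that evaluation in simplified form; the rule names, priorities of the custom rules and the flows are constructed, and only one destination from the required list (the `WindowsVirtualDesktop` service tag on port 443) is modelled.

```python
# Simplified model of NSG evaluation (assumption of this example): rules are
# checked in ascending priority number and the first match decides the flow.
# A flow carries the set of service tags its remote address belongs to.

def evaluate(rules, direction, remote_tags, port):
    """Return (access, rule_name) of the first rule matching the flow."""
    for r in sorted(rules, key=lambda r: r["priority"]):
        if r["direction"] != direction:
            continue
        if r["remote"] != "*" and r["remote"] not in remote_tags:
            continue
        if r["port"] in ("*", str(port)):
            return r["access"], r["name"]
    return "Deny", "no-match"


def rule(name, priority, access, remote, port="*", direction="Outbound"):
    """Build one rule record for the model (hypothetical helper)."""
    return {"name": name, "priority": priority, "access": access,
            "remote": remote, "port": port, "direction": direction}


# Default outbound rules that Azure adds to every NSG.
DEFAULT_OUT = [
    rule("AllowVnetOutBound", 65000, "Allow", "VirtualNetwork"),
    rule("AllowInternetOutBound", 65001, "Allow", "Internet"),
    rule("DenyAllOutBound", 65500, "Deny", "*"),
]

# Constructed rule sets: the same two custom rules in two different orders.
SHADOWED = DEFAULT_OUT + [
    rule("deny-internet", 200, "Deny", "Internet"),
    rule("allow-avd", 300, "Allow", "WindowsVirtualDesktop", "443"),
]
ORDERED = DEFAULT_OUT + [
    rule("allow-avd", 200, "Allow", "WindowsVirtualDesktop", "443"),
    rule("deny-internet", 300, "Deny", "Internet"),
]

# Constructed flows: the AVD service is reached on public addresses, so it
# falls under both the WindowsVirtualDesktop and the Internet service tags.
AVD_FLOW = {"WindowsVirtualDesktop", "Internet"}
WEB_FLOW = {"Internet"}

if __name__ == "__main__":
    for label, rules in (("shadowed", SHADOWED), ("ordered", ORDERED)):
        print(label, evaluate(rules, "Outbound", AVD_FLOW, 443),
              evaluate(rules, "Outbound", WEB_FLOW, 443))
```

In the shadowed set the broad deny matches first and the session hosts lose their connection to the AVD service, even though an allow rule for it exists further down.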

An NSG is free and is simply an access control list (ACL); it is not intelligent like a firewall. However, if you need application rules and web filtering, you can configure all the AVD traffic to go through a firewall using a route table.

This could be your own on-premises firewall, if you’re connecting to your Azure environment across a site-to-site VPN, or a network virtual appliance (NVA) in Azure. There is a range of third-party solutions in Azure Marketplace, or you can use Azure Firewall, which provides managed, cloud-based network security and is a fully stateful firewall service.

See the following video from The Azure Academy on AVD network security using VNet, NSGs and Azure Firewall as well as this Microsoft article for more information on using Azure Firewall to protect AVD deployments.

Protect against operating system, application and software vulnerabilities

Identifying malicious software and software vulnerabilities within your operating system (OS) and applications is the key to proactive, preventive security measures to keep your Azure Virtual Desktop environment safe.

Enabling endpoint security for your session host virtual machines (VMs) protects your overall AVD deployment from malicious software. Tools like Windows Defender and ATP (Advanced Threat Protection) proactively address OS and application-level vulnerabilities, identifying problem spots through vulnerability assessments for server operating systems. Read the deployment guide for Microsoft Defender Antivirus in a virtual desktop infrastructure (VDI) environment to configure your VMs for optimal protection and performance.

Apply patches and security updates

Regular patches and security updates to your OS and applications ensure that your Azure WVD environment is well protected.

You can regularly replace the session hosts using a new patched image, as we describe in our blog post, Eight tips on how to manage Azure Virtual Desktop (WVD). This also lets you update or add any new applications. Alternatively, as the following Microsoft article explains, you can use Microsoft Endpoint Configuration Manager to configure automatic updates for Windows 10 on your AVD session hosts.

Contact us for a free discussion with our certified Azure Virtual Desktop consultants for further guidance on all the security features that come with AVD.


3. Addressing your organisation’s data security

It is vital to consider the company data that users are able to access via their virtual desktop sessions and whether this is secure.

Control how users copy and transfer data

You can protect your organisation’s data from being copied or transferred to local devices and disable any features which compromise data security. This can be done by setting the RDP properties on the Azure WVD host pool to control access from Azure WVD sessions to the following external devices:

  • Printers
  • Local drives
  • USB drives
  • Clipboard
  • Screenshots
  • Camera

The following table details which settings are needed for Azure WVD device redirection.
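One way to check a host pool's custom RDP property string against a locked-down baseline, as an added example that is not part of the original post. The property names are standard RDP file settings for printers, drives, USB devices, clipboard and cameras; the baseline values and the sample string are assumptions constructed for illustration.

```python
import re

# Value each redirection property must carry to count as disabled.
# Assumed baseline for this example; an empty string means "redirect nothing".
BASELINE = {
    "redirectprinters": "0",     # printers
    "drivestoredirect": "",      # local drives
    "usbdevicestoredirect": "",  # USB devices
    "redirectclipboard": "0",    # clipboard
    "camerastoredirect": "",     # cameras
}

# Split only on a ';' that starts a new "name:type:" triple, because values
# such as drive lists (C:\;E:\;) contain ';' and ':' themselves.
_ITEM_SPLIT = re.compile(r";(?=\s*[\w ]+:[isb]:)")


def parse_rdp_properties(custom):
    """Parse 'name:type:value;...' into {name: value}."""
    props = {}
    for item in _ITEM_SPLIT.split(custom.strip()):
        if not item.strip(" ;"):
            continue
        parts = item.strip().split(":", 2)
        if len(parts) != 3:
            raise ValueError(f"malformed RDP property: {item!r}")
        name, _type, value = parts
        props[name.strip().lower()] = value.strip(" ;")
    return props


def audit_redirection(custom):
    """Return {property: 'ok' | 'enabled' | 'unset'} against BASELINE."""
    props = parse_rdp_properties(custom)
    report = {}
    for name, wanted in BASELINE.items():
        if name not in props:
            report[name] = "unset"    # not pinned on the host pool
        elif props[name] == wanted:
            report[name] = "ok"
        else:
            report[name] = "enabled"
    return report


# Constructed sample of a host pool's custom RDP property string.
SAMPLE = (r"drivestoredirect:s:C:\;E:\;;redirectclipboard:i:0;"
          r"redirectprinters:i:1;usbdevicestoredirect:s:;audiomode:i:0")
```

A property reported as `unset` is not pinned by the host pool, so it deserves the same attention as one reported as `enabled`.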

Control user access in Azure Virtual Desktop sessions

You can leverage Azure AD DS or Windows AD domain services based on your deployment model and enforce group policies that regulate which actions are allowed by your AVD users. Below are just some of the policies that you can apply according to your requirement:

  • Prevent user access to Command Prompt and the Control Panel
  • Prevent users from installing additional software
  • Restrict user access to session host disk drives to avoid accidental deletion or corruption of critical resources
  • Apply the screen lock and idle-session threshold setting
  • Enforce screen capture lock

Encrypt your VM disks

Encryption will protect your organisation’s session host OS and data disks from unauthorised users gaining access and copying them.

For disks on session host VMs, you can achieve this with Azure Disk Encryption. Using the BitLocker feature of Windows, it provides volume encryption for the OS and data disks of Azure virtual machines (VMs). It is also integrated with Azure Key Vault to help control and manage disk encryption keys and secrets. This quick-start tutorial shows you how to enable Azure Disk Encryption for session host VM disks using Azure Key Vault.

4. Monitoring Azure Virtual Desktop security on an ongoing basis

Securing your environment isn’t something that you can do once and then forget about. As threats change, you’ll need to continue monitoring and evolving the security for your AVD environment accordingly.

Azure Security Center

Enabling Azure Security Center provides a unified management platform to secure all your Azure resources including WVD. A wealth of tools and services proactively manage vulnerabilities, assess your overall Azure WVD configuration to check whether you are compliant, and implement preventive solutions to strengthen your overall security. The following quick-start tutorial shows you how to set up Azure Security Center.

Audit Logs collection and Azure Monitor

It is recommended to enable audit log collection and leverage Azure Monitor. Azure Monitor helps to identify any issues in the operation of the infrastructure, including checking your application maps, network latency and error exceptions which indicate security issues and authentication errors. Find out more about Azure Monitor and using Log Analytics for the Diagnostic feature in this article.

There is no one-off answer to IT security; it must evolve over time to proactively respond to ever-changing security threats. For more useful insights from Microsoft, read the following articles on Security Best Practices and the Azure Security Baseline for Windows WVD.

Contact us for a free, no-obligation discussion with one of our certified Azure consultants. They will guide you on how to set up and manage Azure WVD with all the right security protocols in place from the outset.

 


When you work with Compete366 to implement Azure Virtual Desktop, we provide free guidance on the Azure and Microsoft Office 365 elements including how to optimise AVD for cost and performance. The only IT knowledge you’ll need to implement and manage this environment is traditional desktop management skills.
