Cyber Security Best Practices for Azure Virtual Desktop

The scope of security requirements for Azure Virtual Desktop includes the overall hosting environment, the VDI applications and the device endpoints accessing them.

Microsoft offers overall recommendations that defines the scope of responsibilities between Microsoft and customers, and a baseline that defines a starting blueprint.

Enabling Azure Security Center provides a unified management platform to secure all your Azure resources including AVD. A wealth of tools and services proactively manage vulnerabilities and perform assessments of your overall AVD configuration to check whether you are compliant and implement preventive solutions to strengthen your overall security.

Cloud Security

Session hosts are virtual machines that run inside an Azure subscription and virtual network, and your Azure Virtual Desktop deployment’s overall security depends on the security controls you put on your session hosts.

Microsoft defines how to apply a Zero Trust architecture for AVD deployments, and the Governance and Compliance best practices for maintaining a secure environment. Individual practice areas include:

• Operating system: Enabling end point security for your session host virtual machines (VMs) protects your overall AVD deployment from malicious software. Tools like Windows Defender and ATP (Advanced Threat Protection) proactively address OS and application-level vulnerabilities, identifying problem spots through vulnerability assessments for server operating systems.
• Encryption: Encryption will protect your organisation’s session host OS and data disks from unauthorised users gaining access and copying them. The Bitlocker feature of Windows provides volume encryption for the OS and data disks of Azure virtual machines (VMs), and is integrated with Azure Key Vault to help control and manage disk encryption keys and secrets.
• Network Security: Regulating network traffic to the virtual machines affects their exposure to external threats and hackers. Configure a Network Security Group (NSG) to specify firewall rules used for your session hosts. Secure remote access features in Azure Virtual Desktop ensure that connections to virtual desktops are encrypted and authenticated. VPN integration and secure gateway services enhance the security of remote access for users working from various locations.
• Firewall: A firewall can control the traffic allowed to communicate in and out of your network, and scan traffic for malware and viruses. Microsoft offers Azure Firewall Service, but there are also 3rd party offerings available. The Azure Academy explains AVD network security using VNet, NSGs and Azure Firewall.

Application and Identity Security

Security practices to protect the applications and data AVD is used to access, including the Identity access methods.

AVD integrates with third-party data loss prevention (DLP) solutions like Microsoft Cloud App Security to identify and secure sensitive data.  By tying into Microsoft’s built-in security stack, additional monitoring, analytics, and access controls can be implemented to further strengthen data protection.

Users sign into their AVD sessions using their Azure AD credentials, so it’s critical to protect this identity process:

• Multi-Factor Authentication: Azure Virtual Desktop supports MFA, adding an extra layer of security to verify user identities. By requiring multiple forms of authentication, such as passwords, biometrics, or security tokens, MFA reduces the risk of unauthorized access to virtual desktops.
• Conditional Access: Along with MFA, Conditional Access enables your admin to select which specific users should be granted access based on which devices they are using, their location and how they sign in etc. This feature ensures that only authorized users with compliant devices can access virtual desktops.

Azure Virtual Desktop uses Azure role-based access control (RBAC) to control identities and to manage access. RBAC allows organizations to assign specific roles and permissions to users based on their responsibilities, so that organizations can limit access to sensitive resources and reduce the risk of unauthorized actions.

Endpoint Security

AVD provides a secure virtual environment for organizations to empower their workforce, while also better securing their activities.

A key benefit of AVD is the reduction of potential exposure of corporate and customer data because information can now be restricted to the cloud environment, which prohibits downloads to an employee’s computer, reducing the risk of data exfiltration by a disgruntled employee or a malicious actor.

End Point Security is a critical aspect of maintaining the integrity and confidentiality of data within this environment. By leveraging these security capabilities, organizations can protect their data, applications, and infrastructure from cyber threats and ensure a secure and productive remote work environment.

• Endpoint Detection and Response (EDR): Azure Virtual Desktop integrates with EDR solutions to monitor and respond to security incidents on endpoints. EDR capabilities enable real-time threat detection, investigation, and remediation to protect virtual desktops from advanced threats.
• Data Loss Prevention (DLP): With DLP policies in Azure Virtual Desktop, organizations can prevent the unauthorized transfer or sharing of sensitive data. DLP features help enforce data protection regulations and maintain compliance within the virtual environment.
• Antivirus and Antimalware Protection: Azure Virtual Desktop offers built-in antivirus and antimalware protection to safeguard virtual desktops from malicious software and cyber threats. Regular updates and scans help maintain a secure computing environment.
• Patch Management: Azure Virtual Desktop simplifies patch management by automating the deployment of security updates and patches to virtual desktops. Timely patching helps mitigate vulnerabilities and strengthens the overall security posture of the virtual environment.
• MDM: The identity security practices described above can be configured to enforce geofencing rules or restrict access only to known devices managed by an Azure-integrated Mobile Device Management (MDM) solution such as Intune.

In this tutorial Windows IT Pro describes Building a tamper-resilient endpoint with Microsoft Intune and Microsoft Defender: