It's simple to spin up a VM host for WVD, but selecting and configuring proper security controls takes more time and effort. After some significant deployments of Windows Virtual Desktop, our engineers share emerging best practices for securing the hosts, users, network, and data.
Secure the Host
1. Keep current with patching. It was recently announced that WVD VMs can be updated via Microsoft Endpoint Manager (formerly known as Intune), which can automate system updates. Others prefer to redeploy a fresh image each month from Microsoft’s gallery, automatically rebuilding each VM with an updated, secured image.
2. Use Security Baselines, Microsoft’s recommended configuration settings that improve the OS’s security posture. Instead of the out of the box Windows defaults, these baselines are secured based on feedback from Microsoft security engineering teams, product groups, partners, and customers. The security baselines are included in the Security Compliance Toolkit (SCT), which can be downloaded from the Microsoft Download Center.
3. Don't grant your users admin access to virtual desktops or allow them to install software directly. If they need software packages, they can be made available through configuration management utilities like Microsoft Endpoint Manager.
As another layer of malware / ransomware protection, keep users or adversaries from installing apps on the Windows OS with Defender Application Control. This allow list prohibits anything else from being installed on the machine, including unknown/disallowed drivers. Users should be informed of their limited capability in this environment. When they want to install some app or service that is not on the approved list, they will call the help desk.
4. For A/V protection, Microsoft Defender is enabled on Azure VMs as the default. For next-gen Endpoint Detection and Response capabilities, add Defender for Endpoint. If something out of the ordinary occurs on the host, alerts and/or auto-remediation will occur. Each VM OS would use a Defender for Endpoint (formerly Defender ATP) license. To estimate the additional licensing costs, consider that each multisession VM host can support up to 25 users (as of Oct 2020).
Secure Users’ Identity
5. Multifactor Authentication is recommended for users accessing WVD. Azure AD has a free tier which could work, but it’s rather coarse (on/off for all situations). For the added flexibility of Conditional Access controls, assign users a license that includes Azure Active Directory Premium.
Secure the Network
6. Administrators needn't do anything to enable Windows Virtual Desktop’s “reverse connect” protocol, which automatically blocks inbound traffic. This means that no inbound firewall ports need to be opened.
For extra protection in your Azure IaaS environment, use Network Security Groups. These Access Control Lists can be used to set limits on which subnets/ports can access the WVD VMs. Use Service Tags in your outbound NSG rules so that when Microsoft changes its data centers’ IP addresses, your configurations needn’t change.
If you plan to enable access for users directly from the Internet, consider Azure Firewall to properly secure your VMs. The same concept as NSG service tags exists with Azure Firewall, but there they’re configured as FQDN Tags.
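The NSG configuration described above, as an added example that is not part of the original post (it uses the Az PowerShell module; the resource group and NSG names are placeholders, and the WindowsVirtualDesktop service tag stands in for the control-plane address ranges so Microsoft-side IP changes need no edits here):

```powershell
# Added example, not from the original post. Resource group and NSG names are assumed.
$rg  = "rg-wvd-hosts"
$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName $rg -Name "nsg-wvd-sessionhosts"

# Outbound: let session hosts reach the WVD control plane over 443 through the
# 'WindowsVirtualDesktop' service tag instead of a hard-coded IP range.
# (Other required endpoints, e.g. identity and update services, need their own allow rules.)
$nsg | Add-AzNetworkSecurityRuleConfig -Name "Allow-WVD-ControlPlane-Out" `
    -Description "Session hosts to WVD broker/gateway (reverse connect)" `
    -Direction Outbound -Access Allow -Priority 100 -Protocol Tcp `
    -SourceAddressPrefix "VirtualNetwork" -SourcePortRange "*" `
    -DestinationAddressPrefix "WindowsVirtualDesktop" -DestinationPortRange 443 | Out-Null

# Inbound: reverse connect needs no open ports, so explicitly deny RDP from the Internet
# on top of the platform's default DenyAllInBound rule (defence in depth, and it
# survives someone later adding a broad Allow rule at a lower priority).
$nsg | Add-AzNetworkSecurityRuleConfig -Name "Deny-RDP-From-Internet" `
    -Description "No direct RDP to session hosts; users arrive via reverse connect" `
    -Direction Inbound -Access Deny -Priority 100 -Protocol Tcp `
    -SourceAddressPrefix "Internet" -SourcePortRange "*" `
    -DestinationAddressPrefix "*" -DestinationPortRange 3389 | Out-Null

# Commit the rule set, then list what is now in effect for review.
$nsg | Set-AzNetworkSecurityGroup | Out-Null
Get-AzNetworkSecurityGroup -ResourceGroupName $rg -Name $nsg.Name |
    Get-AzNetworkSecurityRuleConfig |
    Select-Object Name, Direction, Access, Priority,
                  SourceAddressPrefix, DestinationAddressPrefix, DestinationPortRange
```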
Secure the Data
7. To minimize data loss, some organizations keep users from downloading/saving work files to a home PC or other non-work devices. WVD’s policy settings can allow or block redirecting drives, printers, and USB devices to a user's local device in a remote desktop session. Evaluate your security requirements and decide if these features ought to be disabled or not.
Similarly, limit users’ permissions for accessing local and remote file systems. For instance, grant them only access to save files to their own OneDrive for Business folder. This way, users can only access what they need and can't change or delete critical resources.
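The redirection controls from item 7 can be set per host pool as custom RDP properties. The following is an added example, not from the original post (Az.DesktopVirtualization module; the resource group and host pool names are placeholders, and which devices to keep is a policy decision assumed here):

```powershell
# Added example, not from the original post. Names are assumed placeholders.
$rg   = "rg-wvd-hosts"
$pool = "hp-finance"

# RDP properties use the 'name:type:value' form ('s' = string, 'i' = integer).
# An empty string list means "redirect nothing" for drives and USB devices.
$rdp = @(
    "drivestoredirect:s:",        # no local drives mapped into the session
    "usbdevicestoredirect:s:",    # no local USB devices
    "redirectprinters:i:0",       # no local printers
    "redirectcomports:i:0",       # no serial ports
    "redirectclipboard:i:0",      # no clipboard (blocks copy-out of data)
    "redirectsmartcards:i:1"      # keep smart cards so MFA sign-in still works (assumed policy)
) -join ";"

# Apply to the host pool; new sessions pick up the properties.
Update-AzWvdHostPool -ResourceGroupName $rg -Name $pool -CustomRdpProperty $rdp | Out-Null

# Verify what the pool now advertises to clients.
(Get-AzWvdHostPool -ResourceGroupName $rg -Name $pool).CustomRdpProperty
```

Pair this with NTFS and OneDrive for Business permissions on the hosts so that the only writable location users see is their own OneDrive folder.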
Narrow the Surface Area
8. Instead of presenting the entire Windows desktop, it’s often preferred to publish only specific apps. This is done by creating an Application Group and assigning users to the apps in this group. Using this RemoteApp mode doesn’t expose the entire Windows environment to the users, reducing risk.
9. Set time limits to:
Lock screens on users’ idle sessions. WVD’s settings can lock a machine's screen during idle time and require authentication to unlock it. This can prevent unwanted system access by passersby.
For active but idle sessions. If a user is idle for a set amount of time, the session can be set to disconnect. When the user returns, they will reconnect and continue where they left off with no data loss.
For disconnected sessions. If a session stays disconnected for an even longer time, WVD can log the user off and terminate the session. This saves costs by allowing an idle VM to be shut down. Be advised that terminating sessions running long-running applications, such as CAD jobs or calculations that continue while the user is idle, can lose data and may even require restarting the computer.
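The three time limits in item 9 map onto standard Windows policy registry values on the session hosts. This is an added example, not from the original post; the limits chosen are assumed for illustration, and the script would normally be delivered through GPO or Endpoint Manager rather than run by hand:

```powershell
# Added example, not from the original post. Run on a session host or deploy via GPO/Intune.
# The time values are assumed; choose limits that fit your users' workloads.
$ts  = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"
$sys = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
New-Item -Path $ts -Force | Out-Null

# Lock the screen after 15 minutes of inactivity
# ("Interactive logon: Machine inactivity limit", value in seconds).
Set-ItemProperty -Path $sys -Name "InactivityTimeoutSecs" -Value 900 -Type DWord

# Disconnect active-but-idle sessions after 2 hours (value in milliseconds);
# the user reconnects later and resumes with no data loss.
Set-ItemProperty -Path $ts -Name "MaxIdleTime" -Value (2 * 60 * 60 * 1000) -Type DWord

# Log off sessions that have stayed disconnected for 8 hours (milliseconds) so the
# VM can be scaled down; long-running jobs in those sessions are terminated.
Set-ItemProperty -Path $ts -Name "MaxDisconnectionTime" -Value (8 * 60 * 60 * 1000) -Type DWord

# Verify the values that will apply to new sessions.
Get-ItemProperty -Path $ts  | Select-Object MaxIdleTime, MaxDisconnectionTime
Get-ItemProperty -Path $sys | Select-Object InactivityTimeoutSecs
```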
Monitor and Audit
10. Use Azure Security Center to secure your subscriptions, virtual machines, key vaults, and storage accounts. Even the free Security Center Basic provides suggested tasks/changes to make the VM more secure, while the paid (Standard) version allows Just-in-Time access for administrative sessions and other advanced controls.
Whether the VMs are already in place or are yet to be built, following these best practices will harden your WVD environment and lower your chance of user- or adversary-induced problems. Save headaches later by planning or improving security configurations now.
To keep abreast of changes and other best practices for WVD and other Microsoft security tools, follow us on Twitter @enablingtechco or subscribe to this blog at the upper left.