Best Practice: Enabling Azure Virtual Desktop (AVD) Security in Remote Settings
With the sustained rise in remote work over the last two years, security is more important than ever. Azure Virtual Desktop (AVD) is a managed virtual desktop service that includes many cybersecurity capabilities for keeping your organization safe. The service is accessible and affordable for businesses of all sizes and has many built-in advanced security features, such as Reverse Connect, which reduces the risk of having remote desktops reachable from anywhere by avoiding direct inbound exposure of the session hosts. Well-configured AVD security gives your organization peace of mind and a secure cloud infrastructure.
Security is an ongoing process of ensuring that you have measures in place to protect your AVD environment. Proper setup of AVD security is especially important when users work remotely. Whether you are evaluating a remote application solution or have already deployed Azure AVD, you want to follow security best practices.
Securing Identities and Devices
End users will always sign in to their AVD sessions using their Azure AD credentials, so it’s vital that you protect this identity. You’ll also need to consider which devices your employees will be using to connect to their sessions. You can protect the identity of your end users and control the devices used to access the virtual desktops in two ways:
- Multi-factor authentication (MFA): Enabling MFA for all users and admins in AVD improves the overall security of your AVD deployment.
- Conditional access: Along with MFA, conditional access lets your admin decide which users are granted access based on the device they are using, their location, how they sign in and similar signals.
Securing Session Hosts and Virtual Machines
The virtual machines and virtual network used as part of your AVD deployment are crucial in determining the overall effectiveness of your security. Inbound and outbound traffic to your virtual machines has a direct impact on their exposure to external threats and hackers. Configuring a network security group (NSG) and attaching it to the subnets used by your AVD session hosts is a good way to protect them.
An NSG is free and can contain multiple inbound and outbound security rules that let you filter traffic by source and destination IP address, port and protocol. It is important to note that an NSG only filters on these network-layer attributes; it does not inspect traffic the way a firewall does. If you need rules for applications and web filtering, you can route all AVD traffic through a firewall using an Azure route table. Your NSG must still contain the outbound rules that Azure AVD requires.
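Because AVD session hosts reach the service through Reverse Connect, they never need an inbound RDP listener open to the Internet; the following added audit (example code, not part of the original article) flags NSG rules that grant exactly that. It assumes rule objects in the field layout returned by `az network nsg rule list -o json` (`direction`, `access`, `protocol`, `sourceAddressPrefix`, `destinationPortRange` / `destinationPortRanges`); the sample rules are constructed.

```python
RDP_PORT = 3389
OPEN_SOURCES = {"*", "internet", "0.0.0.0/0"}  # source prefixes meaning "anyone"


def _dest_ports(rule: dict) -> list[str]:
    """All destination port expressions on a rule (single field or list field)."""
    single = rule.get("destinationPortRange")
    return ([single] if single else []) + list(rule.get("destinationPortRanges") or [])


def port_expr_covers(expr: str, port: int) -> bool:
    """True if an NSG port expression such as '3389', '3000-4000' or '*' covers port."""
    expr = expr.strip()
    if expr == "*":
        return True
    if "-" in expr:
        lo, hi = (int(p) for p in expr.split("-", 1))
        return lo <= port <= hi
    return int(expr) == port


def source_is_open(rule: dict) -> bool:
    """True if the rule accepts traffic from any address or the Internet service tag."""
    prefixes = [rule.get("sourceAddressPrefix")] + list(rule.get("sourceAddressPrefixes") or [])
    return any(p and p.lower() in OPEN_SOURCES for p in prefixes)


def exposed_rdp_rules(rules: list[dict]) -> list[str]:
    """Names of inbound Allow rules that open RDP (3389/TCP) to any source."""
    findings = []
    for rule in rules:
        if rule.get("direction") != "Inbound" or rule.get("access") != "Allow":
            continue
        if rule.get("protocol", "*") not in ("*", "Tcp"):
            continue  # UDP/ICMP-only rules cannot reach the TCP RDP listener
        if source_is_open(rule) and any(port_expr_covers(p, RDP_PORT) for p in _dest_ports(rule)):
            findings.append(rule["name"])
    return findings


# Constructed sample (not exported from a real subscription), in the field layout
# that `az network nsg rule list -o json` returns.
SAMPLE_RULES = [
    {"name": "allow-rdp-anywhere", "priority": 100, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "3389"},
    {"name": "allow-mgmt-range", "priority": 110, "direction": "Inbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "Internet", "destinationPortRanges": ["3000-4000"]},
    {"name": "allow-rdp-from-admin-subnet", "priority": 120, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "10.0.1.0/24", "destinationPortRange": "3389"},
    {"name": "allow-avd-outbound-443", "priority": 200, "direction": "Outbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "443"},
]
```

Running `exposed_rdp_rules(SAMPLE_RULES)` reports the first two rules: the second is caught because its port range 3000-4000 silently includes 3389, which a check on the literal string "3389" would miss.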
AVD Security for OS and Applications
Identifying malicious software and software vulnerabilities within your operating system (OS) and applications is key to the proactive security measures that keep your AVD environment safe. Enabling endpoint security on your session host virtual machines (VMs) protects your overall AVD deployment from malicious software. Tools like Windows Defender and ATP (Advanced Threat Protection) proactively address OS- and application-level vulnerabilities. Regular patches and security updates for your OS and applications ensure that your Azure AVD environment remains well protected.
AVD Security for Your Organization
It is vital to consider which company data users are able to access through their virtual desktop sessions. You can protect your organization’s data from being copied or transferred to local devices and disable any features that compromise data security. This is done by controlling access and setting the RDP properties of the Azure AVD host pool to restrict redirection to the following external devices:
- Local Drives
- USB drives
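A host pool's custom RDP properties are a single string of `name:type:value;` entries (the same syntax as a `.rdp` file), and the redirection of local drives and USB devices is governed by `drivestoredirect:s:` and `usbdevicestoredirect:s:`, where an empty value means nothing is redirected. The following added example (not the article's or Microsoft's code) parses such a string, reports which redirections are still allowed, and emits a hardened string; the sample string is constructed, and the clipboard and printer properties are included as further redirection channels of the same kind.

```python
# Properties that redirect local resources into the session, with the value that
# blocks each redirection. Syntax is the .rdp file syntax: name:type:value;
REDIRECTION_BLOCKED = {
    "drivestoredirect": ("s", ""),      # local drives: empty list = none redirected
    "usbdevicestoredirect": ("s", ""),  # USB devices: empty list = none redirected
    "redirectclipboard": ("i", "0"),
    "redirectprinters": ("i", "0"),
}


def parse_rdp_properties(props: str) -> dict[str, tuple[str, str]]:
    """Parse 'name:type:value;...' into {name: (type, value)}; names are case-insensitive."""
    parsed = {}
    for entry in props.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        name, typ, value = entry.split(":", 2)  # value may itself be empty
        parsed[name.lower()] = (typ, value)
    return parsed


def redirection_findings(props: str) -> list[str]:
    """Redirection properties that are missing or not set to their blocking value."""
    parsed = parse_rdp_properties(props)
    return [name for name, blocked in REDIRECTION_BLOCKED.items() if parsed.get(name) != blocked]


def harden_rdp_properties(props: str) -> str:
    """Return the string with every redirection blocked; unrelated settings are kept."""
    parsed = parse_rdp_properties(props)
    parsed.update(REDIRECTION_BLOCKED)
    return ";".join(f"{n}:{t}:{v}" for n, (t, v) in parsed.items()) + ";"


# Constructed sample: all local drives redirected, clipboard on, USB/printers left at default.
SAMPLE = "audiomode:i:0;drivestoredirect:s:*;redirectclipboard:i:1;"

if __name__ == "__main__":
    print(redirection_findings(SAMPLE))
    # -> ['drivestoredirect', 'usbdevicestoredirect', 'redirectclipboard', 'redirectprinters']
    print(harden_rdp_properties(SAMPLE))
    # -> audiomode:i:0;drivestoredirect:s:;redirectclipboard:i:0;usbdevicestoredirect:s:;redirectprinters:i:0;
```

The hardened string is what you set as the host pool's custom RDP property (for example with `Update-AzWvdHostPool -CustomRdpProperty`); a property that is simply absent is reported as a finding because the service then applies its own default rather than a block.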
You can leverage Azure AD Domain Services (DS) or Windows AD DS, depending on your deployment model, and enforce group policies that regulate which actions your AVD users are allowed to perform. Such policies prevent users from accessing things like the Control Panel, command prompt, disk drives, screen lock or screen capture, and restrict the ability to install additional software.
In addition to protecting company data, you can encrypt your VM disks to prevent unauthorized users from gaining access to your organization’s session host operating system and data disks. For disks on session host VMs, you can achieve this with Azure Disk Encryption, which uses the BitLocker feature of Windows to provide volume encryption for the OS and data disks of Azure virtual machines. It also integrates with Azure Key Vault to manage the disk encryption keys and secrets.
Securing your environment isn’t something that you can do once and then forget about. As threats change, you’ll need to continue monitoring and evolving the security for your AVD environment accordingly.
Additional Azure Security Products
Azure Security Center / Azure Sentinel / Log Analytics
Enabling Azure Security Center provides a unified management platform to secure all your Azure resources, including AVD. Its tools and services proactively manage vulnerabilities, assess your overall Azure AVD configuration for compliance, and recommend preventive measures to strengthen your overall security.
Azure Sentinel Audit Log Collection and Azure Monitor
It is recommended to enable audit log collection into Log Analytics and leverage Azure Monitor. With Azure Monitor, Log Analytics and Azure Sentinel working together, you can not only monitor the AVD instance but also proactively identify threats and issues before they escalate.