Azure Security Baseline for Azure Virtual Desktop

The Azure Security Benchmark provides recommendations on how you can secure your cloud solutions on Azure.

The content is grouped by the security controls defined by the Azure Security Benchmark and the related guidance applicable to
Azure Virtual Desktop.

Network Security

NS-1: Implement security for internal traffic
Guidance: You must create or use an existing virtual network when you deploy virtual machines to be registered to Azure Virtual Desktop. Ensure that all Azure virtual networks follow an enterprise segmentation principle that aligns to the business risks. Any system that could incur higher risk for the organization should be isolated within its own virtual network and sufficiently secured with either a network security group or Azure Firewall.

Use Adaptive Network Hardening features in Microsoft Defender for Cloud to recommend network security group configurations which limit ports and source IPs with reference to external network traffic rules.

Based on your applications and enterprise segmentation strategy, restrict or allow traffic between internal resources based on network security group rules. For specific well-defined applications (such as a 3-tier app), this can be a highly secure “deny by default, permit by exception” approach. This might not scale well if you have many applications and endpoints interacting with each other. You can also use Azure Firewall in circumstances where central management is required over a large number of enterprise segments or spokes (in a hub/spoke topology).

For the network security groups associated with your virtual machine (that are part of Azure Virtual Desktop) subnets, you must allow outgoing traffic to specific endpoints.

NS-2: Connect private networks together
Guidance: Use Azure ExpressRoute or Azure virtual private network to create private connections between Azure datacenters and on-premises infrastructure in a colocation environment. ExpressRoute connections do not go over the public internet, offer more reliability, faster speeds and lower latencies than typical internet connections.

For point-to-site and site-to-site virtual private networks, you can connect on-premises devices or networks to a virtual network using any combination of virtual private network options and Azure ExpressRoute.

Use virtual network peering to connect two or more virtual networks together in Azure. Network traffic between peered virtual networks is private and stays on the Azure backbone network.

NS-4: Protect applications and services from external network attacks
Guidance: Use Azure Firewall to protect applications and services against potentially malicious traffic from the internet and other external locations. Protect your Azure Virtual Desktop resources against attacks from external networks, including distributed denial of service attacks, application specific attacks, unsolicited and potentially malicious internet traffic. Protect your assets against distributed denial of service attacks by enabling DDoS standard protection on your Azure Virtual Networks. Use Microsoft Defender for Cloud to detect misconfiguration risks related to your network related resources.

Azure Virtual Desktop is not intended to run web applications, and does not require you to configure any additional settings or deploy any extra network services to protect it from external network attacks targeting web applications.

NS-6: Simplify network security rules
Guidance: Use Azure Virtual Network service tags to define network access controls on network security groups or an Azure Firewall configured for your Azure Virtual Desktop resources. You can use service tags in place of specific IP addresses when creating security rules. By specifying the service tag name (For example: AzureVirtualDesktop) in the appropriate source or destination field of a rule, you can allow or deny the traffic for the corresponding service. Microsoft manages the address prefixes encompassed by the service tag and automatically updates the service tag as addresses change.

Identity Management

For more information, see the Azure Security Benchmark: Identity Management.

IM-1:  Azure Active Directory as the central identity and authentication system

Guidance: Azure Virtual Desktop uses Azure Active Directory (Azure AD) as the default identity and access management service. You should  Azure AD to govern your organization’s identity and access management in:

Microsoft Cloud resources, such as the Azure portal, Azure Storage, Azure Virtual Machine (Linux and Windows), Azure Key Vault, PaaS, and SaaS applications.

Your organization’s resources, such as applications on Azure or your corporate network resources.

Securing Azure AD should be a high priority in your organization’s cloud security practice. Azure AD provides an identity secure score to help you assess identity security posture relative to Microsoft’s best practice recommendations. Use the score to gauge how closely your configuration matches best practice recommendations, and to make improvements in your security posture.

Azure AD supports external identities which allow users without a Microsoft account to sign-in to their applications and resources with their external

IM-2: Manage application identities securely and automatically

Guidance: Azure Virtual Desktop supports Azure managed identities for non-human accounts such as services or automation. It is recommended to use Azure managed identity feature instead of creating a more powerful human account to access or execute your resources.

Azure Virtual Desktop recommends using Azure Active Directory (Azure AD) to create a service principal with restricted permissions at the resource level to configure service principals with certificate credentials and fall back to client secrets. In both cases, Azure Key Vault can be used to in conjunction with Azure managed identities, so that the runtime environment (such as, an Azure Function) can retrieve the credential from the key vault.

    IM-3: Use Azure AD single sign-on (SSO) for application access

    Guidance: Azure Virtual Desktop uses Azure Active Directory (Azure AD) to provide identity and access management to Azure resources, cloud applications, and on-premises applications. This includes enterprise identities such as employees, as well as external identities such as partners, vendors, and suppliers. This enables single sign-on (SSO) to manage and secure access to your organization’s data and resources on-premises and in the cloud. Connect all your users, applications, and devices to Azure AD for seamless secure access with greater visibility and control.

      Privileged Access

      PA-3: Review and reconcile user access regularly

      Guidance: Azure Virtual Desktop uses Azure Active Directory (Azure AD) accounts to manage its resources, review user accounts and access assignment regularly to ensure the accounts and their access are valid.

      Use Azure AD access reviews to review group memberships, access to enterprise applications, and role assignments. Azure AD reporting can provide logs to help discover stale accounts.

      In addition, Azure Privileged Identity Management can also be configured to alert when an excessive number of administrator accounts are created, and to identify administrator accounts that are stale or improperly configured.

      Some Azure services support local users and roles which not managed through Azure AD. You will need to manage these users separately.

      Guidance: Secured and isolated workstations are critically important for the security of sensitive roles, such as, administrators, developers, and critical service operators. Use highly secured user workstations and/or Azure Bastion for administrative tasks.

      Use Azure Active Directory (Azure AD), Microsoft Defender Advanced Threat Protection (ATP), or Microsoft Intune to deploy a secure and managed user workstation for administrative tasks. The secured workstation can be centrally managed to enforce secured configuration including strong authentication, software and hardware baselines, restricted logical and network access.

        PA-7: Follow just enough administration (least privilege principle)

        Guidance: Azure Virtual Desktop is integrated with Azure role-based access-control (Azure RBAC) to manage its resources. Azure RBAC allows you to manage Azure resource access through role assignments. You can assign these roles to users, groups service principals and managed identities. There are pre-defined built-in roles for certain resources, and these roles can be inventoried or queried through tools such as Azure CLI, Azure PowerShell or the Azure portal.

        The privileges you assign to resources with Azure RBAC should always be limited to the ones as required by the roles. This complements the just in time (JIT) approach of Privileged Identity Management (PIM), with Azure Active Directory (Azure AD), and should be reviewed periodically.

        PA-8: Choose approval process for Microsoft support

        Guidance: In support scenarios where Microsoft needs to access customer data, Azure Virtual Desktop supports Customer Lockbox to provide an interface for you to review and approve or reject customer data access requests.

          Data Protection

          DP-1: Discovery, classify and label sensitive data

          Guidance: Discover, classify, and label your sensitive data so that you can design the appropriate controls. This is to ensure sensitive information is stored, processed, and transmitted securely by the organization’s technology systems.

          Use Azure Information Protection (and its associated scanning tool) for sensitive information within Office documents on Azure, on-premises, Office 365 and other locations.

          You can use Azure SQL Information Protection to assist in the classification and labeling of information stored in Azure SQL Databases.

          DP-2: Protect sensitive data

          Guidance: Protect sensitive data by restricting access using Azure Role Based Access Control (Azure RBAC), network-based access controls, and specific controls in Azure services (such as encryption in SQL and other databases).

          To ensure consistent access control, all types of access control should be aligned to your enterprise segmentation strategy. The enterprise segmentation strategy should also be informed by the location of sensitive or business critical data and systems.

          Microsoft treats all customer content as sensitive and guards against customer data loss and exposure. To ensure customer data within Azure remains secure, Microsoft has implemented some default data protection controls and capabilities.

            DP-3: Monitor for unauthorized transfer of sensitive data

            Guidance: Monitor for unauthorized transfer of data to locations outside of enterprise visibility and control. This typically involves monitoring for anomalous activities (large or unusual transfers) that could indicate unauthorized data exfiltration.

            Advanced Threat Protection (ATP) features with both Azure Storage and Azure SQL ATP can alert on anomalous transfer of information, indicating what might be unauthorized transfers of sensitive information.

            Azure Information protection (AIP) provides monitoring capabilities for information that has been classified and labeled.

            Use data loss prevention solutions, such as the host-based ones, to enforce detective and/or preventative controls to prevent data exfiltration.

              DP-4: Encrypt sensitive information in transit

              Guidance: To complement access controls, data in-transit should be protected against ‘out of band’ attacks (e.g. traffic capture) using encryption to ensure that attackers cannot easily read or modify the data.

              Windows Virtual Desktop supports data encryption in-transit with transport layer security (TLS) v1.2 or greater. While this is optional on private networks, it is critical for traffic on external and public networks. For HTTP traffic, ensure that any clients connecting to your Azure resources can negotiate TLS v1.2 or greater. Any remote management, tasks should be performed over secure shell (SSH) for Linux or with Remote Desktop Protocol (RDP) over TLS (for Windows) instead of an unencrypted protocol.

              Any obsolete SSL, TLS, and SSH versions and protocols, and weak ciphers should be disabled. By default, Azure provides encryption for data in transit between Azure data centers.

                DP-5: Encrypt sensitive data at rest

                Guidance: To complement access controls, Windows Virtual Desktop encrypts data-at-rest to protect against ‘out of band’ attacks, such as accessing underlying storage. This helps ensure that attackers cannot easily read or modify the data.

                  Asset Management

                  AM-1: Ensure security team has visibility into risks for assets

                  Guidance: Ensure security teams are granted Security Reader permissions in your Azure tenant and subscriptions so they can monitor for security risks using Microsoft Defender for Cloud.

                  Depending on how security team responsibilities are structured, monitoring for security risks could be the responsibility of a central security team or a local team. That said, security insights and risks must always be aggregated centrally within an organization.

                  Security Reader permissions can be applied broadly to an entire tenant (Root Management Group) or scoped to management groups or specific subscriptions.

                  Additional permissions might be required for visibility into workloads and services.

                    AM-2: Ensure security team has access to asset inventory and metadata

                    Guidance: Apply tags to your Azure resources, resource groups, and subscriptions to logically organize them into a taxonomy. Each tag consists of a name and a value pair. For example, you can apply the name “Environment” and the value “Production” to all the resources in production.

                    Use Azure Virtual Machine Inventory to automate the collection of information about software on Virtual Machines. Software Name, Version, publisher, and Refresh time are available from the Azure portal. To get access to install date and other information, enable guest-level diagnostics and bring the Windows Event Logs into a Log Analytics Workspace.

                      AM-3: Use only approved Azure services

                      Guidance: Use Azure Policy to audit and restrict which services users can provision in your environment. Use Azure Resource Graph to query for and discover resources within their subscriptions. You can also use Azure Monitor to create rules to trigger alerts when a non-approved service is detected.

                        AM-6: Use only approved applications in compute resources

                        Guidance: Use Azure virtual machine Inventory to automate the collection of information about all software on virtual machines. Software Name, Version, Publisher, and Refresh time are available from the Azure portal. To get access to install date and other information, enable guest-level diagnostics and bring the Windows Event Logs into a Log Analytics Workspace.

                          Logging and Threat Detection

                          LT-1: Enable threat detection for Azure resources

                          Guidance: Use the Microsoft Defender for Cloud built-in threat detection capability and enable Microsoft Defender (Formally Azure Advanced Threat Protection) for your Azure Virtual Desktop resources. Microsoft Defender for Azure Virtual Desktop provides an additional layer of security intelligence that detects unusual and potentially harmful attempts to access or exploit your Azure Virtual Desktop resources.

                          Forward any logs from Azure Virtual Desktop to your security information event management (SIEM) solution which can be used to set up custom threat detections. Ensure you are monitoring different types of Azure assets for potential threats and anomalies. Focus on getting high-quality alerts to reduce false positives for analysts to sort through. Alerts can be sourced from log data, agents, or other data.

                            LT-2: Enable threat detection for Azure identity and access management

                            Guidance: Azure Active Directory (Azure AD) provides the following user logs that can be viewed in Azure AD reporting or integrated with Azure Monitor, Microsoft Sentinel or other security information and event management (SIEM) or monitoring tools for further sophisticated monitoring and analytics use cases:

                            Sign-in – The sign-in report provides information about the usage of managed applications and user sign-in activities.

                            Audit logs – Provides traceability through logs for all changes done by various features within Azure AD. Examples of audit logs include changes made to any resources within Azure AD like adding or removing users, apps, groups, roles and policies.

                            Risky sign-in – A risky sign-in is an indicator for a sign-in attempt that might have been performed by someone who is not the legitimate owner of a user account.

                            Users flagged for risk – A risky user is an indicator for a user account that might have been compromised.

                            Microsoft Defender for Cloud can also alert on certain suspicious activities such as excessive number of failed authentication attempts and deprecated accounts in the subscription. In addition to the basic security hygiene monitoring, the Threat Protection module in Microsoft Defender for Cloud can also collect more in-depth security alerts from individual Azure compute resources (virtual machines, containers, app service), data resources (SQL DB and storage), and Azure service layers. This capability allows you to have visibility on account anomalies inside the individual resources.

                              LT-3: Enable logging for Azure network activities

                              Guidance: Azure Virtual Desktop does not produce or process domain name service (DNS) query logs. However resources that are registered to the service can produce flow logs.

                              Enable and collect network security group resource and flow logs, Azure Firewall logs and Web Application Firewall (WAF) logs for security analysis to support incident investigations, threat hunting, and security alert generation. You can send the flow logs to an Azure Monitor Log Analytics workspace and then use Traffic Analytics to provide insights.

                                LT-4: Enable logging for Azure resources

                                Guidance: Activity logs, which are automatically enabled, contain all write operations (PUT, POST, DELETE) for your Azure Virtual Desktop resources except read operations (GET). Activity logs can be used to find an error when troubleshooting or to monitor how a user in your organization modified a resource.

                                  LT-5: Centralize security log management and analysis

                                  Guidance: Centralize logging storage and analysis to enable correlation. For each log source, ensure you have assigned a data owner, access guidance, storage location, the tools used to process and access the data, and data retention requirements.

                                  Ensure you are integrating Azure activity logs into your central logging. Ingest logs via Azure Monitor to aggregate security data generated by endpoint devices, network resources, and other security systems. In Azure Monitor, use Log Analytics workspaces to query and perform analytics, and use Azure Storage accounts for long term and archival storage.

                                  In addition, enable and onboard data to Microsoft Sentinel or a third-party security information event management (SIEM). Many organizations choose to use Microsoft Sentinel for “hot” data that is used frequently and Azure Storage for “cold” data that is used less frequently.

                                    Posture and Vulnerability Management

                                    PV-3: Establish secure configurations for compute resources

                                    Guidance: Use Microsoft Defender for Cloud and Azure Policy to establish secure configurations on all compute resources including VMs, containers, and others.

                                    You can use custom operating system images or Azure Automation State configuration to establish the security configuration of the operating system required by your organization.

                                      PV-4: Sustain secure configurations for compute resources

                                      Guidance: Use Microsoft Defender for Cloud and Azure Policy to regularly assess and remediate configuration risks on your Azure compute resources including virtual machines, containers, and others. In addition, you may use Azure Resource Manager templates, custom operating system images or Azure Automation State Configuration to maintain the security configuration of the operating system required by your organization. The Microsoft virtual machine templates combined with the Azure Automation State Configuration may assist in meeting and maintaining the security requirements.

                                      Azure Marketplace Virtual Machine Images published by Microsoft are managed and maintained by Microsoft.

                                      Microsoft Defender for Cloud can also scan vulnerabilities in container image and performs continuous monitoring of your Docker configuration in containers against Center Internet Security’s Docker benchmark. You can use the Microsoft Defender for Cloud recommendations page to view recommendations and remediate issues.

                                        PV-5: Securely store custom operating system and container images

                                        Guidance: Azure Virtual Desktop allows customers to manage operating system images. Use Azure role-based access control (Azure RBAC) to ensure that only authorized users can access your custom images. Use an Azure Shared Image Gallery you can share your images to different users, service principals, or Active Directory groups within your organization. Store container images in Azure Container Registry and use RBAC to ensure that only authorized users have access.

                                          PV-6: Perform software vulnerability assessments

                                          Guidance: Azure Virtual Desktop allows you to deploy your own virtual machines and register them to the service as well as have SQL database running in the environment.

                                          Azure Virtual Desktop can use a third-party solution for performing vulnerability assessments on network devices and web applications. When conducting remote scans, do not use a single, perpetual, administrative account. Consider implementing JIT provisioning methodology for the scan account. Credentials for the scan account should be protected, monitored, and used only for vulnerability scanning.

                                          Follow recommendations from Microsoft Defender for Cloud for performing vulnerability assessments on your Azure virtual machines (and SQL servers). Microsoft Defender for Cloud has a built-in vulnerability scanner for virtual machine, container images, and SQL database.

                                          As required, export scan results at consistent intervals and compare the results with previous scans to verify that vulnerabilities have been remediated. When using vulnerability management recommendations suggested by Microsoft Defender for Cloud, you can pivot into the selected solution’s portal to view historical scan data.

                                            PV-7: Rapidly and automatically remediate software vulnerabilities

                                            Guidance: Azure Virtual Desktop doesn’t use or require any third-party software. However, Azure Virtual Desktop allows you to deploy your own virtual machines and register them to the service.

                                            Use Azure Automation Update Management or a third-party solution to ensure that the most recent security updates are installed on your Windows Server virtual machines. For Windows virtual machines, ensure Windows Update has been enabled and set to update automatically.

                                            Use a third-party patch management solution for third-party software or System Center Updates Publisher for Configuration Manager.

                                              PV-8: Conduct regular attack simulation

                                              Guidance: As required, conduct penetration testing or red team activities on your Azure resources and ensure remediation of all critical security findings. Follow the Microsoft Cloud Penetration Testing Rules of Engagement to ensure your penetration tests are not in violation of Microsoft policies. Use Microsoft’s strategy and execution of Red Teaming and live site penetration testing against Microsoft-managed cloud infrastructure, services, and applications.

                                                Endpoint Security

                                                ES-1: Use Endpoint Detection and Response (EDR)

                                                Guidance: Azure Virtual Desktop does not provide any specific capabilities for endpoint detection and response (EDR) processes. However resources registered to the service can benefit from endpoint detection and response capabilities.

                                                Enable endpoint detection and response capabilities for servers and clients and integrate them with security information and event management (SIEM) solutions and Security Operations processes.

                                                Advanced Threat Protection from Microsoft Defender provides Endpoint Detection and Response capabilities, as part of an enterprise endpoint security platform to prevent, detect, investigate, and respond to advanced threats.

                                                  ES-2: Use centrally managed modern anti-malware software

                                                  Guidance: Protect your Azure Virtual Desktop resources with a centrally managed and modern endpoint anti-malware solution capable of real time and periodic scanning.

                                                  Microsoft Defender for Cloud can automatically identify the use of a number of popular anti-malware solutions for your virtual machines and report the endpoint protection running status and make recommendations.

                                                  Microsoft Antimalware for Azure Cloud Services is the default anti-malware for Windows virtual machines (VMs). Also, you can use Threat detection with Microsoft Defender for Cloud for data services to detect malware uploaded to Azure Storage accounts.

                                                    ES-3: Ensure anti-malware software and signatures are updated

                                                    Guidance: Ensure anti-malware signatures are updated rapidly and consistently.

                                                    Follow recommendations in Microsoft Defender for Cloud: “Compute & Apps” to ensure all virtual machines and/or containers are up to date with the latest signatures.

                                                    Microsoft Antimalware will automatically install the latest signatures and engine updates by default.

                                                      Backup and Recovery

                                                      BR-1: Ensure regular automated backups

                                                      Guidance: Ensure you are backing up systems and data to maintain business continuity after an unexpected event. This should be guidance by any objectives for Recovery Point Objective (RPO) and Recovery Time Objective (RTO).

                                                      Enable Azure Backup and configure the backup source (e.g. Azure VMs, SQL Server, HANA databases, or File Shares), as well as the desired frequency and retention period.

                                                      For a higher level of redundancy, you can enable geo-redundant storage option to replicate backup data to a secondary region and recover using cross region restore.

                                                        BR-2: Encrypt backup data

                                                        Guidance: Ensure your backups are protect against attacks. This should include encryption of the backups to protect against loss of confidentiality.

                                                        For regular Azure service backup, backup data is automatically encrypted using Azure platform-managed keys. You can choose to encrypt the backup using customer-managed key. In this case, ensure this customer-managed key in the key vault is also in the backup scope.

                                                        Use role-based access control in Azure Backup, Azure Key Vault, or other resources to protect backups and customer-managed keys. Additionally, you can enable advanced security features to require multifactor authentication before backups can be altered or deleted.

                                                          BR-3: Validate all backups including customer-managed keys

                                                          Guidance: It is recommended to validate data integrity on backup media on a regular basis by performing a data restoration process to ensure that the backup is properly working.