In this chapter, we'll take a look at security and compliance settings for Azure Virtual Desktop (AVD). First, we'll look at planning and implementing multi-factor authentication (MFA) and Conditional Access policies for AVD. Next, we'll look at Microsoft Defender for Cloud and the benefits of turning this feature on and enabling Azure Defender. To finish the chapter, we'll look at Microsoft Defender Antivirus and additional configurations you can apply to streamline the security signature updates to session hosts.
This chapter covers the following topics:
MFA is an authentication layer you can add to the sign-in process as a way of improving sign-in security. When accessing corporate accounts, apps, or other services, the user is required to provide additional identity verification. This additional verification can be scanning a fingerprint or entering a code received by a phone or token-generating device.
Important Note
The security threat landscape is consistently changing, with new threats appearing daily. It is advised as a best practice that organizations use MFA as a standard practice to harden the sign-in process to protect users and corporate data.
Azure Active Directory (AD) MFA works by requiring the user to complete two or more authentication methods to finish signing in. The first method is typically a password. A trusted device such as a phone or hardware key, or a biometric such as a fingerprint or face scan, can be used as the second method.
Important Note
Azure AD MFA also offers a feature known as secure password reset. This can be enabled when users register for Azure AD MFA, which appears as an additional step.
You can use the following forms of authentication when using Azure MFA:
The verification when using Azure MFA looks similar to the following screenshot:
You have the option of configuring the security defaults to enable Authenticator for all users or choosing conditional access policies that can be used to control specific events and applications. You can configure conditional policies to allow regular sign-in or to include a prompt for additional verification when a user is remote or on a personal device.
Let's now take a look at the security defaults available to you on Azure.
Security defaults are a feature that helps simplify security hardening when applying MFA to your organization's Azure tenant. When applying preconfigured security settings, you essentially set the following:
You can read more on security defaults here: https://docs.microsoft.com/azure/active-directory/fundamentals/concept-fundamentals-security-defaults.
As the technology ecosystem continues to evolve and change day by day, the way people work and access corporate resources changes with it. This shift is often described as the modern security perimeter, which refers to user and device identities that access corporate data and network resources from outside the corporate network.
When looking at conditional access, we need to first understand the three core principles: signals, decisions, and enforcements.
Important Note
To use conditional access policies, you need the Azure AD Premium P1 license. You can read more here: https://www.microsoft.com/security/business/identity-access-management/azure-ad-pricing?rtc=1.
Let's now take a look at these three components that are required for conditional access organizational policies:
The following are taken into consideration when making policy decisions using conditional access:
The following table details the two decisions and the options available when you select Grant Access:
The following is a list of examples of some of the applied policies you can set:
You can read more on the three components of Conditional Access here: https://docs.microsoft.com/azure/active-directory/conditional-access/overview.
The following diagram shows the three components in action, enforcing conditional access on the required apps and data for your organization:
We'll now move on to take a look at the planning and implementation of MFA.
This section goes into detail on how to implement MFA for AVD. We will navigate through the process step by step. The benefit of MFA is that it provides an extra layer of security for users, and only the user with access to the token can log in, reducing the risk of unauthorized access to the network and IT resources.
The prerequisites for getting started are as follows:
For more information on the prerequisites, please see the following link: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-getstarted#prerequisites-for-deploying-azure-ad-mfa.
You also need to ensure that your users are configured to use MFA. This is done by following the steps I have summarized here:
To configure multi-factor user states, see the following link: https://docs.microsoft.com/azure/active-directory/authentication/howto-mfa-userstates.
Tip
It is recommended that you do not manually change the user state to Enforced unless the user is already registered or understands there will be an interruption in connections to legacy authentication protocols.
In the following subsection, we take a look at configuring the required conditional access policy for AVD to enforce MFA.
In the previous section, we discussed conditional access policies and the three components: signals, decisions, and enforcements. We'll now take a look at creating a conditional access policy.
The following steps guide you through creating a conditional access policy that requires MFA when connecting to AVD:
Tip
Please note you may find that the name has not changed from Windows Virtual Desktop, and it is advised you check for both.
If using AVD, choose this app: Azure Virtual Desktop (app ID 9cdead84-a844-4324-93f2-b2e6bb768d07).
The following screenshot shows the details filled in for creating a new conditional access policy, which we will apply to AVD as specified in the Cloud apps | Include section:
Tip
To find the app ID of the app you want to select, navigate to Enterprise Applications and select Microsoft Applications from the Application type drop-down menu. You can read more here: https://docs.microsoft.com/azure/active-directory/manage-apps/view-applications-portal?tabs=azure-portal#search-for-an-application.
The following screenshot shows the conditions set for this conditional access policy; you will note that both Browser and Mobile apps and desktop clients have been set for this policy:
The following screenshot shows the configuration of access controls, specifically the Grant access control. By setting Require multi-factor authentication, you force the user to complete two-factor verification to access the resources configured within the conditional access policy:
The following screenshot shows the customization of the sign-in frequency setting. You can set a specific time before a user needs to reauthenticate:
There you have it; you have enabled MFA and configured the required conditional access policy for AVD.
Tip
It is advised that you use Report-only before introducing this to a production environment. Report-only allows you to identify any issues and ensure the configured conditional access policy is functioning correctly.
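The same policy built through the Microsoft Graph PowerShell SDK, as an added example that is not part of the book. It is created in report-only mode, as the tip above recommends, and assumes the Microsoft.Graph.Identity.SignIns and Microsoft.Graph.Applications modules are installed, that the signed-in admin can consent to the listed scopes, and that the group and break-glass IDs are placeholders you replace; the sign-in frequency value is an assumption, since the chapter leaves the period to you.

```powershell
# Added example, not from the book: create the AVD "require MFA" conditional access policy via Graph.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Application.Read.All'

$AvdAppId      = '9cdead84-a844-4324-93f2-b2e6bb768d07'   # Azure Virtual Desktop app ID from the chapter
$TargetGroupId = '<avd-users-group-id>'                    # placeholder: object ID of the AVD users group
$BreakGlassIds = @('<break-glass-account-id>')             # placeholder: emergency access accounts to exclude

# The app may still be listed under its old name (Windows Virtual Desktop), so look it up by app ID,
# not by display name, and stop if it is not present in the tenant.
$sp = Get-MgServicePrincipal -Filter "appId eq '$AvdAppId'"
if (-not $sp) { throw "Service principal for app ID $AvdAppId not found in this tenant" }
Write-Host "Targeting app '$($sp.DisplayName)'"

$policy = @{
    displayName = 'AVD - Require MFA'
    # enabledForReportingButNotEnforced is the portal's "Report-only" state
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users = @{
            includeGroups = @($TargetGroupId)
            excludeUsers  = $BreakGlassIds
        }
        applications   = @{ includeApplications = @($AvdAppId) }
        # Matches the screenshot: both Browser and Mobile apps and desktop clients are in scope
        clientAppTypes = @('browser', 'mobileAppsAndDesktopClients')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')   # Grant access -> Require multi-factor authentication
    }
    sessionControls = @{
        # Sign-in frequency: 8 hours is an assumption for illustration
        signInFrequency = @{ isEnabled = $true; type = 'hours'; value = 8 }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# After reviewing the report-only results in the sign-in logs, switch the policy on:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = 'enabled' }
```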
This section looked at enabling MFA for users and then configuring an AVD conditional access policy. The next section looks at managing security by using Microsoft Defender for Cloud.
Microsoft Defender for Cloud was previously known as Azure Security Center and Azure Defender. I want to set some context around the reasoning and detail of the responsibilities split between Microsoft and the customer.
We previously spoke about some advanced security features, such as reverse connect, which reduces the risk of exposing virtual desktop resources directly to the public network. We'll now look at the security responsibilities and some of the Azure security best practices available to you.
Here are the security areas you're responsible for in your AVD deployment. Note that the value under the Customer responsibility column is Yes if the customer is responsible and No if Microsoft is responsible:
This table was taken from the following Microsoft link:
https://docs.microsoft.com/en-us/azure/virtual-desktop/security-guide#security-responsibilities
As detailed in the table, Microsoft takes care of the physical aspects of the cloud infrastructure and the virtualization control plane. The customer is responsible for everything else. This is why it makes sense to use Microsoft Defender for Cloud to assist with security hardening all the required components for your AVD environment.
Important Note
Microsoft Defender for Cloud is essentially a security posture manager with two offerings: a free version and an option known as enhanced security, which offers a number of security features and tools to help you harden your environment.
Microsoft Defender for Cloud represents a number of security services that are specific to different workloads, such as databases, storage accounts, containers, and key vaults.
Microsoft Defender for Cloud helps you harden your resources, as well as mapping your current security posture and tracking future changes to help protect against cyber attacks and streamline your IT security. As Microsoft Defender for Cloud is natively integrated, it provides a simple and easy way to deploy Defender to secure your resources by default.
Take a look at the three core needs when managing security with Microsoft Defender for Cloud:
For a detailed breakdown of Microsoft Defender for Cloud, take a look at the following link: https://docs.microsoft.com/azure/defender-for-cloud/defender-for-cloud-introduction.
The following table describes the three core security requirements used within Defender for Cloud:
The table is taken from the Microsoft documentation site: https://docs.microsoft.com/azure/defender-for-cloud/defender-for-cloud-introduction.
Important Note
Please note that when using custom/third-party technologies such as network virtual appliances (NVAs), you may get false positive alerts from Microsoft Defender for Cloud regarding best practices. These alerts or recommendations are false positives because you are effectively bypassing the default Azure configurations with a third-party security feature/technology. One good example is port forwarding, which is typically enabled for an NVA and would be flagged by Microsoft Defender for Cloud. However, traffic must pass through the NVA, so port forwarding must remain enabled on it.
Microsoft Defender for Cloud provides a security score, which is essentially a set of recommendations and best practices for improving your AVD environment:
The good news is that recommendations are prioritized to help you select the most important ones. There is also the Fix option to help you quickly address identified vulnerabilities. Note, however, that the Fix button handles only some issues and does not provide full coverage. It's advised that you conduct internal security reviews to ensure that you meet the requirements for your organization's security posture:
Important Note
The recommendations update as the IT ecosystem changes: new recommendations are provided when the security landscape shifts, for example when new vulnerabilities arise or when new or better ways to maintain your AVD environment's security become available.
The next section takes a look at securing your AVD security environment and enabling enhanced security within Microsoft Defender for Cloud.
As summarized in the introduction to this section, the customer is responsible for the following areas under the shared responsibility model:
Security posture is a term used to describe the overall cybersecurity strength of an organization, including its ability to predict, prevent, and respond to ever-changing threats. Therefore, it is advised that you examine both the required level of threat protection and the security posture for your AVD environment.
The misconfiguration of the network and/or virtual machines can increase the attack surface or possibly compromise an endpoint.
Important Note
You need to ensure that all management ports are closed on your AVD virtual machines. No direct access to session hosts from the public network is required. If you want direct access to virtual machines, it is advised to use Azure Bastion or connect over a VPN.
We cover endpoint protection in the next section; however, it is necessary to call out the following security controls to protect users from browsing to malicious sites or connecting to malicious devices.
Here is a list of benefits Microsoft Defender for Cloud offers for improving security posture and threat protection for AVD when enabling Azure Defender:
The following table shows different security areas and what Microsoft Defender for Cloud offers in terms of capabilities:
This section provided a high-level overview of Microsoft's and the customer's security responsibilities. In addition, it provided an introduction to Microsoft Defender for Cloud to set the scene for the following sections of this chapter. We'll now move on to take a look at using Microsoft Defender for Cloud and Azure Defender for AVD.
Out of the box, you can use Microsoft Defender for Cloud to provide continuous assessments and security recommendations, fixes, and Azure security scores, which can be used to gauge your security posture.
Enabling Azure Defender opens up additional features, including just-in-time virtual machine access, adaptive application controls/network hardening, compliance dashboards/reports, threat protection for Azure virtual machines, and non-Azure servers.
Important Note
It is important to note that Microsoft Defender for Cloud is a security posture manager (SPM).
The following screenshot shows the differences between Microsoft Defender for Cloud being switched on and off:
To access Microsoft Defender for Cloud, click the Security Center icon shown in the main window of the Azure portal. You will be taken to the Overview window of Microsoft Defender for Cloud, as shown in the following screenshot:
Within Microsoft Defender for Cloud, you can review and configure various security controls/policies and review best practices. A lot of the content within Microsoft Defender for Cloud is out of scope for this book; however, we will take a brief look at what you can use for AVD to improve your desktop virtualization security posture.
You can take a look at your resources via the inventory, as highlighted in the following screenshot. This lets you see which resources are configured with monitoring agents, turn Azure Defender on/off, and see recommendations.
The following screenshot shows the Inventory page of Microsoft Defender for Cloud. This page is used for reviewing all resources, including total, unhealthy, unmonitored, and unregistered subscriptions:
One final part I wanted to cover before we move on to enabling Microsoft Defender for Cloud is the Recommendations page. This provides a centralized list of recommendations to improve your Azure security score, as well as gauging your current state and future security score.
Tip
Did you know that the regulatory compliance feature within Microsoft Defender for Cloud is part of the free module?
The following screenshot shows the list of recommendations for Azure Security Center based on the current score and configuration of the Azure subscription:
In this section, we looked at Microsoft Defender for Cloud and how it can help improve your AVD's security posture. The next section takes a look at enabling Azure Defender for AVD.
This section summarizes the basic steps for enabling enhanced security for Microsoft Defender for Cloud on your Azure subscription. This will allow you to use the more advanced features of Security Center at a cost.
The link to pricing can be found here: https://azure.microsoft.com/pricing/details/azure-defender/.
Important Note
You will need to enable enhanced security for Microsoft Defender for Cloud for each subscription you use.
The basic steps for enabling Azure Defender on your Azure subscription are as follows:
Important Note
It is important to note that if you select the option for Enable all Microsoft Defender for Cloud plans, this will onboard all resources within the subscription. If you want to onboard only a subset, you will need to manually onboard the specific required resources.
The following screenshot shows the option to turn Microsoft Defender for Cloud on and off:
Once you have chosen the resource types (plans) you require, click Save.
As shown in the preceding screenshot, you can see that you can now review Azure Defender's coverage. This concludes the enablement of enhanced security within Microsoft Defender for Cloud for AVD.
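The same enablement done with the Az PowerShell modules, as an added example that is not part of the book. It applies a chosen subset of plans rather than "all plans", and repeats the change for every subscription, as the note above requires. It assumes the Az.Accounts and Az.Security modules are installed, that the account holds the Security Admin role on each subscription, and that the three plan names listed are the ones you want (VirtualMachines is the plan that covers AVD session hosts).

```powershell
# Added example, not from the book: enable selected Defender for Cloud plans on every subscription.
$Plans = @('VirtualMachines', 'StorageAccounts', 'KeyVaults')   # assumption: the subset to onboard

Connect-AzAccount | Out-Null

foreach ($sub in Get-AzSubscription) {
    # Enhanced security is a per-subscription setting, so switch context to each one in turn
    Set-AzContext -SubscriptionId $sub.Id | Out-Null

    foreach ($plan in $Plans) {
        $current = Get-AzSecurityPricing -Name $plan
        if ($current.PricingTier -eq 'Standard') {
            Write-Host "$($sub.Name): $plan is already on the enhanced (Standard) tier"
            continue
        }
        # 'Standard' is the enhanced-security tier; 'Free' is the foundational posture tier
        Set-AzSecurityPricing -Name $plan -PricingTier 'Standard' | Out-Null
        Write-Host "$($sub.Name): enabled enhanced security for $plan"
    }

    # Report the resulting coverage so it can be compared with the Defender plans page in the portal
    Get-AzSecurityPricing |
        Select-Object @{ n = 'Subscription'; e = { $sub.Name } }, Name, PricingTier |
        Format-Table -AutoSize
}
```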
For more information on Microsoft Defender for Cloud, check out this link for the planning and operations guide: https://docs.microsoft.com/azure/defender-for-cloud/security-center-planning-and-operations-guide.
In the next section, we'll look at configuring Microsoft Defender Antivirus for session hosts and useful configurations for ensuring antimalware signatures are constantly updated.
This section takes a look at Microsoft Defender Antivirus for session hosts. Before we look at scans and suppressing notifications, I want to first take a look at offloading security intelligence updates onto a host machine.
The benefit of doing this is to reduce the impact on the CPU, disk, and memory resources of the session hosts when security intelligence updates are processed. You can manage Microsoft Defender Antivirus using Group Policy; however, you can also use System Center Configuration Manager, Intune, and other third-party mobile device management (MDM) platforms.
See the following link from Microsoft on deploying Microsoft Defender Antivirus: https://docs.microsoft.com/microsoft-365/security/defender-endpoint/deployment-vdi-microsoft-defender-antivirus.
Microsoft Defender for Endpoint is an additional license you can purchase that essentially adds an extra layer of security to your endpoints. It is an enterprise endpoint security platform that offers features beyond antivirus, including advanced threat detection.
The following table details why you should consider both Microsoft Defender Antivirus and Microsoft Defender for Endpoint together:
The preceding table was taken from the following Microsoft link: https://docs.microsoft.com/microsoft-365/security/defender-endpoint/why-use-microsoft-defender-antivirus.
Important Note
The Microsoft Defender Antivirus feature was introduced in Windows 10 version 1903; however, it has been backported to Windows 10 version 1703 and above.
Let's now take a look at configuring some of the Microsoft Defender Antivirus features.
In this example, you will use Group Policy to enable the Microsoft shared security intelligence feature:
Important Note
The shared security intelligence feature is used to offload the processing required by an endpoint in terms of unpackaging and installing security intelligence updates. Using a network or local path reduces the resource utilization of a client when security intelligence updates are applied.
Double-click Define security intelligence location for VDI clients, and then set the option to Enabled within the form. A field should then automatically appear:
Tip
You can also use PowerShell to enable the feature using the following cmdlet: Set-MpPreference -SharedSignaturesPath \\<fileshare>\av-update. You can run this on each machine or deliver it using the Custom Script Extension.
To download and unpack the latest security updates, it's advised that you configure a PowerShell script as a scheduled task to automatically update the file share with new security update definitions when they are released:
# Build a unique folder under <systemdrive>\av-update whose name is a GUID ending in the current timestamp
$vdmspathbase = "$env:systemdrive\av-update\{00000000-0000-0000-0000-"
$vdmspathtime = Get-Date -format "yMMddHHmmss"
$vdmspath = $vdmspathbase + $vdmspathtime + '}'
$vdmspackage = $vdmspath + '\mpam-fe.exe'
# Create the folder, download the x64 security intelligence package into it, then extract it in place
New-Item -ItemType Directory -Force -Path $vdmspath | Out-Null
Invoke-WebRequest -Uri 'https://go.microsoft.com/fwlink/?LinkID=121721&arch=x64' -OutFile $vdmspackage
cmd /c "cd $vdmspath & c: & mpam-fe.exe /x"
The following steps guide you in setting a scheduled task to run the PowerShell script:
You can start the update manually by right-clicking on the task and clicking Run.
If you would prefer to configure manually, this is what to do to replicate the script's behavior:
Here's an example: c:\av-update\{00000000-0000-0000-0000-000000000000}.
Important Note
In the Getting the latest updates section, you will note that the script includes a timestamp (year, month, day, and time) within the GUID so that a new folder is created for each update. This can be changed so that files are downloaded to the same folder each time.
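A hardened version of the share-update job that keeps the chapter's GUID-folder layout, as an added example that is not the book's script. It adds two things a practitioner wants: the downloaded package is only unpacked if it carries a valid Microsoft Authenticode signature, and old GUID folders are pruned so the share does not grow without bound. It assumes C:\av-update is the local folder behind \\<fileshare>\av-update, that the script is saved as C:\Scripts\Update-AvShare.ps1, and that keeping three packages is enough retention.

```powershell
# Added example, not from the book. Run once with -Register to create the scheduled task;
# the task then runs the script daily without the switch.
param([switch]$Register)

$ShareRoot   = 'C:\av-update'                                      # assumption: local path behind the share
$PackageUri  = 'https://go.microsoft.com/fwlink/?LinkID=121721&arch=x64'
$KeepFolders = 3                                                   # assumption: retain the newest three packages
$ScriptPath  = 'C:\Scripts\Update-AvShare.ps1'                     # assumption: where this script is saved

function Update-SharedSignatures {
    # Same layout as the chapter's script: a GUID folder whose last group is a timestamp,
    # so each run lands in a fresh folder and session hosts never read a half-written package.
    $stamp   = Get-Date -Format 'yMMddHHmmss'
    $folder  = Join-Path $ShareRoot ('{00000000-0000-0000-0000-' + $stamp + '}')
    $package = Join-Path $folder 'mpam-fe.exe'
    New-Item -ItemType Directory -Force -Path $folder | Out-Null

    Invoke-WebRequest -Uri $PackageUri -OutFile $package -UseBasicParsing

    # Refuse to unpack anything that is not a validly signed Microsoft binary.
    $sig = Get-AuthenticodeSignature -FilePath $package
    if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft Corporation') {
        Remove-Item -Path $folder -Recurse -Force
        throw "Rejected $package : signature status $($sig.Status)"
    }

    # /x extracts the .vdm definition files into the working directory, i.e. the new GUID folder.
    Start-Process -FilePath $package -ArgumentList '/x' -WorkingDirectory $folder -Wait -NoNewWindow

    # Retention: keep the newest $KeepFolders GUID folders and delete the rest.
    Get-ChildItem -Path $ShareRoot -Directory |
        Where-Object { $_.Name -like '{00000000-0000-0000-0000-*}' } |
        Sort-Object Name -Descending |
        Select-Object -Skip $KeepFolders |
        Remove-Item -Recurse -Force
}

if ($Register) {
    # Daily task running as SYSTEM, the equivalent of the manual Task Scheduler steps in the chapter.
    $action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                   -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$ScriptPath`""
    $trigger   = New-ScheduledTaskTrigger -Daily -At '03:00'
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
    Register-ScheduledTask -TaskName 'Update Defender shared signatures' -Action $action `
        -Trigger $trigger -Principal $principal -Force | Out-Null
} else {
    Update-SharedSignatures
}
```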
Tip
The session host virtual machines will pick up the updated package when a new GUID folder is created with an update package or whenever the existing folder is updated with new packages.
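A check you can run on a session host to confirm the pick-up described in the tip, as an added example that is not part of the book. It reads the configured share path, finds the newest GUID folder on it, and reports the signature version and age from Microsoft Defender Antivirus; it assumes the path was set by the Group Policy setting or Set-MpPreference shown earlier.

```powershell
# Added example, not from the book: verify that a session host sees the shared signature source.
function Test-SharedSignatureSource {
    $pref   = Get-MpPreference
    $status = Get-MpComputerStatus
    $path   = $pref.SharedSignaturesPath      # empty if the feature has not been configured

    # Newest GUID folder on the share, using the same naming pattern as the update script
    $newest = $null
    if ($path -and (Test-Path -Path $path)) {
        $newest = Get-ChildItem -Path $path -Directory |
                  Where-Object { $_.Name -like '{00000000-0000-0000-0000-*}' } |
                  Sort-Object Name -Descending |
                  Select-Object -First 1
    }

    [pscustomobject]@{
        SharedSignaturesPath = $path
        ShareReachable       = [bool]$newest
        NewestPackageFolder  = $newest.Name
        SignatureVersion     = $status.AntivirusSignatureVersion
        SignatureLastUpdated = $status.AntivirusSignatureLastUpdated
        SignatureAgeHours    = [math]::Round(((Get-Date) - $status.AntivirusSignatureLastUpdated).TotalHours, 1)
    }
}

# A large SignatureAgeHours or ShareReachable = False points at the share path or the update task
Test-SharedSignatureSource
```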
The next section looks at configuring quick scans for AVD session hosts.
This section takes a quick look at configuring the group policy for specifying the scan type. In the example, we will be configuring a quick scan:
This section showed you how to configure a quick scan for AVD session hosts. We will now take a look at how to suppress notifications for Microsoft Defender Antivirus.
This section looks at how you can suppress Microsoft Defender Antivirus notifications. Follow these steps detailed to configure it:
This section looked at suppressing all notifications for Microsoft Defender Antivirus. Next, we'll look at enabling headless UI mode, which essentially hides the UI from the user.
Headless UI mode is a great feature for AVD as it hides the UI from the end user. This means that the IT admin is in full control and schedules scans when required.
The following steps detail how to configure headless UI mode:
In this section, we looked at enabling headless UI mode to hide Microsoft Defender Antivirus from the users' view.
This chapter provided an insight into Microsoft Defender for Cloud with a focus on AVD. We started the chapter off by looking at enabling MFA and then configuring a conditional access policy to enforce MFA on AVD. We then moved on to looking at the security responsibilities of both Microsoft and the customers. We then dived into Microsoft Defender for Cloud, the value it offers Azure customers, and how you can use it to improve your AVD security posture as well as the security of the Azure resources running more widely within your subscription(s). To finish off the chapter, we looked at Microsoft Defender Antivirus at a high level, focusing on some of the features you may want to configure for AVD.
In the next chapter, we will change topics to look at implementing and managing FSLogix profile containers in AVD.