Day 35: AZ-140 Pt.3 - Managing WVD - Security
Section 3: Manage Access and Security (10-15%)
The below should cover the following criteria for this section of the exam:
- Plan and implement Conditional Access policies for connections to Windows Virtual Desktop
- Plan and implement multifactor authentication in Windows Virtual Desktop
- Manage security by using Azure Security Center
- Configure Microsoft Defender Antivirus for session hosts
In the steps below, it should be noted that I am not going to say "click this and that"; I will give a general overview, and you will need to fill in the gaps with your own knowledge of Azure.
Creating conditional access policies using Intune
I was going to add in some fancy conditional checks, however it seems that as of now (26/02/21) multi-session VMs are not supported by Intune, meaning I can't use it as I'd like.
However, the policies available through Intune are lacking for my purposes.
If we did want to use Intune, we'd need to make sure the following is in place, some of which already is:
- Running Windows 10 Enterprise, version 1809 or later. ✔
- Hybrid Azure AD-joined. ✔
- Set up as personal remote desktops in Azure. ✔
- Enrolled in Intune by one of the following methods:
  - Configure Active Directory group policy to automatically enroll devices that are hybrid Azure AD joined.
  - Configuration Manager co-management.
  - User self-enrollment via Azure AD Join. ✔
Secondly, if I did want to use Intune for normal WVD (non-multi-session), the functionality below isn't available. I'm not sure how useful it would be anyway, but it is worth pointing out; e.g. why would I need to perform a remote wipe on a session host?
- Autopilot reset
- BitLocker key rotation
- Fresh Start
- Remote lock
- Reset password
Creating conditional access policies using MFA
We need to go to Azure AD > Security > Conditional Access > Add.
I have created a policy which requires a few things:
- Apply to group - WVD Multi-Session Users
- Cloud App - Windows Virtual Desktop
- Conditions - The host must be Windows OS Only
- Grant Access if using MFA, User will be prompted to configure MFA if not yet setup
- Session - Allow machine to be remembered for 7 days, then user will be prompted again
Now if I try to connect from my client, I get the prompts shown below:
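The same policy built with the Microsoft Graph PowerShell SDK, as an added example that is not part of the original post. It assumes the Microsoft.Graph module is installed, the signed-in account holds the Policy.ReadWrite.ConditionalAccess and Group.Read.All scopes, and a group named "WVD Multi-Session Users" exists; the application ID used for Windows Virtual Desktop is the published one for that enterprise app and should be confirmed against your own tenant. The policy is created in report-only state so its effect can be reviewed in the sign-in logs before it is enforced.

```powershell
# Added example (not from the original post): create the Conditional Access
# policy described above via Microsoft Graph PowerShell.
Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Groups

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Group.Read.All"

# Resolve the target group by display name instead of hard-coding an object ID.
$group = Get-MgGroup -Filter "displayName eq 'WVD Multi-Session Users'"
if (-not $group) { throw "Group 'WVD Multi-Session Users' not found in this tenant" }

# Published application (client) ID of the Windows Virtual Desktop enterprise app.
# Assumption: verify this under Enterprise applications in your tenant before use.
$wvdAppId = "9cdead84-a844-4324-93f2-b2e6bb768d07"

$policy = @{
    displayName = "WVD - Require MFA for multi-session users"
    # Report-only: sign-in logs show what the policy would do without enforcing it.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeGroups = @($group.Id) }          # Apply to group
        applications   = @{ includeApplications = @($wvdAppId) }    # Cloud app: WVD
        platforms      = @{ includePlatforms = @("windows") }       # Windows OS only
        clientAppTypes = @("all")                                   # required by the API
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")                                  # Grant only with MFA
    }
    sessionControls = @{
        # Re-prompt after 7 days, matching the "remembered for 7 days" session setting.
        signInFrequency = @{ value = 7; type = "days"; isEnabled = $true }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Output "Created '$($created.DisplayName)' ($($created.Id)) in state $($created.State)"
```

Once the report-only results look right, switch the policy to the enabled state from the portal or by updating the `state` property; the group scoping keeps the change limited to the WVD users rather than every sign-in in the tenant.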
Azure Security Center - Overview & Recommendations
With Azure Security Center, you can:
- Manage vulnerabilities.
- Assess compliance with common frameworks like PCI.
- Strengthen the overall security of your environment.
If I go to Security Center "Overview" and "Recommendations", we can see that, because this is a fresh environment, there is a lot it's telling us it's not happy about and that I need to get stuck into and resolve.
The main things:
- Encryption is missing; this can be resolved by encrypting our disks.
- We can install the Log Analytics agent on our machines to report data into Azure and give us a more accurate view.
- A few accounts do not have MFA enabled.
The great thing about this is that it's free, and it's telling us what we need to improve on and how to achieve a better score for my environment. It should go without saying, but all these issues should be resolved before going into production.
Azure Security Center - Regulatory Compliance
Another thing the Security Center does is give us an overview of regulatory compliance we might need to address. Again it's recommending that we enable encryption, which I haven't enabled due to the disk type and the cost of being on a free Azure plan. However, you can see very quickly any issues you might have. I can see this being great with information security being set up with read access to this section of Azure, or a report being produced to alert on any issues.
If we then want to start fixing some of these issues, we just need to start going through them one by one, for example here I am installing data collection agents on a subscription level (you would only target specific machines in production, not the whole subscription).
I am also enabling Azure Defender. You can see it's a simple process of selecting the subscription and/or machines you want to target. The next screens also show us the costs for each resource being protected; note that all resources are covered. Ensure you review what you're installing the agent on: some systems might not need this protection, so selecting the whole subscription would not be required in most cases.
- Microsoft Antimalware for Azure Virtual Machines is a real-time protection capability that helps identify and remove viruses, spyware, and other malicious software, with configurable alerts when known malicious or unwanted software attempts to install itself or run on your system.
We can enable this functionality on the VM itself. Things to note here:
- Exclude any folders being used by FSLogix.
- Decide whether to use real-time protection (possibly a performance hit) or a scheduled scan (possibly less of a performance hit).
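Putting both of those notes into practice on a session host with the Defender PowerShell module, as an added example that is not from the original post: it adds FSLogix exclusions and then reads the configuration back so the result can be verified. It assumes it runs elevated on the session host, that FSLogix is installed under Program Files, and that the profile share path is a placeholder you replace with your own; the paths and process names mirror the FSLogix exclusion list Microsoft publishes, so check them against the current documentation for your version.

```powershell
# Added example (not from the original post): Defender exclusions for FSLogix
# on a WVD session host, followed by a read-back of the resulting configuration.

# Placeholder: replace with your own Azure Files (or other SMB) profile share.
$profileShare = '\\<storage-account>.file.core.windows.net\<share>'

# Locations FSLogix touches at runtime: the containers on the share, and the
# temporary VHD/VHDX files it creates in the user and system temp folders.
# Defender accepts environment variables in path exclusions, so %TEMP% is left literal.
$pathExclusions = @(
    "$profileShare\*\*.VHD",
    "$profileShare\*\*.VHDX",
    '%TEMP%\*.VHD',
    '%TEMP%\*.VHDX',
    '%Windir%\TEMP\*.VHD',
    '%Windir%\TEMP\*.VHDX'
)

# FSLogix service binaries; excluding the processes avoids scanning their container I/O.
$fslogixApps = Join-Path $env:ProgramFiles 'FSLogix\Apps'
$processExclusions = @(
    (Join-Path $fslogixApps 'frxccd.exe'),
    (Join-Path $fslogixApps 'frxccds.exe'),
    (Join-Path $fslogixApps 'frxsvc.exe')
)

foreach ($path in $pathExclusions)    { Add-MpPreference -ExclusionPath $path }
foreach ($proc in $processExclusions) { Add-MpPreference -ExclusionProcess $proc }

# Read back what Defender now holds: the exclusions, whether real-time
# protection is still on, and when the scheduled scan runs (relevant to the
# real-time vs scheduled decision above).
$pref = Get-MpPreference
[pscustomobject]@{
    PathExclusions      = ($pref.ExclusionPath -join '; ')
    ProcessExclusions   = ($pref.ExclusionProcess -join '; ')
    RealtimeMonitoring  = -not $pref.DisableRealtimeMonitoring
    ScheduledScanDay    = $pref.ScanScheduleDay
    ScheduledScanTime   = $pref.ScanScheduleTime
} | Format-List
```

Keep the exclusion list as narrow as the FSLogix paths actually in use: every excluded path is a location Defender will no longer inspect, so a broad wildcard over a whole share defeats the purpose of having endpoint protection on the host.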
It's worth reading through the links below in detail. There's a lot of information to absorb, but the gist of all this is: get to know what Security Center offers, install some form of endpoint protection, use Azure Defender, and tie up your environment by working through the Security Center recommendations such as encryption and MFA.
A really cool feature I noticed in the above links is:
Enable screen capture protection (preview) can be enabled by using the following:
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableScreenCaptureProtection /t REG_DWORD /d 1
The screen capture protection feature prevents sensitive information from being captured on the client endpoints. When you enable this feature, remote content will be automatically blocked or hidden in screenshots and screen shares. It will also be hidden from malicious software that may be continuously capturing your screen's content. We recommend you disable clipboard redirection to prevent copying of remote content to endpoints while using this feature.
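A small audit script to confirm a session host has the setting from the reg add command above, together with the clipboard redirection setting the same guidance says to disable, as an added example that is not from the original post. It assumes it runs on the session host and that fDisableClip is the Terminal Services policy value behind "Do not allow Clipboard redirection" (a value of 1 disables redirection); both values live under the same key as fEnableScreenCaptureProtection.

```powershell
# Added example (not from the original post): check the Terminal Services policy
# values for screen capture protection and clipboard redirection on a session host.
$tsKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Get-TsPolicyValue {
    param([string]$Name)
    # Return $null when the key or value is absent instead of throwing,
    # so a host that was never configured reads as "(not set)".
    try { (Get-ItemProperty -Path $tsKey -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

# Expected values: 1 enables screen capture protection; 1 disables clipboard redirection.
$checks = @(
    @{ Name = 'fEnableScreenCaptureProtection'; Expected = 1; Meaning = 'screen capture protection enabled' },
    @{ Name = 'fDisableClip';                   Expected = 1; Meaning = 'clipboard redirection disabled' }
)

$results = foreach ($check in $checks) {
    $actual = Get-TsPolicyValue -Name $check.Name
    [pscustomobject]@{
        Setting   = $check.Name
        Expected  = $check.Expected
        Actual    = if ($null -eq $actual) { '(not set)' } else { $actual }
        Compliant = ($actual -eq $check.Expected)
        Meaning   = $check.Meaning
    }
}

$results | Format-Table -AutoSize

# Non-zero exit when any setting is off, so this can run as a baseline check
# from a deployment pipeline or a scheduled compliance job.
if ($results.Compliant -contains $false) { exit 1 }
```

Running this after the reg add command should show both rows as compliant; if fDisableClip reports "(not set)", clipboard redirection is still allowed and remote content can be copied to the endpoint even with screen capture protection on.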
Thanks for reading. Next up is Managing Access.