|
| 1 | +--- |
| 2 | +title: Windows Virtual Desktop security best practices - Azure |
| 3 | +description: Best practices for keeping your Windows Virtual Desktop environment secure. |
| 4 | +services: virtual-desktop |
| 5 | +author: heidilohr |
| 6 | + |
| 7 | +ms.service: virtual-desktop |
| 8 | +ms.topic: conceptual |
| 9 | +ms.date: 05/07/2020 |
| 10 | +ms.author: helohr |
| 11 | +manager: lizross |
| 12 | +--- |
| 13 | +# Security best practices |
| 14 | + |
| 15 | +Windows Virtual Desktop is a managed virtual desktop service that includes many security capabilities for keeping your organization safe. In a Windows Virtual Desktop deployment, Microsoft manages portions of the services on the customer’s behalf. The service has many built-in advanced security features, such as Reverse Connect, which reduce the risk involved with having remote desktops accessible from anywhere. |
| 16 | + |
| 17 | +This article describes additional steps you can take as an admin to keep your customers' Windows Virtual Desktop deployments secure. |
| 18 | + |
| 19 | +## Security responsibilities |
| 20 | + |
| 21 | +What makes cloud services different from traditional on-premises virtual desktop infrastructures (VDIs) is how they handle security responsibilities. For example, in a traditional on-premises VDI, the customer would be responsible for all aspects of security. However, in most cloud services, these responsibilities are shared between the customer and the company. |
| 22 | + |
| 23 | +When you use Windows Virtual Desktop, it’s important to understand that while some components come already secured for your environment, you'll need to configure other areas yourself to fit your organization’s security needs. |
| 24 | + |
| 25 | +Here are the security needs you're responsible for in your Windows Virtual Desktop deployment: |
| 26 | + |
| 27 | +| Security need | Is the customer responsible for this? | |
| 28 | +|---------------|:-------------------------:| |
| 29 | +|Identity|Yes| |
| 30 | +|User devices (mobile and PC)|Yes| |
| 31 | +|App security|Yes| |
| 32 | +|Session host OS|Yes| |
| 33 | +|Deployment configuration|Yes| |
| 34 | +|Network controls|Yes| |
| 35 | +|Virtualization control plane|No| |
| 36 | +|Physical hosts|No| |
| 37 | +|Physical network|No| |
| 38 | +|Physical datacenter|No| |
| 39 | + |
| 40 | +The security needs the customer isn't responsible for are handled by Microsoft. |
| 41 | + |
| 42 | +## Azure security best practices |
| 43 | + |
| 44 | +Windows Virtual Desktop is a service under Azure. To maximize the safety of your Windows Virtual Desktop deployment, you should make sure to secure the surrounding Azure infrastructure and management plane as well. To secure your infrastructure, consider how Windows Virtual Desktop fits into your larger Azure ecosystem. To learn more about the Azure ecosystem, see [Azure security best practices and patterns](../security/fundamentals/best-practices-and-patterns.md). |
| 45 | + |
| 46 | +This section describes best practices for securing your Azure ecosystem. |
| 47 | + |
| 48 | +### Enable Azure Security Center |
| 49 | + |
| 50 | +We recommend you enable Azure Security Center Standard for subscriptions, virtual machines, key vaults, and storage accounts. |
| 51 | + |
| 52 | +With Azure Security Center Standard, you can: |
| 53 | + |
| 54 | +* Manage vulnerabilities. |
| 55 | +* Assess compliance with common frameworks like PCI. |
| 56 | +* Strengthen the overall security of your environment. |
| 57 | + |
| 58 | +To learn more, see [Onboard your Azure subscription to Security Center Standard](../security-center/security-center-get-started.md). |
| 59 | + |
| 60 | +### Improve your Secure Score |
| 61 | + |
| 62 | +Secure Score provides recommendations and best practice advice for improving your overall security. These recommendations are prioritized to help you pick which ones are most important, and the Quick Fix options help you address potential vulnerabilities quickly. These recommendations also update over time, keeping you up to date on the best ways to maintain your environment’s security. To learn more, see [Improve your Secure Score in Azure Security Center](../security-center/security-center-secure-score.md). |
| 63 | + |
| 64 | +## Windows Virtual Desktop security best practices |
| 65 | + |
| 66 | +Windows Virtual Desktop has many built-in security controls. In this section, you'll learn about security controls you can use to keep your users and data safe. |
| 67 | + |
| 68 | +### Require multi-factor authentication |
| 69 | + |
| 70 | +Requiring multi-factor authentication for all users and admins in Windows Virtual Desktop improves the security of your entire deployment. To learn more, see [Enable Azure Multi-Factor Authentication for Windows Virtual Desktop](set-up-mfa.md). |
| 71 | + |
| 72 | +### Enable Conditional Access |
| 73 | + |
| 74 | +Enabling [Conditional Access](../active-directory/conditional-access/best-practices.md) lets you manage risks before you grant users access to your Windows Virtual Desktop environment. When deciding which users to grant access to, we recommend you also consider who the user is, how they sign in, and which device they're using. |
| 75 | + |
| 76 | +### Collect audit logs |
| 77 | + |
| 78 | +Enabling audit log collection lets you view user and admin activity related to Windows Virtual Desktop. Some examples of key audit logs are: |
| 79 | + |
| 80 | +- [Azure Activity Log](../azure-monitor/platform/activity-log-collect.md) |
| 81 | +- [Azure Active Directory Activity Log](../active-directory/reports-monitoring/concept-activity-logs-azure-monitor.md) |
| 82 | +- [Azure Active Directory](../active-directory/fundamentals/active-directory-whatis.md) |
| 83 | +- [Session hosts](../azure-monitor/platform/agent-windows.md) |
| 84 | +- [Windows Virtual Desktop Diagnostic Log](../virtual-desktop/diagnostics-log-analytics.md) |
| 85 | +- [Key Vault logs](../key-vault/general/logging.md) |
| 86 | + |
| 87 | +### Use RemoteApps |
| 88 | + |
| 89 | +When choosing a deployment model, you can either provide remote users access to entire virtual desktops or only select applications. Remote applications, or RemoteApps, provide a seamless experience as the user works with apps on their virtual desktop. RemoteApps reduce risk by only letting the user work with with a subset of the remote machine exposed by the application. |
| 90 | + |
| 91 | +### Monitor usage with Azure Monitor |
| 92 | + |
| 93 | +Monitor your Windows Virtual Desktop service's usage and availability with [Azure Monitor](https://azure.microsoft.com/services/monitor/). Consider creating [service health alerts](../service-health/alerts-activity-log-service-notifications.md) for the Windows Virtual Desktop service to receive notifications whenever there's a service impacting event. |
| 94 | + |
| 95 | +## Session host security best practices |
| 96 | + |
| 97 | +Session hosts are virtual machines that run inside an Azure subscription and virtual network. Your Windows Virtual Desktop deployment's overall security depends on the security controls you put on your session hosts. This section describes best practices for keeping your session hosts secure. |
| 98 | + |
| 99 | +### Enable endpoint protection |
| 100 | + |
| 101 | +To protect your deployment from known malicious software, we recommend enabling endpoint protection on all session hosts. You can use either Windows Defender Antivirus or a third-party program. To learn more, see [Deployment guide for Windows Defender Antivirus in a VDI environment](/windows/security/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus). |
| 102 | + |
| 103 | +For profile solutions like FSLogix or other solutions that mount VHD files, we recommend excluding VHD file extensions. |
| 104 | + |
| 105 | +### Install an endpoint detection and response product |
| 106 | + |
| 107 | +We recommend you install an endpoint detection and response (EDR) product to provide advanced detection and response capabilities. For server operating systems with [Azure Security Center](../security-center/security-center-services.md) enabled, installing an EDR product will deploy Defender ATP. For client operating systems, you can deploy [Defender ATP](/windows/security/threat-protection/microsoft-defender-atp/onboarding) or a third-party product to those endpoints. |
| 108 | + |
| 109 | +### Enable threat and vulnerability management assessments |
| 110 | + |
| 111 | +Identifying software vulnerabilities that exist in operating systems and applications is critical to keeping your environment secure. Azure Security Center can help you identify problem spots through vulnerability assessments for server operating systems. You can also use Defender ATP, which provides threat and vulnerability management for desktop operating systems. You can also use third-party products if you're so inclined, although we recommend using Azure Security Center and Defender ATP. |
| 112 | + |
| 113 | +### Patch software vulnerabilities in your environment |
| 114 | + |
| 115 | +Once you identify a vulnerability, you must patch it. This applies to virtual environments as well, which includes the running operating systems, the applications that are deployed inside of them, and the images you create new machines from. Follow your vendor patch notification communications and apply patches in a timely manner. We recommend patching your base images monthly to ensure that newly deployed machines are as secure as possible. |
| 116 | + |
| 117 | +### Establish maximum inactive time and disconnection policies |
| 118 | + |
| 119 | +Signing users out when they're inactive preserves resources and prevents access by unauthorized users. We recommend that timeouts balance user productivity as well as resource usage. For users that interact with stateless applications, consider more aggressive policies that turn off machines and preserve resources. Disconnecting long running applications that continue to run if a user is idle, such as a simulation or CAD rendering, can interrupt the user's work and may even require restarting the computer. |
| 120 | + |
| 121 | +### Set up screen locks for idle sessions |
| 122 | + |
| 123 | +You can prevent unwanted system access by configuring Windows Virtual Desktop to lock a machine's screen during idle time and requiring authentication to unlock it. |
| 124 | + |
| 125 | +### Establish tiered admin access |
| 126 | + |
| 127 | +We recommend you don't grant your users admin access to virtual desktops. If you need software packages, we recommend you make them available through configuration management utilities like Microsoft Endpoint Manager. In a multi-session environment, we recommend you don't let users install software directly. |
| 128 | + |
| 129 | +### Consider which users should access which resources |
| 130 | + |
| 131 | +Consider session hosts as an extension of your existing desktop deployment. We recommend you control access to network resources the same way you would for other desktops in your environment, such as using network segmentation and filtering. By default, session hosts can connect to any resource on the internet. There are several ways you can limit traffic, including using Azure Firewall, Network Virtual Appliances, or proxies. If you need to limit traffic, make sure you add the proper rules so that Windows Virtual Desktop can work properly. |
| 132 | + |
| 133 | +### Manage Office Pro Plus security |
| 134 | + |
| 135 | +In addition to securing your session hosts, it's important to also secure the applications running inside of them. Office Pro Plus is one of the most common applications deployed in session hosts. To improve the Office deployment security, we recommend you use the [Security Policy Advisor](/DeployOffice/overview-of-security-policy-advisor) for Microsoft 365 Apps for Enterprise. This tool identifies policies that can you can apply to your deployment for more security. Security Policy Advisor also recommends policies based on their impact to your security and productivity. |
| 136 | + |
| 137 | +### Other security tips for session hosts |
| 138 | + |
| 139 | +By restricting operating system capabilities, you can strengthen the security of your session hosts. Here are a few things you can do: |
| 140 | + |
| 141 | +- Control device redirection by redirecting drives, printers, and USB devices to a user's local device in a remote desktop session. We recommend that you evaluate your security requirements and check if these features ought to be disabled or not. |
| 142 | + |
| 143 | +- Restrict Windows Explorer access by hiding local and remote drive mappings. This prevents users from discovering unwanted information about system configuration and users. |
| 144 | + |
| 145 | +- Avoid direct RDP access to session hosts in your environment. If you need direct RDP access for administration or troubleshooting, enable [just-in-time](../security-center/security-center-just-in-time.md) access to limit the potential attack surface on a session host. |
| 146 | + |
| 147 | +- Grant users limited permissions when they access local and remote file systems. You can restrict permissions by making sure your local and remote file systems use access control lists with least privilege. This way, users can only access what they need and can't change or delete critical resources. |
| 148 | + |
| 149 | +- Prevent unwanted software from running on session hosts. You can enable App Locker for additional security on session hosts, ensuring that only the apps you allow can run on the host. |
| 150 | + |
| 151 | +## Next steps |
| 152 | + |
| 153 | +To learn how to enable multi-factor authentication, see [Set up multi-factor authentication](set-up-mfa.md). |
0 commit comments