Azure security baseline for Azure Virtual Desktop

This security baseline applies guidance from the Azure Security Benchmark version 2.0 to Azure Virtual Desktop. The Azure Security Benchmark provides recommendations on how you can secure your cloud solutions on Azure. The content is grouped by the security controls defined by the Azure Security Benchmark and the related guidance applicable to Azure Virtual Desktop. Controls not applicable to Azure Virtual Desktop have been excluded.

Azure Virtual Desktop service includes the service itself, the Windows 10 Enterprise for multi-session virtual sku as well as FSLogix. For FSLogix-related security recommendations, see the security baseline for storage. The service has an agent running on virtual machines but since the virtual machines are under full control of the customer, follow security recommendations for compute

To see how Azure Virtual Desktop completely maps to the Azure Security Benchmark, see the full Azure Virtual Desktop security baseline mapping file.

Network Security

For more information, see the Azure Security Benchmark: Network Security.

NS-1: Implement security for internal traffic

Guidance: You must create or use an existing virtual network when you deploy virtual machines to be registered to Azure Virtual Desktop. Ensure that all Azure virtual networks follow an enterprise segmentation principle that aligns to the business risks. Any system that could incur higher risk for the organization should be isolated within its own virtual network and sufficiently secured with either a network security group or Azure Firewall.

Use Adaptive Network Hardening features in Azure Security Center to recommend network security group configurations which limit ports and source IPs with reference to external network traffic rules.

Based on your applications and enterprise segmentation strategy, restrict or allow traffic between internal resources based on network security group rules. For specific well-defined applications (such as a 3-tier app), this can be a highly secure "deny by default, permit by exception" approach. This might not scale well if you have many applications and endpoints interacting with each other. You can also use Azure Firewall in circumstances where central management is required over a large number of enterprise segments or spokes (in a hub/spoke topology)

For the network security groups associated with your virtual machine (that are part of Azure Virtual Desktop) subnets, you must allow outgoing traffic to specific endpoints.

• Find out what URLs are required to be allowed access for Azure Virtual Desktop

• How to create a network security group with security rules

• How to deploy and configure Azure Firewall

Azure Security Center monitoring: Currently not available

Responsibility: Customer

NS-2: Connect private networks together

Guidance: Use Azure ExpressRoute or Azure virtual private network to create private connections between Azure datacenters and on-premises infrastructure in a colocation environment. ExpressRoute connections do not go over the public internet, offer more reliability, faster speeds and lower latencies than typical internet connections.

For point-to-site and site-to-site virtual private networks, you can connect on-premises devices or networks to a virtual network using any combination of virtual private network options and Azure ExpressRoute.

Use virtual network peering to connect two or more virtual networks together in Azure. Network traffic between peered virtual networks is private and stays on the Azure backbone network.

• What are the ExpressRoute connectivity models

• Azure VPN overview

• Virtual network peering

Azure Security Center monitoring: Currently not available

Responsibility: Customer

NS-4: Protect applications and services from external network attacks

Guidance: Use Azure Firewall to protect applications and services against potentially malicious traffic from the internet and other external locations. Protect your Azure Virtual Desktop resources against attacks from external networks, including distributed denial of service attacks, application specific attacks, unsolicited and potentially malicious internet traffic. Protect your assets against distributed denial of service attacks by enabling DDoS standard protection on your Azure Virtual Networks. Use Azure Security Center to detect misconfiguration risks related to your network related resources.

Azure Virtual Desktop is not intended to run web applications, and does not require you to configure any additional settings or deploy any extra network services to protect it from external network attacks targeting web applications.

• Azure Firewall Documentation

• Azure Security Center recommendations

Azure Security Center monitoring: Currently not available

Responsibility: Customer

NS-5: Deploy intrusion detection/intrusion prevention systems (IDS/IPS)

Guidance: Use Azure Firewall with threat intelligence based filtering to alert on and optionally block traffic to and from known malicious IP addresses and domains. The IP addresses and domains are sourced from the Microsoft Threat Intelligence feed. When payload inspection is required, you can deploy a third-party intrusion detection or prevention solution from the Azure Marketplace.

If you have a regulatory or other requirement for intrusion detection or prevention solution usage, ensure that it is always tuned to provide high-quality alerts to your security information and event management (SIEM) solution.

• How to deploy Azure Firewall

• Azure Marketplace includes 3rd party IDS capabilities

• Microsoft Defender ATP EDR capability

Azure Security Center monitoring: Currently not available

Responsibility: Customer

NS-6: Simplify network security rules

Guidance: Use Azure Virtual Network service tags to define network access controls on network security groups or an Azure Firewall configured for your Azure Virtual Desktop resources. You can use service tags in place of specific IP addresses when creating security rules. By specifying the service tag name (For example: WindowsVirtualDesktop) in the appropriate source or destination field of a rule, you can allow or deny the traffic for the corresponding service. Azure manages the address prefixes encompassed by the service tag and automatically updates the service tag as addresses change.

• Understand and using Service Tags

• Learn more about what is covered by the Azure Virtual Desktop Service Tag here

Azure Security Center monitoring: Currently not available

Responsibility: Customer

Identity Management

For more information, see the Azure Security Benchmark: Identity Management.

IM-1: Standardize Azure Active Directory as the central identity and authentication system

Guidance: Azure Virtual Desktop uses Azure Active Directory (Azure AD) as the default identity and access management service. You should standardize Azure AD to govern your organization's identity and access management in:

• Azure Cloud resources, such as the Azure portal, Azure Storage, Azure Virtual Machine (Linux and Windows), Azure Key Vault, PaaS, and SaaS applications.

• Your organization's resources, such as applications on Azure or your corporate network resources.

Securing Azure AD should be a high priority in your organization's cloud security practice. Azure AD provides an identity secure score to help you assess identity security posture relative to Azure's best practice recommendations. Use the score to gauge how closely your configuration matches best practice recommendations, and to make improvements in your security posture.

Azure AD supports external identities which allow users without a Azure account to sign-in to their applications and resources with their external identity.

• Tenancy in Azure AD

• Specific roles that you need to operate Azure Virtual Desktop

Azure Security Center monitoring: Currently not available

Responsibility: Customer

IM-2: Manage application identities securely and automatically

Guidance: Azure Virtual Desktop supports Azure managed identities for non-human accounts such as services or automation. It is recommended to use Azure managed identity feature instead of creating a more powerful human account to access or execute your resources.

Azure Virtual Desktop recommends using Azure Active Directory (Azure AD) to create a service principal with restricted permissions at the resource level to configure service principals with certificate credentials and fall back to client secrets. In both cases, Azure Key Vault can be used to in conjunction with Azure managed identities, so that the runtime environment (such as, an Azure Function) can retrieve the credential from the key vault.

• Services that support managed identities for Azure resources

• Azure service principal

• Create a service principal with certificates

• Use Azure Key Vault for security principal registration

Azure Security Center monitoring: Currently not available

Responsibility: Customer

IM-3: Use Azure AD single sign-on (SSO) for application access

Guidance: Azure Virtual Desktop uses Azure Active Directory (Azure AD) to provide identity and access management to Azure resources, cloud applications, and on-premises applications. This includes enterprise identities such as employees, as well as external identities such as partners, vendors, and suppliers. This enables single sign-on (SSO) to manage and secure access to your organization's data and resources on-premises and in the cloud. Connect all your users, applications, and devices to Azure AD for seamless secure access with greater visibility and control.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

IM-4: Use strong authentication controls for all Azure Active Directory based access

Guidance: Azure Virtual Desktop uses Azure Active Directory (Azure AD), which supports strong authentication controls through multifactor authentication and strong passwordless methods.

• Multifactor authentication - Enable Azure AD multifactor authentication and follow Identity and Access Management recommendations from Azure Security Center for some best practices in your multifactor authentication setup. Multifactor authentication can be enforced on all, select users or at the per-user level based on sign-in conditions and risk factors.

• Passwordless authentication - Three passwordless authentication options are available: Windows Hello for Business, Microsoft Authenticator app, and on-premises authentication methods such as smart cards.

Azure Virtual Desktop supports legacy password-based authentication such as Cloud-only accounts (user accounts created directly in Azure) that have a baseline password policy or Hybrid accounts (user accounts from on-premise Azure AD which follow the on-premises password policies). When using password-based authentication, Azure AD provides a password protection capability that prevents users to set passwords that are easy to guess. Microsoft provides a global list of banned passwords that is updated based on telemetry, and customers can augment the list based on their needs (such as branding, cultural references, and so on). This password protection can be used for cloud-only and hybrid accounts.

Authentication based on password credentials alone is susceptible to popular attack methods. For higher security, use strong authentication such as multifactor authentication and a strong password policy. For third-party applications and marketplace services which may have default passwords, you should change them upon the service initial setup.

For administrator and privileged users, ensure the highest level of strong authentication methods are used, followed by rolling out the appropriate strong authentication policy to other users.

• Azure AD default password policy

Azure Security Center monitoring: Currently not available

Responsibility: Customer

IM-5: Monitor and alert on account anomalies

Guidance: Azure Virtual Desktop is integrated with Azure Active Directory (Azure AD) which provides the following data sources:

• Sign in - The sign-in report provides information about the usage of managed applications and user sign in activities.

• Audit logs - Provides traceability through logs for all changes done by various features within Azure AD. Examples of audit logs include changes made to any resources within Azure AD like adding or removing users, apps, groups, roles and policies.

• Risky sign in - A risky sign-in is an indicator for a sign-in attempt that might have been performed by someone who is not the legitimate owner of a user account.

• Users flagged for risk - A risky user is an indicator for a user account that might have been compromised.

These data sources can be integrated with Azure Monitor, Azure Sentinel or a third-party security information and event management (SIEM) systems. Azure Security Center can also alert on certain suspicious activities such as excessive number of failed authentication attempts, deprecated accounts in the subscription. Azure Advanced Threat Protection (ATP) is a security solution that can use Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions.

• Audit activity reports in the Azure AD

• Alerts in Azure Security Center's threat intelligence protection module

• How to integrate Azure Activity Logs into Azure Monitor

Azure Security Center monitoring: Currently not available

Responsibility: Customer

IM-6: Restrict Azure resource access based on conditions

Guidance: Azure Virtual Desktop supports conditional access with Azure Active Directory (Azure AD) for a granular access-control based on user-defined conditions. For example, user logins from certain IP ranges could be required to use multifactor authentication for access.

Additionally, granular authentication session management policy can also be used for different use cases.

• Azure conditional access overview

• Common conditional access policies

• Azure Virtual Desktop specific conditional access setup info can be found here

Azure Security Center monitoring: Currently not available

Responsibility: Customer

Privileged Access

For more information, see the Azure Security Benchmark: Privileged Access.

PA-2: Restrict administrative access to business-critical systems

Guidance: Azure Virtual Desktop uses Azure role-based access-control (Azure RBAC) to isolate access to business-critical systems. Ensure that you also restrict access to the management, identity, and security systems that have administrative access to your business critical access such as Active Directory Domain Controllers, security tools, and system management tools with agents installed on business-critical systems. Attackers who compromise these management and security systems can potentially immediately weaponize them to compromise business critical assets.

All types of access controls should be aligned to your enterprise segmentation strategy to ensure consistent access control.

• Azure Components and Reference model

• Management Group Access

• Minimum admin permissions needed to manage Azure Virtual Desktop

Azure Security Center monitoring: Currently not available

Responsibility: Customer

PA-3: Review and reconcile user access regularly

Guidance: Azure Virtual Desktop uses Azure Active Directory (Azure AD) accounts to manage its resources, review user accounts and access assignment regularly to ensure the accounts and their access are valid.

Use Azure AD access reviews to review group memberships, access to enterprise applications, and role assignments. Azure AD reporting can provide logs to help discover stale accounts.

In addition, Azure Privileged Identity Management can also be configured to alert when an excessive number of administrator accounts are created, and to identify administrator accounts that are stale or improperly configured.

Some Azure services support local users and roles which not managed through Azure AD. You will need to manage these users separately.

• Built-in roles for Azure Virtual Desktop

• Create an access review of Azure resource roles in Privileged Identity Management(PIM)

• How to use Azure AD identity and access reviews

Azure Security Center monitoring: Not applicable

Responsibility: Customer

PA-4: Set up emergency access in Azure AD

Guidance: Azure Virtual Desktop uses Azure Active Directory (Azure AD) to manage its resources. To prevent being accidentally locked out of your Azure AD organization, set up an emergency access account for access when normal administrative accounts cannot be used. Emergency access accounts are usually highly privileged, and they should not be assigned to specific individuals. Emergency access accounts are limited to emergency or "break glass"' scenarios where normal administrative accounts can't be used.

You should ensure that the credentials (such as password, certificate, or smart card) for emergency access accounts are kept secure and known only to individuals who are authorized to use them only in an emergency.

• Manage emergency access accounts in Azure AD

Azure Security Center monitoring: Currently not available

Responsibility: Customer

PA-5: Automate entitlement management

Guidance: Azure Virtual Desktop is integrated with Azure Active Directory (Azure AD) to manage its resources. Use Azure AD entitlement management features to automate access request workflows, including access assignments, reviews, and expirations. In additional, dual or multi-stage approvals are also supported.

• What are Azure AD access reviews

• What is Azure AD entitlement management

Azure Security Center monitoring: Currently not available

Responsibility: Customer

PA-6: Use privileged access workstations

Guidance: Secured and isolated workstations are critically important for the security of sensitive roles, such as, administrators, developers, and critical service operators. Use highly secured user workstations and/or Azure Bastion for administrative tasks.

Use Azure Active Directory (Azure AD), Azure Defender Advanced Threat Protection (ATP), or Microsoft Intune to deploy a secure and managed user workstation for administrative tasks. The secured workstation can be centrally managed to enforce secured configuration including strong authentication, software and hardware baselines, restricted logical and network access.

• Understand privileged access workstations

• Deploy a privileged access workstation

Azure Security Center monitoring: Currently not available

Responsibility: Customer

PA-7: Follow just enough administration (least privilege principle)

Guidance: Azure Virtual Desktop is integrated with Azure role-based access-control (Azure RBAC) to manage its resources. Azure RBAC allows you to manage Azure resource access through role assignments. You can assign these roles to users, groups service principals and managed identities. There are pre-defined built-in roles for certain resources, and these roles can be inventoried or queried through tools such as Azure CLI, Azure PowerShell or the Azure portal.

The privileges you assign to resources with Azure RBAC should always be limited to the ones as required by the roles. This complements the just in time (JIT) approach of Privileged Identity Management (PIM), with Azure Active Directory (Azure AD), and should be reviewed periodically.

Additionally, use built-in roles to allocate permissions and only create custom roles when required.

• What is Azure role-based access control (Azure RBAC)

• How to configure Azure RBAC

• How to use Azure AD identity and access reviews

• Built-in roles for Azure Virtual Desktop

Azure Security Center monitoring: Currently not available

Responsibility: Customer

PA-8: Choose approval process for Azure support

Guidance: In support scenarios where Azure needs to access customer data, Azure Virtual Desktop supports Customer Lockbox to provide an interface for you to review and approve or reject customer data access requests.

Azure Security Center monitoring: Not applicable

Responsibility: Shared

Data Protection

For more information, see the Azure Security Benchmark: Data Protection.

DP-1: Discovery, classify and label sensitive data

Guidance: Discover, classify, and label your sensitive data so that you can design the appropriate controls. This is to ensure sensitive information is stored, processed, and transmitted securely by the organization's technology systems.

Use Azure Information Protection (and its associated scanning tool) for sensitive information within Office documents on Azure, on-premises, Office 365 and other locations.

You can use Azure SQL Information Protection to assist in the classification and labeling of information stored in Azure SQL Databases.

• Tag sensitive information using Azure Information Protection

• How to implement Azure SQL Data Discovery

Azure Security Center monitoring: Currently not available

Responsibility: Customer

DP-2: Protect sensitive data

Guidance: Protect sensitive data by restricting access using Azure Role Based Access Control (Azure RBAC), network-based access controls, and specific controls in Azure services (such as encryption in SQL and other databases).

To ensure consistent access control, all types of access control should be aligned to your enterprise segmentation strategy. The enterprise segmentation strategy should also be informed by the location of sensitive or business critical data and systems.

Azure treats all customer content as sensitive and guards against customer data loss and exposure. To ensure customer data within Azure remains secure, Azure has implemented some default data protection controls and capabilities.

• Azure Role Based Access Control (RBAC)

• Understand customer data protection in Azure

Azure Security Center monitoring: Currently not available

Responsibility: Customer

DP-3: Monitor for unauthorized transfer of sensitive data

Guidance: Monitor for unauthorized transfer of data to locations outside of enterprise visibility and control. This typically involves monitoring for anomalous activities (large or unusual transfers) that could indicate unauthorized data exfiltration.

Advanced Threat Protection (ATP) features with both Azure Storage and Azure SQL ATP can alert on anomalous transfer of information, indicating what might be unauthorized transfers of sensitive information.

Azure Information protection (AIP) provides monitoring capabilities for information that has been classified and labeled.

Use data loss prevention solutions, such as the host-based ones, to enforce detective and/or preventative controls to prevent data exfiltration.

• Enable Azure SQL ATP

Azure Security Center monitoring: Currently not available

Responsibility: Customer

Asset Management

For more information, see the Azure Security Benchmark: Asset Management.

AM-1: Ensure security team has visibility into risks for assets

Guidance: Ensure security teams are granted Security Reader permissions in your Azure tenant and subscriptions so they can monitor for security risks using Azure Security Center.

Depending on how security team responsibilities are structured, monitoring for security risks could be the responsibility of a central security team or a local team. That said, security insights and risks must always be aggregated centrally within an organization.

Security Reader permissions can be applied broadly to an entire tenant (Root Management Group) or scoped to management groups or specific subscriptions.

Additional permissions might be required for visibility into workloads and services.

• Overview of Security Reader Role

• Overview of Azure Management Groups

Azure Security Center monitoring: Currently not available

Responsibility: Customer

AM-2: Ensure security team has access to asset inventory and metadata

Guidance: Apply tags to your Azure resources, resource groups, and subscriptions to logically organize them into a taxonomy. Each tag consists of a name and a value pair. For example, you can apply the name "Environment" and the value "Production" to all the resources in production.

Use Azure Virtual Machine Inventory to automate the collection of information about software on Virtual Machines. Software Name, Version, publisher, and Refresh time are available from the Azure portal. To get access to install date and other information, enable guest-level diagnostics and bring the Windows Event Logs into a Log Analytics Workspace.

• How to create queries with Azure Resource Graph Explorer

• Azure Security Center asset inventory management

Azure Security Center monitoring: Currently not available

Responsibility: Customer

AM-3: Use only approved Azure services

Guidance: Use Azure Policy to audit and restrict which services users can provision in your environment. Use Azure Resource Graph to query for and discover resources within their subscriptions. You can also use Azure Monitor to create rules to trigger alerts when a non-approved service is detected.

• How to configure and manage Azure Policy

• How to deny a specific resource type with Azure Policy

• How to create queries with Azure Resource Graph Explorer

Azure Security Center monitoring: Currently not available

Responsibility: Customer

AM-4: Ensure security of asset lifecycle management

Guidance: Not applicable. Azure Virtual Desktop cannot be used for ensuring security of assets in a lifecycle management process. It is the customer's responsibility to maintain attributes and network configurations of assets which are considered high-impact.

It is recommended that the customer create a process to capture the attribute and network-configuration changes, measure the change-impact and create remediation tasks, as applicable.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

AM-5: Limit users' ability to interact with Azure Resource Manager

Guidance: Use Azure Conditional Access to limit users' ability to interact with Azure Resources Manager by configuring "Block access" for the "Microsoft Azure Management" App.

• How to configure Conditional Access to block access to Azure Resources Manager

Azure Security Center monitoring: Currently not available

Responsibility: Customer

Logging and Threat Detection

For more information, see the Azure Security Benchmark: Logging and Threat Detection.

LT-1: Enable threat detection for Azure resources

Guidance: Use the Azure Security Center built-in threat detection capability and enable Azure Defender (Formally Azure Advanced Threat Protection) for your Azure Virtual Desktop resources. Azure Defender for Azure Virtual Desktop provides an additional layer of security intelligence that detects unusual and potentially harmful attempts to access or exploit your Azure Virtual Desktop resources.

Forward any logs from Azure Virtual Desktop to your security information event management (SIEM) solution which can be used to set up custom threat detections. Ensure you are monitoring different types of Azure assets for potential threats and anomalies. Focus on getting high-quality alerts to reduce false positives for analysts to sort through. Alerts can be sourced from log data, agents, or other data.

• Threat protection in Azure Security Center

• Azure Security Center security alerts reference guide

Azure Security Center monitoring: Currently not available

Responsibility: Customer

LT-2: Enable threat detection for Azure identity and access management

Guidance: Azure Active Directory (Azure AD) provides the following user logs that can be viewed in Azure AD reporting or integrated with Azure Monitor, Azure Sentinel or other security information and event management (SIEM) or monitoring tools for further sophisticated monitoring and analytics use cases:

• Sign-in - The sign-in report provides information about the usage of managed applications and user sign-in activities.

• Audit logs - Provides traceability through logs for all changes done by various features within Azure AD. Examples of audit logs include changes made to any resources within Azure AD like adding or removing users, apps, groups, roles and policies.

• Risky sign-in - A risky sign-in is an indicator for a sign-in attempt that might have been performed by someone who is not the legitimate owner of a user account.

• Users flagged for risk - A risky user is an indicator for a user account that might have been compromised.

Azure Security Center can also alert on certain suspicious activities such as excessive number of failed authentication attempts and deprecated accounts in the subscription. In addition to the basic security hygiene monitoring, the Threat Protection module in Azure Security Center can also collect more in-depth security alerts from individual Azure compute resources (virtual machines, containers, app service), data resources (SQL DB and storage), and Azure service layers. This capability allows you to have visibility on account anomalies inside the individual resources.

• Audit activity reports in the Azure Active Directory

• Threat protection in Azure Security Center

Azure Security Center monitoring: Currently not available

Responsibility: Customer

LT-3: Enable logging for Azure network activities

Guidance: Azure Virtual Desktop does not produce or process domain name service (DNS) query logs. However resources that are registered to the service can produce flow logs.

Enable and collect network security group resource and flow logs, Azure Firewall logs and Web Application Firewall (WAF) logs for security analysis to support incident investigations, threat hunting, and security alert generation. You can send the flow logs to an Azure Monitor Log Analytics workspace and then use Traffic Analytics to provide insights.

• How to enable network security group flow logs

• Azure Firewall logs and metrics

• How to enable and use Traffic Analytics

Azure Security Center monitoring: Currently not available

Responsibility: Customer

LT-4: Enable logging for Azure resources

Guidance: Activity logs, which are automatically enabled, contain all write operations (PUT, POST, DELETE) for your Azure Virtual Desktop resources except read operations (GET). Activity logs can be used to find an error when troubleshooting or to monitor how a user in your organization modified a resource.

• How to collect platform logs and metrics with Azure Monitor

• Understand logging and different log types in Azure

Azure Security Center monitoring: Currently not available

Responsibility: Shared

LT-5: Centralize security log management and analysis

Guidance: Centralize logging storage and analysis to enable correlation. For each log source, ensure you have assigned a data owner, access guidance, storage location, the tools used to process and access the data, and data retention requirements.

Ensure you are integrating Azure activity logs into your central logging. Ingest logs via Azure Monitor to aggregate security data generated by endpoint devices, network resources, and other security systems. In Azure Monitor, use Log Analytics workspaces to query and perform analytics, and use Azure Storage accounts for long term and archival storage.

In addition, enable and onboard data to Azure Sentinel or a third-party security information event management (SIEM). Many organizations choose to use Azure Sentinel for "hot" data that is used frequently and Azure Storage for "cold" data that is used less frequently.

• How to collect platform logs and metrics with Azure Monitor

Azure Security Center monitoring: Currently not available

Responsibility: Customer

Incident Response

For more information, see the Azure Security Benchmark: Incident Response.

IR-1: Preparation - update incident response process for Azure

Guidance: Ensure your organization has processes to respond to security incidents, has updated these processes for Azure, and is regularly exercising them to ensure readiness.

• Incident response reference guide

Azure Security Center monitoring: Not applicable

Responsibility: Customer

IR-2: Preparation - setup incident notification

Guidance: Set up security incident contact information in Azure Security Center. This contact information is used by Azure to contact you if the Microsoft Security Response Center (MSRC) discovers that your data has been accessed by an unlawful or unauthorized party. You also have options to customize incident alert and notification in different Azure services based on your incident response needs.

• How to set the Azure Security Center security contact

Azure Security Center monitoring: Yes

Responsibility: Customer

IR-3: Detection and analysis - create incidents based on high quality alerts

Guidance: Ensure you have a process to create high-quality alerts and measure the quality of alerts. This allows you to learn lessons from past incidents and prioritize alerts for analysts, so they don't waste time on false positives.

High-quality alerts can be built based on experience from past incidents, validated community sources, and tools designed to generate and clean up alerts by fusing and correlating diverse signal sources.

Azure Security Center provides high-quality alerts across many Azure assets. You can use the ASC data connector to stream the alerts to Azure Sentinel. Azure Sentinel lets you create advanced alert rules to generate incidents automatically for an investigation.

Export your Azure Security Center alerts and recommendations using the export feature to help identify risks to Azure resources. Export alerts and recommendations either manually or in an ongoing, continuous fashion.

• How to configure export

Azure Security Center monitoring: Currently not available

Responsibility: Customer

IR-4: Detection and analysis - investigate an incident

Guidance: Ensure analysts can query and use diverse data sources as they investigate potential incidents, to build a full view of what happened. Diverse logs should be collected to track the activities of a potential attacker across the kill chain to avoid blind spots. You should also ensure insights and learnings are captured for other analysts and for future historical reference.

The data sources for investigation include the centralized logging sources that are already being collected from the in-scope services and running systems, but can also include:

• Network data - use network security groups' flow logs, Azure Network Watcher, and Azure Monitor to capture network flow logs and other analytics information.

• Snapshots of running systems:

  • Use Azure virtual machine's snapshot capability to create a snapshot of the running system's disk.

  • Use the operating system's native memory dump capability to create a snapshot of the running system's memory.

  • Use the snapshot feature of the Azure services or your software's own capability to create snapshots of the running systems.

Azure Sentinel provides extensive data analytics across virtually any log source and a case management portal to manage the full lifecycle of incidents. Intelligence information during an investigation can be associated with an incident for tracking and reporting purposes.

• Snapshot a machine's disk

• Snapshot a Linux machine's disk

• Azure Support diagnostic information and memory dump collection

Azure Security Center monitoring: Not applicable

Responsibility: Customer

IR-5: Detection and analysis - prioritize incidents

Guidance: Provide context to analysts on which incidents to focus on first based on alert severity and asset sensitivity.

Azure Security Center assigns a severity to each alert to help you prioritize which alerts should be investigated first. The severity is based on how confident Security Center is in the finding or the analytics used to issue the alert, as well as the confidence level that there was malicious intent behind the activity that led to the alert.

Additionally, mark resources using tags and create a naming system to identify and categorize Azure resources, especially those processing sensitive data. It is your responsibility to prioritize the remediation of alerts based on the criticality of the Azure resources and environment where the incident occurred.

• Security alerts in Azure Security Center

• Use tags to organize your Azure resources

Azure Security Center monitoring: Currently not available

Responsibility: Customer

IR-6: Containment, eradication and recovery - automate the incident handling

Guidance: Automate manual repetitive tasks to speed up response time and reduce the burden on analysts. Manual tasks take longer to execute, slowing each incident and reducing how many incidents an analyst can handle. Manual tasks also increase analyst fatigue, which increases the risk of human error that causes delays, and degrades the ability of analysts to focus effectively on complex tasks. Use workflow automation features in Azure Security Center and Azure Sentinel to automatically trigger actions or run a playbook to respond to incoming security alerts. The playbook takes actions, such as sending notifications, disabling accounts, and isolating problematic networks.

• Configure workflow automation in Security Center

• Set up automated threat responses in Azure Security Center

Azure Security Center monitoring: Currently not available

Responsibility: Customer

Posture and Vulnerability Management

For more information, see the Azure Security Benchmark: Posture and Vulnerability Management.

PV-3: Establish secure configurations for compute resources

Guidance: Use Azure Security Center and Azure Policy to establish secure configurations on all compute resources including VMs, containers, and others.

You can use custom operating system images or Azure Automation State configuration to establish the security configuration of the operating system required by your organization.

• How to monitor Azure Security Center recommendations

• Azure Automation State Configuration Overview

• Azure Virtual Desktop environment

Azure Security Center monitoring: Not applicable

Responsibility: Customer

PV-4: Sustain secure configurations for compute resources

Guidance: Use Azure Security Center and Azure Policy to regularly assess and remediate configuration risks on your Azure compute resources including virtual machines, containers, and others. In addition, you may use Azure Resource Manager templates, custom operating system images or Azure Automation State Configuration to maintain the security configuration of the operating system required by your organization. The Azure virtual machine templates combined with the Azure Automation State Configuration may assist in meeting and maintaining the security requirements.

Azure Marketplace Virtual Machine Images published by Azure are managed and maintained by Microsoft.

Azure Security Center can also scan vulnerabilities in container image and performs continuous monitoring of your Docker configuration in containers against Center Internet Security's Docker benchmark. You can use the Azure Security Center recommendations page to view recommendations and remediate issues.

• How to create an Azure Virtual Machine from an ARM template

• Azure Automation State Configuration Overview

• Container security in Security Center

Azure Security Center monitoring: Not applicable

Responsibility: Customer

PV-5: Securely store custom operating system and container images

Guidance: Azure Virtual Desktop allows customers to manage operating system images. Use Azure role-based access control (Azure RBAC) to ensure that only authorized users can access your custom images. Use an Azure Shared Image Gallery you can share your images to different users, service principals, or Active Directory groups within your organization. Store container images in Azure Container Registry and use RBAC to ensure that only authorized users have access.

• Understand Azure RBAC

• How to configure Azure RBAC

• Shared Image Gallery overview

Azure Security Center monitoring: Not applicable

Responsibility: Customer

PV-6: Perform software vulnerability assessments

Guidance: Azure Virtual Desktop allows you to deploy your own virtual machines and register them to the service as well as have SQL database running in the environment.

Azure Virtual Desktop can use a third-party solution for performing vulnerability assessments on network devices and web applications. When conducting remote scans, do not use a single, perpetual, administrative account. Consider implementing JIT provisioning methodology for the scan account. Credentials for the scan account should be protected, monitored, and used only for vulnerability scanning.

As require, export scan results at consistent intervals and compare the results with previous scans to verify that vulnerabilities have been remediated.

Follow recommendations from Azure Security Center for performing vulnerability assessments on your Azure virtual machines (and SQL servers). Azure Security Center has a built-in vulnerability scanner for virtual machine, container images, and SQL database.

As required, export scan results at consistent intervals and compare the results with previous scans to verify that vulnerabilities have been remediated. When using vulnerability management recommendations suggested by Azure Security Center, you can pivot into the selected solution's portal to view historical scan data.

• SQL vulnerability assessment

Azure Security Center monitoring: Not applicable

Responsibility: Customer

PV-7: Rapidly and automatically remediate software vulnerabilities

Guidance: Azure Virtual Desktop doesn't use or require any third-party software. However, Azure Virtual Desktop allows you to deploy your own virtual machines and register them to the service.

Use Azure Automation Update Management or a third-party solution to ensure that the most recent security updates are installed on your Windows Server virtual machines. For Windows virtual machines, ensure Windows Update has been enabled and set to update automatically.

Use a third-party patch management solution for third-party software or System Center Updates Publisher for Configuration Manager.

• How to configure Update Management for virtual machines in Azure

• Manage updates and patches for your Azure VMs

• Configure Microsoft Endpoint Configuration Manager for Azure Virtual Desktop

Azure Security Center monitoring: Not applicable

Responsibility: Customer

PV-8: Conduct regular attack simulation

Guidance: Azure Virtual Desktop does not allow customers to perform their own penetration testing on their Azure Virtual Desktop resources.

Azure Security Center monitoring: Not applicable

Responsibility: Shared

Endpoint Security

For more information, see the Azure Security Benchmark: Endpoint Security.

ES-1: Use Endpoint Detection and Response (EDR)

Guidance: Azure Virtual Desktop does not provide any specific capabilities for endpoint detection and response (EDR) processes. However resources registered to the service can benefit from endpoint detection and response capabilities.

Enable endpoint detection and response capabilities for servers and clients and integrate them with security information and event management (SIEM) solutions and Security Operations processes.

Advanced Threat Protection from Microsoft Defender provides Endpoint Detection and Response capabilities, as part of an enterprise endpoint security platform to prevent, detect, investigate, and respond to advanced threats.

• Microsoft Defender Advanced Threat Protection Overview

• Microsoft Defender ATP service for Windows servers

• Microsoft Defender ATP service for non-Windows servers

• Microsoft Defender ATP for non-persistent virtual desktop infrastructure

Azure Security Center monitoring: Currently not available

Responsibility: Customer

ES-2: Use centrally managed modern anti-malware software

Guidance: Protect your Azure Virtual Desktop resources with a centrally managed and modern endpoint anti-malware solution capable of real time and periodic scanning.

Azure Security Center can automatically identify the use of a number of popular anti-malware solutions for your virtual machines and report the endpoint protection running status and make recommendations.

Microsoft Antimalware for Azure Cloud Services is the default anti-malware for Windows virtual machines (VMs). Also, you can use Threat detection with Azure Security Center for data services to detect malware uploaded to Azure Storage accounts.

• How to configure Microsoft Antimalware for Cloud Services and Virtual Machines

• Supported endpoint protection solutions

Azure Security Center monitoring: Currently not available

Responsibility: Customer

ES-3: Ensure anti-malware software and signatures are updated

Guidance: Ensure anti-malware signatures are updated rapidly and consistently.

Follow recommendations in Azure Security Center: "Compute & Apps" to ensure all virtual machines and/or containers are up to date with the latest signatures.

Microsoft Antimalware will automatically install the latest signatures and engine updates by default.

• How to deploy Microsoft Antimalware for Azure Cloud Services and Virtual Machines

• Endpoint protection assessment and recommendations in Azure Security Center

Azure Security Center monitoring: Currently not available

Responsibility: Customer

Backup and Recovery

For more information, see the Azure Security Benchmark: Backup and Recovery.

BR-1: Ensure regular automated backups

Guidance: Ensure you are backing up systems and data to maintain business continuity after an unexpected event. This should be guidance by any objectives for Recovery Point Objective (RPO) and Recovery Time Objective (RTO).

Enable Azure Backup and configure the backup source (e.g. Azure VMs, SQL Server, HANA databases, or File Shares), as well as the desired frequency and retention period.

For a higher level of redundancy, you can enable geo-redundant storage option to replicate backup data to a secondary region and recover using cross region restore.

• How to enable Azure Backup

• How to enable cross region restore

• How to set up a business continuity and disaster recovery plan in Azure Virtual Desktop

Azure Security Center monitoring: Currently not available

Responsibility: Customer

BR-2: Encrypt backup data

Guidance: Ensure your backups are protect against attacks. This should include encryption of the backups to protect against loss of confidentiality.

For regular Azure service backup, backup data is automatically encrypted using Azure platform-managed keys. You can choose to encrypt the backup using customer-managed key. In this case, ensure this customer-managed key in the key vault is also in the backup scope.

Use role-based access control in Azure Backup, Azure Key Vault, or other resources to protect backups and customer-managed keys. Additionally, you can enable advanced security features to require multifactor authentication before backups can be altered or deleted.

Overview of security features in Azure Backup https://docs.azure.cn/backup/security-overview

• Encryption of backup data using customer-managed keys

• How to backup Key Vault keys in Azure

• Security features to help protect hybrid backups from attacks

Azure Security Center monitoring: Currently not available

Responsibility: Customer

BR-3: Validate all backups including customer-managed keys

Guidance: It is recommended to validate data integrity on backup media on a regular basis by performing a data restoration process to ensure that the backup is properly working.

• How to recover files from Azure Virtual Machine backup

• Security implementation

Azure Security Center monitoring: Currently not available

Responsibility: Customer

Governance and Strategy

For more information, see the Azure Security Benchmark: Governance and Strategy.

GS-1: Define asset management and data protection strategy

Guidance: Ensure you document and communicate a clear strategy for continuous monitoring and protection of systems and data. Prioritize discovery, assessment, protection, and monitoring of business-critical data and systems.

This strategy should include documented guidance, policy, and standards for the following elements:

• Data classification standard in accordance with the business risks

• Security organization visibility into risks and asset inventory

• Security organization approval of Azure services for use

• Security of assets through their lifecycle

• Required access control strategy in accordance with organizational data classification

• Use of Azure native and third party data protection capabilities

• Data encryption requirements for in-transit and at-rest use cases

• Appropriate cryptographic standards

For more information, see the following references:

• Azure Security Fundamentals - Azure Data security, encryption, and storage

• Cloud Adoption Framework - Azure data security and encryption best practices

• Azure Security Benchmark - Asset management

• Azure Security Benchmark - Data Protection

Azure Security Center monitoring: Not applicable

Responsibility: Customer

GS-2: Define enterprise segmentation strategy

Guidance: Establish an enterprise-wide strategy to segmenting access to assets using a combination of identity, network, application, subscription, management group, and other controls.

Carefully balance the need for security separation with the need to enable daily operation of the systems that need to communicate with each other and access data.

Ensure that the segmentation strategy is implemented consistently across control types including network security, identity and access models, and application permission/access models, and human process controls.

• Guidance on segmentation strategy in Azure (video)

• Guidance on segmentation strategy in Azure (document)

• Align network segmentation with enterprise segmentation strategy

Azure Security Center monitoring: Not applicable

Responsibility: Customer

GS-3: Define security posture management strategy

Guidance: Continuously measure and mitigate risks to your individual assets and the environment they are hosted in. Prioritize high value assets and highly-exposed attack surfaces, such as published applications, network ingress and egress points, user and administrator endpoints, etc.

• Azure Security Benchmark - Posture and vulnerability management

Azure Security Center monitoring: Not applicable

Responsibility: Customer

GS-5: Define network security strategy

Guidance: Establish an Azure network security approach as part of your organization's overall security access control strategy.

This strategy should include documented guidance, policy, and standards for the following elements:

• Centralized network management and security responsibility

• Virtual network segmentation model aligned with the enterprise segmentation strategy

• Remediation strategy in different threat and attack scenarios

• Internet edge and ingress and egress strategy

• Hybrid cloud and on-premises interconnectivity strategy

• Up-to-date network security artifacts (e.g. network diagrams, reference network architecture)

For more information, see the following references:

• Azure Security Benchmark - Network Security

• Azure network security overview

Azure Security Center monitoring: Not applicable

Responsibility: Customer

GS-6: Define identity and privileged access strategy

Guidance: Establish an Azure identity and privileged access approaches as part of your organization's overall security access control strategy.

This strategy should include documented guidance, policy, and standards for the following elements:

• A centralized identity and authentication system and its interconnectivity with other internal and external identity systems

• Strong authentication methods in different use cases and conditions

• Protection of highly privileged users

• Anomaly user activities monitoring and handling

• User identity and access review and reconciliation process

For more information, see the following references:

• Azure Security Benchmark - Identity management

• Azure Security Benchmark - Privileged access

• Azure identity management security overview

Azure Security Center monitoring: Not applicable

Responsibility: Customer

GS-7: Define logging and threat response strategy

Guidance: Establish a logging and threat response strategy to rapidly detect and remediate threats while meeting compliance requirements. Prioritize providing analysts with high-quality alerts and seamless experiences so that they can focus on threats rather than integration and manual steps.

This strategy should include documented guidance, policy, and standards for the following elements:

• The security operations (SecOps) organization's role and responsibilities

• A well-defined incident response process aligning with NIST or another industry framework

• Log capture and retention to support threat detection, incident response, and compliance needs

• Centralized visibility of and correlation information about threats, using SIEM, native Azure capabilities, and other sources

• Communication and notification plan with your customers, suppliers, and public parties of interest

• Use of Azure native and third-party platforms for incident handling, such as logging and threat detection, forensics, and attack remediation and eradication

• Processes for handling incidents and post-incident activities, such as lessons learned and evidence retention

For more information, see the following references:

• Azure Security Benchmark - Logging and threat detection

• Azure Security Benchmark - Incident response

Azure Security Center monitoring: Not applicable

Responsibility: Customer

Next steps

• See the Azure Security Benchmark V2 overview
• Learn more about Azure security baselines