Securing Windows Virtual Desktop

November 27, 2020

IT leaders and security professionals are under increased pressure to keep everyone productive and connected, all while preventing evolving threats.

With Windows Virtual Desktop, you can deliver a full Windows experience to your workers, whether on-premise or remote, through the cloud. 

Although setting up a Virtual Machine host for Windows Virtual Desktop may easy, factoring in security takes more time. To help select and configure the proper security controls for your company, we’ve come up with some best practices for securing Windows Virtual Desktop.   

1. Stay current with patching
Software updates and patches are a great way to cover your security flaws, protect your data and add new features. With WVD, virtual machines can be updated via Microsoft Endpoint Manager (Intune), which automates system and security updates. Or, you could redeploy a fresh image from Microsoft’s gallery every month to automatically rebuild each virtual machine with an updated and secure image.

2. Use Security Baselines
Security baselines give companies the recommended configuration settings to improve their security posture. Instead of the ‘out of box’ Windows defaults, these baselines are secured, based on feedback from Microsoft security engineering teams, product groups, partners, and customers. The security baselines are included in the Security Compliance Toolkit, which can be downloaded from the Microsoft Download Center. 

3. Manage Permissions
Limiting access to virtual desktops and restricting the installation of new software will help improve your company’s overall security posture. If users do need new or updated software packages, they can be delivered through configuration management utilities like Microsoft Endpoint Manager.  

4. Secure User Identities
Given the frequency of passwords being guessed, phished, stolen and reused, it's critical that passwords come with strong credentials. Multifactor Authentication is recommended for all users accessing Windows Virtual Desktop. Read more about Multifactor Authentication in our blog. 

5. Secure the Network
Securing the network provides another level of protection. With WVD you can do this through Network Security Groups, where you can set limits on which subnets/ports can access the Windows Virtual Desktop VMs. Service Tags are another great way to secure the network, ensuring your configurations are current when Microsoft makes changes to their data centers’ IP addresses.

6. Secure your Data
To minimize data loss, restrict users from downloading and saving work files to a home PCor other non-work devices. Windows Virtual Desktop’s policy settings can allow or block redirecting drives, printers, and USB devices to a user's local device in a remote desktop session. Similarly, you can limit users’ permissions for accessing local and remote file systems. For instance, grant them only access to save files to their own OneDrive. The benefit? Users can only access what they need and can't change or delete critical resources. 

Set time limits
Setting time limits will ensure that unauthorized users cannot access idle devices. Consider adding limits on the following: 

  • Locking screens on idle sessions | WVD has settings to lock a machine's screen during idle time and require authentication to unlock it. This can prevent unwanted system access by unauthorized users.
  • Active, but idle sessions | If a user is idle for a set amount of time, the session can be set to When the user returns, they will reconnect and continue where they left off with no data loss. 
  • Disconnected sessions | If a user is idle for an even longer time, WVD can log the user off and terminate the session. This saves costs by allowing an idle VM to be shut down. 

Following these best practices will strengthen your Windows Virtual Desktop environment and decrease your chance of user or adversarial-induced problems. Save yourself the headache by planning or improving security configurations now.  

Learn More

Tags: security Microsoft 365 Azure

Search By Tags

see all

Follow Us