jebeling
Employee
Message 1 of 2

What Bypasses are Needed to use Azure Windows Virtual Desktop in a UCE Positive Security Model


Some security-conscious customers may wish to implement a positive security model, where everything is blocked other than that which is explicitly allowed. This is very challenging in today's cloud-focused world, where authentication is often separated from service delivery, where multiple sites are used to deliver a single web page or service, and where some services can be accessed via an application-specific client or a web browser. Application-specific clients also introduce the challenge of certificate pinning and the use of background processes accessing the web as a system user rather than the logged-in user.

A true positive security model invariably results in a game of "whack-a-mole" to identify every site, URL, user agent and/or process name (if one is even available) to allow in order to make a specific application or service work. As such, most, if not all, cloud proxies are designed and architected with a negative, or at best a hybrid positive and negative, security model in mind. UCE is architected as a hybrid and allows use of either described option, or even a pure positive security model.

What is a web administrator to do when asked to continue to implement a positive security model and still allow access to Azure Windows Virtual Desktop only for an authorized set of users?


Was my reply helpful?

If this information was helpful in any way or answered your question, will you please select Accept as a Solution and/or Kudo my reply so we can help other community participants?
Accepted Solution
jebeling
Employee
Message 2 of 2

Re: What Bypasses are Needed to use Azure Windows Virtual Desktop in a UCE Positive Security Model


Answer being formulated. I've already made this work by process names for the client and by domains for web access. 😉

URLs and domains that must be allowed to use the web interface. Recommend using a global bypass for the WVD sites, scoped to the users/groups allowed to use Azure Virtual Desktop. If not a global bypass, at least a decryption bypass, except for the login sites, which need to be allowed and decrypted if you wish to enforce tenant restrictions.

  • Any hosts or domains to reach your IdP
  • Hosts or domains associated with login to your Azure environment (likely login.microsoftonline.com at a minimum)
  • All hosts in the domain wvd.microsoft.com
  • All hosts in the domain prod.do.dsp.mp.microsoft.com

For simplicity of testing I implemented my positive security model in Web Filtering, which means I would be decrypting WVD traffic, which is pointless and adds latency. I highly recommend bypassing the wvd.microsoft.com domain with a global bypass in a production implementation.

[Image: WVDWeb1.PNG]

  Implementing the positive security model with Web Filtering: block all categories and block uncategorized.

[Image: WVDWeb2.PNG]


Processes to bypass if you want to use the client. Recommend using a global bypass by process, scoped to the users/groups allowed to use Azure Virtual Desktop. (In order to subscribe the client you will also need access to the subscription URL (domain wvd.microsoft.com), login.microsoftonline.com and aacdn.msftauth.net.)

  • microsoft.aad.brokerplugin.exe
  • msrdcw.exe
  • msrdc.exe

[Image: WVDClient.PNG]


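The accepted answer describes the policy in words: block everything, then carve out bypasses for the AVD domains and client processes, scoped to an authorized group, while leaving the login sites allowed but decrypted. The following is an added example, not code from the original post or from Netskope, that models that decision logic as a small evaluator so the scoping and the domain-matching rules can be tested offline. The directory data, the group name AVD-Users, the stand-in IdP host idp.example.com, the Request type, and the sample hosts (rdweb.wvd.microsoft.com and the attacker look-alikes) are all constructed for the example; the domain and process names are the ones listed in the answer.

```python
"""Added example, not code from the original post or from Netskope.

Models the positive security model from the answer: everything is blocked
unless a rule explicitly allows it, and the Azure Virtual Desktop bypasses
apply only to members of an authorized group. Directory data, the group
name, the IdP host, the Request type and the sample requests are constructed.
"""
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    BYPASS = "global bypass"          # not steered to the proxy at all
    ALLOW = "allow, no decryption"    # steered, but TLS not inspected
    ALLOW_DECRYPT = "allow, decrypt"  # inspected (needed for tenant restrictions)
    BLOCK = "block"                   # default outcome in a positive model


# Constructed directory: only members of AVD_GROUP get the AVD bypasses.
AVD_GROUP = "AVD-Users"
DIRECTORY = {
    "alice": {"AVD-Users", "Staff"},
    "bob": {"Staff"},
}

# Domains from the answer. "All hosts in the domain X" is read as X itself
# plus every subdomain of X.
AVD_DOMAINS = ("wvd.microsoft.com", "prod.do.dsp.mp.microsoft.com")

# Login/IdP hosts: allowed but still decrypted so tenant restrictions can be
# enforced. idp.example.com stands in for the customer's own IdP (assumed).
LOGIN_DOMAINS = ("login.microsoftonline.com", "aacdn.msftauth.net",
                 "idp.example.com")

# Client processes from the answer; Windows process names are case-insensitive.
AVD_PROCESSES = {"microsoft.aad.brokerplugin.exe", "msrdcw.exe", "msrdc.exe"}


def in_domain(host: str, domain: str) -> bool:
    """True if host equals domain or is a subdomain of it.

    Matching on a dot boundary matters: a bare endswith("wvd.microsoft.com")
    would also accept "evilwvd.microsoft.com", and a substring match would
    accept "wvd.microsoft.com.attacker.net".
    """
    host = host.lower().rstrip(".")
    domain = domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


@dataclass(frozen=True)
class Request:
    user: str          # identity the proxy attributed the traffic to
    host: str          # destination host (SNI / Host header)
    process: str = ""  # originating process name; empty for browser traffic


def evaluate(req: Request, global_bypass: bool = True) -> Action:
    """Decide what the proxy does with one request.

    global_bypass=True models the recommended setup (AVD domains excluded
    from steering); False models the fallback of a decryption-only bypass.
    """
    if AVD_GROUP not in DIRECTORY.get(req.user, set()):
        return Action.BLOCK           # bypasses are scoped to the AVD group
    if req.process and req.process.lower() in AVD_PROCESSES:
        return Action.BYPASS          # process bypass for the client
    if any(in_domain(req.host, d) for d in AVD_DOMAINS):
        return Action.BYPASS if global_bypass else Action.ALLOW
    if any(in_domain(req.host, d) for d in LOGIN_DOMAINS):
        return Action.ALLOW_DECRYPT   # login stays decrypted for tenant restrictions
    return Action.BLOCK               # everything else, categorized or not


if __name__ == "__main__":
    samples = [
        Request("alice", "rdweb.wvd.microsoft.com"),
        Request("alice", "login.microsoftonline.com"),
        Request("alice", "evilwvd.microsoft.com"),
        Request("alice", "wvd.microsoft.com.attacker.net"),
        Request("alice", "203.0.113.10", "msrdc.exe"),
        Request("bob", "rdweb.wvd.microsoft.com"),
        Request("bob", "203.0.113.10", "msrdc.exe"),
    ]
    for r in samples:
        print(f"{r.user:6} {r.process or '-':32} {r.host:36} -> {evaluate(r).value}")
```

Two points from the answer are worth checking against a real configuration with this model in hand: the domain bypass must be written so that only wvd.microsoft.com and its subdomains match (the look-alike hosts above must still be blocked), and the process bypass only helps when the proxy attributes the client's traffic to a user in the authorized group. The question itself notes that background processes may run as a system user rather than the logged-in user, so test the client with the identity the proxy actually sees rather than assuming the group scope will apply.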
