The concept of secure browser isolation and hardware/OS isolation has been raised a few times in relation to Windows Virtual Desktop (WVD). I thought it would be prudent to go into a bit of detail on the security possibilities and to mention an analogy I came up with to help explain how Reverse Connect works. I will also cover the benefits for businesses wanting to adopt a secure access/isolation solution (a modernised cloud workspace) using Windows Virtual Desktop as their platform of choice.
A big FYI: this is great for all those using Windows 7 legacy applications who would like to use RemoteApp to deliver applications securely to mobile and office-based devices.
If you want to find out more on how Reverse connect works, please see my previous article: https://ryanmangansitblog.com/2019/11/09/a-deep-dive-in-to-windows-virtual-desktop-reverse-connect/
The Fish Tank Analogy:
When connecting to Windows Virtual Desktop, you would typically have a client (Windows 10 in this example) with the Remote Desktop client installed. When you launch the RD client application and enter the user credentials provided to you, a list of resources published through a configured WVD tenant becomes available. When you click a resource (desktop/RemoteApp) you are prompted to log in with your domain credentials, and the app/desktop loads within the RD client.
So when connecting to a WVD resource (environment), you are essentially connecting to a secure RD Gateway via a secure tunnel (a TCP connection secured with TLS; UDP support is coming), as described in my blog on Reverse Connect. This method is sometimes called pixel streaming. In essence, you are provided with a visual display of a remote resource through the Remote Desktop client, with no direct access to said resource. Normal mouse and keyboard operations and the general user experience behave as they do in all other VDI solutions and products. Other features such as redirection can be enabled, allowing local disk drives and other storage devices to appear, as well as printers and USB peripherals.
As shown in the image above, the local device never connects directly to the virtual machines or resources hosted within Microsoft's Azure datacenters. Two tunnels are created through the RD Gateway built into Microsoft's Windows Virtual Desktop management plane: one from the client side and a second from the Azure IaaS side. The two (client/server) connections both terminate at the gateway. The gateway handles the streaming of the remote resource, and the two connections never meet. This is Reverse Connect. The only way to transfer files is through redirection, which can be disabled, allowing us to achieve secure isolation.
In summary, the local device is not able to obtain direct access to the WVD infrastructure held within Microsoft Azure, and the desktop/application delivery is essentially presented via pixel streaming. You are effectively controlling the input and output operations through a "Fish Tank".
- Before we can achieve secure isolation we need to consider the following factors: no USB, storage or printer redirection can be enabled. You must disable the ability to send and receive data via USB or other redirected devices from the WVD environment, and there must be no access to or from the environment from an unsecured location.
- You need to ensure the WVD IaaS infrastructure is secured via Azure NSGs. This means locking down access to external systems or web services that could provide a way into the secure system.
- You would need to enable the Standard pricing tier for Azure Security Center and follow its guidance to comply with standards such as ISO 27001.
- Use a secure firewall that blocks and monitors traffic to prevent data entering or leaving the secure environment.
- Use Microsoft's Azure Bastion to manage and control services (i.e. servers) in Azure.
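The first factor above (no drive, USB or printer redirection) is a host pool setting, so it can be audited and enforced rather than trusted. The following script is an added example, not code from the original post or from Microsoft: it assumes the classic tenant-based WVD PowerShell module (Microsoft.RDInfra.RDPowerShell), uses placeholder tenant and host pool names, and goes one step beyond the post by also switching off clipboard redirection, since the clipboard is another path for data to leave the tank.

```powershell
# Added example (not from the original post). Assumes the classic (tenant-based) WVD module
# Microsoft.RDInfra.RDPowerShell; the tenant and host pool names below are placeholders.
Import-Module Microsoft.RDInfra.RDPowerShell
Add-RdsAccount -DeploymentUrl "https://rdbroker.wvd.microsoft.com"
$TenantName   = "<wvd-tenant-name>"   # placeholder
$HostPoolName = "<host-pool-name>"    # placeholder

# Redirection that must be explicitly off. RDP properties are 'key:type:value' entries separated
# by ';' - an 's' (string) entry is off when empty, an 'i' (integer) entry when it is 0.
$IsolationPolicy = [ordered]@{
    'drivestoredirect'     = @{ Type = 's'; Value = '' }   # local drives / storage
    'usbdevicestoredirect' = @{ Type = 's'; Value = '' }   # USB peripherals
    'devicestoredirect'    = @{ Type = 's'; Value = '' }   # other plug-and-play devices
    'redirectprinters'     = @{ Type = 'i'; Value = '0' }  # printers
    'redirectcomports'     = @{ Type = 'i'; Value = '0' }  # serial ports
    'redirectclipboard'    = @{ Type = 'i'; Value = '0' }  # clipboard: not in the post, but another data path
}

function ConvertFrom-RdpProperty([string]$PropertyString) {
    $map = @{}
    foreach ($entry in ($PropertyString -split ';')) {
        if (-not $entry.Trim()) { continue }
        $parts = $entry.Split(':', 3)   # values may contain ':', so split into at most 3 parts
        if ($parts.Count -eq 3) { $map[$parts[0].Trim().ToLower()] = $parts[2].Trim() }
    }
    return $map
}

function Get-RdpIsolationViolations([string]$PropertyString, $Policy) {
    $current = ConvertFrom-RdpProperty $PropertyString
    foreach ($key in $Policy.Keys) {
        if (-not $current.ContainsKey($key)) { "$key is not set explicitly, so the default applies"; continue }
        $want = $Policy[$key].Value
        if ($current[$key] -ne $want) { "$key is '$($current[$key])', expected '$want'" }
    }
}

$pool = Get-RdsHostPool -TenantName $TenantName -Name $HostPoolName
$violations = @(Get-RdpIsolationViolations $pool.CustomRdpProperty $IsolationPolicy)
if ($violations.Count -eq 0) { "Host pool '$HostPoolName' already meets the isolation policy"; return }
$violations | ForEach-Object { "VIOLATION: $_" }

# Keep existing entries the policy does not govern and force every policy key to its locked value.
$kept = @([string]$pool.CustomRdpProperty -split ';') | Where-Object {
    $_.Trim() -and (@($IsolationPolicy.Keys) -notcontains $_.Split(':', 3)[0].Trim().ToLower())
}
$locked = $IsolationPolicy.Keys | ForEach-Object { "$($_):$($IsolationPolicy[$_].Type):$($IsolationPolicy[$_].Value)" }
$hardened = ((@($kept) + @($locked)) -join ';') + ';'
Set-RdsHostPool -TenantName $TenantName -Name $HostPoolName -CustomRdpProperty $hardened
```

Running the audit on a schedule (and alerting on any VIOLATION line) turns the redirection requirement into a check rather than a one-off setting.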
This would provide you with a contained, secure environment, allowing users to work internally with no external access and ensuring that data cannot leave the secure environment unless authorised under a controlled process.
The "Fish Tank" analogy describes the secure connectivity of Reverse Connect: the client never connects directly to the infrastructure located within Azure. The connection is terminated at the gateway, and a second connection is created from the WVD back plane to the Azure IaaS. This creates new possibilities for those who want truly secure remote access, as well as those specialised organisations that wish to achieve true isolation.