SOLVED

Jumphost Questions?


Environment: Hub - Spoke Environment in Azure

Jumphost: Will provision Windows based VM and not WVD (customer request)


Questions:

a) Should the jumphost be hosted in the hub, or can it be hosted in the individual spokes so that access is allowed only to a specific subscription (spoke)?

b) How can we prevent users from installing applications on the jumphosts other than the required ones?

c) What recommendations are there for jumphost hardening?

d) Is there any specific pre-baked security policy related to jumphosts?


1 Reply
best response confirmed by Admin O365 (Frequent Contributor)
Solution

Hi, since you are in a hub-and-spoke topology the jumphost needs to be in the hub (central operations), and you can limit the incoming authorized requests either with network security groups or by using Azure Firewall or a network virtual appliance of your choice.
If the virtual machine is domain joined you can simply restrict administrative access and leverage AppLocker policies in Group Policy Objects.
Since it's an IaaS workload, the first thing to do is implement the security best-practice fundamentals:
https://docs.microsoft.com/en-us/azure/security/fundamentals/iaas
There are many built-in policies in Azure Security Center, now Azure Defender, to prevent, detect and respond to threats to your VMs:
https://docs.microsoft.com/en-us/azure/virtual-machines/security-policy

Tip: your jumphost doesn't need to have a public IP; you can create a DNAT rule and leverage the public IP of your firewall.
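The three controls the answer recommends (NSG restriction, a DNAT rule on the hub firewall instead of a public IP on the VM, and AppLocker rules pushed by Group Policy) as one Az PowerShell / AppLocker script. This is an added example, not code from the thread or from Microsoft; the resource group, firewall, public IP and subnet names, the CIDRs and IPs, and the `C:\ApprovedApps` folder are all assumed placeholders. One detail a practitioner would want that the answer does not spell out: Azure Firewall SNATs DNAT'd traffic to its own private IP, so the NSG on the jumphost subnet has to admit RDP from the AzureFirewallSubnet range, not from the administrators' Internet range.

```powershell
# Added example (not from the original thread). Assumes the Az.Network module for the
# Azure part and the built-in AppLocker module on a domain-joined Windows jumphost.
# Every name, CIDR and IP below is an assumed placeholder for a hub VNet that already
# contains an Azure Firewall in its AzureFirewallSubnet.
#Requires -Modules Az.Network

$rg        = 'rg-hub-prod'        # assumed resource group holding hub network resources
$location  = 'westeurope'
$fwName    = 'afw-hub'            # assumed existing Azure Firewall
$fwPipName = 'pip-afw-hub'        # assumed public IP attached to that firewall
$fwSubnet  = '10.0.0.0/26'        # assumed AzureFirewallSubnet prefix
$jumpIp    = '10.0.1.4'           # assumed private IP of the jumphost (no public IP)
$adminCidr = '203.0.113.0/24'     # assumed egress range of the administrators

# 1) NSG for the jumphost subnet. Azure Firewall source-NATs DNAT'd flows to its own
#    private IP, so the allow rule must name the firewall subnet, not $adminCidr.
$allowRdpFromFw = New-AzNetworkSecurityRuleConfig -Name 'Allow-RDP-From-AzureFirewall' `
    -Description 'RDP reaches the jumphost only via the firewall DNAT rule' `
    -Access Allow -Protocol Tcp -Direction Inbound -Priority 100 `
    -SourceAddressPrefix $fwSubnet -SourcePortRange '*' `
    -DestinationAddressPrefix "$jumpIp/32" -DestinationPortRange 3389

# The default AllowVnetInBound rule (priority 65000) would otherwise let any peered
# spoke RDP straight to the jumphost; this explicit deny sits in front of it.
$denyRdpOther = New-AzNetworkSecurityRuleConfig -Name 'Deny-RDP-Other' `
    -Description 'Block RDP to the jumphost from every other source' `
    -Access Deny -Protocol Tcp -Direction Inbound -Priority 4000 `
    -SourceAddressPrefix '*' -SourcePortRange '*' `
    -DestinationAddressPrefix "$jumpIp/32" -DestinationPortRange 3389

$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Location $location `
    -Name 'nsg-jumphost' -SecurityRules $allowRdpFromFw, $denyRdpOther

# 2) DNAT on the existing hub firewall: administrators connect to the firewall's public
#    IP on 3389 and the firewall translates that to the jumphost's private IP.
$fw    = Get-AzFirewall -Name $fwName -ResourceGroupName $rg
$fwPip = (Get-AzPublicIpAddress -ResourceGroupName $rg -Name $fwPipName).IpAddress

$natRule = New-AzFirewallNatRule -Name 'DNAT-RDP-Jumphost' -Protocol TCP `
    -SourceAddress $adminCidr -DestinationAddress $fwPip -DestinationPort 3389 `
    -TranslatedAddress $jumpIp -TranslatedPort 3389

$natColl = New-AzFirewallNatRuleCollection -Name 'rc-dnat-jumphost' -Priority 100 `
    -Rule $natRule -ActionType Dnat
$fw.AddNatRuleCollection($natColl)
Set-AzFirewall -AzureFirewall $fw

# 3) AppLocker: on a reference build of the jumphost, derive publisher/hash rules from
#    the folder that holds only the approved tools, then apply the policy. The same XML
#    can be imported into the jumphost GPO so every instance receives it.
$approved  = 'C:\ApprovedApps'                 # assumed folder of allowed binaries
$policyXml = 'C:\Temp\jumphost-applocker.xml'

Get-AppLockerFileInformation -Directory $approved -Recurse -FileType Exe, Script, WindowsInstaller |
    New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -Xml |
    Out-File -FilePath $policyXml -Encoding utf8

# -Merge keeps existing rules (e.g. the default rules for %WINDIR% and %PROGRAMFILES%)
# instead of replacing the whole policy with only the generated rules.
Set-AppLockerPolicy -XmlPolicy $policyXml -Merge

# Check that an installer dropped by a user would be blocked before enforcing.
Test-AppLockerPolicy -XmlPolicy $policyXml -Path 'C:\Users\Public\Downloads\setup.exe' -User Everyone
```

Two caveats before enforcing this on a live jumphost: AppLocker needs the Application Identity service (AppIDSvc) running, and a policy generated only from the approved folder contains no rules for the Windows and Program Files directories, so start in audit-only mode (or merge the AppLocker default rules first) and review the AppLocker event log before switching the collections to enforce.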