Forum Discussion

Admin O365
Brass Contributor
Feb 17, 2021

Jumphost Questions?

Environment: Hub - Spoke Environment in Azure

Jumphost: Will provision Windows based VM and not WVD (customer request)


Questions:

a) Should the jumphost be hosted in the Hub, or can it be hosted in the individual Spokes so that access is allowed to a specific subscription (spoke)?

b) How can we prevent users from installing applications on the jumphosts besides the required applications?

c) What are the recommendations for jumphost hardening?

d) Is there any specific pre-baked security policy related to jumphosts?


  • ibnmbodji
    Steel Contributor

    Hi, since you are in a Hub and Spoke topology the jumphost needs to be on the Hub (central operations), and you can limit the incoming authorized requests either with network security groups or by using Azure Firewall or a network virtual appliance of your choice.
    If the virtual machine is domain joined you can simply restrict administrative access and leverage AppLocker policies in Group Policy Objects.
    Since it's an IaaS workload the first thing to do is implement security best practice fundamentals:
    https://docs.microsoft.com/en-us/azure/security/fundamentals/iaas
    There are many built-in policies in Azure Security Center (now Azure Defender) to prevent, detect and respond to threats to your VMs.
    https://docs.microsoft.com/en-us/azure/virtual-machines/security-policy

    Tip: your jumphost doesn't need to have a public IP; you can create a DNAT rule and leverage the public IP of your firewall.
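The network part of the answer above (NSG on the jumphost subnet, no public IP on the VM, Azure Firewall DNAT from the firewall's public IP) as an added Az PowerShell example. This is editorial example code, not the poster's script or a Microsoft sample; every resource name, subnet range and IP address in it is an assumption or a constructed value, and it targets classic Azure Firewall rules (a Firewall Policy deployment would use the New-AzFirewallPolicyNatRule family instead).

```powershell
# Added example (not from the post): lock the jumphost down with an NSG and
# publish it through an Azure Firewall DNAT rule instead of a public IP.
# All resource names and addresses below are assumptions / constructed values.
$rg            = 'rg-hub'            # hypothetical hub resource group
$location      = 'westeurope'
$vnetName      = 'vnet-hub'
$jumpSubnet    = 'snet-jump'
$jumpPrefix    = '10.0.2.0/24'       # constructed jumphost subnet
$jumpPrivateIp = '10.0.2.4'          # constructed private IP of the jumphost NIC
$fwSubnetRange = '10.0.1.0/26'       # constructed AzureFirewallSubnet range
$adminSourceIp = '203.0.113.10'      # constructed operator source IP (TEST-NET-3)

# 1. NSG on the jumphost subnet: RDP only from the firewall subnet, deny the rest.
#    Azure Firewall SNATs DNAT'd traffic to its own private IP, so the firewall
#    subnet is the only source the jumphost ever sees for inbound RDP.
$allowRdpFromFw = New-AzNetworkSecurityRuleConfig -Name 'Allow-RDP-From-Firewall' `
    -Access Allow -Protocol Tcp -Direction Inbound -Priority 100 `
    -SourceAddressPrefix $fwSubnetRange -SourcePortRange '*' `
    -DestinationAddressPrefix $jumpPrivateIp -DestinationPortRange 3389
$denyAllInbound = New-AzNetworkSecurityRuleConfig -Name 'Deny-All-Inbound' `
    -Access Deny -Protocol '*' -Direction Inbound -Priority 4096 `
    -SourceAddressPrefix '*' -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange '*'
$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Location $location `
    -Name 'nsg-jump' -SecurityRules $allowRdpFromFw, $denyAllInbound

$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $jumpSubnet `
    -AddressPrefix $jumpPrefix -NetworkSecurityGroup $nsg | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null

# 2. DNAT rule: firewall public IP:3389 -> jumphost private IP:3389, accepted only
#    from the operator's source address. The jumphost itself keeps no public IP.
$fw    = Get-AzFirewall -ResourceGroupName $rg -Name 'fw-hub'
$fwPip = Get-AzPublicIpAddress -ResourceGroupName $rg -Name 'pip-fw-hub'
$dnat  = New-AzFirewallNatRule -Name 'DNAT-RDP-Jumphost' -Protocol Tcp `
    -SourceAddress $adminSourceIp -DestinationAddress $fwPip.IpAddress -DestinationPort 3389 `
    -TranslatedAddress $jumpPrivateIp -TranslatedPort 3389
$natColl = New-AzFirewallNatRuleCollection -Name 'nat-jumphost' -Priority 100 -Rule $dnat
$fw.AddNatRuleCollection($natColl)
Set-AzFirewall -AzureFirewall $fw | Out-Null

# 3. Sanity check: the jumphost NIC must not carry a public IP of its own.
$nic = Get-AzNetworkInterface -ResourceGroupName $rg -Name 'nic-jump'
if ($nic.IpConfigurations.PublicIpAddress) {
    Write-Warning 'Jumphost NIC still has a public IP attached; detach it.'
}
```

Run it from a session that already holds a Connect-AzAccount context with rights on the hub resource group. The deny-all rule at priority 4096 is what makes the NSG an allow-list; without it the default AllowVnetInBound rule would still admit RDP from any peered spoke.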
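For question (b), the answer points at AppLocker policies in a GPO. The following is an added example of an allow-list AppLocker policy for a jumphost, written by the editor rather than taken from the post: standard users may only launch what lives under Program Files and the Windows folder, while only BUILTIN\Administrators may run or install anything else. The helper New-PathRule, the output path and the GPO LDAP path are assumptions and placeholders.

```powershell
# Added example (not from the post): allow-list AppLocker policy for the jumphost.
# Everyone may run only from Program Files / Windows; Administrators may run and
# install anything. Paths and the GPO LDAP string are placeholders.
$policyPath = Join-Path $env:TEMP 'jumphost-applocker.xml'   # assumed output path

function New-PathRule([string]$Name, [string]$Sid, [string]$Path) {
    # Hypothetical helper: one AppLocker FilePathRule with a fresh rule GUID.
    $tpl = '    <FilePathRule Id="{0}" Name="{1}" Description="" UserOrGroupSid="{2}" Action="Allow">' + "`n" +
           '      <Conditions><FilePathCondition Path="{3}" /></Conditions>' + "`n" +
           '    </FilePathRule>'
    return $tpl -f [guid]::NewGuid(), $Name, $Sid, $Path
}

$everyone = 'S-1-1-0'        # well-known SID: Everyone
$admins   = 'S-1-5-32-544'   # well-known SID: BUILTIN\Administrators

# %PROGRAMFILES% in AppLocker covers both Program Files and Program Files (x86).
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
$(New-PathRule 'Allow Program Files' $everyone '%PROGRAMFILES%\*')
$(New-PathRule 'Allow Windows folder' $everyone '%WINDIR%\*')
$(New-PathRule 'Administrators: all executables' $admins '*')
  </RuleCollection>
  <RuleCollection Type="Msi" EnforcementMode="Enabled">
$(New-PathRule 'Allow installers cached by Windows' $everyone '%WINDIR%\Installer\*')
$(New-PathRule 'Administrators: all installers' $admins '*.*')
  </RuleCollection>
  <RuleCollection Type="Script" EnforcementMode="Enabled">
$(New-PathRule 'Allow Windows scripts' $everyone '%WINDIR%\*')
$(New-PathRule 'Administrators: all scripts' $admins '*')
  </RuleCollection>
</AppLockerPolicy>
"@
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# Dry run before enforcing: a copy of notepad.exe in the user's temp folder must be
# Denied for Everyone, while the original under %WINDIR% stays Allowed.
$probe = Join-Path $env:TEMP 'notepad-copy.exe'
Copy-Item "$env:WINDIR\System32\notepad.exe" $probe -Force
Test-AppLockerPolicy -XmlPolicy $policyPath -User 'Everyone' `
    -Path $probe, "$env:WINDIR\System32\notepad.exe" |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Apply to the jumphost GPO (placeholder LDAP path). AppLocker only enforces when
# the Application Identity service runs; it is a protected service, so set its
# start type with sc.exe rather than Set-Service.
Set-AppLockerPolicy -XmlPolicy $policyPath `
    -Ldap 'LDAP://DC01.example.local/CN={<GPO-GUID>},CN=Policies,CN=System,DC=example,DC=local'
sc.exe config appidsvc start= auto
```

Start with EnforcementMode="AuditOnly" for a week and review the AppLocker event log (Microsoft-Windows-AppLocker/EXE and DLL, event ID 8003) before switching to Enabled, so that required tooling installed outside Program Files is caught before standard users are locked out of it.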