Feb 16 2021 07:33 PM
Environment: Hub - Spoke Environment in Azure
Jumphost: will provision a Windows-based VM and not WVD (customer request)
Questions:
a) Should the jumphost be hosted in the hub, or can it be hosted in the individual spokes so that access is allowed to a specific subscription (spoke)?
b) How can we prevent users from installing applications on jumphosts besides the required applications?
c) What are the recommendations for jumphost hardening?
d) Any specific pre-baked security policy related to jumphosts?
Mar 07 2021 03:49 AM - edited Mar 07 2021 03:52 AM
Solution
Hi, since you are in a hub-and-spoke topology, the jumphost needs to be on the hub (central operations), and you can limit the incoming authorized requests either with network security groups or by using Azure Firewall or a network virtual appliance of your choice.
If the virtual machine is domain-joined, you can simply restrict administrative access and leverage AppLocker policies in Group Policy Objects.
Since it's an IaaS workload, the first thing to do is implement the security best practice fundamentals:
https://docs.microsoft.com/en-us/azure/security/fundamentals/iaas
There are many built-in policies in Azure Security Center (now Azure Defender) to prevent, detect and respond to threats to your VMs.
https://docs.microsoft.com/en-us/azure/virtual-machines/security-policy
Tip: your jumphost doesn't need to have a public IP; you can create a DNAT rule and leverage the public IP of your firewall.
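The network side of the answer above (NSG on the jumphost subnet, Azure Firewall DNAT instead of a public IP on the VM) as an added Az PowerShell example; this is not code from the original answer. It assumes the Az.Network module, a login with Network Contributor on the hub, and the following hypothetical names and addresses: resource group rg-hub, VNet vnet-hub with AzureFirewallSubnet 10.0.0.0/26 and snet-jumphost 10.0.1.0/24, jumphost VM vm-jumphost at 10.0.1.4, an Azure Firewall afw-hub using classic rules (not Firewall Policy) with public IP pip-afw-hub, and an operator egress range 203.0.113.0/24.

```powershell
# Added example, not from the original answer. All names and addresses are assumptions:
# rg-hub, vnet-hub, AzureFirewallSubnet 10.0.0.0/26, snet-jumphost 10.0.1.0/24,
# vm-jumphost at 10.0.1.4, afw-hub (classic rules) with public IP pip-afw-hub,
# operator source range 203.0.113.0/24.
$ErrorActionPreference = 'Stop'
Connect-AzAccount | Out-Null

$rg             = 'rg-hub'
$location       = 'westeurope'
$firewallSubnet = '10.0.0.0/26'     # AzureFirewallSubnet prefix
$jumphostSubnet = '10.0.1.0/24'
$jumphostIp     = '10.0.1.4'
$operatorCidr   = '203.0.113.0/24'  # the only source allowed to hit the DNAT rule
$rdpPort        = 3389

# 1. NSG for the jumphost subnet. Traffic that Azure Firewall DNATs is also SNATed to the
#    firewall's private IP, so the only legitimate inbound source for RDP is
#    AzureFirewallSubnet. The explicit deny at priority 4096 overrides the default
#    AllowVnetInBound rule, so peered spokes cannot reach the jumphost directly either.
$rules = @(
    New-AzNetworkSecurityRuleConfig -Name 'Allow-RDP-From-AzureFirewall' -Priority 100 `
        -Direction Inbound -Access Allow -Protocol Tcp `
        -SourceAddressPrefix $firewallSubnet -SourcePortRange '*' `
        -DestinationAddressPrefix $jumphostIp -DestinationPortRange $rdpPort
    New-AzNetworkSecurityRuleConfig -Name 'Deny-All-Inbound' -Priority 4096 `
        -Direction Inbound -Access Deny -Protocol '*' `
        -SourceAddressPrefix '*' -SourcePortRange '*' `
        -DestinationAddressPrefix '*' -DestinationPortRange '*'
)
$nsg = New-AzNetworkSecurityGroup -Name 'nsg-jumphost' -ResourceGroupName $rg `
        -Location $location -SecurityRules $rules

$vnet = Get-AzVirtualNetwork -Name 'vnet-hub' -ResourceGroupName $rg
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'snet-jumphost' `
    -AddressPrefix $jumphostSubnet -NetworkSecurityGroup $nsg | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null

# 2. DNAT on Azure Firewall: operators connect to the firewall's public IP and the
#    firewall translates to the jumphost's private IP. The VM itself gets no public IP.
$fw  = Get-AzFirewall -Name 'afw-hub' -ResourceGroupName $rg
$pip = Get-AzPublicIpAddress -Name 'pip-afw-hub' -ResourceGroupName $rg

$natRule = New-AzFirewallNatRule -Name 'DNAT-Jumphost-RDP' -Protocol TCP `
    -SourceAddress $operatorCidr `
    -DestinationAddress $pip.IpAddress -DestinationPort $rdpPort `
    -TranslatedAddress $jumphostIp -TranslatedPort $rdpPort
$natCollection = New-AzFirewallNatRuleCollection -Name 'Jumphost-Inbound' `
    -Priority 100 -Rule $natRule
$fw.AddNatRuleCollection($natCollection)
Set-AzFirewall -AzureFirewall $fw | Out-Null

# 3. Check that no NIC on the VM carries a public IP; the list should come back empty.
$vm = Get-AzVM -Name 'vm-jumphost' -ResourceGroupName $rg
$exposed = foreach ($nicRef in $vm.NetworkProfile.NetworkInterfaces) {
    $nic = Get-AzNetworkInterface -ResourceId $nicRef.Id
    $nic.IpConfigurations | Where-Object { $_.PublicIpAddress } | ForEach-Object { $nic.Name }
}
if ($exposed) { Write-Warning "Public IP still attached via NIC(s): $($exposed -join ', ')" }
else          { Write-Host 'OK: jumphost is reachable only through the firewall DNAT rule.' }
```

The NSG source prefix is deliberately AzureFirewallSubnet rather than the operator range: after DNAT the packets arrive from the firewall's private IP, so a rule keyed on 203.0.113.0/24 would never match and RDP would silently stay blocked. The operator restriction belongs on the DNAT rule's SourceAddress, which is where it is enforced here.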
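The AppLocker-via-GPO point in the answer above, as an added example that is not code from the original answer: it builds a policy that lets standard users run only what is already in the Windows and Program Files folders (with the user-writable folders under %WINDIR% carved out), restricts MSI installs to administrators, dry-runs it against real files, and imports it into a GPO. Assumptions: it runs on a management host with the GroupPolicy (RSAT) and AppLocker modules, the domain is contoso.com, a GPO named Jumphost-AppLocker already exists and is linked to the jumphost OU, the test account is contoso\jumpuser, and operators are not local administrators (the Administrators rules allow everything, which is why restricting admin access comes first in the answer).

```powershell
# Added example, not from the original answer. Assumed: domain contoso.com, existing GPO
# 'Jumphost-AppLocker' linked to the jumphost OU, test user contoso\jumpuser, operators
# are standard users (AppLocker is a no-op for members of BUILTIN\Administrators below).
$ErrorActionPreference = 'Stop'
Import-Module AppLocker
Import-Module GroupPolicy

$policyPath = Join-Path $env:TEMP 'jumphost-applocker.xml'

# SIDs: Everyone = S-1-1-0, BUILTIN\Administrators = S-1-5-32-544.
# The Exe collection mirrors AppLocker's default rules but adds Exceptions for
# user-writable folders under %WINDIR% (a non-exhaustive list) that would otherwise let a
# standard user drop an installer into an allowed path and run it.
# The Msi collection lets users run only MSIs already cached by Windows Installer
# (repairs and updates); new installs need an administrator.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="$(New-Guid)" Name="Everyone: Windows folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
      <Exceptions>
        <FilePathCondition Path="%WINDIR%\Temp\*" />
        <FilePathCondition Path="%WINDIR%\Tasks\*" />
        <FilePathCondition Path="%WINDIR%\tracing\*" />
      </Exceptions>
    </FilePathRule>
    <FilePathRule Id="$(New-Guid)" Name="Everyone: Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$(New-Guid)" Name="Administrators: everything" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
  <RuleCollection Type="Msi" EnforcementMode="Enabled">
    <FilePathRule Id="$(New-Guid)" Name="Everyone: Windows Installer cache" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\Installer\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$(New-Guid)" Name="Administrators: all MSI" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# Dry run before enforcing anything. Test-AppLockerPolicy evaluates real files, so the
# "downloaded installer" is a copy of an existing binary placed in the user's temp folder,
# i.e. outside every allowed path.
$fakeInstaller = Join-Path $env:TEMP 'setup.exe'
Copy-Item "$env:WINDIR\System32\notepad.exe" $fakeInstaller -Force
Test-AppLockerPolicy -XmlPolicy $policyPath -User 'contoso\jumpuser' `
    -Path $fakeInstaller, "$env:WINDIR\System32\mstsc.exe" |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Import into the GPO. Without -Merge this replaces any AppLocker settings already in it.
$gpo  = Get-GPO -Name 'Jumphost-AppLocker'
$ldap = "LDAP://$($gpo.DomainName)/$($gpo.Path)"
Set-AppLockerPolicy -XmlPolicy $policyPath -Ldap $ldap

# Enforcement on the jumphost also requires the Application Identity service (AppIDSvc)
# to be running; set it to Automatic through the same GPO (Computer Configuration >
# Windows Settings > Security Settings > System Services) or, as a one-off on the VM from
# an elevated prompt:  sc.exe config appidsvc start= auto  then  sc.exe start appidsvc
```

In the dry run the copied setup.exe should come back as DeniedByDefault (no rule matches it for a standard user) and mstsc.exe as Allowed via the Windows folder rule. Start with EnforcementMode="AuditOnly" on a new jumphost and review the AppLocker event log (Microsoft-Windows-AppLocker/EXE and DLL) for a few days before switching to Enabled, otherwise a required tool installed outside Program Files will be blocked on day one.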