WVD in high-security environments


Is there a list of definitive permissions published somewhere (Fall and Spring releases) detailing exactly what permissions are required for WVD, both from a provisioning- and operational point-of-view? I have a large high-security client where functions are separated, in other words, security is handled by a completely different team, projects by an unrelated project team who hands over to the operational teams.


In a previous deployment, using the Fall 2019 version, I was able to determine the following:


  • Security team to create RDS tenant as this will not be delegated,
  • RDS Contributor assigned to project team (which was the lowest supported permissions),
  • Microsoft.Network/virtualNetworks/WRITE permissions to join virtual machines to the network (I think this is related to an issue in the ARM template, but it is problematic),
  • Active Directory create computer object (or rather domain join) permissions,
  • Owner permission required to write captured images to the Shared Gallery.

My deployment stopped at the last point as the security team asked for a full list of all the permissions required as they are not able to entertain back-and-forth requests.


Thanks
