
Windows 365 – the revolutionary new virtualization solution (Part 6 – Windows 365 security)

In this blog post I give you my thoughts about Windows 365 and security aspects.

This blog series contains the following articles (the links will be updated once the articles are released).

This blog contains the following sections:

Is Windows 365 hackable or already hacked?

Device security

Built-In security

Recommendations to secure Windows 365

Is Windows 365 hackable or already hacked?

I am pretty sure you’ve already heard or read it: only a few days or hours after the Windows 365 release there was a big scream like “OMG Microsoft, it is easy to steal credentials from a Windows 365 CloudPC!“. So this is the best way for me to start this article: picking up the news that press and media have already focused on.

No discussion, it IS possible to steal the RDP credentials with an attack. That is not a Windows 365-only problem; it is an RDP problem. You want to know how? It is very easy. Some good articles about it:

See the original post on Twitter about that.

Bad news. It looks like this PC did not inherit the security settings that any company should have in place. With basic Endpoint security settings, I could not reproduce that.

How should you react to this? Should you stop using Windows 365? No, you should not. Why? Because you can (and must) take actions to prevent attacks. With Windows 365 that is no different from any other client PC. Windows 365 is software, and software has bugs. And security holes. Believe it or not, Linux, BSD, macOS and all the others have these too. Not everyone in the troll scene wants to believe that, but this is reality. The question is how the vendor handles it, and this is where Microsoft can act and close this soon. They have done this in the past with other critical issues, too. See Microsoft fixes actively exploited Exchange zero-day bugs, patch now (bleepingcomputer.com) as an example.

There are some do’s and don’ts:

  • (do) play around with Mimikatz. I highly recommend this! This is the only way to learn about your system and to test whether you could close the vulnerability.
  • (don’t) cry that Microsoft hasn’t fixed it yet and shout out everywhere “Microsoft develops insecure software!”. This is the worst thing you can do: behave like a troll. Imagine this situation: you build a house for you and your family. The front door you’ve ordered is delivered with a wrong key. What do you do? Stand in front of your house and cry and shout out for several weeks “my vendor has delivered an insecure front door!”? No, you don’t. You will do anything to work around it. For example, install a camera to monitor suspicious activity. So:
  • (do) secure your CloudPCs!
  • (don’t) stop considering Windows 365. Even if it is not perfect in all aspects (which software is perfect except Notepad and Minesweeper? 😉 ), stopping thinking about it and possible use cases will prevent you from moving forward. Look how terrible digitalization in Germany is – how terrible the broadband is here. That is because people stopped looking at new technologies (and other things of course, but that is not the topic now).

Regardless of the exploit above, always keep in mind that RDP is vulnerable; see Remote Desktop Vulnerabilities: What You Need to Know – Cybersecurity Insiders (cybersecurity-insiders.com).

In between the bad RDP news (which isn’t really news but often well-ignored facts), keep in mind that the connection isn’t established via the vulnerable mstsc.exe, but via msrdcw.exe! The new RDP client addresses a lot of security issues that the old client has: What’s new in the Windows Desktop client | Microsoft Docs.

Device security

Now that we know that RDP is vulnerable (if not, start reading this article from the beginning, please), a look at the built-in security is interesting. The first (and easiest) look is in the control panel under device security:

Hmmm – what the… :

Why that?!?!? In comparison, a normal laptop (not a virtualized Azure machine):

What does that mean “Standard hardware security not supported“? This is explained on this Microsoft site: Device protection in Windows Security (microsoft.com)

Microsoft can you please enable these features for Windows 365? You are the manufacturer, so please please do this!

The next question is of course: what is missing? First a look at TPM:

A really good explanation of why TPM is important can be found here: What is TPM: Why are Trusted Platform Modules important Windows 11 – Simturax. What I dislike most about the lack of a TPM is that the device cannot be BitLocker encrypted:

(the policies mentioned above are mandatory in my environment..)

Windows 365 is a cloud PC, and one of the greatest goals of BitLocker is to prevent attacks on a stolen disk – that is impossible with a CloudPC. That is right, but the safety feeling with BitLocker is better.

Secure Boot is important to prevent malicious attacks on the boot sequence, such as replacing the boot loader with malicious code. That may or may not be an important feature here; it depends on whether Microsoft did something special to protect VMs in Azure. For a better safety feeling it would be great to have Secure Boot enabled.

DEP is an abbreviation for Data Execution Prevention. Learn here why this is important: Data execution prevention (DEP) in Windows 10 – Infosec Resources (infosecinstitute.com). A very simplified explanation: DEP protects your memory. DEP is enabled at a minimum in Windows 365; you may think about increasing it with your own GPO (in Windows 365 Enterprise) or Intune policy:

It is good to see the hint “Your computer’s processor supports hardware-based DEP”.
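As an added example (not code from the original post), this PowerShell snippet reads the same DEP state the Windows Security page shows and prints the local command to raise the policy. It assumes an elevated PowerShell session on the CloudPC; the policy-name mapping follows the documented Win32_OperatingSystem values, and the bcdedit command is only printed, not executed.

```powershell
# Added example: inspect the DEP policy on a CloudPC and show how to raise it.
# Assumes an elevated PowerShell session; nothing here changes the system.
$depPolicyNames = @{
    0 = 'AlwaysOff'   # DEP disabled for everything (never acceptable)
    1 = 'AlwaysOn'    # DEP for all processes, no opt-out possible
    2 = 'OptIn'       # Windows default: system binaries only, apps must opt in
    3 = 'OptOut'      # DEP for all processes unless explicitly excluded
}

function Get-DepStatus {
    # Win32_OperatingSystem exposes the DEP flags that Windows Security displays.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    [pscustomobject]@{
        HardwareDep = $os.DataExecutionPrevention_Available   # the "processor supports hardware-based DEP" hint
        Policy      = $depPolicyNames[[int]$os.DataExecutionPrevention_SupportPolicy]
        Drivers     = $os.DataExecutionPrevention_Drivers
        Apps32Bit   = $os.DataExecutionPrevention_32BitApplications
    }
}

$status = Get-DepStatus
$status | Format-List

if (-not $status.HardwareDep) {
    Write-Warning 'No hardware DEP (NX/XD) reported; only software DEP is available.'
}

# The Windows default is OptIn. OptOut (or AlwaysOn) covers every process and is
# what a GPO or Intune policy would push fleet-wide; this is the single-machine
# equivalent via the boot configuration. A reboot is required afterwards.
if ($status.Policy -in @('AlwaysOff', 'OptIn')) {
    Write-Host 'DEP policy is weaker than OptOut. To raise it, run as administrator:'
    Write-Host '    bcdedit /set {current} nx OptOut'
} else {
    Write-Host "DEP policy is $($status.Policy); nothing to do."
}
```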

And what about UEFI MAT? It stands for Unified Extensible Firmware Interface Memory Attributes Table. It protects Windows from bad drivers.

So all of these together build a strong team. If you want to read more about that, have a look at How to turn on Memory Integrity and Core Isolation in Windows 10 – Scott Hanselman’s Blog.

I’ve left out the feature Core isolation, which is available in the CloudPC. I won’t try to explain it here; there are already good articles with great explanations, for example: What Are “Core Isolation” and “Memory Integrity” in Windows 10? (howtogeek.com)

You must draw your own conclusions from that. I personally hope that Microsoft will add these security features to Windows 365.

Built-in security

Some finalizing thoughts: all this may now sound as if I were very unhappy with Windows 365 and its security features. I am not. And I’ll tell you why: Windows 365 will be able to run Windows 11 (I already had the insider beta running on my Business CloudPC). What does that mean? It means that there is some magic happening! Either Microsoft has something hardcoded like this:

if (OS == "Windows 11")
{
  // hypothetical: skip the hardware checks (TPM, Secure Boot) for this OS only
  SkipSecurityChecksForInstall();
}
else
{
  PerformSecurityChecksForInstall();
}

I don’t believe there is source code like that. What I believe much more: Microsoft has a lot of security features implemented on their hosts inside Azure. The inheritance to the guest VMs may, as of today, not be ideal. But that seems to be the case. Windows 11 requires security features like TPM 2.0 (Windows 11 enables security by design from the chip to the cloud – Microsoft Security Blog). If there were no TPM, the install would not be possible. Furthermore, Windows 11 has now been announced for Windows 365 Enterprise and Business. That must mean that there is a lot of security under the hood that may not be correctly reflected to the client OS running on it.

I very much hope that Microsoft is going to change that and reflect much better what is built into Windows 365. At the moment it looks to me like Microsoft has done much more to secure the CloudPC than they let the user know.

Recommendations to secure Windows 365

Now that we have had a look at the built-in security, the next step is to understand how to improve the security of your CloudPCs. The actions I show you here need to be done in any case, no matter whether there is a TPM, DEP, UEFI or other chips. There is one other very important factor: the internet. The internet is evil. Hackers, script kiddies, and all the malicious people and stuff. They perform random or targeted attacks every second. Windows 365 is a big target because it is delivered over the internet. That means every CloudPC needs special security that fits into the customer’s strategy. Here is what you should do:

At the end of this article, I’d like to show you what a conditional access policy may look like:

Block Access to Windows 365 with Basic Authentication

When you implement this rule, access via the browser (tested with Edge) and via the modern RDP client is still possible.

Allow Windows 365 Access only in Browser

Grant access only for specific people

That can be built like the other Conditional Access rules. Just don’t grant access to everyone; add a group or specific people here.

Enforce MFA when connecting to Windows 365

The only difference for that rule is the Grant menu at the end of each rule:

Set Session lifetime

You must find a setting that fits your environment well. Don’t be too restrictive; that will annoy your users if the sign-in frequency is too low!
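The Conditional Access policies described above (block basic authentication, grant access only to specific people, enforce MFA, and set the session lifetime), as an added example written with the Microsoft Graph PowerShell SDK; this is not code from the original post. It assumes the Microsoft.Graph module is installed, the caller holds the Policy.ReadWrite.ConditionalAccess scope, and the two IDs at the top are placeholders you replace with your tenant’s Windows 365 cloud app ID and pilot group ID.

```powershell
# Added example: the Windows 365 Conditional Access policies as Graph PowerShell calls.
# Placeholders (replace with your tenant's values):
$Windows365AppId = '<WINDOWS-365-APP-ID>'    # the "Windows 365" cloud app as shown in the CA portal
$PilotGroupId    = '<PILOT-GROUP-OBJECT-ID>' # the group that is allowed to use CloudPCs

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess'

# Shared building block: scope every policy to the pilot group and Windows 365 only,
# which is the "grant access only for specific people" rule from above.
function New-W365Conditions {
    param([string[]]$ClientAppTypes)
    return @{
        users          = @{ includeGroups = @($PilotGroupId) }      # not "all users"
        applications   = @{ includeApplications = @($Windows365AppId) }
        clientAppTypes = $ClientAppTypes
    }
}

$policies = @(
    @{  # 1) Block basic (legacy) authentication against Windows 365
        displayName   = 'W365 - Block legacy authentication'
        conditions    = New-W365Conditions -ClientAppTypes @('exchangeActiveSync', 'other')
        grantControls = @{ operator = 'OR'; builtInControls = @('block') }
    },
    @{  # 2) Same scope; the only difference is the Grant control: MFA instead of block
        displayName   = 'W365 - Require MFA'
        conditions    = New-W365Conditions -ClientAppTypes @('browser', 'mobileAppsAndDesktopClients')
        grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
    },
    @{  # 3) Session lifetime: re-authenticate every 8 hours (tune this for your users)
        displayName     = 'W365 - Sign-in frequency'
        conditions      = New-W365Conditions -ClientAppTypes @('browser', 'mobileAppsAndDesktopClients')
        grantControls   = @{ operator = 'OR'; builtInControls = @('mfa') }
        sessionControls = @{ signInFrequency = @{ isEnabled = $true; type = 'hours'; value = 8 } }
    }
)

foreach ($p in $policies) {
    # Start in report-only mode and review the sign-in logs before switching to 'enabled'.
    $p.state = 'enabledForReportingButNotEnforced'
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $p
    Write-Host ('Created {0} ({1}) in state {2}' -f $created.DisplayName, $created.Id, $created.State)
}
```

Report-only mode lets you check in the Azure AD sign-in logs which users and clients would have been blocked before the policies take effect.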

Published by Andreas

Founder of M365 Evangelists Cloud-Architect, Strategy Consultant, Consultant for Microsoft technologies, Graph API enthusiast, PowerShell enthusiast