Securing Cloud PCs and Azure Virtual Desktop

The old network security groups were wide open. Marta redesigned the virtual network. She enabled AVD’s RDP Shortpath for low latency, but wrapped it in Azure Firewall with FQDN-based filtering. More critically, she deployed Network Security Groups (NSGs) at the subnet level that only allowed RDP traffic from the AzureInstanceMetadataService tag—no direct internet access for session hosts. If a Cloud PC was compromised, it couldn’t phone home. It was a silent room with no windows.
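The subnet-level NSG design described above (inbound RDP only from a named source, no Internet egress for session hosts) is the kind of thing worth checking continuously rather than once. The following is an added example, not code from the page or from any Azure tooling: a small policy check that reads the `securityRules` array in the shape returned by `az network nsg show -o json` and flags two regressions, an inbound Allow that exposes port 3389 to an open source prefix, and an outbound rule order that still lets session hosts reach the Internet. The NSG content is constructed for the example; the rule names and addresses are invented.

```python
"""Policy check for an AVD session-host subnet NSG (added example, not from the page).

The input mirrors the `securityRules` array of `az network nsg show -o json`;
the NSG below is a constructed sample, and its rule names are invented."""
import json

OPEN_PREFIXES = {"*", "Internet", "0.0.0.0/0"}  # prefixes that mean "anyone"
RDP_PORT = 3389

# Constructed sample NSG (same field names as the Azure CLI output).
SAMPLE_NSG_JSON = json.dumps({
    "name": "nsg-avd-hosts",
    "securityRules": [
        {"name": "AllowRdpFromServiceTag", "priority": 100, "direction": "Inbound",
         "access": "Allow", "protocol": "Tcp",
         "sourceAddressPrefix": "AzureInstanceMetadataService",
         "destinationPortRange": "3389", "destinationAddressPrefix": "*"},
        {"name": "AllowRdpFromAnywhere", "priority": 110, "direction": "Inbound",
         "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "*",
         "destinationPortRange": "3389", "destinationAddressPrefix": "*"},
        {"name": "AllowAnyOutbound", "priority": 200, "direction": "Outbound",
         "access": "Allow", "protocol": "*", "sourceAddressPrefix": "*",
         "destinationPortRange": "*", "destinationAddressPrefix": "*"},
        {"name": "DenyInternetOutbound", "priority": 4000, "direction": "Outbound",
         "access": "Deny", "protocol": "*", "sourceAddressPrefix": "*",
         "destinationPortRange": "*", "destinationAddressPrefix": "Internet"},
    ],
})


def rule_ports(rule):
    """Return the set of destination ports a rule matches, or None for 'any port'.

    Handles both the scalar `destinationPortRange` and the list form
    `destinationPortRanges`, including ranges such as "3389-3390"."""
    raw = rule.get("destinationPortRanges") or [rule.get("destinationPortRange", "*")]
    ports = set()
    for item in raw:
        if item == "*":
            return None
        lo, _, hi = item.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def covers_port(rule, port):
    ports = rule_ports(rule)
    return ports is None or port in ports


def nsg_findings(nsg_json):
    """Return a list of human-readable findings; an empty list means the NSG passes."""
    nsg = json.loads(nsg_json)
    # NSGs evaluate rules lowest priority number first; the first match decides.
    rules = sorted(nsg["securityRules"], key=lambda r: r["priority"])
    findings = []

    # Check 1: no inbound Allow may expose RDP to an open source prefix.
    # (Only the scalar sourceAddressPrefix is inspected here.)
    for r in rules:
        if (r["direction"] == "Inbound" and r["access"] == "Allow"
                and r.get("sourceAddressPrefix", "") in OPEN_PREFIXES
                and covers_port(r, RDP_PORT)):
            findings.append(
                f"inbound RDP reachable from {r['sourceAddressPrefix']}: rule {r['name']}")

    # Check 2: the first outbound rule whose destination covers the Internet decides
    # egress. A catch-all Deny is a pass; any Allow is a finding; if no rule matches,
    # Azure's default rule AllowInternetOutBound (priority 65001) applies.
    verdict = "AllowInternetOutBound (Azure default rule)"
    for r in rules:
        if r["direction"] != "Outbound" or r["destinationAddressPrefix"] not in OPEN_PREFIXES:
            continue
        if r["access"] == "Allow":
            verdict = r["name"]
            break
        if rule_ports(r) is None and r["protocol"] == "*":
            verdict = None  # a full Deny sits ahead of any Allow
            break
    if verdict:
        findings.append(f"session hosts can reach the Internet: rule {verdict}")
    return findings


def drop_rules(nsg_json, names):
    """Return the NSG JSON with the named rules removed (used to show the hardened form)."""
    nsg = json.loads(nsg_json)
    nsg["securityRules"] = [r for r in nsg["securityRules"] if r["name"] not in names]
    return json.dumps(nsg)


if __name__ == "__main__":
    for f in nsg_findings(SAMPLE_NSG_JSON):
        print("FAIL:", f)
    hardened = drop_rules(SAMPLE_NSG_JSON, {"AllowRdpFromAnywhere", "AllowAnyOutbound"})
    print("hardened findings:", nsg_findings(hardened))
```

Run as-is it reports two failures for the sample (the open RDP allow, and the priority-200 allow that shadows the priority-4000 deny), and none once those two rules are dropped. The ordering check matters more than it looks: a deny-to-Internet rule that exists but sits behind a broader allow gives exactly the false sense of security the paragraph above warns about.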

Frustrated, the attacker pivoted. They tried to deploy a new session host directly via the Azure API. But Marta had locked that down with Azure Privileged Identity Management (PIM). You couldn’t spin up a host without a time-bound, approved, audited elevation request.

The CISO, a veteran of the firewall era, looked confused. “But our Cloud PCs are secured. We have anti-malware. We have network security groups.”

The attack had a name now: Midnight Proxy.