Desktop-as-a-Service (DaaS) has recently gained momentum with Microsoft making Windows Virtual Desktop (WVD) generally available and increasing its investment in this service. WVD basically lets companies host low-cost Windows desktops in the cloud, as an alternative to traditional on-prem VDI desktops. A major use case for DaaS is providing users access to Windows apps, like Office, on any device (including Macs, tablets, etc).
This can help enterprises accelerate their move to the cloud, help them get out of the hardware business and adopt BYOD, potentially reduce costs and leave the hard work of providing access to legacy Windows apps to Microsoft and WVD. One of the ways Microsoft is able to reduce the cost of DaaS is by letting multiple users use the same Windows 10 VM running on Azure, made possible by Windows 10 Enterprise for Virtual Desktops (EVD) that supports multiple user sessions.
However, enterprises should also consider the security implications of going for DaaS and sharing user sessions on a single Windows VM. Here are three risks to consider:
- First, as all users share the same OS instance, if one user gets infected via any attack vector on Windows (e.g. malicious attachments, websites, other apps, middleware, plugins, …), the entire OS can get infected and the user data/credentials/apps of all other users on this instance get compromised as well. This could be triggered either by an external attacker or by an insider who leverages known vulnerabilities or any of these attack vectors to elevate privileges, get sensitive data, do harm, etc. This is not science fiction, but rather a relatively simple attack to pull off. The attacker already runs on the VM, so they can survey all of the software on that VM, find software that hasn’t been patched properly and leverage the unpatched vulnerabilities. DaaS can help with patching the OS, but if you bring your own Windows image with your own software and your own software patching practices, you can still potentially end up with unpatched Windows VMs.
- Second, as DaaS is normally publicly available on the internet, any attacker can scan and find the DaaS service and try to break in. One way of breaking in would be to authenticate with the service by providing user credentials. If you’re only using passwords with no multi-factor authentication, this becomes a real risk that must be taken into account. Another way would be to find vulnerabilities in the protocol connecting the user into the remote desktop. As the remoting protocols become more and more sophisticated and as they add all kinds of performance optimizations to get a better user experience, they also increase the code base for that protocol and the attack surface. These vulnerabilities are more common than one might expect (e.g. CVE-2019-1181).
- Third, one of the main motivations to adopt DaaS is to make Windows desktops available to users on any device, anywhere, including home/personal/unmanaged devices. These devices have a high likelihood of getting infected. Once they get infected, malware on the device can simply control the remote desktop, leak data out and do any kind of harm, without needing any zero-day vulnerability. For more information about these by-design attacks, read our blog post here.
If you go with DaaS, make sure you apply proper authentication, patching and lockdown of the Windows desktops so that the likelihood of the first two attack vectors is reduced. To protect against the third attack, namely malicious personal devices, you must apply a different approach, such as the use of a dedicated locked-down device for accessing sensitive VDI workloads or using Hysolate laptops that can ensure sensitive access is completely segregated from your personal access.
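As an added example (not code from the original post or from Hysolate), the following PowerShell script turns the three mitigations for the first two risks, patching, authentication and lockdown, into a read-only hygiene audit that can be run in an elevated session on a multi-session Windows session host. It uses only built-in cmdlets (`Get-HotFix`, `Get-ItemProperty`, `Get-LocalGroupMember`) and standard registry locations; the 30-day patch threshold and the `$ExpectedAdmins` allow-list are assumptions to be tuned for your own environment.

```powershell
# Added example, not part of the original post: audit a shared (multi-session)
# Windows session host for the patching, authentication and lockdown controls
# discussed above. Run in an elevated PowerShell session on the host itself.
# ASSUMPTIONS (tune to your environment):
$MaxPatchAgeDays = 30                    # assumed patch SLA for session hosts
$ExpectedAdmins  = @('Administrator')    # assumed allow-list for local Administrators
$findings = @()

# 1. Patching: find the newest installed hotfix. On a shared OS instance one
#    unpatched component exposes every user's session, so staleness is a finding.
$latest = Get-HotFix |
    Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1
if (-not $latest) {
    $findings += 'No installed hotfixes found; verify the update configuration.'
} elseif ((New-TimeSpan -Start $latest.InstalledOn -End (Get-Date)).Days -gt $MaxPatchAgeDays) {
    $findings += "Newest hotfix $($latest.HotFixID) was installed on $($latest.InstalledOn.ToShortDateString()), older than $MaxPatchAgeDays days."
}

# 2. Authentication at the remoting layer: Network Level Authentication makes the
#    client authenticate before a full remote desktop session is created, which
#    reduces the pre-authentication attack surface of the protocol.
$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$nla = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
if ($nla -ne 1) {
    $findings += 'Network Level Authentication is not required for RDP-Tcp (UserAuthentication is not 1).'
}

# 3. Lockdown / least privilege: on a multi-session host any unexpected local
#    administrator can reach every other user's data, so compare the local
#    Administrators group against the allow-list. Names are reported as
#    MACHINE\user or DOMAIN\user; only the account part is compared.
$members = Get-LocalGroupMember -Group 'Administrators' |
    ForEach-Object { $_.Name.Split('\')[-1] }
$unexpected = $members | Where-Object { $ExpectedAdmins -notcontains $_ }
foreach ($m in $unexpected) {
    $findings += "Unexpected member of local Administrators: $m"
}

# Report. A non-zero exit code lets a scheduled job or CI step flag the host.
if ($findings.Count -eq 0) {
    Write-Output 'PASS: session host meets the patching, NLA and local-admin checks.'
} else {
    Write-Output 'FAIL:'
    $findings | ForEach-Object { Write-Output "  - $_" }
    exit 1
}
```

Two things the script deliberately does not cover: multi-factor authentication for the sign-in to the DaaS service is enforced in the identity provider (for WVD, an Azure AD Conditional Access policy), not on the session host, so it has to be verified there; and the third risk, a compromised personal device driving a legitimate session, is invisible to any host-side check, which is why the text above calls for a different approach for that case.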