Secure Remote Desktop (VDI)

Virtual desktop infrastructures (VDI) like Azure Virtual Desktop provide a controlled environment but carry the risk of session hijacking.

Your Strategy

Treat the VDI environment as an isolated security zone. Enforce MFA during connection establishment and use short-lived sessions to prevent attacker persistence.

Best Practices

  • MFA: No access to VDI gateways without strong authentication.
  • Isolation: Prevent clipboard and drive redirection from private endpoints into the VDI.
  • Patching: Keep base images of virtual desktops updated daily.
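The strategy and the three practices above translate into two configuration checks: the host pool's RDP properties must not redirect clipboard or drives, and the Conditional Access policy that fronts the VDI gateway must require MFA and cap the session lifetime. The following Python script is an added example, not code from the page or from AYSOLI. It parses a host pool custom RDP property string (the `name:type:value;` format of .rdp files; the property names and "off" values used here are assumptions) and returns a hardened string, and it audits a policy object in the Microsoft Graph `conditionalAccessPolicy` shape (field names assumed, not taken from the page). All sample inputs are constructed.

```python
"""Audit VDI isolation and session settings (added example, constructed inputs)."""
from __future__ import annotations

# Client redirections that move data between the endpoint and the VDI.
# name -> (type letter, value that disables it). Assumed .rdp semantics:
# an integer 0 turns a redirection off, an empty string list redirects nothing.
REDIRECTION_OFF = {
    "redirectclipboard": ("i", "0"),
    "drivestoredirect": ("s", ""),
    "redirectprinters": ("i", "0"),
    "usbdevicestoredirect": ("s", ""),
}


def parse_rdp_properties(props: str) -> dict[str, tuple[str, str]]:
    """Parse 'name:type:value;' items into {name: (type, value)}."""
    result: dict[str, tuple[str, str]] = {}
    for item in props.split(";"):
        item = item.strip()
        if not item:
            continue
        parts = item.split(":", 2)          # value may itself contain ':'
        if len(parts) != 3:
            raise ValueError(f"malformed RDP property: {item!r}")
        name, typ, value = parts
        result[name.lower()] = (typ, value)
    return result


def find_enabled_redirections(props: str) -> list[str]:
    """Redirections that are enabled or not explicitly pinned off.

    A property that is absent is reported too: the host pool default is
    treated as permissive (assumption), so isolation must be set explicitly.
    """
    parsed = parse_rdp_properties(props)
    enabled = []
    for name, (_typ, off_value) in REDIRECTION_OFF.items():
        current = parsed.get(name)
        if current is None or current[1] != off_value:
            enabled.append(name)
    return enabled


def harden_rdp_properties(props: str) -> str:
    """Return the property string with every redirection pinned off."""
    parsed = parse_rdp_properties(props)
    for name, (typ, off_value) in REDIRECTION_OFF.items():
        parsed[name] = (typ, off_value)
    return "".join(f"{n}:{t}:{v};" for n, (t, v) in sorted(parsed.items()))


def audit_conditional_access(policy: dict, max_sign_in_hours: int = 8) -> list[str]:
    """Findings for a Graph-style conditionalAccessPolicy dict (assumed schema)."""
    findings = []
    if policy.get("state") != "enabled":
        findings.append("policy not enabled")
    grant = policy.get("grantControls") or {}
    if "mfa" not in grant.get("builtInControls", []):
        findings.append("MFA not required")
    freq = (policy.get("sessionControls") or {}).get("signInFrequency") or {}
    if not freq.get("isEnabled"):
        findings.append("no sign-in frequency (sessions never expire)")
    else:
        hours = freq["value"] * (24 if freq.get("type") == "days" else 1)
        if hours > max_sign_in_hours:
            findings.append(f"sign-in frequency {hours}h exceeds {max_sign_in_hours}h")
    return findings


# Constructed samples: a permissive host pool string and a weak/strong policy pair.
WEAK_RDP = "drivestoredirect:s:*;redirectclipboard:i:1;audiocapturemode:i:1;"
WEAK_POLICY = {
    "state": "enabled",
    "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]},
    "sessionControls": None,
}
STRONG_POLICY = {
    "state": "enabled",
    "grantControls": {"operator": "AND", "builtInControls": ["mfa", "compliantDevice"]},
    "sessionControls": {"signInFrequency": {"value": 1, "type": "hours", "isEnabled": True}},
}

if __name__ == "__main__":
    print("enabled redirections:", find_enabled_redirections(WEAK_RDP))
    print("hardened:", harden_rdp_properties(WEAK_RDP))
    print("weak policy:", audit_conditional_access(WEAK_POLICY))
    print("strong policy:", audit_conditional_access(STRONG_POLICY))
```

Run the script against the property string exported from your own host pool and the policy JSON exported from your tenant; an empty findings list for both is the target state.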

STRIDE-LM Design Risks

Spoofing (S-WKP-01): VDI Session Hijacking
Takeover of an active virtual desktop session.

Tampering (T-01): Data Tampering
Unauthorized modification of shared data or configurations.

Repudiation (R-01): Audit Log Manipulation
Deleting or altering traces of an action.

Information Disclosure (I-01): Sensitive Data Exposure
Unintentional disclosure of internal information to externals.

Denial of Service (D-01): Resource Exhaustion
Overloading systems through massive requests or resource hogging.

Elevation of Privilege (E-01): Privilege Escalation
Gaining privileges beyond what is intended.

Lateral Movement (L-01): Lateral Movement
Accessing further internal systems after initial login.

Monitoring Gaps (M-01): Insufficient Logging
Missing or inadequate recording of security-relevant events.
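The session-hijacking risk (S-WKP-01) and the logging gap (M-01) above meet in the connection log: a takeover of an active session shows up there as a session used from a second client address, and a gateway that lets connections in without MFA or lets sessions run past their lifetime leaves the trace that should trigger an alert. The following Python is an added example, not code from the page or from AYSOLI. It runs over a few constructed JSON-lines connection events (the field names `session`, `user`, `ip`, `state` and `mfa` are assumptions, not a vendor log schema) and raises an alert for each of those three conditions.

```python
"""Detect VDI session-hijacking indicators in connection logs (added example)."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

MAX_SESSION_LIFETIME = timedelta(hours=8)   # policy value, assumed

# Constructed sample events. Field names are assumptions, not a vendor schema.
# c1: alice's session continues from a second client IP (hijack indicator)
# c2: bob's connection was started without MFA
# c3: carol's session ran for 10.5 hours, past the configured lifetime
SAMPLE_LOG = """\
{"time": "2024-05-01T08:00:00Z", "session": "c1", "user": "alice", "ip": "203.0.113.10", "state": "Started", "mfa": true}
{"time": "2024-05-01T08:00:05Z", "session": "c1", "user": "alice", "ip": "203.0.113.10", "state": "Connected", "mfa": true}
{"time": "2024-05-01T08:30:00Z", "session": "c1", "user": "alice", "ip": "198.51.100.7", "state": "Connected", "mfa": true}
{"time": "2024-05-01T09:00:00Z", "session": "c2", "user": "bob", "ip": "203.0.113.22", "state": "Started", "mfa": false}
{"time": "2024-05-01T09:00:03Z", "session": "c2", "user": "bob", "ip": "203.0.113.22", "state": "Connected", "mfa": false}
{"time": "2024-05-01T07:00:00Z", "session": "c3", "user": "carol", "ip": "203.0.113.31", "state": "Started", "mfa": true}
{"time": "2024-05-01T07:00:02Z", "session": "c3", "user": "carol", "ip": "203.0.113.31", "state": "Connected", "mfa": true}
{"time": "2024-05-01T17:30:00Z", "session": "c3", "user": "carol", "ip": "203.0.113.31", "state": "Completed", "mfa": true}
"""


def parse_events(text: str) -> list[dict]:
    """Parse JSON lines into event dicts with a timezone-aware datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["time"] = datetime.fromisoformat(ev["time"].replace("Z", "+00:00"))
        events.append(ev)
    return events


def detect_hijack_indicators(events: list[dict],
                             max_lifetime: timedelta = MAX_SESSION_LIFETIME
                             ) -> list[tuple[str, str, str]]:
    """Return (session, user, reason) alerts, ordered by session id."""
    by_session: dict[str, list[dict]] = defaultdict(list)
    for ev in events:
        by_session[ev["session"]].append(ev)

    alerts = []
    for sid, evs in sorted(by_session.items()):
        evs.sort(key=lambda e: e["time"])
        user = evs[0]["user"]

        # 1. One session id seen from more than one client address: the
        #    session token is being used by a second endpoint.
        ips = {e["ip"] for e in evs}
        if len(ips) > 1:
            alerts.append((sid, user, "session reused from multiple client IPs: "
                           + ", ".join(sorted(ips))))

        # 2. The connection was established without strong authentication.
        if any(not e.get("mfa", False) for e in evs if e["state"] == "Started"):
            alerts.append((sid, user, "connection established without MFA"))

        # 3. The session outlived the short-lived-session policy.
        lifetime = evs[-1]["time"] - evs[0]["time"]
        if lifetime > max_lifetime:
            alerts.append((sid, user,
                           f"session lifetime {lifetime} exceeds {max_lifetime}"))
    return alerts


if __name__ == "__main__":
    for sid, user, reason in detect_hijack_indicators(parse_events(SAMPLE_LOG)):
        print(f"ALERT session={sid} user={user}: {reason}")
```

The multi-IP rule is the one that needs tuning in practice: a client roaming between networks produces the same pattern, so enrich it with ASN or geolocation distance before paging anyone, and keep the MFA and lifetime rules as hard policy checks.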

MITRE ATT&CK® Techniques

Reconnaissance

T1592 Gather Victim Digital Network Information
Collecting information about the target infrastructure.
Mitigated by:
  • Data Anonymization (Differential Privacy): Extended Protection, High; NIST: PR.PT-3

Initial Access

T1133 External Remote Services
Access via VPNs or cloud management interfaces.
Mitigated by:
  • Conditional Access Policies: Baseline Protection, Medium; CIS: 6.1, NIST: PR.AC-7, OWASP: API2

T1078 Valid Accounts
Exploiting existing credentials for access.
Mitigated by:
  • Conditional Access Policies: Baseline Protection, Medium; CIS: 6.1, NIST: PR.AC-7, OWASP: API2
  • FIDO2 Enforcement: Baseline Protection, Medium; CIS: 6.5, NIST: PR.AC-7, OWASP: A07:2021
  • Least Privilege Principle: Baseline Protection, Medium; CIS: 6.2, NIST: PR.AC-6, OWASP: A01:2021
  • Privileged Identity Management (PIM): Baseline Protection, Medium; CIS: 6.2, NIST: PR.AC-1, OWASP: A01:2021
  • MFA for Windows Sign-in: Extended Protection, Medium; CIS: 6.5, NIST: PR.AC-7
  • Regular Access Reviews: Baseline Protection, Low; CIS: 6.6, NIST: PR.AC-1, OWASP: A01:2021

Persistence

T1098 Account Manipulation
Changing permissions or creating new accounts.
Mitigated by:
  • Privileged Identity Management (PIM): Baseline Protection, Medium; CIS: 6.2, NIST: PR.AC-1, OWASP: A01:2021
  • Regular Access Reviews: Baseline Protection, Low; CIS: 6.6, NIST: PR.AC-1, OWASP: A01:2021

Credential Access

T1557 Adversary-in-the-Middle
Intercepting communication between two parties.
Mitigated by:
  • Privileged Access Workstation (PAW): Extended Protection, High; CIS: 6.4, NIST: PR.AC-3

T1539 Steal Web Session Cookie
Capturing active session tokens to bypass authentication.
Mitigated by:
  • Conditional Access Policies: Baseline Protection, Medium; CIS: 6.1, NIST: PR.AC-7, OWASP: API2
  • FIDO2 Enforcement: Baseline Protection, Medium; CIS: 6.5, NIST: PR.AC-7, OWASP: A07:2021

T1110 Brute Force
Attempts to gain access to accounts or API keys through systematic trial and error.
Mitigated by:
  • FIDO2 Enforcement: Baseline Protection, Medium; CIS: 6.5, NIST: PR.AC-7, OWASP: A07:2021

T1003 OS Credential Dumping
Extracting credentials from the operating system.
Mitigated by:
  • MFA for Windows Sign-in: Extended Protection, Medium; CIS: 6.5, NIST: PR.AC-7
  • Privileged Access Workstation (PAW): Extended Protection, High; CIS: 6.4, NIST: PR.AC-3

Lateral Movement

T1021 Remote Services
Use of legitimate remote services for lateral movement within the network.
Mitigated by:
  • Regular Access Reviews: Baseline Protection, Low; CIS: 6.6, NIST: PR.AC-1, OWASP: A01:2021

Collection

T1213 Data from Information Repositories
Accessing data from knowledge bases (SharePoint, Confluence).
Mitigated by:
  • Least Privilege Principle: Baseline Protection, Medium; CIS: 6.2, NIST: PR.AC-6, OWASP: A01:2021

Secure Remote Desktop (VDI) | IT Security Checklist for SMEs · AYSOLI Security Hub