Virtual Machine maintenance


Introduction

Workspaces on myDRE typically consist of one or more Virtual Machines (VMs). VMs on myDRE can have two different operating systems (CentOS and Windows Server 2019; Ubuntu coming soon). Moreover, a plethora of software can be installed on VMs. Therefore, the question sometimes arises of how much maintenance of the VMs needs to be performed by the local support team (ST) and how much by anDREa.

We have listed some of the more frequently asked questions regarding VM maintenance below:

Q: How are VMs monitored regarding security vulnerabilities?

A: Microsoft Defender for Servers is used to monitor the VMs for vulnerabilities with the Azure-provided vulnerability assessment solution (Qualys).

At the moment, our monitoring team is monitoring and sending reports to Azure Log Analytics workspaces. anDREa is working on an improved audit feature after which the tenant can monitor these vulnerability reports themselves.

Q: Are VMs automatically patched with security updates?

A: Windows VMs automatically fetch security updates. 

In a workspace, Windows VMs (either in base form or template) are domain joined to the mydre.org Azure Active Directory Domain Services (AADDS) domain. This domain also hosts a Windows Server Update Service (WSUS) instance that fetches and makes the updates and patches available. It is however important that the VMs are periodically started to be able to fetch and apply the updates. When the VM is started, updates are fetched from the WSUS and users are prompted to update.

At the moment, anDREa does not support automated patching for CentOS VMs. However, these VMs are airgapped and only accessible via a Windows stepping stone or the optional Azure Bastion feature, which makes the probability of a bad actor reaching the VM very low. anDREa has recently rolled out a proxy, which technically makes it possible to support automated patching for Linux VMs. anDREa will look further into this once Ubuntu is rolled out.

Q: Are there set time windows for patching VMs?

A: For VM patching there is no set time window. As described above, updates are fetched from the WSUS upon starting the VM, prompting the user to update.

If needed, anDREa can provide a list of which VMs did not update. Soon tenants will be able to do this themselves.
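Because updates are only fetched from the WSUS when a VM is running, a tenant can verify a Windows VM's patch state from inside the VM. The following PowerShell script is an added example and not anDREa/myDRE tooling: it reads the WSUS policy keys, the Windows Update Agent's last successful search/install timestamps and the newest recorded hotfix, and warns when the VM is not pointed at a WSUS server or has not installed updates within a threshold (the 30-day threshold is an assumption).

```powershell
# Added example (not anDREa/myDRE tooling): run inside a Windows VM to report
# whether it uses a WSUS server and when it last installed updates.
# The staleness threshold of 30 days is an assumption.
param([int]$MaxDaysSinceInstall = 30)

# WSUS configuration is delivered by domain policy into these registry keys.
$wuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$wuServer = (Get-ItemProperty -Path $wuPolicy -Name WUServer -ErrorAction SilentlyContinue).WUServer
$useWsus  = (Get-ItemProperty -Path "$wuPolicy\AU" -Name UseWUServer -ErrorAction SilentlyContinue).UseWUServer

# The Windows Update Agent records its last successful search and install.
$results     = (New-Object -ComObject Microsoft.Update.AutoUpdate).Results
$lastSearch  = $results.LastSearchSuccessDate
$lastInstall = $results.LastInstallationSuccessDate

# Newest hotfix recorded on the machine, as an independent cross-check.
$lastHotfix = Get-HotFix | Where-Object InstalledOn |
    Sort-Object InstalledOn -Descending | Select-Object -First 1

[pscustomobject]@{
    ComputerName        = $env:COMPUTERNAME
    WsusServer          = $wuServer
    UsesWsus            = ($useWsus -eq 1)
    LastSearchSuccess   = $lastSearch
    LastInstallSuccess  = $lastInstall
    LastHotfixId        = $lastHotfix.HotFixID
    LastHotfixInstalled = $lastHotfix.InstalledOn
} | Format-List

$warnings = @()
if (-not $wuServer -or $useWsus -ne 1) {
    $warnings += 'VM is not configured to fetch updates from a WSUS server.'
}
if (-not $lastInstall -or ((Get-Date) - $lastInstall).TotalDays -gt $MaxDaysSinceInstall) {
    $warnings += "No successful update installation in the last $MaxDaysSinceInstall days; keep the VM running until updates are applied."
}
if ($warnings) {
    $warnings | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Host 'Update status OK.'
```

Run it in an elevated PowerShell session on the VM; a non-zero exit code makes it easy to collect results across several VMs with a scheduled task.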

Q: How are software updates of applications handled within a VM?

A: anDREa is not involved in performing software updates; this activity is the responsibility of those who installed and maintain the applications.

Applications can be installed and/or updated in any of the following ways:
  1. Upload the application (update) to the Workspace and install it (can be done by Workspace Accountable, Privileged Member or local ST member when invited to the workspace).
  2. Install/update the application via the software share**.
  3. Install/update the application via either opening up ports (IP-whitelisting) or domain whitelisting.
** An organization can choose to employ a shared read-only file share which is often called the software share. There, the local support team member can make installation files of software available. Updating the installation files with the newest version will make it available for the whole organization. In addition, some organizations decided to create a software store user interface on the software share using Chocolatey.
