Introduction
Workspaces on myDRE typically consist of one or more Virtual Machines (VMs). VMs on myDRE can run two different operating systems (CentOS and Windows Server 2019; Ubuntu coming soon). Moreover, a plethora of software can be installed on VMs. Therefore, the question sometimes arises of how much maintenance on the VMs needs to be performed by the local support team (ST) and how much by anDREa.
We have listed some of the more frequently asked questions regarding VM maintenance below:
Q: How are VMs monitored regarding security vulnerabilities?
A: At the moment, our monitoring team monitors the VMs for vulnerabilities and sends the reports to Azure Log Analytics workspaces. anDREa is working on an improved audit feature, after which the tenant can monitor these vulnerability reports themselves.
Q: Are VMs automatically patched with security updates?
A: Windows VMs automatically fetch security updates.
In a workspace, Windows VMs (either in base form or from a template) are domain joined to the mydre.org Azure Active Directory Domain Services (AADDS) domain. This domain also hosts a Windows Server Update Services (WSUS) instance that fetches the updates and patches and makes them available. It is, however, important that the VMs are started periodically so that they can fetch and apply the updates. When a VM is started, updates are fetched from the WSUS and users are prompted to install them.
At the moment, anDREa does not support automated patching for CentOS VMs. However, these VMs are air-gapped and only accessible via a Windows stepping stone or the optional Azure Bastion feature, which makes the probability of a bad actor reaching the VM very low. anDREa has recently rolled out a proxy, which technically makes it possible to support automated patching for Linux VMs. anDREa will look further into this once Ubuntu is rolled out.
Q: Are there set time windows for patching VMs?
A: For VM patching there is no set time window. As described above, updates are fetched from the WSUS when the VM is started, and the user is prompted to install them.
If needed, anDREa can provide a list of VMs that did not update. Soon, tenants will be able to do this themselves.
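As an added example (not myDRE or anDREa code), the following PowerShell check lets a tenant or local ST member verify on a Windows VM that it is pointed at the WSUS instance, when it last applied updates, and whether anything is still pending, which is the practical way to spot a VM that has not been started often enough to patch. The $MaxAgeDays threshold is an assumed value, not a figure documented by myDRE.

```powershell
# Added example (not myDRE/anDREa code): report WSUS configuration and patch recency
# for the Windows VM this runs on. Run in an elevated PowerShell session on the VM.
# $MaxAgeDays is an assumed threshold, not a value stated by myDRE.
param([int]$MaxAgeDays = 30)

$report = [ordered]@{ ComputerName = $env:COMPUTERNAME }

# 1. The WSUS target is delivered by domain policy into this registry key.
$wuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$wuServer = (Get-ItemProperty -Path $wuPolicy -ErrorAction SilentlyContinue).WUServer
$report.WsusServer = if ($wuServer) { $wuServer } else { '<not configured: VM is not using WSUS>' }

# 2. Last successful install recorded by the Windows Update agent (absent on some builds).
$resultsKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install'
$lastInstall = (Get-ItemProperty -Path $resultsKey -ErrorAction SilentlyContinue).LastSuccessTime
$report.LastSuccessfulInstall = if ($lastInstall) { [datetime]$lastInstall } else { $null }

# 3. Cross-check with the newest hotfix actually present on the system.
$newestHotfix = Get-HotFix | Where-Object InstalledOn |
    Sort-Object InstalledOn -Descending | Select-Object -First 1
$report.NewestHotfix = if ($newestHotfix) {
    "$($newestHotfix.HotFixID) ($($newestHotfix.InstalledOn.ToShortDateString()))"
} else { 'none' }

# 4. Ask the agent what is still pending; this contacts the WSUS, like the prompt users see.
try {
    $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
    $pending  = $searcher.Search('IsInstalled=0 and IsHidden=0').Updates
    $report.PendingUpdates = $pending.Count
} catch {
    $report.PendingUpdates = "lookup failed: $($_.Exception.Message)"
}

# 5. Flag the VM as stale when nothing has been applied within the threshold.
$reference = if ($report.LastSuccessfulInstall) { $report.LastSuccessfulInstall }
             elseif ($newestHotfix) { $newestHotfix.InstalledOn }
             else { $null }
$report.Stale = if ($reference) { ((Get-Date) - $reference).TotalDays -gt $MaxAgeDays } else { $true }

[pscustomobject]$report | Format-List
```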
Q: How are software updates of applications handled within a VM?
A: anDREa is not involved in performing software updates; this activity is the responsibility of those who installed and maintain the applications.
Applications can be installed and/or updated in any of the following ways:
- Upload the application (update) to the Workspace and install it (can be done by the Workspace Accountable, a Privileged Member, or a local ST member when invited to the workspace).
- Install/update the application via the software share.**
- Install/update the application via either opening up ports (IP whitelisting) or domain whitelisting.
** An organization can choose to employ a shared read-only file share, often called the software share. There, a local support team member can make installation files of software available. Updating the installation files with the newest version makes it available to the whole organization. In addition, some organizations have decided to create a software store user interface on the software share using Chocolatey.