Deploy a healthy development Windows virtual machine

Recently a developer asked me what would be considered a healthy virtual machine for development, as he wanted to deploy a virtual machine on Microsoft Azure after his personal laptop became slow and unstable.

In this article, let's see what a healthy Windows virtual machine looks like and deploy one for your personal work.

The term "healthy" here really means compliant, but to remove the compliance pressure I'd rather call it healthy. It depends on your corporate policy, but to me a healthy virtual machine for development would initially have the following things:

  • It is deployed in a controlled virtual network and subnet.
  • It should not have any Internet exposure. Azure Bastion should be used.
  • It should have Microsoft Antimalware solution installed.
  • It should have Visual Studio Code installed.
  • It should integrate AAD for seamless sign-in.
  • It should send VM logs to a Log Analytics workspace. If you already have a SIEM and want to send logs to an Event Hub instead, see this example.
  • Its disks, including data disks, should be encrypted using the Microsoft disk encryption capability. See the explanation of the disk encryption extension and deep-dive troubleshooting here.
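The criteria above can be checked mechanically before a template is deployed. The following is an added example (not the repository's template or code): it takes an ARM template as a Python dict and reports each criterion, using the real extension publisher/type pairs for Antimalware, AAD login, the Log Analytics agent and Azure Disk Encryption; treating VS Code as delivered by a CustomScriptExtension is an assumption, since the page names no installer mechanism. The sample template is constructed inline.

```python
"""Check an ARM template's resources against the 'healthy VM' criteria above."""

# Publisher/type pairs of the extensions behind each criterion. VS Code delivery via
# CustomScriptExtension is an assumption: the page names no installer mechanism.
REQUIRED_EXTENSIONS = {
    "antimalware": ("Microsoft.Azure.Security", "IaaSAntimalware"),
    "aad_login": ("Microsoft.Azure.ActiveDirectory", "AADLoginForWindows"),
    "log_analytics": ("Microsoft.EnterpriseCloud.Monitoring", "MicrosoftMonitoringAgent"),
    "disk_encryption": ("Microsoft.Azure.Security", "AzureDiskEncryption"),
    "vscode_install": ("Microsoft.Compute", "CustomScriptExtension"),
}

def check_template(template):
    """Return {criterion: True/False} for the VM described by an ARM template dict."""
    by_type = {}
    for res in template.get("resources", []):
        by_type.setdefault(res["type"], []).append(res)
    nics = by_type.get("Microsoft.Network/networkInterfaces", [])
    cfgs = [c["properties"] for n in nics for c in n["properties"]["ipConfigurations"]]
    # Controlled network: every ipConfiguration binds to a subnet.
    # No Internet exposure: no ipConfiguration references a public IP; Bastion is the way in.
    result = {
        "in_subnet": bool(cfgs) and all("subnet" in c for c in cfgs),
        "no_public_ip": bool(cfgs) and not any("publicIPAddress" in c for c in cfgs),
        "bastion": bool(by_type.get("Microsoft.Network/bastionHosts")),
    }
    installed = {(e["properties"]["publisher"], e["properties"]["type"])
                 for e in by_type.get("Microsoft.Compute/virtualMachines/extensions", [])}
    for name, pair in REQUIRED_EXTENSIONS.items():
        result[name] = pair in installed
    return result

def ext(name, publisher, ext_type):
    """Build a minimal VM extension resource for the constructed sample."""
    return {"type": "Microsoft.Compute/virtualMachines/extensions", "name": name,
            "properties": {"publisher": publisher, "type": ext_type}}

# Constructed sample: private NIC, Bastion, every extension except disk encryption.
SAMPLE_TEMPLATE = {"resources": [
    {"type": "Microsoft.Network/networkInterfaces", "name": "dev-nic", "properties": {
        "ipConfigurations": [{"name": "ipconfig1", "properties": {
            "subnet": {"id": "[variables('subnetId')]"}}}]}},
    {"type": "Microsoft.Network/bastionHosts", "name": "dev-bastion", "properties": {}},
    ext("dev-vm/antimalware", "Microsoft.Azure.Security", "IaaSAntimalware"),
    ext("dev-vm/aadlogin", "Microsoft.Azure.ActiveDirectory", "AADLoginForWindows"),
    ext("dev-vm/mma", "Microsoft.EnterpriseCloud.Monitoring", "MicrosoftMonitoringAgent"),
    ext("dev-vm/vscode", "Microsoft.Compute", "CustomScriptExtension"),
]}
```

Running `check_template(SAMPLE_TEMPLATE)` flags only `disk_encryption` as failing, which is exactly the gap a reviewer should catch before the data disk holds any source code.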

You are probably asking about an image with a security hardening configuration. This article does not cover the image; there will be another article covering Image Builder.

To deploy a Windows virtual machine with the above criteria, use the template from here https://github.com/azsec/scaf-azure-arm-templates/tree/master/VirtualMachine/healthy-windows-vm

You are very welcome to give feedback on what a healthy Windows virtual machine looks like (from the cloud-level perspective, leaving aside the pre-built image).
