
Azure Zero Trust Imaging

This Azure imaging solution creates images using a zero trust process and resources. While other options exist in Azure, they are either manual processes or do not adhere to zero trust. For instance, Azure Image Builder (AIB) is a great imaging service, but it deploys a storage account that cannot be configured with a private endpoint.

graph TD;
    A[Download Software Prerequisites] --> B(Upload Scripts and Installers to Storage Account) --> C(Review Azure Resource Requirements) --> D(Clone Repo) --> E(Create TemplateSpec) --> F(Ready for Zero Trust Imaging)

Prerequisites

Azure Resource Provider Feature for Encryption At Host

To adhere to zero trust principles, the virtual machine disks deployed in this solution must be encrypted. The encryption at host feature enables disk encryption on virtual machine temp and cache disks. To use this feature, a resource provider feature must be enabled on your Azure subscription. Use the following PowerShell command to enable the feature:

Register-AzProviderFeature -FeatureName "EncryptionAtHost" -ProviderNamespace "Microsoft.Compute"

Permissions

Ensure the principal deploying the solution has the "Owner" and "Key Vault Administrator" roles assigned on the target Azure subscription. This solution deploys role assignments at various scopes and a key vault with a key and secrets to enhance security. A custom role may be used to reduce the scope of permissions required if your organization wants to use something other than the built-in roles.

If granular permissions are required, the following built-in roles may be assigned to the account running the imaging solution:

Example: (image of the built-in role assignments)

Creating a custom role

Software

Ensure the following software is installed on your client workstation:

Artifacts

Upload the following scripts and files to your storage account container:

You can download ArcGIS Pro from My Esri or your ArcGIS Online organization. Once the application is downloaded, if your Windows OS image requires ArcGIS Pro, you will need to create a ZIP file that contains all of the installation bits, including the Windows Runtime.

Example: (image)

Software: Microsoft .NET
Minimum requirement: Microsoft .NET Desktop Runtime 6.0.5 or a later patch release (6.0.6 and so on), using a Windows x64 installer, is required. The presence of Microsoft .NET Desktop Runtime 7 or later is inconsequential.

Example Custom Installers

(image of example custom installers)

Existing Azure Resources

The following resources must exist in your Azure environment before deployment:

  • Virtual Network
  • Storage Account
    • Private Endpoint
    • Private DNS Zone
    • Blob container with executables, scripts, etc. that are required for the imaging deployment

Disk Encryption Set Requirements

You must enable the feature for your subscription before you use the EncryptionAtHost property for your VM/VMSS. Use the following steps to enable the feature for your subscription.

Execute the following commands to register the feature for your subscription and then check its registration state:

Register-AzProviderFeature -FeatureName "EncryptionAtHost" -ProviderNamespace "Microsoft.Compute"

Get-AzProviderFeature -FeatureName "EncryptionAtHost" -ProviderNamespace "Microsoft.Compute"
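The registration above is asynchronous, so the deployment should not start until the feature reports Registered, and the VM size passed as -VmSize must actually support encryption at host in the chosen -Location. The script below is an added example, not part of the repository; the $location and $vmSize values are assumptions.

```powershell
# Added example (not part of the repo): register EncryptionAtHost, wait until the
# feature is actually 'Registered', then confirm the intended VM size supports
# encryption at host in the target region. $location/$vmSize are assumed values.
$location = 'usgovvirginia'
$vmSize   = 'Standard_D4s_v5'

Register-AzProviderFeature -FeatureName 'EncryptionAtHost' -ProviderNamespace 'Microsoft.Compute' | Out-Null

# Poll until the feature leaves the 'Registering' state; give up after 15 minutes.
$deadline = (Get-Date).AddMinutes(15)
do {
    $feature = Get-AzProviderFeature -FeatureName 'EncryptionAtHost' -ProviderNamespace 'Microsoft.Compute'
    if ($feature.RegistrationState -eq 'Registered') { break }
    Write-Host "EncryptionAtHost is $($feature.RegistrationState); waiting..."
    Start-Sleep -Seconds 30
} while ((Get-Date) -lt $deadline)

if ($feature.RegistrationState -ne 'Registered') {
    throw "EncryptionAtHost did not reach 'Registered' in time (state: $($feature.RegistrationState))."
}

# Propagate the newly registered feature to the Microsoft.Compute resource provider.
Register-AzResourceProvider -ProviderNamespace 'Microsoft.Compute' | Out-Null

# Encryption at host is only offered on VM sizes that advertise the
# 'EncryptionAtHostSupported' capability in the chosen region.
$sku = Get-AzComputeResourceSku -Location $location |
    Where-Object { $_.ResourceType -eq 'virtualMachines' -and $_.Name -eq $vmSize }
$supported = $sku.Capabilities |
    Where-Object { $_.Name -eq 'EncryptionAtHostSupported' -and $_.Value -eq 'True' }

if (-not $supported) {
    throw "$vmSize in $location does not support encryption at host; choose another -VmSize."
}
Write-Host "$vmSize in $location supports encryption at host."
```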

Deploy from the Azure Portal

  1. Deploy Zero Trust Imaging into AzureCloud or AzureUsGovernment from the Azure Portal:

    Azure Commercial: Deploy to Azure
    Azure Government: Deploy to Azure Gov

Creating a Template Spec for Air-Gapped Clouds

Example

New-AzTemplateSpec `
    -Name 'ZeroTrustImaging' `
    -ResourceGroupName rg-image-usgovvirginia-01 `
    -Version '1.0' `
    -Location usgovvirginia `
    -DisplayName "Zero Trust Image Template" `
    -TemplateFile '.\solution.json' `
    -UIFormDefinitionFile '.\uiDefinition.json'  `
    -Force

Parameters

-AdminUsername

Specifies the local administrator user name of the virtual machine that will be captured.

Type: String

-ContainerName

Specifies the container name where files and scripts will be uploaded.

Type: String

-GalleryName

Specifies the existing Azure Image Gallery where the image will be created.

Type: String

-ImageName

Specifies the name of the image that will be created.

Type: String

-ImageOffer

Specifies the name of the image offer of the image that will be created.

Type: String

-ImagePublisher

Specifies the name of the image publisher of the image that will be created.

Type: String

-ImageSku

Specifies the name of the image SKU of the image that will be created.

Type: String

-ImageVersion

Specifies the name of the image version of the image that will be created.

Type: String

-InstallAccess

Specifies if Access will be installed on the image created.

Type: Boolean

-InstallExcel

Specifies if Excel will be installed on the image created.

Type: Boolean

-InstallFsLogix

Specifies if FsLogix will be installed on the image created.

Type: Boolean

-InstallOneDrive

Specifies if OneDrive For Business will be installed on the image created.

Type: Boolean

-InstallOneNote

Specifies if OneNote will be installed on the image created.

Type: Boolean

-InstallPowerPoint

Specifies if PowerPoint will be installed on the image created.

Type: Boolean

-InstallPublisher

Specifies if Publisher will be installed on the image created.

Type: Boolean

-InstallTeams

Specifies if Teams will be installed on the image created.

Type: Boolean

-InstallVirtualDesktopOptimizationTool

Specifies if Virtual Desktop Optimization Tool (VDOT) will be installed on the image created.

Type: Boolean

-InstallVisio

Specifies if Visio will be installed on the image created.

Type: Boolean

-InstallWord

Specifies if Word will be installed on the image created.

Type: Boolean

-Location

Specifies a location for the resources of the solution to be deployed.

Type: String

-MiName

Specifies the name of an existing managed identity to be used during deployment of the solution.

Type: String

-OSVersion

Specifies the OS Version of the image to be captured.

Type: String

-ResourceGroupName

Specifies the name of the resource group to create resources.

Type: String

-SecurityType

Specifies the security type of the image to be captured.

Type: String

-StorageAccountName

Specifies the name of the storage account where assets will be downloaded from and used during the image process.

Type: String

-StorageEndpoint

Specifies the storage endpoint of the target storage account.

Type: String

-SubnetName

Specifies the subnet of the virtual network to be used during the image process.

Type: String

-TenantType

Specifies the tenant type used in the target environment.

Type: String
AllowedValues: 'Commercial', 'DepartmentOfDefense', 'GovernmentCommunityCloud', 'GovernmentCommunityCloudHigh'

-UserAssignedIdentityObjectId

Specifies the object ID of the managed identity used during deployment.

Type: String

-VirtualNetworkName

Specifies the name of the virtual network used during the image process.

Type: String

-VmName

Specifies the name of the virtual machine to be captured.

Type: String

-VmSize

Specifies the size of the virtual machine to be captured.

Type: String
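The parameters above can be passed as a hashtable when deploying the template spec created in the air-gapped cloud section. The script below is an added example, not part of the repository: every value is an assumed placeholder, and it assumes the template is subscription-scoped (it takes ResourceGroupName and Location as parameters); if the spec is resource-group scoped, use Test-AzResourceGroupDeployment and New-AzResourceGroupDeployment instead.

```powershell
# Added example (not part of the repo): deploy the 'ZeroTrustImaging' template spec
# with the documented parameters. All values are assumed placeholders.
$specId = (Get-AzTemplateSpec -ResourceGroupName 'rg-image-usgovvirginia-01' `
    -Name 'ZeroTrustImaging' -Version '1.0').Versions.Id

$params = @{
    AdminUsername                = 'imgadmin'
    ContainerName                = 'artifacts'
    GalleryName                  = 'gal_images_usgovvirginia_01'
    ImageName                    = 'win11-avd-m365'
    ImageOffer                   = 'office-365'               # marketplace base image (assumed)
    ImagePublisher               = 'microsoftwindowsdesktop'
    ImageSku                     = 'win11-22h2-avd-m365'
    ImageVersion                 = 'latest'
    InstallAccess                = $false
    InstallExcel                 = $true
    InstallFsLogix               = $true
    InstallOneDrive              = $true
    InstallOneNote               = $true
    InstallPowerPoint            = $true
    InstallPublisher             = $false
    InstallTeams                 = $true
    InstallVirtualDesktopOptimizationTool = $true
    InstallVisio                 = $false
    InstallWord                  = $true
    Location                     = 'usgovvirginia'
    MiName                       = 'id-image-usgovvirginia-01'
    OSVersion                    = 'win11-22h2'               # format assumed; match the template's values
    ResourceGroupName            = 'rg-image-usgovvirginia-01'
    SecurityType                 = 'TrustedLaunch'            # assumed value
    StorageAccountName           = 'stimageusgovva01'
    StorageEndpoint              = 'blob.core.usgovcloudapi.net'
    SubnetName                   = 'snet-image'
    TenantType                   = 'GovernmentCommunityCloudHigh'
    UserAssignedIdentityObjectId = '00000000-0000-0000-0000-000000000000'  # placeholder object ID
    VirtualNetworkName           = 'vnet-image-usgovvirginia-01'
    VmName                       = 'vm-image'
    VmSize                       = 'Standard_D4s_v5'
}

# Validate first; Test-AzDeployment returns nothing when the template and parameters are valid.
$issues = Test-AzDeployment -Location $params.Location -TemplateSpecId $specId -TemplateParameterObject $params
if ($issues) { $issues | Format-List; throw 'Template validation failed.' }

New-AzDeployment -Name 'ZeroTrustImaging' -Location $params.Location `
    -TemplateSpecId $specId -TemplateParameterObject $params
```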

Adding Applications

  • Add additional applications by adding additional blocks of installers in the module image.bicep
  • Any blob referenced will have to be uploaded to the storage account and container that are defined in the parameter set
  • Using the enabled argument allows the installer list to be modular and flexible during image creation

var installers = [
    {
        name: 'myapp1'
        blobName: 'software1.exe'
        arguments: '/S'
        enabled: true
    }
    {
        name: 'myapp2'
        blobName: 'software2.exe'
        arguments: '/S'
        enabled: false
    }
]
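Because a missing blob only surfaces once the Run Command fails on the VM, it is worth checking the container before deploying. The script below is an added pre-flight check, not part of the repository; the storage account name, container name and installer list are assumptions, and the list mirrors the Bicep sample above and must be kept in sync with it.

```powershell
# Added example (not part of the repo): confirm every installer enabled in
# image.bicep has a matching blob in the container before deployment starts.
# Storage account, container and installer list are assumed values.
$storageAccountName = 'stimageusgovva01'
$containerName      = 'artifacts'

# Mirror of the Bicep 'installers' array (constructed sample).
$installers = @(
    @{ name = 'myapp1'; blobName = 'software1.exe'; enabled = $true  }
    @{ name = 'myapp2'; blobName = 'software2.exe'; enabled = $false }
)

# Entra ID authentication (-UseConnectedAccount) instead of the account key: the
# caller needs Storage Blob Data Reader on the account, and the request reaches the
# private endpoint when the workstation resolves the private DNS zone.
$ctx      = New-AzStorageContext -StorageAccountName $storageAccountName -UseConnectedAccount
$existing = (Get-AzStorageBlob -Container $containerName -Context $ctx).Name

# Only enabled entries matter; disabled installers are never fetched by the image build.
$missing = $installers |
    Where-Object { $_.enabled -and ($_.blobName -notin $existing) } |
    ForEach-Object { "$($_.name) -> $($_.blobName)" }

if ($missing) {
    $list = $missing -join "`n"
    throw "Enabled installers with no blob in '$containerName':`n$list"
}
Write-Host "All enabled installer blobs are present in '$containerName'."
```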

View Run Command Status

The applications are installed using the Run Command extension on the Azure virtual machine. To view and troubleshoot the status of a Run Command, use the example below:

PS C:\git\ztaimage> $x = Get-AzVMRunCommand -ResourceGroupName rg-image -VMName vm-image -RunCommandName office -Expand InstanceView
PS C:\git\ztaimage> $x.InstanceView


ExecutionState   : Running
ExecutionMessage :
ExitCode         : 0
Output           :
Error            :
StartTime        : 8/2/2023 2:14:27 PM
EndTime          :
Statuses         :
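The instance view above shows a command still in the Running state. The function below is an added example, not part of the repository: it polls the same instance view until the command finishes and then surfaces the exit code, stdout and stderr, so a failed silent installer is visible without logging on to the VM. The resource names are the ones used in the example above and are assumptions.

```powershell
# Added example (not part of the repo): wait for a Run Command to finish and
# return its final state, exit code and captured output. Resource names are assumed.
function Wait-ImageRunCommand {
    param(
        [string]$ResourceGroupName,
        [string]$VMName,
        [string]$RunCommandName,
        [int]$TimeoutMinutes = 60
    )
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $rc = Get-AzVMRunCommand -ResourceGroupName $ResourceGroupName -VMName $VMName `
            -RunCommandName $RunCommandName -Expand InstanceView
        $state = $rc.InstanceView.ExecutionState
        if ($state -notin 'Pending', 'Running') { break }
        Write-Host "$RunCommandName is $state; waiting..."
        Start-Sleep -Seconds 30
    } while ((Get-Date) -lt $deadline)

    # Note: the instance view only keeps the tail of stdout/stderr (about 4 KB);
    # long installer logs should also be written to a file on the VM.
    $iv = $rc.InstanceView
    [pscustomobject]@{
        Name     = $RunCommandName
        State    = $iv.ExecutionState
        ExitCode = $iv.ExitCode
        Started  = $iv.StartTime
        Ended    = $iv.EndTime
        Output   = $iv.Output
        Error    = $iv.Error
    }
}

$result = Wait-ImageRunCommand -ResourceGroupName 'rg-image' -VMName 'vm-image' -RunCommandName 'office'
$result | Format-List

# 'Succeeded' with ExitCode 0 is the only healthy outcome; Failed, TimedOut, Canceled
# or a non-zero exit code from a silent installer means the image should not be captured.
if ($result.State -ne 'Succeeded' -or $result.ExitCode -ne 0) {
    throw "Run Command '$($result.Name)' ended $($result.State) with exit code $($result.ExitCode)."
}
```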