Azure Just in time VM Access (JIT) locks down inbound traffic to your Azure Virtual Machines and reduces their exposure to attacks. Instead of leaving management ports permanently reachable, Azure opens a port only when access is requested and closes it again when the approved time window expires, so the time a port stays open is kept to a minimum. This matters because Microsoft publishes its public IP ranges, so attackers routinely scan those ranges for exposed management ports such as RDP and SSH.
How Does It Work?
When a user requests access, Security Center checks the user's Azure RBAC permissions and decides whether to grant it. If the request is approved, inbound traffic is opened on the requested ports, from the requested source addresses, for the requested amount of time. When just in time is enabled, Security Center uses Network Security Group (NSG) rules to deny inbound traffic to the management ports by default, so they cannot be reached by attackers until access has been explicitly granted. A network security group (NSG) contains a list of security rules that allow or deny network traffic to resources connected to Azure Virtual Networks.
Security Center just in time VM access currently supports only VMs deployed through Azure Resource Manager; classic VMs are not supported.
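Because JIT works purely through NSG rules, the check a practitioner wants before trusting it is to look at the effective inbound rules on the VM's NICs and confirm that the management ports really are denied until a request is approved. The script below is an added example, not code from the original post; it uses the Az cmdlets Get-AzVM and Get-AzEffectiveNetworkSecurityGroup (the successors of the AzureRM cmdlets of the time), requires the VM to be running, and the resource group and VM names are placeholders.

```powershell
# Added example (not from the original post): report whether each management port of a VM is
# currently reachable, by evaluating the effective inbound NSG rules on every NIC.
# Assumptions: Az.Compute and Az.Network are installed, Connect-AzAccount has been run,
# and "MyResourceGroup" / "Win16Containers" are placeholder names.

function Test-PortInRange {
    # Effective NSG rules express destination ports as "3389", "3389-3389" or "0-65535".
    param([int]$Port, [string]$Range)
    if ($Range -eq "*") { return $true }
    $parts = $Range -split "-"
    $low = [int]$parts[0]
    $high = if ($parts.Count -gt 1) { [int]$parts[1] } else { $low }
    return ($Port -ge $low -and $Port -le $high)
}

function Get-ManagementPortExposure {
    # For every NIC of the VM, evaluate the effective inbound rules (NIC NSG and subnet NSG)
    # against each management port and report whether the port is reachable right now.
    param(
        [Parameter(Mandatory)][string]$ResourceGroupName,
        [Parameter(Mandatory)][string]$VMName,
        [int[]]$ManagementPorts = @(22, 3389, 5985, 5986)
    )
    $vm = Get-AzVM -ResourceGroupName $ResourceGroupName -Name $VMName
    foreach ($nicRef in $vm.NetworkProfile.NetworkInterfaces) {
        $idParts = $nicRef.Id -split "/"
        $nicName = $idParts[-1]
        $nicRg   = $idParts[4]
        # Requires the VM to be running; returns one entry per NSG applied to the NIC.
        $effectiveNsgs = @(Get-AzEffectiveNetworkSecurityGroup -NetworkInterfaceName $nicName -ResourceGroupName $nicRg)
        foreach ($port in $ManagementPorts) {
            $verdicts = @()
            $matched  = @()
            foreach ($nsg in $effectiveNsgs) {
                # Within one NSG, the matching rule with the lowest priority number decides.
                $rule = $nsg.EffectiveSecurityRules |
                    Where-Object { $_.Direction -eq "Inbound" -and $_.Protocol -ne "Udp" } |
                    Where-Object { @($_.DestinationPortRange | Where-Object { Test-PortInRange -Port $port -Range $_ }).Count -gt 0 } |
                    Sort-Object Priority | Select-Object -First 1
                if ($rule) { $verdicts += $rule.Access; $matched += $rule.Name }
            }
            # Traffic must be allowed by every NSG in the path; a single Deny closes the port.
            # No NSG at all means nothing filters the port, which is worse than a Deny.
            $open = ($effectiveNsgs.Count -eq 0) -or ($verdicts -notcontains "Deny")
            [pscustomobject]@{
                VM    = $VMName
                NIC   = $nicName
                Port  = $port
                Open  = $open
                Rules = ($matched -join "; ")
            }
        }
    }
}

# Usage (placeholder names): every management port should show Open = False until a JIT
# request has been approved, and return to False once the request window expires.
Get-ManagementPortExposure -ResourceGroupName "MyResourceGroup" -VMName "Win16Containers" | Format-Table -AutoSize
```

Run it once before enabling JIT (expect the ports you currently use to show Open = True), once after enabling it, and once more while an approved request is active; only the third run should show an open port, and only for the port you requested.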
More information about Azure RBAC: https://docs.microsoft.com/en-us/azure/active-directory/role-based-access-built-in-roles
Enabling Just in time VM Access
In the Azure Portal, select the Security Center icon.
In the central pane you will find an option to Enable Just in time VM Access.
If you have not previously enabled Security Center, you will need to select a pricing tier. You must select the Standard tier, because the Free tier does not include JIT VM Access:
- Free tier: enabled by default on your subscription; provides key security recommendations to help protect your infrastructure.
- Standard tier: extends the capabilities of Azure Security Center with additional features such as VM threat detection, JIT VM access and network threat detection.
Once upgraded, the Just In Time VM Access section shows all the virtual machines protected by JIT VM Access. As you have just enabled it, no virtual machine is protected yet.
To protect a virtual machine, open the JIT blade to get the list of VMs that are not yet protected, select the virtual machine and click “Enable JIT”.
Now configure the ports to which JIT VM Access will apply. A list of well-known management ports (SSH, RDP, ...) is predefined, and you can add other ports by clicking “Add”.
For each port you define for how long access can be granted (the default is 3 hours), from which source IP addresses, and for which protocol. Keep the window as short as your workflow allows and restrict the source addresses to your administration network rather than accepting any source.
Once activated, the JIT VM Access blade is refreshed and lists the protected VMs. From now on you cannot manage the VM without requesting access: an RDP connection attempt fails with an error, because the NSG now denies the port.
To request access, go to the Azure Portal and open “Security Center”. In my case I want to open port 3389, so I just set it to “On”.
Note that you can request access only for up to the maximum amount of time defined in the policy. Azure Security Center then automatically grants the request, provided your account has the required RBAC permissions on the VM.
JIT VM Access with PowerShell
Thanks to PowerShell, you can easily manage Just In Time VM Access (preview) with the Azure-Security-Center module. You need the AzureRM module and the new Azure-Security-Center PowerShell module installed on your machine. First, log in with your Azure account (Login-AzureRmAccount):
Then install the Azure-Security-Center module:
Access is requested with the Invoke-ASCJITAccess cmdlet. For example, to open port 3389 on the “Win16Containers” VM for only 1 hour, I run the following command:
If you need help with this cmdlet, use Get-Help:
To configure a just in time policy on a specific VM, use the Set-ASCJITAccessPolicy cmdlet in your PowerShell session.
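The same two operations (define the policy for a VM, then request access within that policy) written out end to end, as an added example that is not part of the original post. It uses the Az.Security cmdlets Set-AzJitNetworkAccessPolicy, Start-AzJitNetworkAccessPolicy and Get-AzJitNetworkAccessPolicy, which replaced the preview Azure-Security-Center module's Set-ASCJITAccessPolicy and Invoke-ASCJITAccess; the subscription id, resource group, location, VM name and source addresses are placeholders.

```powershell
# Added example (not from the original post): JIT policy and access request with Az.Security.
# Assumptions: Az.Accounts and Az.Security are installed, Connect-AzAccount has been run,
# and every identifier below is a placeholder (203.0.113.0/24 is a documentation range).
$subscriptionId = "00000000-0000-0000-0000-000000000000"
$resourceGroup  = "MyResourceGroup"
$location       = "westeurope"
$vmName         = "Win16Containers"
$adminNetwork   = "203.0.113.0/24"   # where admins may ever come from
$mySourceIp     = "203.0.113.10"     # this workstation's public IP

$vmId = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup/providers/Microsoft.Compute/virtualMachines/$vmName"

# 1. Policy: which ports JIT may open, from where, and for how long at most.
#    PT1H instead of the 3-hour default, and a CIDR instead of "*", so an approved request
#    can never open the port to the whole Internet.
$ports = @(
    @{ number = 3389; protocol = "TCP"; allowedSourceAddressPrefix = @($adminNetwork); maxRequestAccessDuration = "PT1H" },
    @{ number = 22;   protocol = "TCP"; allowedSourceAddressPrefix = @($adminNetwork); maxRequestAccessDuration = "PT1H" }
)
$policyVm = @{ id = $vmId; ports = $ports }
Set-AzJitNetworkAccessPolicy -Kind "Basic" -Location $location -Name "default" `
    -ResourceGroupName $resourceGroup -VirtualMachine @($policyVm)

# 2. Request: open 3389 for one hour, from this workstation only. endTimeUtc must stay
#    within maxRequestAccessDuration and the source must fall inside the policy's prefix,
#    otherwise the request is rejected.
$endTime   = (Get-Date).ToUniversalTime().AddHours(1).ToString("o")
$requestVm = @{
    id    = $vmId
    ports = @(@{ number = 3389; endTimeUtc = $endTime; allowedSourceAddressPrefix = @($mySourceIp) })
}
$policyId = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup/providers/Microsoft.Security/locations/$location/jitNetworkAccessPolicies/default"
Start-AzJitNetworkAccessPolicy -ResourceId $policyId -VirtualMachine @($requestVm)

# 3. Check: the policy now records the request; the temporary NSG allow rule is removed
#    automatically when endTimeUtc passes.
Get-AzJitNetworkAccessPolicy -ResourceGroupName $resourceGroup -Location $location -Name "default" |
    Select-Object -ExpandProperty Requests
```

The policy step is the one worth getting right: the request can only ever be as broad as the policy allows, so a narrow allowedSourceAddressPrefix and a short maxRequestAccessDuration in the policy bound every future request, whoever makes it.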
Conclusion
Azure Just In Time VM Access (preview) is a great and helpful feature: management ports on your Azure servers stay closed by default and are opened only for approved requests, for a limited time and from the source addresses you allow. Thanks to Azure JIT (preview), access to your servers will be more secure.
See the following article about pricing : https://docs.microsoft.com/en-us/azure/security-center/security-center-pricing
If you need more information, please read the announcement: https://azure.microsoft.com/fr-fr/blog/announcing-the-just-in-time-vm-access-public-preview/