Just-in-Time (JIT) VM access is one of the features of Azure Security Center. Azure Security Center, by Microsoft, is a solution that gives unified security management across hybrid cloud workloads. It offers threat protection for workloads running in Azure, in other clouds and on-premises. Azure Security Center is designed to address the security issues that arise when your organization starts a cloud migration journey: a cloud customer takes on more responsibility with Infrastructure-as-a-Service (IaaS) than with Platform-as-a-Service (PaaS) or Software-as-a-Service (SaaS), where the cloud provider takes care of most of the work of securing the network and the services.

Let's get more in-depth into Azure Security Center (ASC).

What is Azure Security Center?
When you move to an IaaS solution in the cloud, securing your environment means securing your network and the underlying services yourself, whereas in PaaS and SaaS the cloud provider secures those layers for you. Azure Security Center offers a unified, dedicated portal for securing and managing your workloads, to cope with the challenges of protecting hybrid and cloud workloads.
With Azure Security Center, you can control the security of an ever-growing and fast-changing set of cloud services that are under constant threat from increasingly sophisticated malware. Keeping your systems safe is a joint effort between your cloud provider, Microsoft Azure, and you, the customer: you have to make sure your workloads are secure as you move to the cloud, and in IaaS there is more customer responsibility than in PaaS or SaaS. Azure Security Center provides the tools you need to harden your network, secure your services and stay on top of your security posture.

Managing IT systems both on-premises and in the cloud can be very challenging, and attackers are constantly refining their techniques. That is one of the reasons Microsoft has put important security features into Azure Security Center to help prevent tampering and unauthorized access to your workloads across hybrid and native cloud environments. This brings us to what Just-In-Time (JIT) access in Azure Security Center is all about.

JIT VM Access interface (screenshot)

What is Just-In-Time Access?
Just-in-time VM access lets you lock down your VMs at the network level by blocking inbound traffic to specific management ports (typically RDP on 3389 and SSH on 22). It lets you control access and reduce the attack surface of your VMs by allowing access only when there is a specific, time-limited need. It is a way to enforce the principle of least privilege, so that users and non-human identities are given the minimum level of access they need. JIT access also helps ensure that privileged activities are conducted in line with an organization's Identity and Access Management (IAM) policies and workflows; any JIT access strategy should let the organization keep a full audit trail of privileged activity, and every JIT request is recorded in the subscription's Activity log.
How does it work?
When a user requests access, Security Center checks the requester's Azure RBAC permissions on the VM (the caller needs the Microsoft.Security/locations/jitNetworkAccessPolicies/initiate/action permission) to decide whether to grant it. If the request is approved, Security Center automatically configures the network security groups (NSGs), and Azure Firewall where one sits in front of the VM, to allow inbound traffic to the requested ports from the requested source addresses for the requested amount of time, after which it restores the NSGs to their previous state. Outside that window the deny rule stays in place, so a management port is never left open longer than was asked for.

Ways of enabling JIT on your Azure Virtual Machine (VM)
When enabling JIT you can also cover ports other than the defaults (22, 3389, 5985 and 5986) by clicking Add and entering the port number you need, as shown in the screenshot below.

Adding a custom port (screenshot)
Enable JIT on your VMs using PowerShell
JIT VM access can also be enabled from PowerShell with the Azure Security Center cmdlet Set-AzJitNetworkAccessPolicy (Az.Security module). To have first-hand knowledge of what a PowerShell cmdlet is about, see my previous post on Provisioning Azure Resources using Azure Az PowerShell Cmdlet from Cloud Shell.

Example – Enable just-in-time VM access on a specific VM with a set of rules (port, protocol, allowed source addresses and maximum request duration):
The following PowerShell commands create this JIT configuration:
1. Assign a variable that holds the just-in-time VM access rules for the VM.
2. Insert the VM just-in-time VM access rules into an array.
3. Configure the just-in-time VM access rules on the selected VM with Set-AzJitNetworkAccessPolicy.
Note that the -Name parameter names the JIT policy (usually "default"), not the VM; each VM is identified by its resource ID inside the rule objects passed to -VirtualMachine. To establish the JIT configuration for two different VMs, let's say VMDEMO1 and VMDEMO2, put one rule object per VM into that array.
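The three steps above, carried through end to end as an added example (these are not the commands from the original post). The subscription ID, resource group RG-DEMO, region westeurope, the VM names VMDEMO1/VMDEMO2 and the 10.0.0.0/8 source range are placeholders; the Az.Security module must be installed and you must be signed in with rights on the resource group.

```powershell
# Added example, not the post's original commands. All values below are placeholders.
$subscriptionId = "00000000-0000-0000-0000-000000000000"   # placeholder subscription
$resourceGroup  = "RG-DEMO"                                 # placeholder resource group
$location       = "westeurope"                              # placeholder region
$vmNames        = @("VMDEMO1", "VMDEMO2")                   # VMs to protect

# Step 1: the rules a requester may ask for. Restrict allowedSourceAddressPrefix to the
# ranges your operators actually connect from; "*" would let any requester open the
# port to the whole internet. PT3H caps any single request at three hours.
$ports = @(
    @{ number = 3389; protocol = "TCP"; allowedSourceAddressPrefix = @("10.0.0.0/8"); maxRequestAccessDuration = "PT3H" },
    @{ number = 22;   protocol = "TCP"; allowedSourceAddressPrefix = @("10.0.0.0/8"); maxRequestAccessDuration = "PT3H" }
)

# Step 2: one rule object per VM, keyed by the VM's full resource ID, collected in an array.
$jitRules = foreach ($vm in $vmNames) {
    @{
        id    = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup/providers/Microsoft.Compute/virtualMachines/$vm"
        ports = $ports
    }
}

# Step 3: write the policy. -Name is the policy name (one per resource group and
# location), not a VM name; the VMs are inside -VirtualMachine.
Set-AzJitNetworkAccessPolicy -Kind "Basic" -Location $location -Name "default" `
    -ResourceGroupName $resourceGroup -VirtualMachine @($jitRules)

# Verify: list the VMs and ports the policy now covers.
$policy = Get-AzJitNetworkAccessPolicy -ResourceGroupName $resourceGroup -Location $location -Name "default"
foreach ($vm in $policy.VirtualMachines) {
    "{0}: ports {1}" -f ($vm.Id -split '/')[-1], (($vm.Ports | ForEach-Object Number) -join ', ')
}
```

Writing the policy does not open anything by itself: after this runs, the NSGs still deny 22 and 3389, and the ports only open when someone with the initiate permission requests them, from a source inside 10.0.0.0/8, for at most three hours.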
Establishing a connection to a JIT-enabled VM
When JIT access is enabled on a VM, you have to request access before you can connect to it. You can request access in any of the supported ways (the Azure portal, PowerShell or the REST API), regardless of how you enabled JIT. In the portal, click Connect on the VM, select the RDP connection type if it is a Windows VM, and request access as shown below:

Establishing a connection to your JIT-enabled VM (screenshot)

The JIT request is approved within a few minutes, the port is opened for your source IP for the requested duration, and the screen appears as the one below.

JIT access approved for RDP port 3389 (screenshot)

Where does Just-in-Time (JIT) fit in?
When thinking about the security challenges posed by malware and vulnerabilities, I know from my professional experience that it is quite a herculean task, hence the need for a feature such as JIT access, which helps in:
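The same request made from PowerShell instead of the portal, as an added example (not the post's own commands), followed by the two checks a practitioner wants after a request: what the policy recorded and whether the temporary allow rule actually landed on the NSG. The subscription ID, resource group RG-DEMO, region westeurope, VM VMDEMO1 and the requester address 203.0.113.10 are placeholders; the "SecurityCenter-JITRule" rule-name prefix is an assumption to verify against your own NSG.

```powershell
# Added example, not the post's original commands. All values below are placeholders.
$subscriptionId = "00000000-0000-0000-0000-000000000000"
$resourceGroup  = "RG-DEMO"
$location       = "westeurope"
$vmName         = "VMDEMO1"
$myPublicIp     = "203.0.113.10"   # documentation address; use your real egress IP

$vmId     = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup/providers/Microsoft.Compute/virtualMachines/$vmName"
$policyId = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup/providers/Microsoft.Security/locations/$location/jitNetworkAccessPolicies/default"

# Ask for RDP (3389) from this single /32 for one hour. endTimeUtc must fall within the
# policy's maxRequestAccessDuration and the source must be inside its allowed prefix,
# otherwise the request is rejected.
$endTime = (Get-Date).ToUniversalTime().AddHours(1).ToString("o")
$request = @(
    @{
        id    = $vmId
        ports = @(
            @{ number = 3389; endTimeUtc = $endTime; allowedSourceAddressPrefix = @("$myPublicIp/32") }
        )
    }
)
Start-AzJitNetworkAccessPolicy -ResourceId $policyId -VirtualMachine $request

# Check 1: the policy keeps the request history (who asked, when). Property names are
# those of the Az.Security policy object; confirm with Get-Member on your module version.
$policy = Get-AzJitNetworkAccessPolicy -ResourceGroupName $resourceGroup -Location $location -Name "default"
$policy.Requests | Select-Object -Last 1 | ForEach-Object {
    "Last request by {0} at {1}" -f $_.Requestor, $_.StartTimeUtc
}

# Check 2: confirm the temporary allow rule exists on the NIC-level NSG. (If your NSG is
# attached to the subnet instead, look it up by the subnet's NetworkSecurityGroup.Id.)
$nic = Get-AzNetworkInterface -ResourceGroupName $resourceGroup | Where-Object { $_.VirtualMachine.Id -eq $vmId }
$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName $resourceGroup | Where-Object { $_.Id -eq $nic.NetworkSecurityGroup.Id }
$nsg | Get-AzNetworkSecurityRuleConfig |
    Where-Object { $_.Name -like "SecurityCenter-JITRule*" } |   # assumed prefix, verify
    Select-Object Name, Priority, Access, DestinationPortRange, SourceAddressPrefix
```

Running the last check again after the hour has passed should return nothing for that rule name: JIT removes its rule and the original deny is back in force. If the rule is still there, that is worth investigating rather than assuming the window closed.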
I will focus on point 2: reducing the risk associated with users having privileged access. This requirement is increasingly being adopted as digital transformation drives technological change. We now need to worry about systems, networks, APIs and service accounts having too much privilege, as well as users. Privilege is a necessary evil: it is not bad in itself, but we have to apply controls around its usage. JIT access lets us control two things here: who is allowed to request access (decided through Azure RBAC), and which ports are opened, from which source addresses and for how long.
Wrap-Up: Threat actors actively scan for reachable virtual machines with open management ports such as RDP or SSH, so every VM with an exposed management port is a potential target. Once attackers have compromised a VM, they use it as the entry point to attack further resources within your environment. Hence why it is important that you utilize features like JIT access in Azure Security Center! If you haven't started with Azure yet, sign up today and enjoy the benefits of JIT access for your resources.

Note: Azure Security Center has since been renamed Microsoft Defender for Cloud, and its just-in-time (JIT) access feature for protecting Azure virtual machines (VMs) from unauthorized network access lives there under the same name.
What is just-in-time (JIT) VM access?
JIT access locks down the management ports of Azure virtual machines to defend against attacks on the VM: all inbound traffic to those ports is blocked at the network level, and a port is only opened, to a specific source, for a limited amount of time.
Should Azure Bastion and JIT VM access be used together?
Please note that Azure Bastion and just-in-time (JIT) VM access cannot be used together. In other words, if you enable Azure Bastion in a virtual network (VNet) where a VM already has JIT enabled, the Bastion host won't be able to connect to the target machine.