Configuring Just In Time VM Access for Azure Virtual Machines using Azure Security Center
Attackers are always on the lookout for virtual machines that are exposed to the outside world. They run brute force attacks against commonly used management ports to gain access to the virtual machines. Once they do, they can take control of the virtual machines and do whatever they like.
The best thing to do in this scenario is not to have management ports open on your virtual machines, or at least not to have them open all the time. You don't need a port open for 24 hours when the action it is used for takes 15 minutes. For virtual machines in Azure you can do this by having Network Security Groups (NSGs) with rules configured to block inbound attempts. But now, with Azure Security Center and Just in Time VM Access, you don't have to add or remove these rules manually. Let's look at how to do this.
Configuring Just In Time Access for the Virtual Machine
To use Just in Time VM Access in Azure Security Center, you need to be on the Standard pricing tier of Azure Security Center. In the Free tier, JIT VM Access is not available.
Navigate to your Security Center dashboard. The link to the Azure Security Center should be available in the left navigation bar of the Azure Portal. In the Security Center blade, on the left menu options, you should see the Just In Time VM Access link under the Advanced Cloud Defense section.
In the Just In Time VM Access blade, under the virtual machines section, you can see 3 tabs: the VMs that are Configured with JIT VM access, the VMs that are Recommended to have JIT VM access enabled, and the VMs that have No Recommendations. I have 3 VMs created on my Azure subscription and I will select the downloadVm and configure JIT VM access for it.
Click on the VM for which you want to enable JIT Access, and the button just above the VM list labelled Enable JIT on 1 VMs will become enabled. Click on it to enable JIT Access for the selected VM(s).
It will enable JIT Access and show recommendations for the most commonly used ports on Azure VMs. These may or may not already be open on your VM.
In the screenshot, you can see that ports 22 (SSH), 3389 (RDP), and 5985/5986 (WS-Management and PowerShell Remoting) are given as recommendations.
You can click the Add button to add a new port configuration to the JIT Access list. Here I have selected the configuration for port 3389 for RDP.
In the Add Port Configuration blade you can set the port you want to configure, then the protocol. You can also restrict requests to a particular IP address range by setting Allowed Source IPs to a CIDR block. The allowed sources can be a single IP address, a CIDR range notation, or a comma-separated list of IP addresses. Then you can set the Max Request Time, anywhere from a minimum of 1 hour to a maximum of 24 hours. Then click OK and save the JIT Access configuration.
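The same port configuration can be created without the portal. The following is an added example, not code from the original post, using the Az.Security PowerShell module's Set-AzJitNetworkAccessPolicy cmdlet; the subscription id, resource group, location and NSG name are placeholders, the 203.0.113.0/24 source range is a constructed sample (the RFC 5737 documentation range), and the port list mirrors the four ports recommended above with the max request durations as assumptions.

```powershell
# Added example (not from the original post): create the JIT policy for the VM
# with the Az.Security module instead of clicking through Security Center.
# Requires: Install-Module Az.Security; Connect-AzAccount
$subscriptionId = "<SUBSCRIPTION-ID>"   # placeholder
$resourceGroup  = "<RESOURCE-GROUP>"    # placeholder
$location       = "<LOCATION>"          # placeholder: the VM's region
$vmName         = "downloadVm"          # VM name used in the post

$vmId = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup" +
        "/providers/Microsoft.Compute/virtualMachines/$vmName"

# Constructed sample source range; restrict this to the network you administer from.
$adminRange = @("203.0.113.0/24")

# One entry per port. maxRequestAccessDuration is an ISO 8601 duration and is the
# "Max Request Time" from the portal: PT1H is the minimum, PT24H the maximum.
$jitPolicy = @{
    id    = $vmId
    ports = @(
        @{ number = 22;   protocol = "TCP"; allowedSourceAddressPrefix = $adminRange; maxRequestAccessDuration = "PT3H" },
        @{ number = 3389; protocol = "TCP"; allowedSourceAddressPrefix = $adminRange; maxRequestAccessDuration = "PT3H" },
        @{ number = 5985; protocol = "TCP"; allowedSourceAddressPrefix = $adminRange; maxRequestAccessDuration = "PT1H" },
        @{ number = 5986; protocol = "TCP"; allowedSourceAddressPrefix = $adminRange; maxRequestAccessDuration = "PT1H" }
    )
}

# Security Center keeps one "default" policy per location; this creates or updates it.
Set-AzJitNetworkAccessPolicy -Kind "Basic" -Location $location -Name "default" `
    -ResourceGroupName $resourceGroup -VirtualMachine @($jitPolicy)

# Read the policy back to confirm which VMs and ports are now covered.
Get-AzJitNetworkAccessPolicy -ResourceGroupName $resourceGroup -Location $location -Name "default"
```

After the cmdlet runs, the NSG attached to the VM gets the same Deny rules the portal walkthrough produces, so the rest of the post applies unchanged. Keeping the allowed source prefix narrow in the policy matters: it caps what any later access request can open, whoever submits it.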
Now Security Center will automatically add inbound rules to the NSG associated with the VM. Have a look at the image below; this was the NSG's inbound rules before setting up Just In Time VM Access.
You can see that I had the RDP port 3389 open. Now look at the image below; this is after Security Center added the JIT VM access rules.
Here you can see that the configuration we added for all 4 ports is added as Deny rules with a higher priority. So now these ports are blocked, and if I try to RDP into the VM, I am unable to do so.
Requesting Access to the Blocked Ports
Now if you want to use a blocked port, for example if you want to RDP into the VM, you need to request access. To do this, go to Azure Security Center and then to the Just In Time VM Access section. In the Configured VMs tab you can now see the VM I configured.
To request access for RDP, select the VM from the list and click the Request Access button. You will be taken to the blade where you can request access to any of the ports you have blocked.
Here you see all the blocked ports. Toggle on the port you want (in my case it's 3389), then set your current IP or an IP range that will access the VM, and set the access time in hours. The maximum time you can select is limited to the max time you configured during the JIT Access configuration.
Now, if you check the NSG's inbound rules, you can see that a new rule has been added allowing access to port 3389, with a higher priority than the Deny rule for the same port.
Now, if you try to log in to the VM using RDP, you will be able to log in and use the VM, and once the requested time period has expired the NSG Allow inbound rule added by JIT Access will automatically be removed and the port will be blocked again.
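The access request and the NSG check described in this section can also be done from PowerShell. This is an added example, not code from the original post: it uses Start-AzJitNetworkAccessPolicy from the Az.Security module to request port 3389 for two hours from a single source address, then lists the NSG's inbound rules for that port so the temporary Allow rule can be seen ordered above the JIT Deny rule. The subscription id, resource group, location and NSG name are placeholders, and 203.0.113.10 is a constructed sample address standing in for your own public IP.

```powershell
# Added example (not from the original post): request JIT access to RDP and then
# inspect the NSG to see the temporary Allow rule that Security Center inserts.
# Requires: Install-Module Az.Security, Az.Network; Connect-AzAccount
$subscriptionId = "<SUBSCRIPTION-ID>"   # placeholder
$resourceGroup  = "<RESOURCE-GROUP>"    # placeholder
$location       = "<LOCATION>"          # placeholder: the VM's region
$nsgName        = "<NSG-NAME>"          # placeholder: NSG attached to the VM's NIC/subnet
$vmName         = "downloadVm"          # VM name used in the post
$sourceIp       = "203.0.113.10"        # constructed sample; use the address you connect from

$vmId     = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup" +
            "/providers/Microsoft.Compute/virtualMachines/$vmName"
$policyId = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup" +
            "/providers/Microsoft.Security/locations/$location/jitNetworkAccessPolicies/default"

# The request window must not exceed the maxRequestAccessDuration set in the policy;
# Security Center rejects longer requests, just as the portal limits the hours slider.
$endTimeUtc = (Get-Date).ToUniversalTime().AddHours(2).ToString("o")

$request = @{
    id    = $vmId
    ports = @(
        @{ number = 3389; endTimeUtc = $endTimeUtc; allowedSourceAddressPrefix = @($sourceIp) }
    )
}

# Opens 3389 from $sourceIp until $endTimeUtc; the Allow rule is removed automatically after that.
Start-AzJitNetworkAccessPolicy -ResourceId $policyId -VirtualMachine @($request)

# Show every inbound rule touching 3389, lowest priority number (highest precedence) first.
# Expect the JIT Allow rule above the JIT Deny rule while the request is active.
Get-AzNetworkSecurityGroup -Name $nsgName -ResourceGroupName $resourceGroup |
    Get-AzNetworkSecurityRuleConfig |
    Where-Object { $_.Direction -eq "Inbound" -and $_.DestinationPortRange -contains "3389" } |
    Sort-Object Priority |
    Format-Table Name, Priority, Access, SourceAddressPrefix, DestinationPortRange
```

Running the last pipeline again after the two hours have passed should show only the Deny rule for 3389, which is the quickest way to confirm the automatic cleanup the post describes actually happened. Requesting access for a single source address rather than a range keeps the temporary hole as small as the policy allows.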