Azure Security Center (March Updates)

Azure security center

Just-In Time VM Access

This feature, found and configured within Azure Security Center, is part of the Standard pricing tier. In a nutshell, it lets you lock down an Azure VM with just-in-time (JIT) access. This is a simple but effective way to reduce the attack surface of your VMs.

Attack vector

This feature addresses so-called “brute force” attacks directed at the management ports of VMs. One way to block these attacks is to reduce the exposure of the VMs. Since management ports are not used all the time, we can create a specific configuration that keeps them closed and so prevents attacks, while still allowing access to them when needed, for a limited time.

Advanced cloud defense blade

In this case, these are (by default):

  • SSH (port 22) for Linux VMs
  • RDP (port 3389) and WinRM (ports 5985, 5986) for Windows VMs
Rules configuration options

Once we enable this feature through Security Center, two things happen:

  1. Specific Network Security Group (NSG) rules are created for the selected machines and ports, using the configured Allowed Source IP and Maximum Request Time.
  2. Each time a user asks for access to those ports, and has the appropriate rights (RBAC), the request is approved.
Rule creation process

You can always add custom ports, depending on your needs. For each port you need to define the Port Number, the Protocol Type (All, TCP, UDP), the Allowed Source IP (a single address or a block, in CIDR format) and the Maximum Request Time (between 1 and 24 hours; the default is 3 h).
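To make the two steps above concrete, here is an added Python model (example code, not from this post and not Azure's API) of a JIT port rule and of the checks a request passes before a temporary allow rule is produced. The field names, the “any source” default, the constructed NSG rule name and the assumed "Deny by default, Allow on request" shape are assumptions that mirror the settings listed above.

```python
# Added example: a small model of a JIT port rule and of an access request.
# Field names, defaults and the NSG rule name are constructed assumptions,
# chosen to mirror the settings the post lists; they are not the Azure API.
import ipaddress
from datetime import datetime, timedelta, timezone

PROTOCOLS = {"All", "TCP", "UDP"}
# Default management ports named in the post, per OS family
DEFAULT_PORTS = {"linux": [22], "windows": [3389, 5985, 5986]}


def make_port_rule(number, protocol="All", allowed_source="*", max_hours=3):
    """Validate one JIT port rule (port, protocol, source, max time) and return it."""
    if not 1 <= number <= 65535:
        raise ValueError(f"port {number} is out of range")
    if protocol not in PROTOCOLS:
        raise ValueError(f"protocol must be one of {sorted(PROTOCOLS)}")
    if allowed_source != "*":  # "*" (any source) is an assumed default of this model
        # Accepts a single address or a CIDR block; strict=False tolerates host bits
        ipaddress.ip_network(allowed_source, strict=False)
    if not 1 <= max_hours <= 24:
        raise ValueError("maximum request time must be between 1 and 24 hours")
    return {
        "number": number,
        "protocol": protocol,
        "allowedSourceAddressPrefix": allowed_source,
        "maxRequestAccessDuration": max_hours,
    }


def default_policy(os_family):
    """The built-in rule set the post describes: one rule per default port, 3 h each."""
    return [make_port_rule(port) for port in DEFAULT_PORTS[os_family]]


def request_access(policy, port, source_ip, hours, now=None, justification=""):
    """Check a JIT request against the policy and return the temporary NSG allow rule.

    RBAC is assumed to have been checked already; this covers the policy checks only.
    """
    rule = next((r for r in policy if r["number"] == port), None)
    if rule is None:
        raise PermissionError(f"port {port} is not covered by the JIT policy")
    if hours > rule["maxRequestAccessDuration"]:
        raise PermissionError("requested duration exceeds the policy maximum")
    if rule["allowedSourceAddressPrefix"] != "*":
        allowed = ipaddress.ip_network(rule["allowedSourceAddressPrefix"], strict=False)
        if ipaddress.ip_address(source_ip) not in allowed:
            raise PermissionError(f"{source_ip} is outside the allowed source range")
    now = now or datetime.now(timezone.utc)
    end = now + timedelta(hours=hours)
    return {
        "name": f"SecurityCenter-JITRule_{port}-Allow",  # constructed name
        "direction": "Inbound",
        "access": "Allow",
        "protocol": rule["protocol"],
        "sourceAddressPrefix": source_ip,   # narrowed to the requester, not the whole block
        "destinationPortRange": str(port),
        "endTimeUtc": end.isoformat(),      # the window after which the rule is removed
        "justification": justification,     # the optional field added in March 2020, kept for audit
    }


if __name__ == "__main__":
    policy = [make_port_rule(3389, "TCP", "203.0.113.0/24", 3)]  # constructed sample policy
    print(request_access(policy, 3389, "203.0.113.7", 2, justification="monthly patching"))
```

The request narrows the allow rule to the requesting address rather than the whole permitted block, which is the behaviour that keeps the exposure minimal during the approved window.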

Updates – March 2020

One of the new features added is the Justification field, an optional free-text entry. This information is written to the logs, for audit purposes.

Another new update is a governance feature: a clean-up tool. Every time the JIT policy is changed or refreshed, the tool runs and checks the validity of the whole rule set. It compares the policy with the NSG rules and, if it finds a mismatch, determines the cause and fixes the issue, cleaning up the rule set.

This only works with built-in rules.
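The kind of policy-versus-NSG comparison described above, as an added Python example (not from this post and not Security Center's own tool). It assumes a naming convention that marks JIT-managed rules, a baseline Deny rule per policy port with time-limited Allow rules for approved requests, and a constructed rule set with deliberate mismatches; custom rules outside that convention are left alone, matching the “built-in rules only” limitation.

```python
# Added example: reconcile a JIT policy with the NSG inbound rules created for it,
# in the spirit of the clean-up tool the post describes. The rule name prefix,
# the Deny-baseline/Allow-on-request shape and the sample data are constructed.
from datetime import datetime, timezone

JIT_PREFIX = "SecurityCenter-JITRule_"  # assumed marker for rules the tool manages

# Constructed JIT policy: RDP and WinRM (5985) on a Windows VM
POLICY = [
    {"number": 3389, "protocol": "TCP"},
    {"number": 5985, "protocol": "TCP"},
]

# Constructed NSG inbound rule set with deliberate mismatches
NSG_RULES = [
    {"name": "SecurityCenter-JITRule_3389", "access": "Deny", "protocol": "TCP",
     "destinationPortRange": "3389", "endTimeUtc": None},           # consistent with policy
    {"name": "SecurityCenter-JITRule_22", "access": "Deny", "protocol": "TCP",
     "destinationPortRange": "22", "endTimeUtc": None},             # port dropped from policy
    {"name": "SecurityCenter-JITRule_3389-Allow", "access": "Allow", "protocol": "TCP",
     "destinationPortRange": "3389", "sourceAddressPrefix": "203.0.113.7",
     "endTimeUtc": "2020-03-01T12:00:00+00:00"},                    # approval window expired
    {"name": "AllowHTTPS", "access": "Allow", "protocol": "TCP",
     "destinationPortRange": "443", "endTimeUtc": None},            # custom rule, not JIT-managed
]


def reconcile(policy, nsg_rules, now):
    """Compare policy and NSG rules; return (findings, cleaned rule set).

    Each finding is (rule name, cause, action taken).
    """
    expected = {p["number"]: p for p in policy}
    findings, kept, seen_deny = [], [], set()

    for rule in nsg_rules:
        if not rule["name"].startswith(JIT_PREFIX):
            kept.append(rule)  # built-in rules only: custom rules are never touched
            continue
        port = int(rule["destinationPortRange"])
        if port not in expected:
            findings.append((rule["name"], "port is no longer in the JIT policy", "removed"))
            continue
        if rule["access"] == "Allow":
            # Approved access is time-limited; drop the rule once its window has passed
            if datetime.fromisoformat(rule["endTimeUtc"]) <= now:
                findings.append((rule["name"], "approved access window has expired", "removed"))
                continue
        elif rule["protocol"] != expected[port]["protocol"]:
            findings.append((rule["name"], f"protocol {rule['protocol']} differs from policy", "fixed"))
            rule = dict(rule, protocol=expected[port]["protocol"])
        if rule["access"] == "Deny":
            seen_deny.add(port)
        kept.append(rule)

    # Every policy port needs its baseline Deny rule; recreate any that are missing
    for port in sorted(expected.keys() - seen_deny):
        name = f"{JIT_PREFIX}{port}"
        findings.append((name, "policy port has no baseline Deny rule", "added"))
        kept.append({"name": name, "access": "Deny", "protocol": expected[port]["protocol"],
                     "destinationPortRange": str(port), "endTimeUtc": None})
    return findings, kept


if __name__ == "__main__":
    run_at = datetime(2020, 3, 15, tzinfo=timezone.utc)  # constructed "refresh" time
    for finding in reconcile(POLICY, NSG_RULES, run_at)[0]:
        print(*finding, sep=" | ")
```

Running it on the constructed data reports the stale port-22 rule and the expired allow rule as removed and the missing WinRM baseline as added, while the HTTPS rule passes through untouched.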

NSG inbound rules

About Dimitar Grozdanov

Engineer. 25+ years “in the field”. Cloud Solution Architect. Trainer, Consultant. Co-founder/Supporter of Tech Communities. Speaker. Blogger. Parent. Passionate about craft beer tasting and hanging out with family and friends.
