Just-In Time VM Access
This specific feature, that can be found and configured within the Azure Security Center, is part of he Standard Pricing tier for that. In a nutshell, this feature enables lock down of Azure VM with just-in-time (JIT) access. This is a simple but effective way to reduce the attack surface on Your VM’s.
This feature handles so called “Brute Force” attacks, directed at management port of the VM’s. One way to block these attacks is reduce the exposure of the VM’s. Since management ports are not needed all the time, we can create a specific configuration that will prevent attacks on them, but at the same time enable access to them, in timely manner.
In this case, these are (by default):
- SSH (Port 22) for Linux
- RDP (Port 3389) and WinRM (Port 5985, 5986) for Windows VM’s
Once we enable this feature, trough Security Center, two things will happen:
- Specific Network Security Group (NSG) rules will be created, for selected machines – we also select the Ports, Allowed Source IP, Maximum Request Time.
- Each time a users asks for access to those ports, given that appropriate rights are given (RBAC), the request is approved
You can always add custom ports, depending on Your needs. For each port, You need to define Port Number, Protocol Type (All, TCP, UDP), Allowed Source IP (single or block, CIDR format), Maximum Request Time (between 1 – 24 hours, default is 3h)
Updates – March 2020
One of the new features added, is the Justification field – free test style entry field (optional). The information from this field becomes part of the activity log, which means it can be searched (audited).
Another new update, is an governance feature, they also created a clean up tool. Every time the the JIT policy is changed/refreshed, the tool runs and checks the validity of the whole rule set. It compares the policy and the NSG rule, and if it finds mismatch, determines the cause and fixes the issue. It will do rule set cleanup.
This only works with built-in rules. If You use custom policy rules, they will be left intact.