Secure Microsoft Azure VMs Using Just-In-Time Access
Microsoft has released a public beta of Just-In-Time (JIT) access for Azure VMs. In this Ask the Admin, I’ll look at how the solution works and why you should use it when it reaches general availability.
If you’ve ever provisioned a virtual machine or another resource in Microsoft Azure, you’ll know that by default, the Network Security Group (NSG) associated with the resource allows access from any IP address if the resource was assigned a public IP address. The default configuration is convenient because it means you can connect to the resource from any device with an Internet connection. But on the downside, so can everybody else. Or at least they can try.
It’s worth remembering at this point that even if you believe your Azure resources aren’t of value to anyone else, attacks against cloud resources are automated. You don’t need to be a big multinational or government agency because attacks are arbitrary. In this Microsoft blog post on the subject, the author notes that there were a million security events in one week on a virtual machine not protected by JIT.
What Is Just-In-Time Access?
Just-Enough Administration (JEA) and Just-In-Time (JIT) access are both important tools that can improve security. I’ve talked about JEA before on Petri in my two-part series on PowerShell Just Enough Administration. As the name suggests, JEA provides users with access to servers with only the privileges required to perform a specific set of tasks. The JEA Toolkit for PowerShell helps organizations deploy PowerShell restricted remote endpoints with JEA. For more information on PowerShell JEA, take a look at the following articles on Petri:
PowerShell 5.0 Just Enough Administration (JEA) Part 1: Understanding JEA and Configuring the Demo Toolkit
PowerShell 5.0 Just Enough Administration (JEA) Part 2: Creating Toolkits and Understanding Logs
JIT access is also fairly self-explanatory. Instead of granting permanent access to a resource, JIT access involves giving access to resources just before it is needed and for a limited period. Azure JIT access works by requiring users to request access to VMs through the Azure management portal or Azure PowerShell. This access is managed by using the Role-Based Access Control (RBAC) feature already built into Azure. After access is requested, Azure modifies the NSG associated with the resource to allow access and then blocks the opened ports when the requested access time has elapsed.
In practice, when JIT is enabled for a VM, it adds inbound deny rules to the associated NSG to block access to RDP or other remote management protocols. When a user requests access, JIT adds an allow rule with a lower priority number than the deny rule, so the NSG evaluates it first, allowing access for a given time from a defined IP address or range of addresses.
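The rule interplay described above can be modelled in a few lines. This is an added example, not code from the article or from Azure: the rule names, priority numbers (100 and 1000), IP addresses and timestamps are constructed, and the model only covers first-match evaluation by priority, source prefix and port.

```python
# Added illustration: a minimal model of NSG rule evaluation under JIT.
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Rule:
    name: str
    priority: int                       # lower number is evaluated first
    access: str                         # "Allow" or "Deny"
    port: int
    source: str = "0.0.0.0/0"           # CIDR prefix the rule applies to
    expires: Optional[datetime] = None  # set only on JIT allow rules

def evaluate(rules, src_ip, port, now):
    """Return the access decision of the first matching, unexpired rule."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.expires is not None and now >= rule.expires:
            continue  # models JIT closing the port once the window elapses
        if rule.port == port and ip_address(src_ip) in ip_network(rule.source):
            return rule.access
    return "Deny"  # simplification: nothing matched, so default inbound deny

def enable_jit(rules, port, deny_priority=1000):
    """Enabling JIT adds an inbound deny rule for the management port."""
    rules.append(Rule(f"JIT-Deny-{port}", deny_priority, "Deny", port))

def request_access(rules, port, source, minutes, now, allow_priority=100):
    """An approved request adds an allow rule that outranks the deny rule."""
    rules.append(Rule(f"JIT-Allow-{port}", allow_priority, "Allow", port,
                      source, now + timedelta(minutes=minutes)))

def demo():
    t0 = datetime(2024, 1, 1, 9, 0)  # constructed timestamp
    nsg = []
    enable_jit(nsg, 3389)
    before = evaluate(nsg, "203.0.113.10", 3389, t0)
    request_access(nsg, 3389, "203.0.113.10/32", minutes=60, now=t0)
    return {
        "before_request": before,
        "requester_in_window": evaluate(nsg, "203.0.113.10", 3389, t0 + timedelta(minutes=5)),
        "other_ip_in_window": evaluate(nsg, "198.51.100.7", 3389, t0 + timedelta(minutes=5)),
        "requester_after_expiry": evaluate(nsg, "203.0.113.10", 3389, t0 + timedelta(minutes=61)),
    }

if __name__ == "__main__":
    print(demo())
```

Only the requesting address gets through, and only inside the requested window; every other case falls through to the deny rule.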
JIT access is part of the Azure Security Center and requires a subscription on the Standard tier. It also requires that the VM was provisioned using Azure Resource Manager (ARM).
Requesting Access to a JIT Access Enabled Virtual Machine
Once JIT access is set up for a VM, users can access the VM by selecting it in the Azure management portal and clicking Request access. The user can then specify which ports to open and for how long, or accept the default values configured in the JIT access policy. Alternatively, you can use the Invoke-ASCJITAccess PowerShell cmdlet as shown below:
Invoke-ASCJITAccess -ResourceGroupName $ResourceGroupName -VM $VMName -Port 3389 -Minutes $minutes -AddressPrefix $ip
You can also audit JIT access to VMs using log search.
What If I Don’t Have the Security Center Standard Tier?
If you don’t want to pay for the Security Center Standard tier, then you should manually configure NSGs to allow connections to VMs for remote management from a restricted set of IP addresses. But remember, this method isn’t as secure as JIT because IP addresses can be spoofed and threats can come from inside your corporate network. So, it’s always best to open connections for a limited time, even from trusted IP addresses. If you want to configure NSGs manually, read my article Configuring Network Security Groups in Microsoft Azure on Petri.
JIT access is a welcome addition to Azure, is easy to set up and use, and should be mandatory for all VMs that you deploy in the cloud. For detailed instructions on how to enable JIT access in Azure, see Aidan Finn’s article Azure Just In Time Virtual Machine Access on Petri.