Upcoming Webinar
Cayosoft Shows How Forest Recovery Tech Addresses Survey Issues
Join this webinar and not only learn about what your peers are doing, but also learn about a new patent-pending modern approach to AD forest recovery from Cayosoft.
New episode!
The Scoop on Loop: The Latest Innovations Directly From Microsoft!
Darrell Webster speaks to Rebecca Keys, a Program Manager from the Microsoft Loop team.
Turn Data Protection into an MRR Growth Engine
Security for your customers, revenue for your MSP practice. Access key insights on how to scale your practice with SkyKick’s new eGuide.
MSP eGuide to Package, Sell and Deliver M365 Security Services
Based on input from our top-performing MSPs, SkyKick prepared the MSP Guide to help you navigate the security landscape.

Secure Microsoft Azure VMs Using Just-In-Time Access

Microsoft Windows Secure Boot

Microsoft has released a public beta of Just-In-Time (JIT) access for Azure VMs. In this Ask the Admin, I’ll look at how the solution works and why you should use it when it reaches general availability.

If you’ve ever provisioned a virtual machine or another resource in Microsoft Azure, you’ll know that by default, the Network Security Group (NSG) associated with the resource allows access from any IP address if the resource was assigned a public IP address. The default configuration is convenient because it means you can connect to the resource from any device with an Internet connection. But on the downside, so can everybody else. Or at least they can try.

It’s worth remembering at this point that even if you believe your Azure resources aren’t of value to anyone else, attacks against cloud resources are automated. You don’t need to be a big multinational or government agency because attacks are arbitrary. In this Microsoft blog post on the subject, the author notes that there were a million security events in one week on a virtual machine not protected by JIT.

What Is Just-In-Time Access?

Just-Enough Administration (JEA) and Just-In-Time (JIT) access are both important tools that can improve security. I’ve talked about JEA before on Petri in my two-part series on PowerShell Just Enough Administration. As the name suggests, JEA provides users with access to servers with only the privileges required to perform a specific set of tasks. The JEA Toolkit for PowerShell helps organizations deploy PowerShell restricted remote endpoints with JEA. For more information on PowerShell JEA, take a look at the following articles on Petri:

PowerShell 5.0 Just Enough Administration (JEA) Part 1: Understanding JEA and Configuring the Demo Toolkit
PowerShell 5.0 Just Enough Administration (JEA) Part 2: Creating Toolkits and Understanding Logs

JIT access is also fairly self-explanatory. Instead of granting permanent access to a resource, JIT access involves giving access to resources just before it is needed and for a limited period. Azure JIT access works by requiring users to request access to VMs through the Azure management portal or Azure PowerShell. This access is managed by using the Role-Based Access Control (RBAC) feature already built-in to Azure. After access is requested, Azure modifies the NSG associated with the resource to allow access and then blocks the opened ports when the requested access time has elapsed.

In practice, what happens is that when JIT is enabled for a VM, it adds inbound deny rules to the associated NSG to block access to RDP or other remote management protocol. When a user requests access, JIT adds an allow rule with a lower priority to the NSG, allowing access for a given time from a defined IP address or range of addresses.

JIT access is part of the Azure Security Center and requires a subscription on the Standard tier. It also requires that the VM was provisioned using Azure Resource Manager (ARM).

Requesting Access to a JIT Access Enabled Virtual Machine

Once JIT access is set up for a VM, users can access the VM by selecting it in the Azure management portal and clicking Request access. The user can then specify which ports to open and for how long. Or accept the default values configured in the JIT access policy. Alternatively, you can use the Invoke-ASCJITAccess PowerShell cmdlet as shown below:

Invoke-ASCJITAccess -ResourceGroupName $ResourceGroupName -VM $VMName -Port 3389  -Minutes $minutes -AddressPrefix $ip

You can also audit JIT access to VMs using log search.

What If I Don’t Have the Security Center Standard Tier?

If you don’t want to pay for the Security Center Standard tier, then you should manually configure NSGs to allow connections to VMs for remote management from a restricted set of IP addresses. But remember, this method isn’t as secure as JIT because IP addresses can be spoofed and threats can come from inside your corporate network. So, it’s always best to open connections for a limited time, even from trusted IP addresses. If you want to configure NSGs manually, read my article Configuring Network Security Groups in Microsoft Azure on Petri.

JIT access is a welcome addition to Azure, is easy to set up and use, and should be mandatory for all VMs that you deploy in the cloud. For detailed instructions on how to enable JIT access in Azure, see Aidan Finn’s article Azure Just In Time Virtual Machine Access on Petri.

by Russell Smith
Feb 6, 2018

Editorial Director at Petri IT Knowledgebase. Russell has more than 20 years' experience working in IT. From small business to large government IT infrastructure projects. Russell started his writing career for Windows IT Pro magazine in the early...

Streamlining SaaS Governance: How Nudge Security Simplifies Compliance and Security Management for Cloud Apps

Oct 30, 2023
Nov 03, 2023
The Ultimate Guide to Web Application Firewalls (WAF)

Jun 20, 2023
The Dirty Truth About IT Offboarding Automation

Jul 21, 2023
Aug 25, 2023

Take our survey

PETRI NEWSLETTERS

Join Petri Insider

Create a free account today to participate in forum conversations, comment on posts and more.