Consider for a moment the attack surface of your virtual machines. You may have some ports exposed to the public internet, but those are likely to be protected by next-generation firewalls and perhaps a DDoS scrubbing service from your ISP.
The largest attack vector is often your management ports: SSH, RDP and WMI, to name a few. While these ports are open, anyone can attempt to gain access, authorised or not.
This is where ‘Just in Time Virtual Machine Access’ steps in to reduce your overall attack surface. Management ports are kept closed, and access is granted only from trusted IPs or on a per-request basis.
How Does It Work
Just in Time (JIT) works in conjunction with Network Security Groups (NSGs) and Role-Based Access Control (RBAC) to open management ports for a limited time.
- Works for VMs that are publicly or privately accessible
- Requires write access to the VM
The second point makes perfect sense: we have customers who have read access to certain elements within the Azure portal to review logs or performance charts but are not allowed access to the virtual machines.
To request access on a management port, the requester must have ‘Contributor’ rights on the VM, which means the following points need to be considered:
- The requester requires an Azure AD Account
- RBAC configuration
- Access for third parties using Azure B2B
At the time of writing, you can define the following conditions per VM policy:
- Protocol (TCP/UDP)
- Allowed Sources either Per Request or IP Range
- Maximum Request Time 1 to 24 Hours
Once the JIT policy has been applied to the VM, a user logs into the Azure Portal and opens Security Center. From there they select Just in time VM access, select the VM and choose ‘Request Access’, specifying the ports and time frame required.
The process to enable JIT is straightforward but does require some detailed consideration of how RBAC is configured.
Requesting access to a VM is currently quite clunky; it would be great if a dedicated JIT portal were available for this purpose.
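The same two steps, the per-VM policy (protocol, allowed sources, maximum duration) and the access request against it, can be scripted instead of clicked through. The following is an added example, not code from the original post, using the Az.Security PowerShell cmdlets Set-AzJitNetworkAccessPolicy and Start-AzJitNetworkAccessPolicy. The subscription ID, resource group, location, VM name, IP ranges and requester address are placeholders, and the final check assumes the NSG is attached to the VM's NIC rather than to its subnet.

```powershell
# Added example (not from the original post): define a JIT policy for one VM and
# then request access through it, using the Az.Security module.
# Subscription, resource group, VM name, location and IP addresses are placeholders.

Connect-AzAccount | Out-Null   # interactive sign-in; the account needs the RBAC rights described above

$SubscriptionId = "00000000-0000-0000-0000-000000000000"
$ResourceGroup  = "rg-jit-demo"
$Location       = "westeurope"
$VmName         = "vm-jit-demo"
$VmId = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup/providers/Microsoft.Compute/virtualMachines/$VmName"

# --- 1. Policy: which ports may be opened, from where, and for how long ---------
# allowedSourceAddressPrefix "*" means the requester supplies the source on each
# request ("Per Request"); a fixed range such as 203.0.113.0/24 locks every request
# to that range instead. maxRequestAccessDuration is an ISO 8601 duration and the
# portal allows 1 to 24 hours.
$VmPolicy = @{
    id    = $VmId
    ports = @(
        @{ number = 22;   protocol = "TCP"; allowedSourceAddressPrefix = @("*");                maxRequestAccessDuration = "PT3H" },
        @{ number = 3389; protocol = "TCP"; allowedSourceAddressPrefix = @("203.0.113.0/24");   maxRequestAccessDuration = "PT1H" }
    )
}

Set-AzJitNetworkAccessPolicy -Kind "Basic" -Location $Location -Name "default" `
    -ResourceGroupName $ResourceGroup -VirtualMachine @($VmPolicy)

# --- 2. Request: open port 22 for this requester's IP until a given UTC time -----
# endTimeUtc must fall within the policy's maxRequestAccessDuration for that port.
$RequesterIp = "198.51.100.23"
$EndTimeUtc  = (Get-Date).ToUniversalTime().AddHours(2).ToString("o")

$AccessRequest = @{
    id    = $VmId
    ports = @(
        @{ number = 22; endTimeUtc = $EndTimeUtc; allowedSourceAddressPrefix = @($RequesterIp) }
    )
}

$PolicyId = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup/providers/Microsoft.Security/locations/$Location/jitNetworkAccessPolicies/default"
Start-AzJitNetworkAccessPolicy -ResourceId $PolicyId -VirtualMachine @($AccessRequest)

# --- 3. Check: the NSG now carries the JIT rules for the managed ports -----------
# Applying the policy adds a deny rule for each managed port; a granted request adds
# a short-lived allow rule for the requested source. This lookup assumes the NSG is
# attached to the NIC; if it is attached to the subnet, resolve it via the subnet instead.
$Nic = Get-AzNetworkInterface -ResourceGroupName $ResourceGroup |
    Where-Object { $_.VirtualMachine.Id -eq $VmId }
$Nsg = Get-AzNetworkSecurityGroup -ResourceGroupName $ResourceGroup |
    Where-Object { $_.Id -eq $Nic.NetworkSecurityGroup.Id }
$Nsg.SecurityRules |
    Where-Object { $_.DestinationPortRange -match '^(22|3389)$' } |
    Select-Object Name, Access, Priority, SourceAddressPrefix, DestinationPortRange
```

The final query is the check worth keeping: after the request you should see an allow rule for 198.51.100.23 on port 22 sitting at a higher priority than the JIT deny rule, and it should disappear once endTimeUtc passes. On the RBAC point the post raises, Contributor on the VM is what the portal flow requires as described; a custom role that grants Microsoft.Security/locations/jitNetworkAccessPolicies/initiate/action together with read on the VM and its network resources is the least-privilege way to let someone request access without being able to change the VM itself.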