Just-in-Time Access on VMs in Microsoft Azure
Introduction
When a user requires access to a VM, they can go to the Azure portal and locate the VM they need. They then select the ‘Connect’ option, which presents them with a list of users who are approved to access the VM and a list of RDP/SSH endpoints that are available for it.
Just-in-Time VM Access is a control plane that is designed to lock down inbound traffic to your virtual machines. It enables you to control which users can access which VMs, and what they can do while logged in to a VM. JIT works for RDP and SSH traffic.
Providing secure access to resources is the primary focus of any virtual infrastructure, and securing virtual machines is no different from securing any other resource. Access from a known point (an approved user on an approved machine) is the ideal, but there will always be times when access is needed from a new machine or by a user who is not yet trusted.
When a user attempts to connect to a VM that has a just-in-time access policy defined, RDP and SSH access to the VM is blocked. The user then has to submit a request to gain access. Requests are submitted through the Azure portal: on the VM resource blade there is a “Request access” option. Once this option is clicked, the user selects the date and time for which they need access, using a start and end date/time picker. When the request is submitted, if the user has the RBAC permissions for the subscription and the resource, the request is auto-approved and the user is immediately granted access. If the user does not have the required permissions, the request is sent to an admin who can approve or deny it. All of this is handled by the just-in-time access feature; at no point does the user themselves open the port in the Network Security Group.
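As an added illustration that is not part of the original post, the following Python models the policy check that sits behind the request described above: a constructed JIT policy in the shape of a Microsoft.Security jitNetworkAccessPolicies resource (the field names are assumed from that REST API and should be checked against the current reference) and a function that rejects a request whose window exceeds the policy's maximum duration, or whose source address falls outside the allowed prefix. The VM id, addresses and times are placeholders; the source-prefix check goes slightly beyond what the post describes.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed sample policy in the shape of a Microsoft.Security
# jitNetworkAccessPolicies resource (field names are assumed from that API).
VM_ID = "/subscriptions/<sub>/resourceGroups/rg/providers/Microsoft.Compute/virtualMachines/vm1"
POLICY = {"kind": "Basic", "properties": {"virtualMachines": [{"id": VM_ID, "ports": [
    {"number": 22, "protocol": "TCP", "allowedSourceAddressPrefix": "203.0.113.0/24",
     "maxRequestAccessDuration": "PT3H"},
    {"number": 3389, "protocol": "TCP", "allowedSourceAddressPrefix": "*",
     "maxRequestAccessDuration": "PT1H"},
]}]}}


def parse_iso_duration(text):
    """Parse the PTnHnM subset of ISO 8601 durations that JIT policies use."""
    match = re.fullmatch(r"PT(?:(\d+)H)?(?:(\d+)M)?", text)
    if not match or not any(match.groups()):
        raise ValueError(f"unsupported duration: {text}")
    return timedelta(hours=int(match.group(1) or 0), minutes=int(match.group(2) or 0))


def source_allowed(policy_prefix, requested):
    """'*' allows any source; otherwise the requested IP/prefix must lie inside the policy prefix."""
    if policy_prefix == "*":
        return True
    try:
        return ipaddress.ip_network(requested, strict=False).subnet_of(
            ipaddress.ip_network(policy_prefix, strict=False))
    except (ValueError, TypeError):  # malformed address or IPv4/IPv6 mismatch
        return False


def check_request(policy, vm_id, port, source, start_iso, end_iso):
    """Return the reasons a JIT request (ISO 8601 start/end) violates the policy; [] means it fits."""
    vm = next((v for v in policy["properties"]["virtualMachines"] if v["id"] == vm_id), None)
    if vm is None:
        return [f"VM {vm_id} is not covered by the JIT policy"]
    rule = next((p for p in vm["ports"] if p["number"] == port), None)
    if rule is None:
        return [f"port {port} is not in the JIT policy for this VM"]
    start, end = datetime.fromisoformat(start_iso), datetime.fromisoformat(end_iso)
    problems = []
    if end <= start:
        problems.append("end time must be after start time")
    elif end - start > parse_iso_duration(rule["maxRequestAccessDuration"]):
        problems.append(f"window exceeds maxRequestAccessDuration {rule['maxRequestAccessDuration']}")
    if not source_allowed(rule["allowedSourceAddressPrefix"], source):
        problems.append(f"source {source} is outside allowedSourceAddressPrefix "
                        f"{rule['allowedSourceAddressPrefix']}")
    return problems
```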
Just-in-Time VM Access is an amazing feature of Azure security. It is an access control feature that adds an extra layer of protection for resources in Azure. Customers can lock down their VMs and no longer need to leave any inbound ports open in order to reach them. They simply request a time range for when they need access, and just-in-time access automatically opens the ports on the VM for that period. This helps protect customers’ VMs by reducing their exposure to attacks while still providing easy access when it is needed.
Benefits of Just-in-Time Access
Prevent port scanning for resources:
Locking down inbound traffic to your VMs prevents attackers from finding your VMs by scanning for open ports, which provides additional protection against unauthorized access. With JIT, every access request is logged, so there is a record of who accessed which VM and when. When a user requests access and the request is approved, JIT provisions access for a limited time window, after which the ports are closed again.
Controlled access over Azure VMs:
JIT provides a way to control RDP and SSH access to Azure VMs by locking down inbound traffic to resources and granting access only when it is needed. You can have peace of mind knowing that you can still get access when you need it, while your exposure to attacks is greatly reduced.
Conclusion:
Prepare for the unexpected! Feel relaxed once you have successfully enabled JIT for all your VMs. With JIT, you can sleep well knowing that you have an additional layer of security to protect against the odds. The benefits sum up why you should enable JIT right away!
Kindly take your time to watch the demo video to enable just-in-time access on your virtual machines.