
How to Harden Azure Virtual Machines with Just-In-Time Access

November 30, 2023 · 5 min read

Hardening Azure Virtual Machines (VMs) involves implementing security measures to protect against unauthorized access and potential threats. One effective method to achieve this is by using Just-In-Time (JIT) access, which is a feature available in Azure Security Center. JIT access helps to reduce the attack surface by enabling access to VMs only when needed and for a limited time. Below, I’ll detail the steps and considerations for hardening your Azure VMs with JIT access.

Understanding Just-In-Time Access

Before implementing JIT access, it is important to understand how it works:

  • JIT access dynamically controls the network traffic to your VMs by managing the Network Security Group (NSG) rules.
  • Access is granted to users for a specific amount of time, after which the NSG rules are automatically adjusted to close the ports.
  • It reduces the risk of attack while providing flexibility for legitimate users to gain access when necessary.

Prerequisites

To implement JIT access, ensure you have:

  • An Azure subscription.
  • Azure Security Center Standard tier enabled.
  • VMs that are protected by NSGs.
  • Necessary permissions to configure JIT policies and request JIT access (usually Security Admin role).

Configuring JIT on Azure VMs

Step 1: Enable Just-In-Time in Azure Security Center

  • Navigate to the Azure Security Center in the Azure portal.
  • Choose the “Security Policy” from the main menu.
  • Ensure that the appropriate subscription is selected and the standard tier is enabled.
  • Scroll down to the “Just-In-Time VM Access” and turn it on.

Step 2: Enable JIT on Virtual Machines

  • In the Security Center dashboard, go to the “Just-In-Time VM Access”.
  • Click on “Try Just-In-Time VM access”.
  • A list of your VMs will appear. You can select one or multiple VMs on which to enable JIT access.
  • Click on “Enable JIT on 1 VM” (the button label reflects the number of VMs you selected).

Step 3: Configuring JIT Policy

  • For each VM, configure the JIT policy by specifying:
    • Ports to be protected (e.g., RDP, SSH, or custom ports).
    • Approved IP ranges that can request access.
    • Maximum request access time window (e.g., 1-24 hours).

Step 4: Setting the Rules

  • After configuring the policy, set the NSG rules to define who can enable JIT and under which conditions.
  • Click “Save” to apply the JIT policies to your selected VMs.
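The same policy (Steps 3 and 4 above) can be defined from PowerShell with the Az.Security module, which is useful when you manage many VMs or want the settings under source control. This is an added example, not code from the original article; the subscription, resource group, VM name, region and the approved CIDR range are placeholders or constructed values you must replace, and it assumes you have already run Connect-AzAccount.

```powershell
# Added example (not from the original article): defines a JIT policy for one VM
# with Az.Security. Placeholder values: subscription, resource group, VM name,
# location. The approved range is a constructed example (TEST-NET-3).
# Requires: Install-Module Az.Security ; Connect-AzAccount
$subscriptionId = "<SUBSCRIPTION-ID>"
$resourceGroup  = "<RESOURCE-GROUP>"
$vmName         = "<VM-NAME>"
$location       = "<LOCATION>"          # e.g. westeurope; must match the VM's region
$approvedRange  = "203.0.113.0/24"      # constructed: the admin jump-host range

$vmId = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup/providers/Microsoft.Compute/virtualMachines/$vmName"

# Step 3 expressed as a policy object: protected ports, approved source ranges and
# the maximum window a requester may ask for (ISO 8601 duration, at most 24 hours).
$jitPolicy = @{
    id    = $vmId
    ports = @(
        @{
            number                     = 3389    # RDP
            protocol                   = "*"
            allowedSourceAddressPrefix = @($approvedRange)
            maxRequestAccessDuration   = "PT3H"  # 3 hours, well under the 24h ceiling
        },
        @{
            number                     = 22      # SSH
            protocol                   = "*"
            allowedSourceAddressPrefix = @($approvedRange)
            maxRequestAccessDuration   = "PT1H"
        }
    )
}

# One policy resource named "default" per region holds the JIT settings for the VMs
# in that resource group; -VirtualMachine takes an array of VM entries.
Set-AzJitNetworkAccessPolicy -Kind "Basic" `
    -Location $location `
    -Name "default" `
    -ResourceGroupName $resourceGroup `
    -VirtualMachine @($jitPolicy)

# Read the policy back to confirm what was stored
Get-AzJitNetworkAccessPolicy -ResourceGroupName $resourceGroup -Location $location -Name "default"
```

Using a specific CIDR in allowedSourceAddressPrefix rather than "*" is the part that matters: with "*" any source can request the port to be opened, which defeats the purpose of the approved-IP-range setting in Step 3.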

Requesting Access to a JIT-Protected VM

Step 1: Request JIT Access

  • Go to Azure Security Center and select “Just-In-Time VM Access”.
  • Find the VM for which you need access and click “Request access”.
  • Specify the port number you want to access and the time window.

Step 2: Approve the Access Request

  • Depending on your organization’s policies, the request may need approval from the Security Admin or other designated roles.
  • Once approved, the NSGs associated with the VM automatically update to allow traffic for the requested time.

Step 3: Access the VM

  • Connect to the VM using the allowed protocol (RDP, SSH, etc.) within the approved time frame.

Step 4: Automatic Lock

  • After the approved time window has elapsed, Azure Security Center automatically reverts the NSG rules, closing the ports.
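The request in Step 1 above can also be made from PowerShell, which is how an operator would script it for a runbook. This is an added example, not the article's own; the placeholders match the configuration example and the requesting IP address is a constructed value.

```powershell
# Added example (not from the original article): requests JIT access to port 3389
# for two hours from a single source address. Placeholder values as before;
# $myIp is a constructed sample for the requesting workstation's public IP.
$subscriptionId = "<SUBSCRIPTION-ID>"
$resourceGroup  = "<RESOURCE-GROUP>"
$vmName         = "<VM-NAME>"
$location       = "<LOCATION>"
$myIp           = "203.0.113.10"

$vmId        = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup/providers/Microsoft.Compute/virtualMachines/$vmName"
$jitPolicyId = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup/providers/Microsoft.Security/locations/$location/jitNetworkAccessPolicies/default"

# The window must end within the policy's maxRequestAccessDuration for this port,
# otherwise the request is rejected. Ask for the shortest window that does the job.
$endTimeUtc = (Get-Date).ToUniversalTime().AddHours(2).ToString("o")

$request = @{
    id    = $vmId
    ports = @(
        @{
            number                     = 3389
            endTimeUtc                 = $endTimeUtc
            # Narrow the opened rule to one host, not the whole approved range
            allowedSourceAddressPrefix = @($myIp)
        }
    )
}

# On success the NSG rule for 3389 from $myIp is added; it is removed automatically
# at $endTimeUtc (the "Automatic Lock" in Step 4).
Start-AzJitNetworkAccessPolicy -ResourceId $jitPolicyId -VirtualMachine @($request)
```

The source address in the request must fall inside the range approved in the policy; a request from an address outside it fails, which is the check that stops a requester from opening the port to the whole internet.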

Monitoring and Auditing

  • Monitor the JIT access events from the Azure Security Center’s “Activity log”.
  • Review audit logs regularly to track who has requested access, for which VMs, and for how long to ensure compliance and detect any unusual access patterns.
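JIT requests are recorded in the Activity Log as operations under the Microsoft.Security resource provider, so the review described above can be scripted. The following is an added example, not from the original article; it assumes the Az.Monitor module and that JIT requests appear with an operation name containing "jitNetworkAccessPolicies/initiate" (older Az.Monitor versions expose OperationName and Status as objects with a .Value property rather than plain strings, which the string casts below accommodate). The thresholds for "off hours" and "too many requests" are constructed values to adapt to your environment.

```powershell
# Added example (not from the original article): pulls the last 7 days of JIT
# request events from the Activity Log and lists who asked for access to which VM.
# Assumes Az.Monitor and Connect-AzAccount. Off-hours window and request-count
# threshold below are constructed values, not Azure defaults.
$events = Get-AzActivityLog -StartTime (Get-Date).AddDays(-7) `
    -ResourceProvider "Microsoft.Security" -DetailedOutput

# Keep only successful JIT "initiate" (request access) operations
$jitRequests = $events | Where-Object {
    ("$($_.OperationName)" -like "*jitNetworkAccessPolicies/initiate*") -and
    ("$($_.Status)" -eq "Succeeded")
}

# Who requested access, when, and against which policy resource
$jitRequests |
    Select-Object EventTimestamp, Caller, ResourceId |
    Sort-Object EventTimestamp -Descending |
    Format-Table -AutoSize

# Requests outside 07:00-19:00 UTC deserve a second look (constructed window)
$offHours = $jitRequests | Where-Object {
    $h = $_.EventTimestamp.ToUniversalTime().Hour
    ($h -lt 7) -or ($h -gt 19)
}
if ($offHours) {
    Write-Warning "JIT requests outside business hours:"
    $offHours | Select-Object EventTimestamp, Caller, ResourceId | Format-Table -AutoSize
}

# Callers with an unusually high request count in the window (constructed threshold)
$jitRequests | Group-Object Caller | Where-Object { $_.Count -gt 10 } | ForEach-Object {
    Write-Warning ("{0} made {1} JIT requests in the last 7 days" -f $_.Name, $_.Count)
}
```

The requested port and time window are in the operation's request payload rather than in the summary fields shown here; keep the detailed output if you need to reconstruct "for how long" per request, and consider forwarding the Activity Log to a Log Analytics workspace so that these queries can run as scheduled alerts instead of ad hoc scripts.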

Best Practices

  • Limit the number of users who can approve JIT requests.
  • Review and update JIT policies periodically to align with changing security needs.
  • Avoid granting JIT access for extended periods, and use the minimum necessary time window.
  • Enable multi-factor authentication (MFA) for users who can approve JIT requests to enhance security further.

By following these detailed steps and applying best practices, you can significantly harden your Azure VMs by enabling Just-In-Time access, thus reducing their attack surface and bolstering your cloud security posture.
