Use the Conformity Knowledge Base AI to help improve your Cloud Posture

Enable Just-In-Time Access for Virtual Machines

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: VirtualMachines-021

Ensure that Just-in-Time (JIT) access is enabled for your Azure virtual machines (VMs) in order to allow you to lock down inbound traffic to your VMs and reduce exposure to attacks while providing easy SSH/RDP access when needed.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

Microsoft Azure Security Center provides multiple threat prevention instruments to help you reduce surface areas susceptible to attacks such as brute-force and DDoS attacks. One of those instrument is Just-in-Time (JIT) access to virtual machines. JIT access feature enables you to lock down your virtual machines at the network level by blocking inbound traffic to management ports such as 22 (SSH) and 3389 (RDP). Once the feature is enabled for your VMs, you can create a policy that determines the ports to be protected, how long ports remain open, and the approved IP addresses from where these ports can be accessed. This allows you to control the access and reduce the attack surface to your virtual machines, by allowing access only upon a specific need.

Note: Just-in-Time (JIT) access feature is available as part of the Azure Security Center standard tier.​


Audit

To determine if your Azure virtual machines are configured to use Just-in-Time access, perform the following actions:

Using Azure Portal

01 Sign in to Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

03 Choose the Azure subscription that you want to access from the Subscription filter box.

04 From the Type filter box, select Virtual machine to show the virtual machines launched within the selected subscription.

05 Click on the name of the virtual machine (VM) that you want to examine.

06 In the navigation panel, under Settings, select Configuration, then check the Just-in-time access configuration section. If Enable just-in-time button is displayed within this section, the Just-in-Time (JIT) access feature is not enabled for the selected Microsoft Azure virtual machine.

07 Repeat step no. 5 and 6 for each Azure virtual machine available in the selected subscription.

08 Repeat steps no. 3 – 7 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run vm list command (Windows/macOS/Linux) using custom query filters to list the ID of each virtual machine (VM) deployed in the current Azure subscription:

az vm list
	--query '[*].id'

02 The command output should return the requested Azure virtual machine ID(s):

[
"/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/virtualMachines/cc-linux-sever-wm",
"/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/virtualMachines/cc-windows-server-vm",
"/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/virtualMachines/cc-internal-server-vm"
]

03 Run security jit-policy list command (Windows/macOS/Linux) with custom query filters to list the ID(s) of the Azure virtual machine(s) configured to use Just-in-Time (JIT) network access policies:

az security jit-policy list
	--query '[*].virtualMachines[*].id | []'

04 The command output should return the requested virtual machine (VM) identifiers:

[]

If the security jit-policy list command output returns an empty array (i.e. []), as shown in the example above, there are no Microsoft Azure virtual machines (VMs) configured to use Just-in-Time (JIT) access. If the command output returns one or more VM IDs, compare these IDs with the ones listed at step no. 2 to determine which virtual machine is not associated with a Just-in-Time (JIT) network access policy.

05 Repeat steps no. 1 – 4 for each subscription created in your Microsoft Azure cloud account.

Remediation / Resolution

To enable Just-in-Time (JIT) network access for your Microsoft Azure virtual machines, perform the following actions:

Note 1: To be able to use JIT access feature for your VMs, you need to ensure that Security Center standard pricing tier is enabled within your Azure account subscription. If the Security Center standard pricing tier is not enabled, follow the steps outlined in this conformity rule to activate the standard tier.

Note 2: As example, this conformity rule will demonstrate how to enable and configure JIT network access on port 22 (SSH) for a Linux VM instance.

Note 3: Enabling Just-in-Time (JIT) network access for Microsoft Azure virtual machines using Azure Command Line Interface (CLI) is not currently supported, the feature can be enabled and configured only with Azure Management Console (Azure Portal).

Using Azure Portal

01 Sign in to Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

03 Choose the Azure subscription that you want to access from the Subscription filter box.

04 From the Type filter box, select Virtual machine to show the virtual machines available in the selected subscription.

05 Click on the name of the virtual machine (VM) that you want to reconfigure (see Audit section part I to identify the right resource).

06 In the navigation panel, under Settings, select Configuration, then click on the Enable just-in-time button to enable Just-in-Time (JIT) access for the selected virtual machine.

07 Once JIT network access is enabled, click on the Open Azure Security Center link to redirect to the Azure Security Center, where Just-in-Time (JIT) access feature is managed for your VMs.

08 On the Just in time VM access page, select the virtual machine that you want to reconfigure, click Request access, then perform the following operations:

  1. Under Toggle, select On to allow JIT access on the specified port (in this case port 22 - SSH).
  2. Under Allowed Source IP, select My IP to allow access from your current IP address or select IP range to use an IPv4 range instead. Type the necessary IPv4 range in the IP range box. Once an IP/IP range is configured, any other source IPs will get denied access.
  3. Under Time range (hours), set the time window in hours necessary for JIT network access. When this time has expired, Azure Security Center will automatically remove the allowed JIT access rule and block the access on the specified port.
  4. Click Open ports to apply the changes and initiate the JIT network access request. Once the request is approved, Azure Security Center will automatically configure the VM Network Security Groups (NSGs) to allow inbound traffic to the specified port for the requested amount of time (hours), after which it restores the NSGs to their previous states.

09 Repeat steps no. 5 – 8 to enable and configure Just-in-Time (JIT) access for other Azure virtual machines deployed in the selected subscription.

10 Repeat steps no. 3 – 9 for each subscription created in your Microsoft Azure cloud account.

References

Publication date Feb 3, 2020