Configuring Just in Time (JIT) VM access by using Azure Security Center
This tutorial covers configuring Just in Time (JIT) VM access using Azure Security Center. You will learn about:
- Firstly, enabling JIT on your VMs. You can enable JIT with your own custom options for one or more VMs using Security Center, PowerShell, or the REST API.
- Secondly, requesting access to a VM that has JIT enabled. The purpose of JIT is to ensure that even though your inbound traffic is locked down, Security Center still provides easy access for connecting to VMs when necessary.
- Lastly, auditing the activity. To ensure that your VMs are secured appropriately, review the accesses to your JIT-enabled VMs as part of your regular security checks.
Enable JIT VM access
You can enable JIT VM access with your own custom options for one or more VMs using Security Center or programmatically.
Alternatively, you can enable JIT with default, hard-coded parameters from the Azure Virtual machines page.
Enabling JIT on VM from Azure Security Center
Once JIT is enabled on a VM, you have to request access to connect to it. You can request access in any of the supported ways, regardless of how you enabled JIT.
- Firstly, from Security Center’s menu, select Just-in-time VM access.
  The Just-in-time VM access page opens with the VMs grouped into the following tabs:
  - Configured. VMs that are already configured to support just-in-time VM access. For each VM, the Configured tab shows the number of approved JIT requests in the last seven days, the last access date and time, and so on.
  - Not configured. VMs that do not have JIT enabled but can support it.
  - Unsupported. VMs that do not have JIT enabled and do not support the feature.
- Secondly, from the Not configured tab, mark the VMs to protect with JIT and select Enable JIT on VMs.
  The JIT VM access page opens, listing the ports that Security Center recommends protecting:
  - 22 – SSH
  - 3389 – RDP
  - 5985 – WinRM
  - 5986 – WinRM
  To accept the default settings, select Save.
- Thirdly, to customize the JIT options:
  - Add custom ports with the Add button.
  - Modify one of the default ports by selecting it from the list.
  For each port, the Add port configuration pane offers the following options:
  - Protocol
  - Allowed source IPs
  - Maximum request time
  Set the port security to your needs and select OK.
- Lastly, select Save.
Editing the JIT configuration on a JIT-enabled VM using Security Center
You can modify a VM’s just-in-time configuration to add and configure a new port to protect for that VM.
To edit the existing JIT rules for a VM:
- Firstly, from Security Center’s menu, select Just-in-time VM access.
- Secondly, from the Configured tab, right-click the VM to which you want to add a port, and select Edit.
- Thirdly, under JIT VM access configuration, you can either edit the existing settings of an already protected port or add a new custom port.
- Lastly, when you have finished editing the ports, select Save.
Requesting JIT access from Azure Security Center
After JIT is enabled on a VM, you have to request access to connect to it. You can request access in any of the supported ways; from Security Center, the steps are:
- Firstly, from the Just-in-time VM access page, select the Configured tab.
- Secondly, mark the VMs you want to access.
- Thirdly, select Request access. The Request access window opens.
- Then, under Request access, for each VM configure the ports that you want to open, the source IP addresses the ports are opened for, and the time window for which each port will be open. You can only request access to the configured ports, and every port has a maximum allowed time that derives from the JIT configuration.
- Lastly, select Open ports.
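The enable and request steps above correspond to two REST bodies: the JIT network access policy (ports, protocol, allowed source prefix, maximum request duration) and the access request made against it. The following Python is added here as an example; it is not code from this page or from Microsoft. It builds both bodies offline and checks a request against a policy the way the portal does: only configured ports can be requested, a requested duration cannot exceed the port's maximum, and the requested source must fall within the port's allowed prefix. The field names are assumed to follow the jitNetworkAccessPolicies REST schema, the VM id is a placeholder, and no call to Azure is made.

```python
"""Build and sanity-check Azure JIT VM access policy and request bodies offline."""
import ipaddress
import json
import re

# Assumption: field names follow the Microsoft.Security jitNetworkAccessPolicies
# REST schema (PUT policy body, POST .../initiate body). Confirm against the
# API version you target before sending.

# Placeholder resource id; substitute your own VM's id.
VM_ID = ("/subscriptions/<subscription-id>/resourceGroups/<rg>"
         "/providers/Microsoft.Compute/virtualMachines/<vm-name>")

_DURATION = re.compile(r"^PT(?:(\d+)H)?(?:(\d+)M)?$")


def parse_duration_minutes(iso):
    """Convert an ISO 8601 duration such as 'PT3H' or 'PT1H30M' into minutes."""
    m = _DURATION.match(iso)
    if not m or iso == "PT":
        raise ValueError(f"unsupported duration: {iso}")
    hours, minutes = (int(x) if x else 0 for x in m.groups())
    return hours * 60 + minutes


def build_jit_policy(vm_id, ports):
    """Body for PUT .../jitNetworkAccessPolicies/{name}.

    ports: iterable of (number, protocol, allowed_source_prefix, max_duration).
    """
    return {
        "kind": "Basic",
        "properties": {
            "virtualMachines": [{
                "id": vm_id,
                "ports": [
                    {"number": n, "protocol": proto,
                     "allowedSourceAddressPrefix": prefix,
                     "maxRequestAccessDuration": max_dur}
                    for n, proto, prefix, max_dur in ports
                ],
            }]
        },
    }


def build_access_request(vm_id, ports, justification):
    """Body for POST .../jitNetworkAccessPolicies/{name}/initiate.

    ports: iterable of (number, source_prefix, duration).
    """
    return {
        "virtualMachines": [{
            "id": vm_id,
            "ports": [
                {"number": n, "allowedSourceAddressPrefix": src, "duration": dur}
                for n, src, dur in ports
            ],
        }],
        "justification": justification,
    }


def _source_allowed(requested, policy_prefix):
    """True if the requested source (address or CIDR) lies within the policy prefix."""
    if policy_prefix == "*":
        return True
    if requested == "*":
        return False  # a wildcard request never fits a restricted policy
    try:
        return ipaddress.ip_network(requested, strict=False).subnet_of(
            ipaddress.ip_network(policy_prefix, strict=False))
    except TypeError:  # mixed IPv4/IPv6 can never be a subnet match
        return False


def validate_request(policy, request):
    """Return a list of problems; an empty list means the request fits the policy."""
    configured = {}
    for vm in policy["properties"]["virtualMachines"]:
        for p in vm["ports"]:
            configured[(vm["id"], p["number"])] = p
    problems = []
    for vm in request["virtualMachines"]:
        for p in vm["ports"]:
            rule = configured.get((vm["id"], p["number"]))
            if rule is None:
                problems.append(f"port {p['number']} is not JIT-configured on {vm['id']}")
                continue
            if parse_duration_minutes(p["duration"]) > parse_duration_minutes(
                    rule["maxRequestAccessDuration"]):
                problems.append(f"port {p['number']}: {p['duration']} exceeds "
                                f"{rule['maxRequestAccessDuration']}")
            if not _source_allowed(p["allowedSourceAddressPrefix"],
                                   rule["allowedSourceAddressPrefix"]):
                problems.append(f"port {p['number']}: source "
                                f"{p['allowedSourceAddressPrefix']} is outside "
                                f"{rule['allowedSourceAddressPrefix']}")
    return problems


if __name__ == "__main__":
    # Constructed policy: SSH only from one office range for 3h, RDP from anywhere for 1h.
    policy = build_jit_policy(VM_ID, [(22, "*", "203.0.113.0/24", "PT3H"),
                                      (3389, "TCP", "*", "PT1H")])
    request = build_access_request(VM_ID, [(22, "203.0.113.7", "PT2H")], "patch window")
    print(json.dumps(policy, indent=2))
    print("problems:", validate_request(policy, request))
```

Running the check locally before a programmatic request means a request that the service would reject is caught at your desk rather than showing up as a failed operation in the activity log.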
Auditing JIT access activity in Security Center
You can gain insights into VM activities using log search. To view the logs:
- Firstly, from Just-in-time VM access, select the Configured tab.
- Secondly, for the VM that you want to audit, open the ellipsis menu at the end of the row.
- Thirdly, select Activity Log from the menu. The activity log provides a filtered view of previous operations for that VM, along with time, date, and subscription.
- Lastly, to download the log information, select Download as CSV.
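As an added example, not part of this page or of Microsoft's tooling, the following Python performs the review the audit step describes over an exported log: it counts approved JIT requests per VM in the last seven days (the figure the Configured tab shows), records the last approved access time, counts failed requests, and lists callers who obtained access but are not on an expected operator list. The CSV column layout, the operation name string, the review time and the sample rows are all constructed assumptions; match them to your own Download as CSV export.

```python
"""Review JIT access activity from an exported activity log (offline example)."""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed operation name recorded for a JIT access request; confirm it against
# your own activity log export.
JIT_INITIATE_OP = "Microsoft.Security/locations/jitNetworkAccessPolicies/initiate/action"

# Constructed sample rows in an assumed five-column layout; a real export may
# use different column names.
SAMPLE_CSV = """\
time,operation,status,caller,vm
2024-03-01T09:15:00Z,Microsoft.Security/locations/jitNetworkAccessPolicies/initiate/action,Succeeded,ops@example.com,vm1
2024-03-05T14:00:00Z,Microsoft.Security/locations/jitNetworkAccessPolicies/initiate/action,Succeeded,ops@example.com,vm1
2024-03-07T22:30:00Z,Microsoft.Security/locations/jitNetworkAccessPolicies/initiate/action,Succeeded,contractor@example.net,vm1
2024-03-06T10:00:00Z,Microsoft.Security/locations/jitNetworkAccessPolicies/initiate/action,Failed,ops@example.com,vm2
2024-03-06T10:05:00Z,Microsoft.Security/locations/jitNetworkAccessPolicies/initiate/action,Succeeded,ops@example.com,vm2
2024-03-06T11:00:00Z,Microsoft.Compute/virtualMachines/start/action,Succeeded,ops@example.com,vm2
"""

# Constructed point in time at which the review is run.
SAMPLE_NOW = datetime(2024, 3, 8, 12, 0, tzinfo=timezone.utc)


def _parse_time(value):
    """Parse the 'Z'-suffixed UTC timestamps used in the sample rows."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def summarize_jit_activity(csv_text, now, window_days=7):
    """Per-VM view of JIT requests: approved requests inside the window, failed
    requests, distinct callers who got access, and the last approved access."""
    cutoff = now - timedelta(days=window_days)
    per_vm = defaultdict(lambda: {"approved_in_window": 0, "failed": 0,
                                  "callers": set(), "last_access": None})
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["operation"] != JIT_INITIATE_OP:
            continue  # ignore everything that is not a JIT access request
        ts = _parse_time(row["time"])
        stats = per_vm[row["vm"]]
        if row["status"] != "Succeeded":
            stats["failed"] += 1
            continue
        stats["callers"].add(row["caller"])
        if ts >= cutoff:
            stats["approved_in_window"] += 1
        if stats["last_access"] is None or ts > stats["last_access"]:
            stats["last_access"] = ts
    return dict(per_vm)


def unexpected_callers(summary, approved_operators):
    """Map VM -> sorted callers who obtained JIT access but are not approved operators."""
    allowed = set(approved_operators)
    return {vm: sorted(s["callers"] - allowed)
            for vm, s in summary.items() if s["callers"] - allowed}


if __name__ == "__main__":
    summary = summarize_jit_activity(SAMPLE_CSV, SAMPLE_NOW)
    for vm, s in sorted(summary.items()):
        print(f"{vm}: {s['approved_in_window']} approved in window, "
              f"{s['failed']} failed, last access {s['last_access']}")
    print("callers to review:", unexpected_callers(summary, ["ops@example.com"]))
```

Failed requests are kept as a separate count on purpose: a run of failures from one caller against a VM is the kind of pattern a regular review should surface even though no port was opened.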
Reference: Microsoft Documentation