Azure Just in Time (JIT) Access is a security feature that allows administrators to grant temporary access to Azure resources on an as-needed basis. This helps prevent the use of static credentials.
By using JIT Access, you can reduce the attack surface of your Azure resources and minimize the impact of a potential breach. This is especially important for sensitive resources that require regular access.
JIT Access works by creating a temporary session that grants access to a specific resource for a set period of time. This session can be terminated at any time, even if the user is actively using the resource.
Temporary sessions are automatically deleted after a specified period, which can be set by the administrator. This ensures that access is only granted when needed and for a limited time.
Enabling Azure JIT Access
You can enable Azure just-in-time (JIT) access from the Microsoft Defender for Cloud page. Select Workload protections and then Defender for Cloud coverage.
To enable JIT on a VM, select Just-in-time VM access and then open the Not Configured tab, which lists the VMs that support JIT but don't have it enabled yet. Mark the VM you want to protect and click the Enable JIT on 1 VM button.
You can also enable JIT on a VM from the Azure virtual machines pages of the Azure portal. If a VM already has JIT enabled, the VM configuration page shows that JIT is enabled, and you can use the link to open the JIT VM access page in Defender for Cloud to view and change the settings.
To edit existing JIT rules for a VM, open the Workload protections and, in the advanced protections, select Just-in-time VM access. In the Configured virtual machines tab, right-click on a VM and select Edit.
The first thing to do on the JIT VM access configuration page is to delete any default ports that you do not need. For example, you can delete ports 5986, 5989, and 22 if you don't need them.
Here's a summary of the ports you can configure for JIT access:
- Port 3389: You can configure the Max request time to set the maximum time window during which this port can be opened. You can also configure the Allowed source IPs to improve security.
- Other ports: You can add custom ports as needed and configure their settings.
To save the port configuration, select Save.
Configuring and Managing
Configuring and managing Azure Just in Time Access is a crucial step in ensuring the security and compliance of your Azure environment. To configure the PIM Role Activation Settings, set the activation duration and decide whether MFA is required for role activation.
You can configure the activation duration by setting the number of hours the role will remain active for the user in the Activation maximum duration (hours) setting. The default value is eight (8) hours, while the maximum is 24 hours.
The Activation settings also include options to require justification, ticket information, or approval to activate the role. You can choose one or more of these options to add an extra layer of security to your role activation process.
To configure the PIM Role Assignment Settings, you'll need to decide whether to allow permanent eligibility or active assignment, or to expire eligible or active assignments after a certain period. You can choose to expire eligible assignments after a specified time frame, or expire active assignments after a specified duration.
The JIT configuration can be edited on a JIT-enabled VM using Defender for Cloud. You can add and configure a new port to protect for that VM, or change any other setting related to an already protected port.
Configuring PIM Role Assignment
Configuring PIM Role Assignment involves setting up the framework for allocating roles. This includes defining approval requirements and assignment policies.
To configure Assignment settings, you'll need to decide whether users can be permanently designated as eligible for a role. You can enable "Allow permanent eligible assignment" to allow users to be permanently assigned the role eligibility, or you can choose to expire eligible assignments after a certain period.
Alternatively, you can enable "Allow permanent active assignment" to allow users to have a continuous, active assignment for the role without recurring activations. This setting can be helpful for roles where constant access is required.
You can also choose to expire active assignments after a certain period, which helps enforce temporary access and minimizes the risk of prolonged exposure to privileged roles.
Once you've configured the assignment settings, remember that an eligible assignment doesn't give the user the privileges the role grants. It only gives them the ability to request activation, not to act.
Edit Enabled Configuration
Editing an enabled configuration is a crucial step in managing your Just-in-Time (JIT) setup. You can modify a VM's JIT configuration by adding and configuring a new port to protect for that VM, or by changing any other setting related to an already protected port.
To edit the existing JIT rules for a VM, you'll need to follow these steps: open the Workload protections, select Just-in-time VM access, and in the Configured virtual machines tab, right-click on a VM and select Edit.
The JIT VM access configuration page will allow you to either edit the list of ports or select Add a new custom port. When you finish editing the ports, select Save.
Alternatively, you can enable JIT on your VMs from Microsoft Defender for Cloud, from the Azure virtual machines pages of the Azure portal, or using PowerShell. Each of these methods will allow you to customize the JIT access settings for your VMs.
Enabling JIT on a VM with PowerShell involves the following:
- Use the official Microsoft Defender for Cloud PowerShell cmdlet Set-AzJitNetworkAccessPolicy.
- Close ports 22 and 3389.
- Set a maximum time window of 3 hours for each port, during which it can be opened per approved request.
- Allow the user requesting access to control the source IP addresses.
- Allow the user requesting access to establish a session once their just-in-time access request is approved.
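The procedure above written out as an added PowerShell example; it is not code from this page or from Microsoft's documentation. It assumes the Az.Security module is installed, that you are already signed in with Connect-AzAccount, and that the subscription ID, resource group, VM name and location are placeholders you replace with your own values.

```powershell
# Added example: enable JIT on one VM with Set-AzJitNetworkAccessPolicy.
# Placeholders (replace with your own values):
$subscriptionId = "<SUBSCRIPTION-ID>"
$resourceGroup  = "<RESOURCE-GROUP>"
$vmName         = "<VM-NAME>"
$location       = "<LOCATION>"   # the VM's Azure region

$vmId = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup" +
        "/providers/Microsoft.Compute/virtualMachines/$vmName"

# One entry per management port that should stay closed by default.
# maxRequestAccessDuration is an ISO 8601 duration: PT3H = 3 hours.
# allowedSourceAddressPrefix "*" in the policy means the requester chooses
# the source IP or range at request time; it is not an open allow rule,
# the port remains denied until a request is approved.
$ports = @(
    @{ number = 22;   protocol = "*"; allowedSourceAddressPrefix = @("*"); maxRequestAccessDuration = "PT3H" },
    @{ number = 3389; protocol = "*"; allowedSourceAddressPrefix = @("*"); maxRequestAccessDuration = "PT3H" }
)

$jitPolicy = @{ id = $vmId; ports = $ports }

# Create (or overwrite) the "default" JIT policy for this VM.
Set-AzJitNetworkAccessPolicy -Kind "Basic" -Location $location -Name "default" `
    -ResourceGroupName $resourceGroup -VirtualMachine @($jitPolicy)

# Check the result: the policy should now list the VM with both ports.
Get-AzJitNetworkAccessPolicy -ResourceGroupName $resourceGroup -Location $location -Name "default" |
    Select-Object -ExpandProperty VirtualMachines
```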
Remember to carefully review and modify your JIT configuration to ensure it meets your organization's security and access needs.
Security and Monitoring
To monitor and manage your JIT-enabled Bastion session, you can go to your Azure Bastion resource and choose Sessions from the Azure Bastion page.
You can validate the JIT NSG inbound security rules that were added by opening the NSG associated with the subnet the VM belongs to.
Azure provides a way to audit the JIT access activity in Microsoft Defender for Cloud, which can be accessed by going to the Just-in-time VM access page and clicking the Configured tab.
This page allows you to see all active connections and who initiated them.
To view the Activity log, go to the VM that you want to audit and open the ellipsis menu, then click on Activity Log.
The Activity log provides a filtered view of all operations performed on that particular VM.
Bastion and Networking
Azure Bastion is a fully managed PaaS service that provides secure and seamless RDP/SSH connectivity to your virtual machines directly in the Azure portal over SSL.
It provisions directly in your Azure Virtual Network, acting like a jump server as-a-service, and doesn't require public IPs to access your VMs over RDP/SSH.
You can deploy Azure Bastion per virtual network, making it available to all VMs in the virtual network.
Azure Bastion is designed to withstand attacks, with automatic patching handled by Microsoft to best guard customers against zero-day exploits.
It also provides integrated connectivity using RDP/SSH directly from your browser and the Azure portal experience, eliminating the need for an additional client, agent, or piece of software.
Azure Bastion's architecture allows for easy deployment and minimal maintenance overhead, making it an ideal solution for IT professionals.
Use with Bastion
Using Azure Bastion with your virtual machines offers a secure and seamless way to connect to them directly in the Azure portal over SSL.
Azure Bastion provisions directly in your Azure Virtual Network, acting like a jump server as-a-service, and you don't need public IPs to access your VMs over RDP/SSH.
To use Azure Bastion, you can request access to a VM in various ways, including from the Microsoft Defender for Cloud page, Azure PowerShell, or the Azure virtual machine's connect page.
If JIT is enabled for a specific VM, you'll need to select Request access before connecting; approval can take up to about a minute.
Once approved, you can click on the Bastion tab, enter the required authentication credentials, and then click "Connect" to establish a secure RDP connection to the VM via Bastion.
How Network Resources are Utilized
In Azure, JIT VM access blocks inbound traffic on the selected ports: Defender for Cloud creates "deny all inbound traffic" rules in the network security group (NSG) and in Azure Firewall.
These rules restrict access to management ports and defend Azure VMs from attacks. Existing rules on the selected ports take priority over the new "deny all inbound traffic" rules.
If there are no existing rules on the selected ports, the new rules take top priority in the NSG and Azure Firewall. Defender for Cloud configures the NSGs and Azure Firewall to allow inbound traffic to the selected ports from a specific IP address or range for a specified amount of time.
In AWS, Defender for Cloud instead creates a new EC2 security group that allows inbound traffic to the specified ports. When the requested time window expires, the NSGs are restored to their previous state; connections that are already established aren't interrupted.
JIT does not support VMs protected by Azure Firewalls controlled by Azure Firewall Manager. The Azure Firewall must be configured with Rules (Classic) and cannot use Firewall policies.
Working with JIT VM Access
Microsoft offers a range of tools to help you manage your virtual machines, including just-in-time (JIT) VM access. You can use Defender for Cloud, or enable JIT programmatically with your own custom options.
The Just-in-time VM access page groups your VMs into three categories: Configured, Not configured, and Unsupported. Configured VMs have JIT enabled, while Not configured VMs can support JIT but don't have it enabled yet.
If you're using Defender for Cloud, you can request access to a JIT-enabled VM from the Just-in-time VM access page. Select the Configured tab, choose the VMs you want to access, and then select Request access.
Here are the steps to request access:
- Select the VMs you want to access.
- Select Request access. The Request access window opens.
- Under Request access, select the ports that you want to open for each VM, the source IP addresses that you want the port opened on, and the time window to open the ports.
- Select Open ports.
If you're requesting access from behind a proxy, you can enter the IP address range of the proxy. This is a useful feature to keep in mind when working with JIT VM access.
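The request steps above, together with the NSG validation described under Security and Monitoring, as an added PowerShell example; it is not code from this page or from Microsoft's documentation. It assumes the Az.Security and Az.Network modules and an existing signed-in session; the subscription, resource group, VM, location and NSG name are placeholders, and the source IP is a constructed documentation address.

```powershell
# Added example: request JIT access to port 22 of a configured VM for one
# hour from a single source IP, then inspect the NSG inbound rules that apply.
# Placeholders (replace with your own values):
$subscriptionId = "<SUBSCRIPTION-ID>"
$resourceGroup  = "<RESOURCE-GROUP>"
$vmName         = "<VM-NAME>"
$location       = "<LOCATION>"
$nsgName        = "<NSG-NAME>"      # the NSG on the VM's subnet
$sourceIp       = "203.0.113.10"    # constructed example (TEST-NET-3); use your own public IP

$vmId     = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup" +
            "/providers/Microsoft.Compute/virtualMachines/$vmName"
$policyId = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup" +
            "/providers/Microsoft.Security/locations/$location/jitNetworkAccessPolicies/default"

# The window must not exceed the port's maxRequestAccessDuration in the policy.
$endTimeUtc = (Get-Date).ToUniversalTime().AddHours(1).ToString("o")

$request = @{
    id    = $vmId
    ports = @(
        @{ number = 22; endTimeUtc = $endTimeUtc; allowedSourceAddressPrefix = @($sourceIp) }
    )
}

# Ask Defender for Cloud to open the port for $sourceIp until $endTimeUtc.
Start-AzJitNetworkAccessPolicy -ResourceId $policyId -VirtualMachine @($request)

# Validate: list inbound rules that touch port 22 in priority order. The
# lowest priority number wins, so the temporary Allow for $sourceIp must sit
# above the JIT "deny all inbound" rule for the request to take effect.
$nsg = Get-AzNetworkSecurityGroup -Name $nsgName -ResourceGroupName $resourceGroup
$nsg.SecurityRules |
    Where-Object { $_.Direction -eq "Inbound" -and
                   ($_.DestinationPortRange -contains "22" -or $_.DestinationPortRange -contains "*") } |
    Sort-Object Priority |
    Select-Object Priority, Name, Access,
                  @{ n = "Source";   e = { $_.SourceAddressPrefix -join "," } },
                  @{ n = "DestPort"; e = { $_.DestinationPortRange -join "," } } |
    Format-Table -AutoSize
```

Rules expressed as port ranges (for example 20-25) are not matched by the simple `-contains` filter, so check those by hand if your NSG uses them.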
Sources
- https://wmatthyssen.com/2022/11/28/azure-bastion-combine-jit-with-azure-bastion/
- https://www.compete366.com/blog-posts/securely-connect-to-your-azure-virtual-machines-the-options/
- https://adamtheautomator.com/privileged-identity-management/
- https://learn.microsoft.com/en-us/azure/defender-for-cloud/just-in-time-access-overview
- https://learn.microsoft.com/en-us/azure/defender-for-cloud/just-in-time-access-usage