Monthly Archives: August 2017

Just in time Access for Virtual Machines in Azure

The issue with having a virtual machine on Microsoft Azure is that if it is publicly accessible, the IP address it uses comes from a known, published range (Microsoft publishes the Azure datacenter IP ranges here –> https://www.microsoft.com/en-us/download/details.aspx?id=41653), which makes those addresses popular targets for attackers running brute-force attacks against whatever management ports are exposed. (Having a VM available on Azure for 5 hours, I got about 1500 authentication attempts.)

Just in time scenario


So it is always recommended to lock down your virtual machines using network security groups (NSGs) and only open the management ports when access is actually needed. Of course this is a cumbersome process, because someone has to go in and alter the NSG rules every time access is requested, and remember to close them again afterwards. Luckily Microsoft recently released, in preview, Just-in-time access for virtual machines using Azure Security Center.

NOTE: The just-in-time feature is in preview and is available on the Standard tier of Security Center (which can be tried for free for 60 days), and it only supports virtual machines deployed using Azure Resource Manager (not classic VMs).

This feature allows us to grant access to a specific service on a virtual machine, such as SSH or RDP, for a set amount of time, for instance 3 hours. While the window is open the NSG contains an allow rule for the requested port and source address; when the window expires, the feature reverts the NSG rules back to the original, locked-down configuration.
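To make concrete what the feature does to the NSG, here is an added example written for this page (it is not from the original post and not the Security Center module's own code): the same lock-down, temporary-allow and revert cycle done by hand with the AzureRM.Network cmdlets of the time. The resource group `rg-demo`, the NSG name `vm1-nsg`, the rule names and the priorities are all assumptions for the example, and a real run needs an existing session from `Login-AzureRmAccount`.

```powershell
# Added example, not from the original post or the Security Center module.
# Assumes an NSG 'vm1-nsg' in resource group 'rg-demo' (both hypothetical) and an
# existing AzureRM session (Login-AzureRmAccount). Rule names and priorities are our own.

$ExpiryFormat = 'yyyyMMdd\THHmmss\Z'   # literal T and Z; always UTC, invariant culture

# Step 1: the permanent state. Deny the management ports from everywhere.
# Priority 4000 sits below the temporary allow rules we add later (100-3999) and above
# the default 65xxx rules, so the deny wins unless an explicit allow exists.
function Lock-ManagementPorts {
    param([string]$ResourceGroupName, [string]$NsgName, [int[]]$Ports = @(22, 3389))
    $nsg = Get-AzureRmNetworkSecurityGroup -ResourceGroupName $ResourceGroupName -Name $NsgName
    $prio = 4000
    foreach ($port in $Ports) {
        $ruleName = "deny-inbound-$port"
        if (-not ($nsg.SecurityRules | Where-Object { $_.Name -eq $ruleName })) {
            Add-AzureRmNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg -Name $ruleName `
                -Description "Default deny for port $port; opened only on request" `
                -Access Deny -Protocol Tcp -Direction Inbound -Priority $prio `
                -SourceAddressPrefix '*' -SourcePortRange '*' `
                -DestinationAddressPrefix '*' -DestinationPortRange "$port" | Out-Null
        }
        $prio++
    }
    Set-AzureRmNetworkSecurityGroup -NetworkSecurityGroup $nsg | Out-Null
}

# Step 2: open one port for one source address for a limited time. The expiry is encoded
# in the rule name so the cleanup below needs no extra state.
function Grant-TemporaryAccess {
    param([string]$ResourceGroupName, [string]$NsgName, [int]$Port, [string]$SourceIp, [int]$Hours = 3)
    $nsg = Get-AzureRmNetworkSecurityGroup -ResourceGroupName $ResourceGroupName -Name $NsgName
    $expires = (Get-Date).ToUniversalTime().AddHours($Hours)
    $name = 'jit-{0}-{1}' -f $Port, $expires.ToString($ExpiryFormat, [cultureinfo]::InvariantCulture)
    # lowest free priority in the range reserved for temporary rules
    $used = @($nsg.SecurityRules | ForEach-Object { $_.Priority })
    $prio = 100
    while ($used -contains $prio) { $prio++ }
    Add-AzureRmNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg -Name $name `
        -Description "Temporary access from $SourceIp until $($expires.ToString('u'))" `
        -Access Allow -Protocol Tcp -Direction Inbound -Priority $prio `
        -SourceAddressPrefix "$SourceIp/32" -SourcePortRange '*' `
        -DestinationAddressPrefix '*' -DestinationPortRange "$Port" | Out-Null
    Set-AzureRmNetworkSecurityGroup -NetworkSecurityGroup $nsg | Out-Null
    return $name
}

# Parse the expiry back out of a rule name; $null for rules that are not ours.
function Get-RuleExpiry {
    param([string]$RuleName)
    $m = [regex]::Match($RuleName, '^jit-\d+-(\d{8}T\d{6}Z)$')
    if (-not $m.Success) { return $null }
    $styles = [System.Globalization.DateTimeStyles]::AssumeUniversal -bor
              [System.Globalization.DateTimeStyles]::AdjustToUniversal
    return [datetime]::ParseExact($m.Groups[1].Value, $ExpiryFormat, [cultureinfo]::InvariantCulture, $styles)
}

# Step 3: the revert. Run on a schedule (e.g. Azure Automation) to drop every expired allow rule.
function Remove-ExpiredAccess {
    param([string]$ResourceGroupName, [string]$NsgName)
    $nsg = Get-AzureRmNetworkSecurityGroup -ResourceGroupName $ResourceGroupName -Name $NsgName
    $now = (Get-Date).ToUniversalTime()
    $expired = @($nsg.SecurityRules | Where-Object { $e = Get-RuleExpiry $_.Name; $e -and $e -le $now })
    foreach ($rule in $expired) {
        Remove-AzureRmNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg -Name $rule.Name | Out-Null
    }
    if ($expired.Count -gt 0) { Set-AzureRmNetworkSecurityGroup -NetworkSecurityGroup $nsg | Out-Null }
    return $expired | ForEach-Object { $_.Name }
}

# Usage (hypothetical names):
# Lock-ManagementPorts -ResourceGroupName 'rg-demo' -NsgName 'vm1-nsg'
# $rule = Grant-TemporaryAccess -ResourceGroupName 'rg-demo' -NsgName 'vm1-nsg' -Port 3389 -SourceIp '203.0.113.10' -Hours 3
# Remove-ExpiredAccess -ResourceGroupName 'rg-demo' -NsgName 'vm1-nsg'   # after the 3 hours, removes $rule
```

Two design points worth noting: the allow rule is scoped to a single source address (`/32`) and a single port, never `*`, and the expiry timestamp is written and read with the invariant culture, which avoids exactly the kind of regional date-format surprises that can bite scripts like this on machines with non-US locale settings.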

In order to use the feature we first have to enable JIT access on our virtual machines.

Enable just in time access

Below are the virtual machines I have already configured for JIT access. Only virtual machines that have an NSG attached can be configured, since the feature works by managing the rules in that NSG.


From here I can select a VM and request access (all requests and approvals are logged), and I can also specify the ports, the source IP address the access is granted from, and the time range (default is 3 hours).


Note that this feature does not log any activity going on inside the virtual machine; it only controls the network path. It should be used in conjunction with Log Analytics, which can gather security logs from inside the guest OS, so that you can track every logon attempt that happened during the interval in which the virtual machine was open for remote access.
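As an added illustration of what that guest-side logging should give you (this is example code written for this page, not part of the original post and not a Log Analytics query): a PowerShell snippet that reads failed-logon events (Security event ID 4625) from the guest's Windows Security log for the hours the port was open and summarises them per source address. The sample event record embedded below is constructed so the parsing can be tried without a real log; the window times are assumptions to be replaced with the interval of the JIT request.

```powershell
# Added example, not from the original post. Reads Windows Security event 4625 (failed logon)
# for a given window and summarises attempts per source IP. Run inside the guest, or against
# events forwarded to a collector. The sample record at the bottom is constructed for the example.

# Turn the XML of one 4625 event into a flat object with the fields we care about.
function ConvertFrom-FailedLogonXml {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$EventXml)
    process {
        $xml = [xml]$EventXml
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time       = [datetime]::Parse($xml.Event.System.TimeCreated.SystemTime,
                             [cultureinfo]::InvariantCulture,
                             [System.Globalization.DateTimeStyles]::AdjustToUniversal)
            TargetUser = $data['TargetUserName']
            SourceIp   = $data['IpAddress']
            LogonType  = $data['LogonType']   # 3 = network, 10 = RemoteInteractive (RDP)
            Status     = $data['Status']      # 0xC000006D = unknown user name or bad password
        }
    }
}

# Group parsed events by source IP and count them, busiest source first.
function Get-FailedLogonSummary {
    param([Parameter(Mandatory)][object[]]$Events)
    $Events | Group-Object SourceIp | Sort-Object Count -Descending | ForEach-Object {
        $sorted = $_.Group | Sort-Object Time
        [pscustomobject]@{
            SourceIp = $_.Name
            Attempts = $_.Count
            Users    = ($_.Group.TargetUser | Sort-Object -Unique) -join ','
            First    = ($sorted | Select-Object -First 1).Time
            Last     = ($sorted | Select-Object -Last 1).Time
        }
    }
}

# Live query for the access window; pass the start/end of the JIT request (values here are assumptions).
function Get-FailedLogonsInWindow {
    param([datetime]$Start, [datetime]$End)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $Start; EndTime = $End } `
        -ErrorAction SilentlyContinue |
        ForEach-Object { $_.ToXml() } | ConvertFrom-FailedLogonXml
}

# Constructed sample record (one of what would be hundreds in a real window).
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" />
    <EventID>4625</EventID>
    <TimeCreated SystemTime="2017-08-04T10:15:32.7658436Z" />
  </System>
  <EventData>
    <Data Name="TargetUserName">administrator</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="Status">0xc000006d</Data>
    <Data Name="IpAddress">203.0.113.10</Data>
    <Data Name="IpPort">51234</Data>
  </EventData>
</Event>
'@

$parsed = $sample | ConvertFrom-FailedLogonXml
Get-FailedLogonSummary -Events @($parsed) | Format-Table -AutoSize

# Against a real guest during the window the JIT request opened:
# Get-FailedLogonSummary -Events @(Get-FailedLogonsInWindow -Start (Get-Date '2017-08-04 10:00') -End (Get-Date '2017-08-04 13:00'))
```

The point of grouping by source address is that a JIT window is supposed to admit exactly one address (the one in the request); any other source showing up in the 4625 events during that interval means the NSG rule was wider than intended or the port was reachable some other way.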

In order to use this feature from PowerShell, you need the latest Azure PowerShell cmdlets and also the Azure Security Center cmdlets (the Azure-Security-Center module from the PowerShell Gallery). Alternatively, you can use the portal UI to set up the access
and from there on invoke access using PowerShell.

Get the latest module here –> https://www.powershellgallery.com/packages/Azure-Security-Center/0.0.12

Install-Module -Name Azure-Security-Center (NOTE: a new version came out today, 04/08/2017)

Then you need to log in to your Azure subscription from PowerShell.
In order to invoke a JIT session for a virtual machine you run the command:

Invoke-ASCJITAccess -ResourceGroupName nameofresourcegroup -VM nameofvm -Port portyouwanttoopen -Hours 3

NOTE: I had some issues because of the regional setup on my computer when using the Azure Security Center module.