Saturday, February 3, 2018

Getting started with Azure Just-in-time VM Access

Azure Security Center (ASC) currently has a preview service called Just-in-time VM Access.  The goal of this service is to let users request time-bounded access to an Azure VM, rather than having standing access granted.  The goal of this post is to discuss some of the concepts behind this service, and how to enable it.

How it works

The premise behind Just-in-time access is pretty simple.  When onboarding a VM, you specify which ports you want to control.  The VM itself must be protected by a network security group (NSG).  When you protect a particular port, you will see the following change to the corresponding network security group: a deny rule for that port is added.



When access is requested (and automatically granted), Azure adds an allow rule for the port that takes precedence over that deny rule, scoped to the requested source address.  It looks like the following:




When making an access request, you have to specify a duration for the request.  At the end of that duration, you'll see that the allow rule is deleted, so the port is closed again and the deny rule is all that remains.
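To make the rule changes above concrete, here is an added example (my own illustration for this post, not Security Center's code) that models an NSG's inbound evaluation and walks a port through the JIT lifecycle: protect the port (deny rule added), grant a request (time-bounded allow rule from the requester's source), then expire it (allow rule deleted). The rule names, the 4000/4096 priorities and the three-hour maximum are assumptions for the illustration; the evaluation order (lowest priority number first, first match wins) is how Azure NSGs really behave. It also includes a check I would run after onboarding: any permanent allow rule that sorts ahead of the JIT deny rule keeps the port open regardless of JIT.

```python
"""Model of the NSG changes Just-in-time VM Access makes. Added illustration
for this post, not Microsoft's code: rule names, the 4000/4096 priorities and
the 3-hour maximum are assumptions; the evaluation order (lowest priority
number first, first match wins) is how Azure NSGs actually behave."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

JIT_ALLOW_PRIORITY = 4000   # assumed: allow rules must sort before the deny
JIT_DENY_PRIORITY = 4096    # assumed: deny written when a port is protected
MAX_REQUEST_HOURS = 3       # the policy's "max time range" (assumed value)


@dataclass
class Rule:
    name: str
    priority: int
    access: str                         # "Allow" or "Deny"
    port: Optional[int]                 # None means any port
    source: str                         # CIDR, single IP, or "*"
    expires: Optional[datetime] = None  # only JIT allow rules carry a duration

    def matches(self, src_ip: str, port: int) -> bool:
        if self.port is not None and self.port != port:
            return False
        return self.source == "*" or ip_address(src_ip) in ip_network(self.source, strict=False)


class Nsg:
    """Inbound rule set. Expiry is NOT consulted by evaluate(): a real NSG
    keeps enforcing a rule until the JIT service deletes it (see expire())."""

    def __init__(self) -> None:
        # Azure's built-in catch-all: anything not matched earlier is denied.
        self.rules: List[Rule] = [Rule("DenyAllInBound", 65500, "Deny", None, "*")]

    def next_free(self, start: int) -> int:
        used = {r.priority for r in self.rules}
        while start in used:
            start += 1
        return start

    def add(self, rule: Rule) -> None:
        if rule.priority in {r.priority for r in self.rules}:
            raise ValueError(f"priority {rule.priority} already in use")
        self.rules.append(rule)

    def expire(self, now: datetime) -> List[str]:
        """What JIT does at the end of a request: delete the timed rule."""
        gone = [r for r in self.rules if r.expires is not None and r.expires <= now]
        self.rules = [r for r in self.rules if r not in gone]
        return [r.name for r in gone]

    def evaluate(self, src_ip: str, port: int) -> str:
        for rule in sorted(self.rules, key=lambda r: r.priority):
            if rule.matches(src_ip, port):
                return rule.access
        return "Deny"


def deny_name(port: int) -> str:
    return f"SecurityCenter-JITRule_deny_{port}"


def protect_port(nsg: Nsg, port: int) -> Rule:
    """Onboarding a port: a Deny rule so nothing is open until a request is granted."""
    rule = Rule(deny_name(port), nsg.next_free(JIT_DENY_PRIORITY), "Deny", port, "*")
    nsg.add(rule)
    return rule


def request_access(nsg: Nsg, port: int, source: str, hours: float, now: datetime) -> Rule:
    """Grant a request: a time-bounded Allow rule that sorts before the deny."""
    if not 0 < hours <= MAX_REQUEST_HOURS:
        raise ValueError(f"duration must be within (0, {MAX_REQUEST_HOURS}] hours")
    if not any(r.name == deny_name(port) for r in nsg.rules):
        raise ValueError(f"port {port} is not JIT-protected")
    rule = Rule(f"SecurityCenter-JITRule_allow_{port}", nsg.next_free(JIT_ALLOW_PRIORITY),
                "Allow", port, source, now + timedelta(hours=hours))
    nsg.add(rule)
    return rule


def standing_access(nsg: Nsg, port: int) -> List[str]:
    """Permanent Allow rules sorting ahead of the JIT deny keep the port open."""
    deny = next((r for r in nsg.rules if r.name == deny_name(port)), None)
    if deny is None:
        return []
    return [r.name for r in nsg.rules
            if r.access == "Allow" and r.expires is None
            and r.port in (None, port) and r.priority < deny.priority]


def demo() -> Dict[str, object]:
    t0 = datetime(2018, 2, 3, 12, 0, tzinfo=timezone.utc)
    nsg = Nsg()
    nsg.add(Rule("allow-ssh-anywhere", 300, "Allow", 22, "*"))  # leftover standing rule
    protect_port(nsg, 3389)
    protect_port(nsg, 22)
    out: Dict[str, object] = {"standing_ssh": standing_access(nsg, 22)}
    out["rdp_before"] = nsg.evaluate("203.0.113.10", 3389)
    request_access(nsg, 3389, "203.0.113.0/24", 2, t0)
    out["rdp_requester"] = nsg.evaluate("203.0.113.10", 3389)
    out["rdp_other"] = nsg.evaluate("198.51.100.7", 3389)
    out["removed"] = nsg.expire(t0 + timedelta(hours=2))
    out["rdp_after"] = nsg.evaluate("203.0.113.10", 3389)
    return out


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the requester's /24 allowed only between the grant and the expiry, a different source denied throughout, and the leftover `allow-ssh-anywhere` rule flagged as standing access that JIT never closes.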

Activity Logs

From an activity log perspective, you will see a write against the network security group, and it will have been initiated by the Azure Security resource provider rather than by the user who asked for access.
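Because the NSG write is attributed to the service rather than the requester, an auditor who only filters on NSG writes sees the Security Center identity, not the human. The added example below (my own, not Microsoft tooling) walks a batch of Activity Log events, separates JIT-initiated NSG writes from manual ones, and ties each JIT write back to the separate `Microsoft.Security/.../jitNetworkAccessPolicies/initiate/action` event that Security Center records under the requester's identity. `SAMPLE_EVENTS` is a constructed subset of the real event schema (`operationName`, `caller`, `resourceId`, `eventTimestamp`); the `security-center-principal` caller value, the five-minute correlation window, and correlating on the VM's resource group are assumptions you would replace with the identity and layout seen in your own tenant.

```python
"""Audit of Azure Activity Log events around JIT. Added example for this post,
not Microsoft's tooling. SAMPLE_EVENTS is a constructed subset of the real
event schema; the Security Center caller value, the 5-minute window and the
resource-group correlation are assumptions."""
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Set

NSG_WRITE = "Microsoft.Network/networkSecurityGroups/write"
JIT_INITIATE = "Microsoft.Security/locations/jitNetworkAccessPolicies/initiate/action"

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"   # constructed
NSG_ID = SUB + "/resourceGroups/bastion-rg/providers/Microsoft.Network/networkSecurityGroups/bastion-nsg"
JIT_CALLERS: Set[str] = {"security-center-principal"}         # assumed placeholder identity

SAMPLE_EVENTS: List[Dict[str, str]] = [  # constructed, in chronological order
    {"operationName": JIT_INITIATE, "caller": "alice@contoso.example",
     "resourceId": SUB + "/resourceGroups/bastion-rg/providers/Microsoft.Security"
                   "/locations/eastus/jitNetworkAccessPolicies/default",
     "eventTimestamp": "2018-02-03T12:00:00Z"},
    {"operationName": NSG_WRITE, "caller": "security-center-principal",   # JIT adds allow rule
     "resourceId": NSG_ID, "eventTimestamp": "2018-02-03T12:00:08Z"},
    {"operationName": NSG_WRITE, "caller": "bob@contoso.example",          # manual NSG change
     "resourceId": NSG_ID, "eventTimestamp": "2018-02-03T13:15:00Z"},
    {"operationName": NSG_WRITE, "caller": "security-center-principal",   # JIT removes rule at expiry
     "resourceId": NSG_ID, "eventTimestamp": "2018-02-03T14:00:09Z"},
]


def parse_ts(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def resource_group(resource_id: str) -> str:
    """Resource group segment of an ARM resource id, lower-cased."""
    parts = resource_id.split("/")
    for i, part in enumerate(parts):
        if part.lower() == "resourcegroups" and i + 1 < len(parts):
            return parts[i + 1].lower()
    return ""


def audit(events: Iterable[Dict[str, str]], jit_callers: Set[str],
          window: timedelta = timedelta(minutes=5)) -> Dict[str, List[Dict[str, object]]]:
    """Split NSG writes into JIT-driven and manual; attribute JIT writes to the
    most recent initiate action in the same resource group within `window`.
    A JIT write with no preceding request (e.g. rule removal at expiry) gets
    requested_by=None rather than being silently dropped."""
    events = list(events)
    initiates = [e for e in events if e["operationName"] == JIT_INITIATE]
    report: Dict[str, List[Dict[str, object]]] = {"jit": [], "manual": []}
    for e in events:
        if e["operationName"] != NSG_WRITE:
            continue
        nsg = e["resourceId"].rsplit("/", 1)[-1]
        if e["caller"] not in jit_callers:
            report["manual"].append({"nsg": nsg, "caller": e["caller"], "at": e["eventTimestamp"]})
            continue
        t = parse_ts(e["eventTimestamp"])
        rg = resource_group(e["resourceId"])
        candidates = [i for i in initiates
                      if resource_group(i["resourceId"]) == rg
                      and timedelta(0) <= t - parse_ts(i["eventTimestamp"]) <= window]
        requester = (max(candidates, key=lambda i: parse_ts(i["eventTimestamp"]))["caller"]
                     if candidates else None)
        report["jit"].append({"nsg": nsg, "requested_by": requester, "at": e["eventTimestamp"]})
    return report


if __name__ == "__main__":
    for kind, rows in audit(SAMPLE_EVENTS, JIT_CALLERS).items():
        print(kind, rows)
```

On the constructed sample, the first JIT write is attributed to alice, the expiry-time write has no requester, and bob's direct NSG edit lands in the manual list, which is the one a reviewer should be paying attention to once JIT is in place.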




How to set it up

Setting up this service on a VM is pretty easy, and the Microsoft documentation for it is pretty accurate.

In short:

- You need the Standard tier of ASC, and the target VM must be onboarded to ASC.
- You need a network security group protecting the target VM.

Go into ASC and head to the "Recommended" tab.


After selecting a VM, you can specify which ports you'd like to protect with this service.



Each rule can be configured appropriately.  You can pre-specify the source address, or allow the requester to specify it.  You can set the maximum duration for a request (which also ends up being the default).  You can also change the ports.  The recommended ports appear to be a static list of common management ports (22, 3389, 5985 and 5986 by default) and do not take into account what is actually listening on the protected resource.

In conclusion, removing standing access to protected resources is an important security measure.  Since these requests are authenticated by Azure Active Directory and authorized through Azure RBAC (the requester needs the Microsoft.Security/locations/jitNetworkAccessPolicies/initiate/action permission on the VM), you get all the added benefits of those services to govern, control and audit the access requests.  Turning this feature on is worth it, at least for your bastion hosts.