If you are running servers in Azure, and especially if they have a public IP address, you will want to lock down inbound traffic to these VMs as much as possible, in particular on the ports used for remote administration, as these are a common target for hackers.
As well as standard measures, such as Network Security Groups (NSG) and Azure Firewall, Microsoft Azure offers Just-in-time (JIT) VM access via Azure Security Center.
JIT minimises the risk of brute-force attacks against common management ports (or any ports you define) by creating NSG and, if needed, Azure Firewall rules that block inbound traffic to a VM until access is requested. The ports are configurable when you set up JIT; by default the managed ports are:
- 22 – SSH
- 3389 – RDP
- 5985 – WinRM
- 5986 – WinRM
When access is requested, assuming the requestor has the required permissions, Azure Security Center automatically configures the NSGs and Azure Firewall to allow inbound traffic to the selected ports, from the requested source IP addresses, for the time specified.
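To make the two halves of that workflow concrete (the policy that locks the ports down, and the request that opens one of them for a single source IP and a fixed window), here is an added Azure PowerShell example. It is not code from the original post; it assumes the Az.Security module's Set-AzJitNetworkAccessPolicy, Start-AzJitNetworkAccessPolicy and Get-AzJitNetworkAccessPolicy cmdlets, and every subscription ID, resource group, location, VM name and IP address in it is a placeholder you replace with your own.

```powershell
# Added example (not from the original post): enable JIT on one VM, then
# request access to it, using Azure PowerShell (Az.Security module).
# All IDs, names, locations and IP addresses below are placeholders.

Import-Module Az.Accounts
Import-Module Az.Security
Connect-AzAccount   # interactive sign-in; omit if a session already exists

$subscriptionId = "<SUBSCRIPTION-ID>"     # placeholder
$resourceGroup  = "<RESOURCE-GROUP>"      # placeholder
$location       = "<LOCATION>"            # placeholder, e.g. uksouth
$vmName         = "<VM-NAME>"             # placeholder
$vmId = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup" +
        "/providers/Microsoft.Compute/virtualMachines/$vmName"

# 1. Define the JIT policy for the four default ports from the post. Each port
#    gets a maximum request duration of 3 hours (ISO 8601 "PT3H"). Once the
#    policy exists, Security Center writes NSG rules that deny these ports
#    until someone makes a request.
$managedPorts = 22, 3389, 5985, 5986
$jitPolicy = @{
    id    = $vmId
    ports = @(
        $managedPorts | ForEach-Object {
            @{
                number                     = $_
                protocol                   = "*"
                allowedSourceAddressPrefix = @("*")   # prefixes a request may ask for
                maxRequestAccessDuration   = "PT3H"
            }
        }
    )
}

Set-AzJitNetworkAccessPolicy -Kind "Basic" `
    -Location $location `
    -Name "default" `
    -ResourceGroupName $resourceGroup `
    -VirtualMachine @($jitPolicy)

# 2. Request access: open only RDP, only from the requester's public IP, and
#    only for the next hour. Security Center adds a matching NSG allow rule
#    and removes it again once endTimeUtc has passed.
$requesterIp = "<REQUESTER-PUBLIC-IP>"    # placeholder, e.g. 203.0.113.10
$endTime     = (Get-Date).ToUniversalTime().AddHours(1).ToString("o")

$accessRequest = @{
    id    = $vmId
    ports = @(
        @{
            number                     = 3389
            endTimeUtc                 = $endTime
            allowedSourceAddressPrefix = @($requesterIp)
        }
    )
}

$policyId = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup" +
            "/providers/Microsoft.Security/locations/$location" +
            "/jitNetworkAccessPolicies/default"

Start-AzJitNetworkAccessPolicy -ResourceId $policyId -VirtualMachine @($accessRequest)

# 3. Review the policy, including any requests currently open against it.
Get-AzJitNetworkAccessPolicy -ResourceGroupName $resourceGroup `
    -Location $location -Name "default" | Format-List
```

Step 1 is a one-off administrative action; step 2 is the only thing an external provider should be able to do, and it is deliberately narrower than the policy allows (one port, one source address, one hour rather than the three-hour maximum). Keeping the request that narrow is what makes the audit trail in Security Center useful: each open rule maps to a named requester, a single address and an expiry.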
Our requirement today was to grant JIT access to Azure VMs which have a public IP address whilst using the principle of least privilege and giving the minimum possible rights over the VM within the Azure portal. This was to allow an external service provider to log into the Azure portal and request JIT access for specific servers without being granted any additional privileges.
Over the next couple of days, I’m going to cover the following topics:
- Implementing Just-in-time VM Access in Azure Security Center
- Implementing Just-in-time VM Access in VM page
- Role-based access controls (RBAC) in Azure
- Creating custom RBAC rules
- Granting JIT access to VMs via RBAC using the principle of least privilege
This will hopefully help people start using JIT and ultimately lead to more secure environments for your internet-facing VMs.