Managing Just-in-Time (JIT) Access for Azure Virtual Machines

01/10/2024

This technical and educational article aims to guide security analysts, IT administrators, and systems engineers in implementing and managing Just-in-Time (JIT) Access for Azure Virtual Machines (VMs). JIT is a fundamental security feature offered by Microsoft Defender for Cloud that helps protect VMs against unauthorized access attacks, dramatically reducing the network attack surface by limiting access to management ports only when and for as long as strictly necessary [1].

Introduction

In cloud environments, Virtual Machines are often targets of brute force attacks and port scans, especially those with management ports (such as RDP 3389 and SSH 22) exposed to the internet. Keeping these ports open continually creates an unnecessarily large attack surface, increasing the risk of compromise. JIT Access solves this problem by allowing security teams to block inbound traffic to VMs by default and open management ports only on demand, for a limited period of time, and from specific IP addresses. This approach follows the principle of least privilege and Zero Trust, ensuring that access is granted only when justified and for the shortest possible time [2].

This practical guide covers the prerequisites for enabling JIT, the configuration process through Microsoft Security Center, how to request and approve JIT access, integration with security alerts, and best practices for effective management. Step-by-step instructions and example Azure CLI commands are provided so that the reader can implement and validate JIT, strengthening the security of their Azure VMs and protecting them against unauthorized access threats.

Why is Just-in-Time (JIT) Access crucial for Azure VMs?

  • Attack Surface Reduction: Closes VM management ports by default, exposing them only when and for as long as necessary, minimizing opportunities for attackers.
  • Granular Access Control: Allows you to specify which users can request access, which ports can be opened, for how long and from which source IP addresses.
  • Compliance: Helps meet compliance requirements that require tight control over access to critical resources.
  • Visibility and Auditing: Provides detailed logs of all JIT access requests, approvals, and port openings/closings, facilitating security auditing and investigation.
  • Integration with Defender for Cloud: Fully integrated with Microsoft Defender for Cloud, leveraging its security posture management and threat protection capabilities.
  • Automation: Can be automated to approve access in specific scenarios, such as incident response or scheduled maintenance operations.

Prerequisites

To implement JIT Access for Azure Virtual Machines, you will need the following items:

  1. Active Azure Subscription: An Azure subscription to create and manage resources.
  2. Administrative Access: An account with the role of Owner, Contributor or Security Administrator in the Azure subscription, or in the resource group where the VMs are located.
  3. Microsoft Defender for Cloud Standard (or Defender for Servers): JIT is a premium feature of Microsoft Defender for Cloud and requires the Defender for Servers plan to be enabled on the subscription containing the VMs [3].
  4. Existing Azure Virtual Machines: Azure VMs that you want to protect with JIT. For this tutorial, we'll assume you already have VMs deployed.
  5. Azure CLI or Azure PowerShell: Installed and configured command-line tools to interact with Azure.

Step by Step: Enabling and Managing JIT Access

Let's configure the JIT for your Azure VMs.

1. Enabling the Defender for Servers Plan

As mentioned in the prerequisites, JIT requires the Defender for Servers plan to be enabled.

  1. Open your browser and navigate to the Azure portal: https://portal.azure.com.
  2. Log in with an account that has the necessary permissions.
  3. In the top search field, type Defender for Cloud and select it from the results.
  4. In the Defender for Cloud dashboard, select Environment Settings in the left navigation pane.
  5. Select the Azure subscription that contains your VMs.
  6. On the Defender plans page, make sure the Defender for Servers plan is enabled. If it is not, click Enable and follow the instructions to enable it.

2. Enabling JIT Access for VMs

You can enable JIT for individual VMs or for multiple VMs at once.

  1. In the Defender for Cloud dashboard, select Workload Protection in the left navigation pane.
  2. Scroll down to the Advanced Protection section and click on Just-in-Time VM Access.
  3. Under the Virtual Machines tab, you will see three sub-tabs: Configured, Recommended and Not Configured.
    • Configured: Lists the VMs that are already protected by JIT.
    • Recommended: Lists the VMs that Security Center recommends protecting with JIT.
    • Not Configured: Lists VMs that are not JIT protected but are eligible.
  4. Select the VMs in the Recommended or Not Configured tab for which you want to enable JIT.
  5. Click Enable JIT on VM.
  6. Configure JIT Policy: For each selected VM, you can configure the following options:
    • Ports: The management ports that will be protected (e.g. 22, 3389, 5985, 5986). You can add custom ports.
    • Protocol: The protocol for each port (e.g. TCP, UDP).
    • Maximum request time: The maximum time (in hours) that a port can stay open after an approved request. The default is 3 hours.
    • Approved source IP addresses: Optional, but highly recommended. Restricts access to specific IPs or IP blocks. By default it is Any (*), which means access can be requested from any IP.
  7. Click Save to apply the JIT policy to the selected VMs.

3. Requesting Just-in-Time Access to a VM

When a user or administrator needs to access a JIT-protected VM, they must request access.

  1. In the Security Center dashboard, select Workload Protection > Just-in-Time VM Access.
  2. In the Virtual Machines tab, select the VM you want to access (it should be in the Configured tab).
  3. Click Request Access.
  4. In the Request Access window, specify:
    • Ports: The ports you need to open.
    • Source IP Address: The public IP address from which you will connect. You can select My IP Address (your device's current public IP) or Custom to specify an IP or CIDR.
    • Time Period: The duration of access (limited by the Maximum Request Time configured in the JIT policy).
    • Justification: A brief description of the reason for the access request.
  5. Click Open Ports.
    • Note: If the JIT policy requires approval, the request is sent to the configured approvers before the ports are opened.
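The policy settings of step 2 and the request fields of step 3 map onto the JIT REST API that the portal itself calls. The following Python is added here as an example (it is not from the article or from Microsoft): it builds both request bodies for use with `az rest` and refuses the weak or invalid inputs the article warns about. The API path, api-version and body field names are assumptions based on the public Microsoft.Security JIT API, and the VM resource ID used in the test is a placeholder.

```python
import ipaddress

# Assumed API shape (not from the article): PUT the policy body to
# .../Microsoft.Security/locations/<loc>/jitNetworkAccessPolicies/default
# and POST the request body to that path + "/initiate" (api-version 2020-01-01).

def _iso_hours(hours):
    """ISO 8601 duration the JIT API expects, e.g. 2 -> 'PT2H'."""
    return f"PT{int(hours)}H"

def build_policy(vm_id, ports, max_hours=3, source="*"):
    """Policy body for step 2: protected ports, maximum request window and
    approved source prefix (defaults mirror the portal: 3 h, Any)."""
    if source != "*":
        ipaddress.ip_network(source, strict=False)  # IP or CIDR, else ValueError
    return {"kind": "Basic", "properties": {"virtualMachines": [{"id": vm_id, "ports": [
        {"number": p, "protocol": "TCP", "allowedSourceAddressPrefix": source,
         "maxRequestAccessDuration": _iso_hours(max_hours)} for p in ports]}]}}

def audit_policy(policy, max_recommended_hours=2):
    """Flag the weak settings the article warns about: Any (*) source and
    request windows longer than the recommended 1-2 hours."""
    findings = []
    for vm in policy["properties"]["virtualMachines"]:
        for port in vm["ports"]:
            if port["allowedSourceAddressPrefix"] == "*":
                findings.append(f"port {port['number']}: source is Any (*)")
            hours = int(port["maxRequestAccessDuration"][2:-1])  # "PT3H" -> 3
            if hours > max_recommended_hours:
                findings.append(f"port {port['number']}: max {hours}h > {max_recommended_hours}h")
    return findings

def build_request(policy, vm_id, port, source_ip, hours, justification):
    """Request body for step 3 (/initiate). Refuses ports the policy does not
    cover, Any (*) sources, sources outside the approved prefix and windows
    longer than the policy maximum, so a bad request fails before reaching Azure."""
    vm = next(v for v in policy["properties"]["virtualMachines"] if v["id"] == vm_id)
    rule = next((p for p in vm["ports"] if p["number"] == port), None)
    if rule is None or source_ip == "*":
        raise ValueError(f"port {port} not in policy, or source is Any (*)")
    src = ipaddress.ip_network(source_ip, strict=False)
    allowed = rule["allowedSourceAddressPrefix"]
    if allowed != "*" and not src.subnet_of(ipaddress.ip_network(allowed, strict=False)):
        raise ValueError(f"{source_ip} is outside the approved prefix {allowed}")
    if hours > int(rule["maxRequestAccessDuration"][2:-1]):
        raise ValueError(f"{hours}h exceeds policy maximum {rule['maxRequestAccessDuration']}")
    return {"virtualMachines": [{"id": vm_id, "ports": [{"number": port,
                "duration": _iso_hours(hours), "allowedSourceAddressPrefix": source_ip}]}],
            "justification": justification}
```

Serialize each body with json.dumps and pass it to `az rest --method put --url <policy URL> --body ...` for the policy, or `--method post` against the same URL with `/initiate` appended for the access request.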

4. Approving JIT Access Requests (if configured)

For scenarios where approval is required (via Azure Logic Apps or Azure Functions), the process may vary. By default, JIT opens ports immediately upon request unless a workflow automation is configured.

  • Tip: For approval workflows, you can use Azure Logic Apps to monitor Azure audit logs or Azure Security Center events and trigger an approval process (e.g., email a security group for manual approval).

5. Checking JIT Access Status

After requesting access, you can check the status on the portal.

  1. In the Security Center dashboard, select Workload Protection > Just-in-Time VM Access.
  2. In the Virtual Machines tab, the VM you requested access to should show a status of Active, or Pending if the request is still awaiting approval.
  3. The Time Remaining column will show how much access time is left.

6. Disabling JIT Access (Optional)

If you need to disable JIT for a VM, follow these steps:

  1. In the Security Center dashboard, select Workload Protection > Just-in-Time VM Access.
  2. In the Virtual Machines tab, select the configured VM.
  3. Click Disable JIT on VM.

Validation and Testing

Validating the effectiveness of JIT Access is crucial to ensuring that your VMs are protected and that access can be granted when necessary.

1. Testing the Default Block

  1. Try to connect to a management port (e.g. RDP 3389 or SSH 22) on a JIT-protected VM without requesting JIT access.
    • Expected Result: The connection should be refused or time out, as the ports are closed by default.

2. Testing Approved JIT Access

  1. Request JIT access to the desired VM and port, using your public IP address as the source.
  2. After approval (or immediate opening if no approval is configured), try to access the VM via RDP or SSH from the same public IP address.
    • Expected Result: The connection should succeed.
  3. Wait until the JIT access time expires (or manually cancel access).
  4. Try accessing the VM again.
    • Expected Result: The connection should be refused again.

3. Checking Audit Logs

All JIT operations are logged in Azure audit logs, providing a complete trail of who requested what, when, and from where.

  1. In the Azure portal, navigate to your resource group or specific VM.
  2. In the left navigation pane, select Activity Log.
  3. Filter for events related to Just-in-Time VM Access or Microsoft.Security/locations/jitNetworkAccessPolicies.
    • You will see events such as JIT network access policy created, JIT network access policy requested, JIT network access policy approved (if applicable) and JIT network access policy closed.

Security Tips and Best Practices

  • Principle of Least Privilege: Configure JIT policies to grant the least privilege possible – the exact ports needed, for the shortest time possible, and from the most restricted source IPs.
  • Restrict Source IP Addresses: Whenever possible, specify source IP addresses in the JIT policy and access requests. Avoid using Any (*) for source IPs.
  • Short Time Periods: Set the maximum request time to the shortest reasonable period of time (e.g. 1-2 hours), forcing users to re-evaluate the need for access.
  • Monitoring and Alerts: Configure alerts in Azure Monitor for JIT access requests, especially for critical ports or unexpected IPs. Integrate these alerts with your SIEM (e.g. Microsoft Sentinel).
  • Workflow Automation: For environments with strict approval requirements, use Azure Logic Apps or Azure Functions to create custom approval workflows for JIT requests.
  • Documentation and Training: Clearly document JIT access policies and train users on how to request access and the importance of following security best practices.
  • Periodic Review: Regularly review JIT policies and access logs to ensure they remain relevant and effective.
  • Combine with NSGs and Azure Firewall: JIT complements other layers of network security, such as Network Security Groups (NSGs) and Azure Firewall. Use them together for defense in depth.
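The audit-log section above and the monitoring tip in this list both rely on reviewing JIT request events. The following Python is an added example, not from the article or from Microsoft: it runs a simple detection over constructed Azure Activity Log records (real top-level field names, sample values) and flags JIT requests from outside approved prefixes or repeated within a short window. The operation name for a JIT request is an assumption to be checked against your own logs.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Activity Log records the JIT resource type the article names; the initiate
# operation name below is an assumption, so adjust it to what your log shows.
JIT_INITIATE_OP = "microsoft.security/locations/jitnetworkaccesspolicies/initiate/action"

# Constructed sample Activity Log records (real top-level field names, sample values).
SAMPLE_EVENTS = [
    {"eventTimestamp": "2024-01-10T09:02:11Z", "caller": "alice@example.com",
     "callerIpAddress": "203.0.113.10", "status": "Succeeded",
     "operationName": "Microsoft.Security/locations/jitNetworkAccessPolicies/initiate/action"},
    {"eventTimestamp": "2024-01-10T09:05:40Z", "caller": "alice@example.com",
     "callerIpAddress": "203.0.113.10", "status": "Succeeded",
     "operationName": "Microsoft.Security/locations/jitNetworkAccessPolicies/write"},
    {"eventTimestamp": "2024-01-10T22:41:03Z", "caller": "bob@example.com",
     "callerIpAddress": "198.51.100.77", "status": "Succeeded",
     "operationName": "Microsoft.Security/locations/jitNetworkAccessPolicies/initiate/action"},
    {"eventTimestamp": "2024-01-10T22:42:19Z", "caller": "bob@example.com",
     "callerIpAddress": "198.51.100.77", "status": "Failed",
     "operationName": "Microsoft.Security/locations/jitNetworkAccessPolicies/initiate/action"},
    {"eventTimestamp": "2024-01-10T22:43:55Z", "caller": "bob@example.com",
     "callerIpAddress": "198.51.100.77", "status": "Failed",
     "operationName": "Microsoft.Security/locations/jitNetworkAccessPolicies/initiate/action"},
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def find_suspicious_jit_requests(events, approved_prefixes, max_per_window=2,
                                 window=timedelta(hours=1)):
    """Return (caller, reason) findings for JIT access requests that come from
    outside the approved prefixes or that repeat more than max_per_window times
    within `window` (failed attempts count too: repeated failures suggest probing)."""
    nets = [ipaddress.ip_network(p) for p in approved_prefixes]
    seen = defaultdict(list)  # caller -> timestamps of recent initiate requests
    findings = []
    for e in sorted(events, key=lambda e: e["eventTimestamp"]):
        if e["operationName"].lower() != JIT_INITIATE_OP:
            continue  # policy writes, closes etc. are audited separately
        ts, ip = _ts(e["eventTimestamp"]), ipaddress.ip_address(e["callerIpAddress"])
        if not any(ip in n for n in nets):
            findings.append((e["caller"], f"request from unexpected IP {ip}"))
        recent = [t for t in seen[e["caller"]] if ts - t <= window] + [ts]
        seen[e["caller"]] = recent
        if len(recent) > max_per_window:
            findings.append((e["caller"], f"{len(recent)} requests within {window}"))
    return findings
```

In practice the records come from an Activity Log export or a Sentinel query rather than an inline list; the two checks shown are the ones the monitoring tip calls for.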

Common Troubleshooting

  • Unable to enable JIT for a VM: Verify that the Defender for Servers plan is enabled for the VM subscription. Make sure the VM is not in an invalid state or that there are no conflicting settings.
  • Unable to request JIT access: Make sure you have the necessary permissions (e.g. Contributor or Virtual Machine Just-in-Time Access Operator) to request access. Make sure the VM is configured for JIT and the ports are defined in the policy.
  • Connection refused after JIT request: Check that the source IP address you specified in the JIT request matches the public IP of your device. Confirm that the time period has not expired. Verify that there are no additional NSGs or firewall rules blocking traffic after opening the JIT port.
  • Wrong ports open: Check the JIT policy configured for the VM to ensure the correct ports are listed. If you are using the Azure CLI, check the port parameters.
  • JIT Access Security Alerts: Investigate any JIT-related security alerts. This may indicate an unauthorized access attempt or incorrect configuration.
  • VM performance affected: The JIT itself should not affect VM performance. If there are problems, investigate other components of the VM or network.

Conclusion

Just-in-Time (JIT) Access management for Azure Virtual Machines is an essential security strategy for protecting your cloud resources against unauthorized access threats. By closing management ports by default and only opening them on demand, JIT significantly reduces the attack surface, strengthens your security posture, and helps you meet compliance requirements. Effective implementation of JIT, combined with security best practices and continuous monitoring, ensures that your VMs remain secure and accessible only to legitimate users and purposes. With this practical guide, security professionals will be well-equipped to configure, validate, and manage JIT Access, making their Azure Virtual Machines more resilient and protected.


References:

[1] Microsoft Learn. What is JIT (just-in-time) access to the VM? Available at: https://learn.microsoft.com/pt-br/azure/defender-for-cloud/just-in-time-access-overview
[2] Microsoft Learn. Enable just-in-time access on VMs. Available at: https://learn.microsoft.com/pt-br/azure/defender-for-cloud/just-in-time-access-usage
[3] Microsoft Learn. Manage server security with Microsoft Defender for Cloud. Available at: https://learn.microsoft.com/pt-br/azure/defender-for-cloud/tutorial-enable-servers-plan
[4] Microsoft Learn. Manage JIT (just-in-time) access to your VMs using PowerShell. Available at: https://learn.microsoft.com/pt-br/azure/defender-for-cloud/just-in-time-access-powershell