Hi there

In this post I’d like to show you JIT (just-in-time) VM access and how it works.

JIT creates an inbound rule on the NSG (Network Security Group) associated with a VM (Virtual Machine), allowing traffic on ports 22, 3389, 5985 or 5986 for up to 24 hours.

  1. Set up JIT in Azure Security Center
  2. Double-check your Virtual Machine \ Networking (inbound port rules)

Step #1 – Enable / Configure JIT for the VMs you’d like to test

Go to Azure Portal \ Home \ All services, search for Security Center and click on it.

TIP: the same Azure Security Center blade is used both to enable JIT and to request access to the VM (users need access to the Azure Portal, or to PowerShell, to do so).

In the Azure Security Center blade navigate to ADVANCED CLOUD DEFENSE \ Just in time VM access.

Now you can see Virtual Machines and three sub-menus:

  • Configured
  • Not Configured
  • Unsupported

Select Not Configured to enable JIT on your VM.

If the list of VMs is large, click on search and type your VM name there.

VM-FS01 is our demo VM for this article.

Search for VM-FS01.

Select the VM VM-FS01 and click the blue button “Enable JIT on X VMs”.

Switch back to the Configured menu and check if the VM has JIT enabled already.

If JIT is already enabled you’ll see the option “Request access” in blue when you select the VM-FS01 virtual machine.

Click on “Request access”.

On the next screen (a new blade) toggle On for the port you want to enable (for this demo we’re using 3389), then select IP Range and add the IP range your traffic is coming from.

TIP: if you’re connecting from the internet you need to add your public source IP address to allow the connection to come through. In this article I’m connected to a Point-to-Site VPN on Azure with the 10.13.1.0/24 IP block.

Add 10.13.1.0/24 as the IP range and select the Time range in hours (after this time the rule is removed from the VM’s NSG).

Enter a request justification and click on Open ports (the button turns blue once you’ve added / selected all prerequisites for this request).

You can check the Activity Log for the specific VM to review the JIT audit entries.

Now you’re able to connect using MSTSC (RDP on 3389) to the VM-FS01 VM.
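The same Step #1 flow can be driven from PowerShell, which is handy when the person requesting access has no portal rights or when you want to script it. This is an added example, not code from the original post: it assumes the Az.Accounts and Az.Security modules are installed, and <SUBSCRIPTION-ID>, <RESOURCE-GROUP> and <LOCATION> are placeholders for your own environment. VM-FS01, port 3389 and 10.13.1.0/24 are the values used in this article.

```powershell
# Added example (not from the original post): enable JIT on VM-FS01 and then
# request access on TCP 3389 from 10.13.1.0/24 using the Az PowerShell modules.
# Assumptions: Az.Accounts + Az.Security installed; <SUBSCRIPTION-ID>,
# <RESOURCE-GROUP> and <LOCATION> are placeholders you must fill in.
Connect-AzAccount

$subscriptionId = '<SUBSCRIPTION-ID>'
$resourceGroup  = '<RESOURCE-GROUP>'
$location       = '<LOCATION>'      # the region VM-FS01 is deployed in
$vmName         = 'VM-FS01'
$vmId = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup/providers/Microsoft.Compute/virtualMachines/$vmName"

# 1. JIT policy: which ports may be requested, from where, and for how long.
#    Restricting allowedSourceAddressPrefix here limits what any later request
#    can ask for; maxRequestAccessDuration is an ISO 8601 duration.
$jitPolicy = @{
    id    = $vmId
    ports = @(
        @{
            number                     = 3389
            protocol                   = 'TCP'
            allowedSourceAddressPrefix = @('10.13.1.0/24')
            maxRequestAccessDuration   = 'PT3H'   # at most 3 hours per request
        }
    )
}
Set-AzJitNetworkAccessPolicy -Kind 'Basic' -Location $location -Name 'default' `
    -ResourceGroupName $resourceGroup -VirtualMachine @($jitPolicy)

# 2. Request access: this is the call that creates the temporary NSG rule.
#    endTimeUtc must be within maxRequestAccessDuration of now.
$endTimeUtc = (Get-Date).ToUniversalTime().AddHours(1).ToString('o')
$request = @{
    id    = $vmId
    ports = @(
        @{
            number                     = 3389
            endTimeUtc                 = $endTimeUtc
            allowedSourceAddressPrefix = @('10.13.1.0/24')
        }
    )
}
$policyId = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup/providers/Microsoft.Security/locations/$location/jitNetworkAccessPolicies/default"
Start-AzJitNetworkAccessPolicy -ResourceId $policyId -VirtualMachine @($request)

# 3. Read the policy back: the VirtualMachines block shows the configured ports
#    and the Requests block shows the open request with its end time.
Get-AzJitNetworkAccessPolicy -ResourceGroupName $resourceGroup -Location $location -Name 'default' |
    ConvertTo-Json -Depth 6
```

The policy step only needs to run once per VM; the request step is what you repeat each time you need to connect, and each run is written to the Activity Log, which is what the audit check later in this post relies on.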

Step #2 – Check VM NSG rules

If you click on the VM \ Networking you’ll see an entry named SecurityCenter-JITRule-292389437-9DDC142A624B43E8903EC815DA81234E referring to the JIT request you’ve submitted; it is in place with a high priority so it is evaluated before the other rules.

For this test I disabled the Azure default setting (allow TCP from any to the VM on TCP port 3389 / RDP).
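To do the Step #2 check without clicking through the portal, you can read the NSG rules and the Activity Log from PowerShell. This is an added example, not code from the original post: it assumes the Az.Network and Az.Monitor modules, and <RESOURCE-GROUP> and <NSG-NAME> are placeholders for the VM’s resource group and the NSG attached to its NIC or subnet. It also adds a check the post only implies: that no standing “allow from any on 3389” rule is still sitting beside the JIT rule.

```powershell
# Added example (not from the original post): list the JIT rule that Security
# Center placed on the VM's NSG, flag any permanent RDP exposure next to it,
# and pull the JIT entries from the Activity Log.
# Assumptions: Az.Network + Az.Monitor installed; <RESOURCE-GROUP> and
# <NSG-NAME> are placeholders you must fill in.
$resourceGroup = '<RESOURCE-GROUP>'
$nsgName       = '<NSG-NAME>'

$nsg   = Get-AzNetworkSecurityGroup -ResourceGroupName $resourceGroup -Name $nsgName
$rules = $nsg | Get-AzNetworkSecurityRuleConfig

# JIT rules are named SecurityCenter-JITRule-<id>; a lower Priority number
# means the rule is evaluated earlier, which is why they sit above the rest.
$rules |
    Where-Object { $_.Name -like 'SecurityCenter-JITRule*' } |
    Select-Object Name, Priority, Direction, Access, Protocol,
        @{ n = 'Source';   e = { $_.SourceAddressPrefix -join ',' } },
        @{ n = 'DestPort'; e = { $_.DestinationPortRange -join ',' } }

# Defender check: JIT is only useful if the permanent "allow RDP from anywhere"
# rule is gone. This matches exact '3389' or '*' port entries only; port
# ranges such as '3000-4000' would need extra parsing.
$standingRdp = $rules | Where-Object {
    $_.Direction -eq 'Inbound' -and $_.Access -eq 'Allow' -and
    $_.Name -notlike 'SecurityCenter-JITRule*' -and
    ($_.DestinationPortRange -contains '3389' -or $_.DestinationPortRange -contains '*') -and
    ($_.SourceAddressPrefix -contains '*' -or $_.SourceAddressPrefix -contains 'Internet')
}
if ($standingRdp) {
    Write-Warning "Standing RDP exposure remains in rule(s): $($standingRdp.Name -join ', ')"
} else {
    Write-Output 'OK: no permanent inbound RDP allow rule beside the JIT rule.'
}

# Audit trail: each JIT request is logged against the jitNetworkAccessPolicies
# resource, with the caller and the result. Look back one day here.
Get-AzActivityLog -ResourceGroupName $resourceGroup -StartTime (Get-Date).AddDays(-1) |
    Where-Object { $_.OperationName.Value -like '*jitNetworkAccessPolicies*' } |
    Select-Object EventTimestamp, Caller,
        @{ n = 'Operation'; e = { $_.OperationName.Value } },
        @{ n = 'Status';    e = { $_.Status.Value } }
```

Run the first two parts again after the time range you chose has expired: the SecurityCenter-JITRule entry should be gone, and the standing-rule check should still report OK, which is the state you want the VM left in between requests.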

You can also enable JIT from within the VM blade:

  • Select the VM
  • Go to Settings \ Configuration and follow the wizard from there

If you cannot access the VM with your admin account you can reset the VM password. Learn how – click here.

Thanks,

Thiago Beier