Automate Just In Time VM Access Request With PowerShell #AzureSecurityCenter #AzureSecurity #ASC #PowerShell


Update! The PowerShell tool has been updated to work with the latest AzureRM Security module. Please check here.

Introduction

The most frequent attack we see today against Azure virtual machines is the brute-force attack on the RDP management port. With Azure Security Center you do not need to leave RDP or SSH open at all, not even for legitimate administrative purposes: Just-in-Time VM access makes these ports reachable only when an administrator needs them, and only for as long as they are needed.

Just-in-Time VM access is one of many features included in Azure Security Center, and one you should consider for every virtual machine that exposes a management port to the Internet. You specify rules for how users can connect to the virtual machine (which ports, from which source IPs, and for at most how long). When needed, access is requested from Azure Security Center or via PowerShell; as long as the request complies with the rules, access is granted automatically and only for the requested time.

How Just in Time VM Access Works

What the Just-in-Time VM access feature actually does is automate the Network Security Group (NSG) exception that lets me connect in. By default the VM is locked down: the NSG blocks inbound RDP and SSH remote management, and I cannot connect to it. When it is time for me to connect, I go to the Azure Portal, open Azure Security Center, and enable Just-in-Time VM access for that VM.

Then I specify the management ports to protect and for how many hours access may be allowed per request, and click OK.

When I need to access my Azure virtual machine, I go to the Azure Portal again, open Azure Security Center, and request access for that VM. At this point it works out my public-facing IP address and modifies the Network Security Group to add an exception for whichever protocol I select (RDP, SSH or WinRM/WS-Management), for just my IP address and just for the period of time I asked for. Once the exception is in place I can RDP in from the Internet; when the time expires, Security Center removes the exception and I cannot access the VM anymore.

And Microsoft recently announced a new configuration option for Just-In-Time VM Access from the virtual machine blade directly to make it even easier for you to reduce your exposure to threats.

So the real benefit of this: if I have to have something public-facing to access, say a jump box that I connect to and then navigate to other virtual machines from, then with Just-in-Time VM access I am not leaving an open connection, and I am not even leaving a permanent rule for my particular IP. Instead, when I need access, I go to the portal and turn it on, and Azure Security Center behind the scenes adds the exceptions to whichever Network Security Groups (NSGs) are in the path. Note that the NSG has to be there already, on either the vNIC or the subnet; if there is one on each, Security Center adds the necessary exceptions to both of them. That is what Just-in-Time VM access is doing.

Automate Just In Time VM Access Request

I was working lately on a PowerShell tool to automate Just-in-Time VM access to my Azure virtual machines, so that I do not have to go to the Azure Portal to enable and request access over and over. The script connects to the Azure Security Center endpoint and opens the requested port for the time I specify. If Just-in-Time VM access is not enabled for that VM, the script enables it first and then requests VM access. Additionally, the first time you run the tool it installs the Azure Resource Manager and AzureRM Security PowerShell modules if they are not already present on your machine.

You can run the script in multiple scenarios as follows:

EXAMPLE -1-

This example enables Just-in-Time VM access for a particular Azure VM from any source IP. The management port is set as specified, together with the number of hours.
If Just-in-Time VM access is not enabled, the tool enables the policy for the VM, so you need to provide the maximum requested time in hours.

EXAMPLE -2-

This example enables Just-in-Time VM access for a particular Azure VM with the management port, source IP address, and number of hours all specified.
If Just-in-Time VM access is not enabled, the tool enables the policy for the VM, so you need to provide the maximum requested time in hours.

EXAMPLE -3-

This example enables Just-in-Time VM access for a particular Azure VM with the management port and source IP address specified, but no number of hours.
If Just-in-Time VM access is not enabled, the tool enables the policy for the VM, so you need to provide the maximum requested time in hours.
If Just-in-Time VM access is already enabled, the tool automatically extracts the maximum requested time set by the policy, and then requests VM access for that duration.

EXAMPLE -4-

This example enables Just-in-Time VM access for a particular Azure VM from any source IP, with only the management port specified.
If Just-in-Time VM access is not enabled, the tool enables the policy for the VM, so you need to provide the maximum requested time in hours.
If Just-in-Time VM access is already enabled, the tool automatically extracts the maximum requested time set by the policy, and then requests VM access for that duration.
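The enable-then-request flow described under How Just in Time VM Access Works, and the "extract the policy maximum, then request" behaviour of Examples 3 and 4, as an added PowerShell example. This is not the author's tool and not Microsoft's code; it uses the Az.Security cmdlets Get-AzJitNetworkAccessPolicy, Set-AzJitNetworkAccessPolicy and Start-AzJitNetworkAccessPolicy with the hashtable shape Microsoft documents for them (on the AzureRM module the same cmdlets carry the AzureRm prefix instead). Assumptions: you are already signed in with Connect-AzAccount, the VM already has an NSG on its NIC or subnet, the policy is named default as the portal names it, and api.ipify.org is used to discover the caller's public IP because, unlike the portal, the cmdlet does not work it out for you.

```powershell
# Added example (not the author's tool): enable a JIT policy for a VM if it is missing,
# then request access for one source IP, clamped to the policy's maximum duration.
# Assumes an existing Az login (Connect-AzAccount) and the Az.Security module.
param(
    [Parameter(Mandatory)] [string] $ResourceGroupName,
    [Parameter(Mandatory)] [string] $VMName,
    [int]    $Port     = 3389,   # 3389 RDP, 22 SSH, 5985/5986 WinRM
    [int]    $Hours    = 1,      # requested window; never more than the policy allows
    [string] $SourceIp = ''      # leave empty to use your current public IP
)

$ErrorActionPreference = 'Stop'
$vm  = Get-AzVM -ResourceGroupName $ResourceGroupName -Name $VMName
$sub = (Get-AzContext).Subscription.Id
# JIT policies live under Microsoft.Security, scoped to the resource group and region.
$policyId = "/subscriptions/$sub/resourceGroups/$ResourceGroupName/providers/Microsoft.Security" +
            "/locations/$($vm.Location)/jitNetworkAccessPolicies/default"

# 1. Look for an existing "default" policy and a rule for this VM and port.
#    (Property names VirtualMachines / Ports / Number / MaxRequestAccessDuration follow
#    the Az.Security object model.)
$policy   = Get-AzJitNetworkAccessPolicy -ResourceGroupName $ResourceGroupName `
                -Location $vm.Location -Name 'default' -ErrorAction SilentlyContinue
$portRule = $null
if ($policy) {
    $vmEntry  = $policy.VirtualMachines | Where-Object { $_.Id -eq $vm.Id }
    $portRule = $vmEntry.Ports | Where-Object { $_.Number -eq $Port }
}

if (-not $portRule) {
    # 2a. Not enabled for this VM/port: enable it. maxRequestAccessDuration is ISO 8601
    #     (PT3H = three hours). allowedSourceAddressPrefix here is who MAY request access;
    #     each request is narrowed to a single IP below.
    $maxDuration = 'PT{0}H' -f [Math]::Max($Hours, 1)
    $vmPolicy = @{
        id    = $vm.Id
        ports = @(@{
            number                     = $Port
            protocol                   = '*'
            allowedSourceAddressPrefix = @('*')
            maxRequestAccessDuration   = $maxDuration
        })
    }
    # Set-AzJitNetworkAccessPolicy writes the policy's whole VM list, so keep the other
    # VMs already covered by "default"; an existing entry for this VM is replaced.
    $vmList = @()
    if ($policy) { $vmList += @($policy.VirtualMachines | Where-Object { $_.Id -ne $vm.Id }) }
    $vmList += $vmPolicy
    Set-AzJitNetworkAccessPolicy -Kind 'Basic' -Location $vm.Location -Name 'default' `
        -ResourceGroupName $ResourceGroupName -VirtualMachine $vmList | Out-Null
    $maxHours = [System.Xml.XmlConvert]::ToTimeSpan($maxDuration).TotalHours
} else {
    # 2b. Already enabled: take the maximum the policy allows, as Examples 3 and 4 describe.
    $maxHours = [System.Xml.XmlConvert]::ToTimeSpan($portRule.MaxRequestAccessDuration).TotalHours
}

# 3. A request longer than the policy maximum is rejected, so clamp it.
$requestHours = [Math]::Min([double]$Hours, $maxHours)

# 4. Resolve the caller's public IP (assumption: api.ipify.org is reachable) unless given.
if (-not $SourceIp) { $SourceIp = (Invoke-RestMethod -Uri 'https://api.ipify.org').Trim() }

# 5. Request access: Security Center adds an NSG allow rule for exactly this IP and port
#    on the NIC and/or subnet NSG, and removes it again at endTimeUtc.
$endTimeUtc = (Get-Date).ToUniversalTime().AddHours($requestHours).ToString('o')
$request = @{
    id    = $vm.Id
    ports = @(@{
        number                     = $Port
        endTimeUtc                 = $endTimeUtc
        allowedSourceAddressPrefix = @($SourceIp)
    })
}
Start-AzJitNetworkAccessPolicy -ResourceId $policyId -VirtualMachine @($request) | Out-Null
Write-Host "JIT access to $VMName port $Port granted for $SourceIp until $endTimeUtc"
```

Run it as `.\Request-JitAccess.ps1 -ResourceGroupName MyRG -VMName JumpBox01 -Port 3389 -Hours 2` (file name is your choice). Two points worth keeping from the script even if you use the author's tool instead: the policy's allowedSourceAddressPrefix of `*` only controls who may ask, so the request must still carry a single source IP rather than `*` if the exception is to be as narrow as the portal makes it; and the request end time must stay within the policy's maxRequestAccessDuration, which is why the script reads that value back from the policy before it asks.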

Where can I download this tool

This tool is available on my GitHub repository. You can download the documentation and the script from here.

Summary

Just-in-Time VM access is a very good feature, since Azure network administrators no longer need to change the Network Security Group (NSG) settings by hand each and every time, and with this tool the process becomes faster still. Please note that Just-in-Time VM access is part of the Azure Security Center Standard pricing tier and will therefore incur additional charges to your Azure subscription. For more information on the Azure Security Center pricing tiers, please check the following URL.

Roadmap

I am planning to improve this tool in the future; this is still version 1.0. If you have any feedback or changes that everyone should receive, please feel free to update the source code and create a pull request.

Until then… Stay secure with Just in Time VM Access!

Thank you for reading my blog.

If you have any questions or feedback, please leave a comment.

-Charbel Nemnom-
