Updated: Automate Just In Time VM Access Request With PowerShell #AzureRM #Security #PowerShell

Introduction

On September 27, 2018 a new alert from the Federal Bureau of Investigation (FBI) and the Department of Homeland Security (DHS) announced that “Cyber Actors Increasingly Exploit The Remote Desktop Protocol to Conduct Malicious Activity“. You can read about this public announcement here.

As I mentioned in my previous article, the most frequent attack we see today is the brute-force attack on the RDP management port, and Microsoft provides a capability so that you do not need to leave these ports open to the Internet at all, even for legitimate administrative purposes.

I am also honored and pleased that my contribution to the community is getting noticed by Mr. Yuri Diogenes (Senior Program Manager at Microsoft Cybersecurity Engineering team). Thank You Yuri!

This shows how Microsoft Azure Security Center helps you mitigate the risks of exposing the RDP protocol over the Internet.

I have developed an automated tool for Just in Time VM access to Azure Virtual Machines, so instead of going to the Azure Portal every time to enable and request VM access, you can use this tool to automate the entire process.

However, when I developed this tool, I used a PowerShell module that was never officially released or supported by Microsoft, although it was enough to complete my work at the time. The bad news is that Microsoft closed that project and removed the old PowerShell module (Azure-Security-Center), so my tool broke. The good news is that Microsoft started a new project and introduced a new PowerShell module for Azure Security Center, AzureRM.Security, which gives you control over the security of your Azure subscriptions and of the machines outside Azure that you have connected to Security Center.

After spending a considerable amount of time, I was able to update my tool and make it compatible with the latest AzureRM.Security module, which as of this writing is still in preview.

In this blog post, I will share with you the updated version of my tool, which works with the latest AzureRM.Security module and brings back the automation of Just in Time VM access.

Automate Just In Time VM Access

I recently updated my PowerShell tool that helps me automate Just in Time VM access to my Azure IaaS Virtual Machines, so that instead of going to the Azure Portal every time to enable and request access, the entire process is automated. I also want my users and developers to be able to enable and request VM access without contacting me each time; I have other things to do 🙂

The script is divided into two phases as follows:

  1. First, you create a Role Based Access Control (RBAC) role with least privilege, so that you can add any user to that role and he or she can then request VM access. You need to run the .\Create-JitRBACRole.ps1 script only once.
  2. The second part is the main tool. It connects to the Azure Security Center endpoint and opens the requested management port for the duration you specify. If Just in Time VM access is not enabled for that VM, the script enables it for you and then requests VM access. Additionally, the first time you run the tool, it automatically installs the Azure Resource Manager and AzureRM.Security modules if they are not already installed on your machine.

So let’s see now how it works…

First, I want to thank my fellow Azure MVP, Fabien Dibot, for sharing his work on how to create an Azure JIT user RBAC role.

I have updated that script to create a role definition with least privilege (just enough permissions), so that users can enable and request access without waiting for a support call. When a user requests access to a VM, Azure Security Center checks that the user has Role-Based Access Control (RBAC) permissions that provide write access for the VM. If they have write permissions, the request is approved.

Open an elevated PowerShell console and run the .\Create-JitRBACRole.ps1 script; you will be prompted to log in to your Azure account. This script creates a least-privilege Azure JIT Role Based Access Control (RBAC) role and makes it assignable in all of your Azure subscriptions (if you have more than one).

Next, log in to the Azure Portal and select your subscription(s). Under Access control (IAM), click +Add and browse to the role we just created; in this example the role is named "Just in Time VM access User". Finally, add the desired user(s) or group(s) to that role. Keep in mind that an assignment at subscription scope lets those users request access to every VM in the subscription; assign the role at resource group scope if they should only reach a subset of VMs.
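The same role can be created and assigned from PowerShell instead of the portal. This is an added example, not the Create-JitRBACRole.ps1 script from the post. It assumes an existing Connect-AzureRmAccount session, the AzureRM.Resources module, and a placeholder Azure AD group named JIT-VM-Users. The action list is my reading of what Security Center needs for enabling a policy and requesting access (policy read/write, request initiation, VM read/write), so check it against Get-AzureRmProviderOperation before you rely on it.

```powershell
# Added example, not the post's Create-JitRBACRole.ps1. Assumes Connect-AzureRmAccount has run
# and that a group named 'JIT-VM-Users' (placeholder) exists in Azure AD.
$roleName = 'Just in Time VM access User'
$subscriptionIds = @((Get-AzureRmSubscription).Id)

# Clone a built-in role as a template, then strip it down to only what JIT needs.
$role = Get-AzureRmRoleDefinition -Name 'Reader'
$role.Id = $null
$role.IsCustom = $true
$role.Name = $roleName
$role.Description = 'Enable a JIT policy and request JIT access to a VM; nothing else.'

# Assumption: these actions cover enabling a policy and requesting access
# (the post states that Security Center checks for write access on the VM).
$role.Actions.Clear()
foreach ($action in @(
    'Microsoft.Security/locations/jitNetworkAccessPolicies/read',
    'Microsoft.Security/locations/jitNetworkAccessPolicies/write',
    'Microsoft.Security/locations/jitNetworkAccessPolicies/initiate/action',
    'Microsoft.Compute/virtualMachines/read',
    'Microsoft.Compute/virtualMachines/write',
    'Microsoft.Network/networkInterfaces/read')) {
    $role.Actions.Add($action)
}
$role.NotActions.Clear()

# The role may be assigned in every subscription the account can see.
$role.AssignableScopes.Clear()
foreach ($id in $subscriptionIds) { $role.AssignableScopes.Add("/subscriptions/$id") }

if (-not (Get-AzureRmRoleDefinition -Name $roleName -ErrorAction SilentlyContinue)) {
    New-AzureRmRoleDefinition -Role $role | Out-Null
}

# Assign to a group rather than to individual users. Subscription scope lets members
# request access to every VM in the subscription; use a resource group scope to narrow it.
$groupId = (Get-AzureRmADGroup -SearchString 'JIT-VM-Users' | Select-Object -First 1).Id
foreach ($scope in $role.AssignableScopes) {
    New-AzureRmRoleAssignment -ObjectId $groupId -RoleDefinitionName $roleName -Scope $scope
}
```

To confirm that every action string is a real operation in your tenant, run Get-AzureRmProviderOperation 'Microsoft.Security/locations/jitNetworkAccessPolicies/*' and compare; a typo in an action name creates a role that silently grants nothing.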

Now, you are ready to start automating Just in Time VM access. You can run this tool in multiple scenarios as follows:

EXAMPLE -1-

This example enables Just in Time VM Access for a particular Azure VM from your current public IP address, with the management port and the number of hours as specified. You will be prompted to log in to your Azure account. If Just in Time VM Access is not enabled, the tool enables the policy for the VM and asks you for the maximum requested time in hours. If the specified management port is not yet covered by the policy, the script adds that port and then requests VM access. If the time specified is greater than the maximum set by the policy, the script makes you enter a valid time before requesting VM access.

EXAMPLE -2-

This example enables Just in Time VM Access for a particular Azure VM with the management port, source IP, and number of hours all specified explicitly. You will be prompted to log in to your Azure account. If Just in Time VM Access is not enabled, the tool enables the policy for the VM and asks you for the maximum requested time in hours. If the specified management port is not yet covered by the policy, the script adds that port and then requests VM access. If the time specified is greater than the maximum set by the policy, the script makes you enter a valid time before requesting VM access.

EXAMPLE -3-

This example enables Just in Time VM Access for a particular Azure VM with the management port and source IP address specified, but no duration. You will be prompted to log in to your Azure account. If Just in Time VM Access is not enabled, the tool enables the policy for the VM and asks you for the maximum requested time in hours. If Just in Time VM Access is already enabled, the tool automatically reads the maximum requested time from the policy and then requests VM access for that duration. If the specified management port is not yet covered by the policy, the script adds that port and then requests VM access.

EXAMPLE -4-

This example enables Just in Time VM Access for a particular Azure VM from your current public IP address, with only the management port specified. You will be prompted to log in to your Azure account. If Just in Time VM Access is not enabled, the tool enables the policy for the VM and asks you for the maximum requested time in hours. If Just in Time VM Access is already enabled, the tool automatically reads the maximum requested time from the policy and then requests VM access for that duration. If the specified management port is not yet covered by the policy, the script adds that port and then requests VM access.
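The flow that the four examples describe, as an added example that is not the author's tool. It assumes the preview AzureRM.Security cmdlets Get-/Set-/Start-AzureRmJitNetworkAccessPolicy with the parameters Microsoft documents for them, an existing Connect-AzureRmAccount session, and that api.ipify.org (a placeholder; any such service works) can be used to learn the caller's public IP. The property names read from the policy object (VirtualMachines, Ports, Number, MaxRequestAccessDuration) follow Microsoft's documentation. It differs from the tool in one respect: when the requested hours exceed the policy maximum it clamps the request with a warning instead of prompting.

```powershell
#Requires -Modules AzureRM.Compute, AzureRM.Security
# Added example, not the author's tool. Assumes the preview AzureRM.Security cmdlets and
# an existing Connect-AzureRmAccount session. Property names on the policy object
# (VirtualMachines, Ports, Number, MaxRequestAccessDuration, ...) follow Microsoft's docs.
function Request-JitVmAccess {
    param(
        [Parameter(Mandatory)][string]$ResourceGroupName,
        [Parameter(Mandatory)][string]$VMName,
        [int]$Port = 3389,
        [double]$Hours = 3,
        [string]$SourceIp,          # defaults to the caller's current public IP
        [int]$PolicyMaxHours = 3    # used only when the policy or port has to be created
    )

    $vm = Get-AzureRmVM -ResourceGroupName $ResourceGroupName -Name $VMName -ErrorAction Stop
    $location = $vm.Location

    if (-not $SourceIp) {
        # Assumption: api.ipify.org is reachable; any "what is my IP" service will do.
        $SourceIp = (Invoke-RestMethod -Uri 'https://api.ipify.org?format=json').ip
    }

    # JIT policies are per location; Security Center names the one it creates "default".
    $policy = Get-AzureRmJitNetworkAccessPolicy -ResourceGroupName $ResourceGroupName `
                -Location $location -Name 'default' -ErrorAction SilentlyContinue

    $vmEntry   = if ($policy)  { $policy.VirtualMachines | Where-Object { $_.Id -eq $vm.Id } }
    $portEntry = if ($vmEntry) { $vmEntry.Ports | Where-Object { $_.Number -eq $Port } }

    if (-not $portEntry) {
        # No policy, or this VM/port is not in it. Set- replaces the whole policy,
        # so carry over every VM and port already configured and append ours.
        $newPort = @{ number = $Port; protocol = '*'; allowedSourceAddressPrefix = @('*')
                      maxRequestAccessDuration = "PT${PolicyMaxHours}H" }
        $vms = @()
        if ($policy) {
            foreach ($v in $policy.VirtualMachines) {
                $ports = @($v.Ports | ForEach-Object {
                    @{ number = $_.Number; protocol = $_.Protocol
                       allowedSourceAddressPrefix = $_.AllowedSourceAddressPrefix
                       maxRequestAccessDuration   = $_.MaxRequestAccessDuration } })
                if ($v.Id -eq $vm.Id) { $ports += $newPort }
                $vms += @{ id = $v.Id; ports = $ports }
            }
        }
        if (-not $vmEntry) { $vms += @{ id = $vm.Id; ports = @($newPort) } }

        $policy = Set-AzureRmJitNetworkAccessPolicy -Kind 'Basic' -Location $location `
                    -Name 'default' -ResourceGroupName $ResourceGroupName -VirtualMachine $vms
        $maxHours = $PolicyMaxHours
    } else {
        # Policy already covers this port: its ISO 8601 duration (e.g. PT3H) is the ceiling.
        $maxHours = [System.Xml.XmlConvert]::ToTimeSpan($portEntry.MaxRequestAccessDuration).TotalHours
    }

    if ($Hours -gt $maxHours) {
        Write-Warning "Requested $Hours h exceeds the policy maximum of $maxHours h; using $maxHours h."
        $Hours = $maxHours
    }

    # Policy resource ID: taken from the object, or rebuilt from the VM ID if it is missing.
    $policyId = if ($policy.Id) { $policy.Id } else {
        "$($vm.Id -replace '/providers/.*$')/providers/Microsoft.Security/locations/$location/jitNetworkAccessPolicies/default"
    }

    $endTime = (Get-Date).ToUniversalTime().AddHours($Hours).ToString('o')
    $request = @{ id = $vm.Id
                  ports = @(@{ number = $Port; endTimeUtc = $endTime
                               allowedSourceAddressPrefix = @($SourceIp) }) }

    # Opens the port for this source only and only until $endTime; Security Center
    # removes the NSG allow rule again when the window closes.
    Start-AzureRmJitNetworkAccessPolicy -ResourceId $policyId -VirtualMachine @($request)
}

# Usage (placeholder names): open RDP on vm01 for two hours from the current public IP.
Request-JitVmAccess -ResourceGroupName 'rg-prod' -VMName 'vm01' -Port 3389 -Hours 2
```

Two points are worth keeping even if you adapt this: the policy is written with allowedSourceAddressPrefix '*' but each request is scoped to one source IP and one end time, which is what keeps the port closed to everyone else; and the requested duration is checked against the policy's maxRequestAccessDuration before the request is sent, so a user cannot exceed what the administrator configured.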

Where can I download this tool

This tool is available in my GitHub repository. You can download the documentation and the tool from there.

Congratulations, in this article, you learned how to automate just in time VM access in Security Center to help you control access to your Azure virtual machines.

Summary

Just-in-time VM access is a great feature because Azure administrators no longer need to change the Network Security Group (NSG) settings each and every time, and with this tool the process becomes even faster. Please note that Just-in-time VM access will incur additional charges on your Azure subscription, as it is part of the Azure Security Center Standard pricing tier. For more information on the Azure Security Center pricing tiers, please check the following URL.

Roadmap

I am planning to improve this tool in the future. This is version 2.0. If you have any feedback or changes that would benefit everyone, please feel free to update the source code and create a pull request.

Until then… Stay secure with Azure Security Center and Just in Time VM access!

__
Thank you for reading my blog.

If you have any questions or feedback, please leave a comment.

-Charbel Nemnom-

About Charbel Nemnom 399 Articles
Charbel Nemnom is a Cloud Solutions Architect and Microsoft Most Valuable Professional (MVP), totally fan of the latest's IT platform solutions, accomplished hands-on technical professional with over 17 years of broad IT Infrastructure experience serving on and guiding technical teams to optimize performance of mission-critical enterprise systems. Excellent communicator adept at identifying business needs and bridging the gap between functional groups and technology to foster targeted and innovative IT project development. Well respected by peers through demonstrating passion for technology and performance improvement. Extensive practical knowledge of complex systems builds, network design and virtualization.
