During Microsoft Ignite in November 2021, Azure Security Center and Azure Defender are now called Microsoft Defender for Cloud. They’ve also renamed Azure Defender plans to Microsoft Defender plans. For example, Azure Defender for Storage is now Microsoft Defender for Storage.
In this article, I will show you how to automate Just In Time VM access requests with PowerShell.
Table of Contents
Introduction
On September 27, 2018, a new alert from the Federal Bureau of Investigation (FBI) and the Department of Homeland Security (DHS) announced that “Cyber Actors Increasingly Exploit The Remote Desktop Protocol to Conduct Malicious Activity“. You can read about this public announcement here.
As I mentioned in my previous article, the most frequent attack that we see today is an attack on RDP/SSH management port (the brute force attack), and Microsoft provides you with the capability that you don’t need to have these ports open even for legitimate administrative purposes.
I am also honored and pleased that my contribution to the community is getting noticed by Mr. Yuri Diogenes (Senior Program Manager at Microsoft Cybersecurity Engineering team). Thank You, Yuri!
This shows how Microsoft Azure Security Center will help you to mitigate the risks of enabling RDP protocol over the Internet.
I have developed an automated tool for Just in Time VM access to Azure Virtual Machines. So instead of going every time to the Azure Portal to enable and request VM access, you can use this tool to automate the entire process.
However, when I developed this tool, I used a PowerShell module that was never officially released and supported by Microsoft, but I was able to complete my work during that time. The bad news is, Microsoft closed that project and removed the old PowerShell module which was called (Azure-Security-Center), and my tool now is broken. However, Microsoft released a new project and introduced a new PowerShell module for Azure Security Center called (AzureRM.Security) which gives you control over the security of your Azure subscriptions and other machines that you connected to it outside of Azure.
The good news is that after spending an extended amount of time, I was able to update my tool and have it compatible with the latest AzureRM.Security module which is as of this writing is still in preview.
In this blog post, I will share with you the updated version of my tool that works with the latest Azure RM Security module and bring back the automation of Just in Time VM access.
Automate Just In Time VM Access
I was updating my PowerShell tool to help me automate Just in Time VM access to my Azure IaaS Virtual Machines. So instead of going every time to the Azure Portal to enable and request access, I developed that tool to automate the entire process. Additionally, I want also my users/developers to enable and request VM access without keep contacting me, I have other things to do :)
The script is divided into two phases as follows:
1) First, you need to create a Role-Based Access Control (RBAC) with the least privilege, so you can add any user to that role, and then he/she can request VM access. You need to run the .\Create-JitRBACRole.ps1 script only one time.
2) The second part of the script is the main tool which will connect to the Azure Security Center endpoint and then will open the requested management port for the duration you specify. If Just in Time VM Access is not enabled for that VM, the script will enable it for you, and finally request VM access. Additionally, the script will automatically install the Azure Resource Manager and Azure RM Security modules if they are not installed on your machine only the first time you run this tool.
So let’s see now how it works…
First, I want to thank my fellow Azure MVP, Fabien Dibot, to share his work on creating an Azure JIT user RBAC role.
I have updated that script to create a role definition with the least privilege (just enough permissions), so the users will be able to enable and request access without having to wait for support calls to enable access. When a user requests access to a VM, Azure Security Center checks that the user has Role-Based Access Control (RBAC) permissions that provide write access for the VM. If they have the right permissions, the request is approved.
Open an elevated PowerShell console and run the .\Create-JitRBACRole.ps1 script, you will be prompted to log in to your Azure account. This script will create an Azure JIT Role-Based Access Control (RBAC) with the least privilege and assign that role to all Azure Subscriptions (if you have more than one subscription).
Next, you need to login to the Azure Portal and select your Subscription(s), under Access control (IAM), click +Add and then browse to the role that we just created. In this example, the role named is “Just in Time VM access User“, and lastly Add the desired user(s) or group(s) to that role.
Now, you are ready to start automating Just in Time VM access. You can run this tool in multiple scenarios as follows:
EXAMPLE -1-
.\Request-JITVMAccess.ps1 -VMName [VMName] -Port [PortNumber] -Time [Hours] -VerboseThis example will enable Just in Time VM Access for a particular Azure VM from your current public IP address. The management port will be set as specified including the number of hours. You will be prompted to log in to your Azure account. If Just in Time VM Access is not enabled, the tool will enable the policy for the VM, you need to provide the maximum requested time in hours. If the specified management port is not set by the policy previously, the script will enable that port and request VM access. If the time specified is greater than the time set by the policy, the script will force you to enter the valid time, and then request VM access.
EXAMPLE -2-
.\Request-JITVMAccess.ps1 -VMName [VMName] -Port [PortNumber] -AddressPrefix [AllowedSourceIP] -Time [Hours] -VerboseThis example will enable Just in Time VM Access for a particular Azure VM including the management port, source IP, and the number of hours. You will be prompted to log in to your Azure account. If Just in Time VM Access is not enabled, the tool will enable the policy for the VM, you need to provide the maximum requested time in hours. If the specified management port is not set by the policy previously, the script will enable that port and request VM access. If the time specified is greater than the time set by the policy, the script will force you to enter the valid time, and then request VM access.
EXAMPLE -3-
.\Request-JITVMAccess.ps1 -VMName [VMName] -Port [PortNumber] -AddressPrefix [AllowedSourceIP] -VerboseThis example will enable Just in Time VM Access for a particular Azure VM including the management port, and source IP address. You will be prompted to log in to your Azure account. If Just in Time VM Access is not enabled, the tool will enable the policy for the VM, you need to provide the maximum requested time in hours. If Just in Time VM Access is already enabled, the tool will automatically extract the maximum requested time set by the policy and then request VM access. If the specified management port is not set by the policy previously, the script will enable that port and request VM access.
EXAMPLE -4-
.\Request-JITVMAccess.ps1 -VMName [VMName] -Port [PortNumber] -VerboseThis example will enable Just in Time VM Access for a particular Azure VM from your current public IP address. The management port will be set as specified. You will be prompted to log in to your Azure account. If Just in Time VM Access is not enabled, the tool will enable the policy for the VM, you need to provide the maximum requested time in hours. If Just in Time VM Access is already enabled, the tool will automatically extract the maximum requested time set by the policy and then request VM access. If the specified management port is not set by the policy previously, the script will enable that port and request VM access.
Where can I download this tool?
This tool is available in my GitHub repository. You can download the documentation and the tool from here.
Congratulations, in this article, you learned how to automate just-in-time VM access in Security Center to help you control access to your Azure virtual machines.
Summary
Just-in-time VM access is a great feature because Azure Administrators don’t need to go and change the Network Security Group (NSG) settings every time, and with this tool, it becomes even faster to automate this process. Please note that Just-in-time VM access will incur additional charges to your Azure subscription as it is part of the Azure Security Center Standard Pricing Tier. For more information on the Azure Security Center pricing Tier, please check the following URL.
Roadmap
I am planning to improve this tool in the future. This is version 2.0. If you have any feedback or changes that everyone should receive, please feel free to update the source code and create a pull request.
Until then… Stay secure with Azure Security Center and Just in Time VM access!
__
Thank you for reading my blog.
If you have any questions or feedback, please leave a comment.
-Charbel Nemnom-
