A new security feature has been made available in preview on Azure: Just In Time Access for virtual machines.

While Microsoft monitors access to and the behaviour of resources hosted on Azure to detect malicious activity, your resources, in this case your virtual machines, can still be exposed.

The Just In Time VM Access functionality helps you better protect the virtual machines you host on Azure by locking down remote access to them.

Activating Just In Time Access

To take advantage of Just In Time Access for your virtual machines, log on to the Azure portal (https://portal.azure.com/) and open the Security Center.


Then, in the General section, click Enable Just In Time VM Access.


Finally, click Try Just In Time VM Access, select the subscription to use for the preview/evaluation, and upgrade it to the Standard tier.


Once upgraded, the Just In Time VM Access section of the Security Center shows all virtual machines protected by JIT Access.

Since you have just enabled it, no virtual machine is protected yet.

To protect a virtual machine, open the JIT blade; it lists both the virtual machines already protected and those that still need protection.


Select the virtual machine(s) you want to enable for JIT Access.


When activating JIT Access you have to define which ports the functionality applies to, so that other ports you use to manage the VM, or legitimate traffic such as a hosted web server, are not blocked. A list of predefined, well-known management ports is provided.


When defining a management port (or editing the default ones) you can define from where and for how long JIT Access will be granted; the default is 3 hours from anywhere.


Once activated, the JIT Access blade refreshes to show the protected VMs, with details such as the number of requests and the last user logged.


NOTE: you will also get the JIT Access activation recommendation under the virtual machine's Advisor Recommendations.


Accessing the virtual machine with JIT enabled

After activating JIT Access on a virtual machine, you can no longer log on through the defined management ports without requesting access first.


To request access, go to Security Center\Just In Time VM Access, select the virtual machine you want to access, and click Request access.


Then specify which management port you are going to use and for how long. NOTE: you can request access only up to the maximum duration defined in the policy.

To select the port, toggle the on/off button on the right side and click Open port.


Azure Security Center then automatically allows or denies your request.

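The same two steps, defining the policy and then requesting access, can be scripted. This is an added example, not part of the original post, and it assumes the Az.Security PowerShell module (its cmdlets post-date the preview described here); the subscription id, resource group, VM name, region and IP addresses are placeholders. Unlike the portal default of 3 hours from anywhere, the policy below restricts the management ports to one source network and caps requests at 1 hour.

```powershell
# Added example (not from the original post). Assumes the Az.Security module.
# Subscription, resource group, VM, location and IP values are placeholders.
$sub  = "00000000-0000-0000-0000-000000000000"   # placeholder subscription id
$rg   = "rg-jit-demo"                            # placeholder resource group
$vm   = "vm-jit-demo"                            # placeholder VM name
$loc  = "westeurope"                             # placeholder region
$vmId = "/subscriptions/$sub/resourceGroups/$rg/providers/Microsoft.Compute/virtualMachines/$vm"

# 1. Policy: which ports JIT manages, from where, and for how long.
#    Portal default is "*" (anywhere) and PT3H; here RDP and SSH are limited
#    to the admin network 203.0.113.0/24 (placeholder) and to 1 hour.
$policy = @{
    id    = $vmId
    ports = @(
        @{ number = 3389; protocol = "TCP"; allowedSourceAddressPrefix = @("203.0.113.0/24"); maxRequestAccessDuration = "PT1H" },
        @{ number = 22;   protocol = "TCP"; allowedSourceAddressPrefix = @("203.0.113.0/24"); maxRequestAccessDuration = "PT1H" }
    )
}
Set-AzJitNetworkAccessPolicy -Kind "Basic" -Location $loc -Name "default" `
    -ResourceGroupName $rg -VirtualMachine @($policy)

# 2. Request access: one port, one source address, for no longer than the
#    policy maximum (a longer request is refused, as the post notes).
$request = @{
    id    = $vmId
    ports = @(
        @{ number                     = 3389
           endTimeUtc                 = (Get-Date).ToUniversalTime().AddMinutes(45).ToString("o")
           allowedSourceAddressPrefix = @("203.0.113.10") }   # placeholder admin IP
    )
}
$policyId = "/subscriptions/$sub/resourceGroups/$rg/providers/Microsoft.Security/locations/$loc/jitNetworkAccessPolicies/default"
Start-AzJitNetworkAccessPolicy -ResourceId $policyId -VirtualMachine @($request)

# 3. Review the policy and its outstanding requests, i.e. what is open right now.
Get-AzJitNetworkAccessPolicy -ResourceGroupName $rg -Location $loc -Name "default"
```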

Edit / remove JIT policy

To edit or remove a JIT VM Access policy, open the context menu for the virtual machine you want to change.
