just-in-time-access-usage.yml
### YamlMime:HowTo
---
metadata:
title: Enable just-in-time access on VMs
description: Learn how just-in-time VM access (JIT) in Microsoft Defender for Cloud helps you control access to your Azure virtual machines.
author: dcurwin
ms.author: dacurwin
ms.date: 10/01/2023
ms.topic: how-to
ms.custom:
- ge-structured-content-pilot
title: |
Enable just-in-time access on VMs
introduction: |
You can use Microsoft Defender for Cloud's just-in-time (JIT) access to protect your Azure virtual machines (VMs) from unauthorized network access. Firewalls often contain allow rules that leave your VMs exposed to attack. JIT lets you allow access to your VMs only when the access is needed, only on the ports needed, and only for the period of time needed.
Learn more about [how JIT works](just-in-time-access-overview.md) and the [permissions required to configure and use JIT](#prerequisites).
In this article, you learn how to include JIT in your security program, including how to:
- Enable JIT on your VMs from the Azure portal or programmatically
- Request access to a VM that has JIT enabled from the Azure portal or programmatically
- [Audit the JIT activity](#audit-jit-access-activity-in-defender-for-cloud) to make sure your VMs are secured appropriately
## Availability
| Aspect | Details |
|--|:-|
| Release state: | General availability (GA) |
| Supported VMs: | :::image type="icon" source="./media/icons/yes-icon.png"::: VMs deployed through Azure Resource Manager<br>:::image type="icon" source="./media/icons/no-icon.png"::: VMs deployed with [classic deployment models](../azure-resource-manager/management/deployment-models.md)<br>:::image type="icon" source="./media/icons/yes-icon.png"::: VMs protected by Azure Firewalls on the same VNET as the VM<br>:::image type="icon" source="./media/icons/no-icon.png"::: VMs protected by Azure Firewalls controlled by [Azure Firewall Manager](../firewall-manager/overview.md)<br> :::image type="icon" source="./media/icons/yes-icon.png"::: AWS EC2 instances (Preview) |
| Required roles and permissions: | **Reader**, **SecurityReader**, or a [custom role](#prerequisites) can view the JIT status and parameters.<br>To create a least-privileged role for users that only need to request JIT access to a VM, use the [Set-JitLeastPrivilegedRole script](https://github.com/Azure/Microsoft-Defender-for-Cloud/tree/main/Powershell%20scripts/JIT%20Scripts/JIT%20Custom%20Role). |
| Clouds: | :::image type="icon" source="./media/icons/yes-icon.png"::: Commercial clouds<br>:::image type="icon" source="./media/icons/yes-icon.png"::: National (Azure Government, Microsoft Azure operated by 21Vianet)<br>:::image type="icon" source="./media/icons/yes-icon.png"::: Connected AWS accounts (preview) |
prerequisites:
summary: |
- JIT requires [Microsoft Defender for Servers Plan 2](plan-defender-for-servers-select-plan.md#plan-features) to be enabled on the subscription.
- **Reader** and **SecurityReader** roles can both view the JIT status and parameters.
- If you want to create custom roles that work with JIT, you need the details from the following table:
| To enable a user to: | Permissions to set|
| --- | --- |
|Configure or edit a JIT policy for a VM | *Assign these actions to the role:* <ul><li>On the scope of a subscription (or resource group when using API or PowerShell only) that is associated with the VM:<br/> `Microsoft.Security/locations/jitNetworkAccessPolicies/write` </li><li> On the scope of a subscription (or resource group when using API or PowerShell only) of VM: <br/>`Microsoft.Compute/virtualMachines/write`</li></ul> |
|Request JIT access to a VM | *Assign these actions to the user:* <ul><li> `Microsoft.Security/locations/jitNetworkAccessPolicies/initiate/action` </li><li> `Microsoft.Security/locations/jitNetworkAccessPolicies/*/read` </li><li> `Microsoft.Compute/virtualMachines/read` </li><li> `Microsoft.Network/networkInterfaces/*/read` </li> <li> `Microsoft.Network/publicIPAddresses/read` </li></ul> |
|Read JIT policies| *Assign these actions to the user:* <ul><li>`Microsoft.Security/locations/jitNetworkAccessPolicies/read`</li><li>`Microsoft.Security/locations/jitNetworkAccessPolicies/initiate/action`</li><li>`Microsoft.Security/policies/read`</li><li>`Microsoft.Security/pricings/read`</li><li>`Microsoft.Compute/virtualMachines/read`</li><li>`Microsoft.Network/*/read`</li>|
> [!NOTE]
> Only the `Microsoft.Security` permissions are relevant for AWS.
- To set up JIT on your Amazon Web Service (AWS) VM, you need to [connect your AWS account](quickstart-onboard-aws.md) to Microsoft Defender for Cloud.
> [!TIP]
> To create a least-privileged role for users that need to request JIT access to a VM, and perform no other JIT operations, use the [Set-JitLeastPrivilegedRole script](https://github.com/Azure/Azure-Security-Center/tree/main/Powershell%20scripts/JIT%20Scripts/JIT%20Custom%20Role) from the Defender for Cloud GitHub community pages.
> [!NOTE]
> In order to successfully create a custom JIT policy, the policy name, together with the targeted VM name, must not exceed a total of 56 characters.
procedureSection:
- title: |
Work with JIT VM access using Microsoft Defender for Cloud
summary: |
You can enable JIT VM access with your own custom options, either from Defender for Cloud or programmatically, or you can enable JIT with default, hard-coded parameters from the Azure virtual machines pages.
**Just-in-time VM access** shows your VMs grouped into:
- **Configured** - VMs configured to support just-in-time VM access. For each VM, the list shows:
- the number of approved JIT requests in the last seven days
- the last access date and time
- the connection details configured
- the last user
- **Not configured** - VMs without JIT enabled, but that can support JIT. We recommend that you enable JIT for these VMs.
- **Unsupported** - VMs that don't support JIT because:
- Missing network security group (NSG) or Azure Firewall - JIT requires an NSG to be configured or a Firewall configuration (or both)
- Classic VM - JIT supports VMs that are deployed through Azure Resource Manager. [Learn more about classic vs Azure Resource Manager deployment models](../azure-resource-manager/management/deployment-models.md).
- Other - The JIT solution is disabled in the security policy of the subscription or the resource group.
### Enable JIT on your VMs from Microsoft Defender for Cloud
:::image type="content" source="./media/just-in-time-access-usage/configure-just-in-time-access.gif" alt-text="Screenshot showing configuring JIT VM access in Microsoft Defender for Cloud." lightbox="media/just-in-time-access-usage/configure-just-in-time-access.gif":::
From Defender for Cloud, you can enable and configure the JIT VM access.
1. Open the **Workload protections** and, in the advanced protections, select **Just-in-time VM access**.
1. In the **Not configured** virtual machines tab, mark the VMs to protect with JIT and select **Enable JIT on VMs**.
The JIT VM access page opens listing the ports that Defender for Cloud recommends protecting:
- 22 - SSH
- 3389 - RDP
- 5985 - WinRM
- 5986 - WinRM
To customize the JIT access:
1. Select **Add**.
1. Select one of the ports in the list to edit it or enter other ports. For each port, you can set the:
- **Protocol** - The protocol that is allowed on this port when a request is approved
- **Allowed source IPs** - The IP ranges that are allowed on this port when a request is approved
- **Maximum request time** - The maximum time window during which a specific port can be opened
1. Select **OK**.
1. To save the port configuration, select **Save**.
### Edit the JIT configuration on a JIT-enabled VM using Defender for Cloud
You can modify a VM's just-in-time configuration by adding and configuring a new port to protect for that VM, or by changing any other setting related to an already protected port.
To edit the existing JIT rules for a VM:
1. Open the **Workload protections** and, in the advanced protections, select **Just-in-time VM access**.
1. In the **Configured** virtual machines tab, right-click on a VM and select **Edit**.
1. In the **JIT VM access configuration**, you can either edit the list of ports or select **Add** to add a new custom port.
1. When you finish editing the ports, select **Save**.
### Request access to a JIT-enabled VM from Microsoft Defender for Cloud
When a VM has JIT enabled, you have to request access to connect to it. You can request access in any of the supported ways, regardless of how you enabled JIT.
steps:
- |
From the **Just-in-time VM access** page, select the **Configured** tab.
- |
Select the VMs you want to access:
- The icon in the **Connection Details** column indicates whether JIT is enabled on the network security group or firewall. If it's enabled on both, only the firewall icon appears.
- The **Connection Details** column shows the user and ports that can access the VM.
- |
Select **Request access**. The **Request access** window opens.
- |
Under **Request access**, select the ports that you want to open for each VM, the source IP addresses that you want the port opened on, and the time window to open the ports.
- |
Select **Open ports**.
> [!NOTE]
> If a user who is requesting access is behind a proxy, you can enter the IP address range of the proxy.
- title: |
Other ways to work with JIT VM access
summary: |
### Azure virtual machines
#### Enable JIT on your VMs from Azure virtual machines
You can enable JIT on a VM from the Azure virtual machines pages of the Azure portal.
> [!TIP]
> If a VM already has JIT enabled, the VM configuration page shows that JIT is enabled. You can use the link to open the JIT VM access page in Defender for Cloud to view and change the settings.
1. From the [Azure portal](https://portal.azure.com), search for and select **Virtual machines**.
1. Select the virtual machine you want to protect with JIT.
1. In the menu, select **Configuration**.
1. Under **Just-in-time access**, select **Enable just-in-time**.
By default, just-in-time access for the VM uses these settings:
- Windows machines
- RDP port: 3389
- Maximum allowed access: Three hours
- Allowed source IP addresses: Any
- Linux machines
- SSH port: 22
- Maximum allowed access: Three hours
- Allowed source IP addresses: Any
1. To edit any of these values or add more ports to your JIT configuration, use Microsoft Defender for Cloud's just-in-time page:
1. From Defender for Cloud's menu, select **Just-in-time VM access**.
1. From the **Configured** tab, right-click on the VM to which you want to add a port, and select **Edit**.
![Editing a JIT VM access configuration in Microsoft Defender for Cloud.](./media/just-in-time-access-usage/jit-policy-edit-security-center.png)
1. Under **JIT VM access configuration**, you can either edit the existing settings of an already protected port or add a new custom port.
1. When you've finished editing the ports, select **Save**.
#### Request access to a JIT-enabled VM from the Azure virtual machine's connect page
When a VM has JIT enabled, you have to request access to connect to it. You can request access in any of the supported ways, regardless of how you enabled JIT.
![Screenshot showing jit just-in-time request.](./media/just-in-time-access-usage/jit-request-vm.png)
To request access from Azure virtual machines:
1. In the Azure portal, open the virtual machines pages.
1. Select the VM to which you want to connect, and open the **Connect** page.
Azure checks to see if JIT is enabled on that VM.
- If JIT isn't enabled for the VM, you're prompted to enable it.
- If JIT is enabled, select **Request access** to pass an access request with the requesting IP, time range, and ports that were configured for that VM.
> [!NOTE]
> After a request is approved for a VM protected by Azure Firewall, Defender for Cloud provides the user with the proper connection details (the port mapping from the DNAT table) to use to connect to the VM.
### PowerShell
#### Enable JIT on your VMs using PowerShell
To enable just-in-time VM access from PowerShell, use the official Microsoft Defender for Cloud PowerShell cmdlet `Set-AzJitNetworkAccessPolicy`.
**Example** - Enable just-in-time VM access on a specific VM with the following rules:
- Close ports 22 and 3389
- Set a maximum time window of 3 hours for each so they can be opened per approved request
- Allow the user who is requesting access to control the source IP addresses
- Allow the user who is requesting access to establish a successful session upon an approved just-in-time access request
The following PowerShell commands create this JIT configuration:
1. Assign a variable that holds the just-in-time VM access rules for a VM:
```azurepowershell
$JitPolicy = (@{
    id="/subscriptions/SUBSCRIPTIONID/resourceGroups/RESOURCEGROUP/providers/Microsoft.Compute/virtualMachines/VMNAME";
    ports=(@{
        number=22;
        protocol="*";
        allowedSourceAddressPrefix=@("*");
        maxRequestAccessDuration="PT3H"},
        @{
        number=3389;
        protocol="*";
        allowedSourceAddressPrefix=@("*");
        maxRequestAccessDuration="PT3H"})})
```
1. Insert the VM just-in-time VM access rules into an array:
```azurepowershell
$JitPolicyArr=@($JitPolicy)
```
1. Configure the just-in-time VM access rules on the selected VM:
```azurepowershell
Set-AzJitNetworkAccessPolicy -Kind "Basic" -Location "LOCATION" -Name "default" -ResourceGroupName "RESOURCEGROUP" -VirtualMachine $JitPolicyArr
```
Use the `-Name` parameter to specify a VM. For example, to establish the JIT configuration for two different VMs, VM1 and VM2, use: `Set-AzJitNetworkAccessPolicy -Name VM1` and `Set-AzJitNetworkAccessPolicy -Name VM2`.
#### Request access to a JIT-enabled VM using PowerShell
The following example shows a just-in-time VM access request to a specific VM for port 22, from a specific IP address, and for a specific amount of time.
Run the following commands in PowerShell:
1. Configure the VM request access properties:
```azurepowershell
$JitPolicyVm1 = (@{
    id="/subscriptions/SUBSCRIPTIONID/resourceGroups/RESOURCEGROUP/providers/Microsoft.Compute/virtualMachines/VMNAME";
    ports=(@{
        number=22;
        endTimeUtc="2020-07-15T17:00:00.3658798Z";
        allowedSourceAddressPrefix=@("IPV4ADDRESS")})})
```
1. Insert the VM access request parameters in an array:
```azurepowershell
$JitPolicyArr=@($JitPolicyVm1)
```
1. Send the access request (use the resource ID from step 1):
```azurepowershell
Start-AzJitNetworkAccessPolicy -ResourceId "/subscriptions/SUBSCRIPTIONID/resourceGroups/RESOURCEGROUP/providers/Microsoft.Security/locations/LOCATION/jitNetworkAccessPolicies/default" -VirtualMachine $JitPolicyArr
```
Learn more in the [PowerShell cmdlet documentation](/powershell/scripting/developer/cmdlet/cmdlet-overview).
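The two PowerShell procedures above (define and apply the policy, then request access) combined into one script, as an added example that is not part of this article or of the Az.Security module's own documentation. It assumes the same placeholder values as the article (SUBSCRIPTIONID, RESOURCEGROUP, VMNAME, LOCATION), a constructed source address 203.0.113.10 from the RFC 5737 documentation range, and an authenticated Az session (`Connect-AzAccount`). The 56-character name check, the request-duration check and the computed `endTimeUtc` are additions of the example that apply constraints stated earlier on this page.

```powershell
# Added example (not from the article): enable JIT on one VM with Set-AzJitNetworkAccessPolicy,
# then request access to port 22 from a single source address with Start-AzJitNetworkAccessPolicy.
# Requires the Az.Accounts and Az.Security modules and an authenticated session (Connect-AzAccount).
# Placeholder values (assumptions of this example): SUBSCRIPTIONID, RESOURCEGROUP, VMNAME, LOCATION.
param(
    [string]$SubscriptionId = "SUBSCRIPTIONID",
    [string]$ResourceGroup  = "RESOURCEGROUP",
    [string]$VmName         = "VMNAME",
    [string]$Location       = "LOCATION",
    # Address the operator connects from; 203.0.113.0/24 is a documentation range (RFC 5737).
    [string]$SourceAddress  = "203.0.113.10",
    [int]$RequestHours      = 1
)

$vmId = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup/providers/Microsoft.Compute/virtualMachines/$VmName"

# The article states that policy name plus VM name must not exceed 56 characters.
$policyName = "default"
if (($policyName.Length + $VmName.Length) -gt 56) {
    throw "Policy name plus VM name exceeds the 56-character limit"
}

# 1. Policy: SSH and RDP stay closed until a request is approved; each opening lasts at most 3 hours.
#    A "*" source prefix means the requester chooses the source range at request time; a fixed CIDR
#    (for example a bastion or office range) caps what any request may ask for.
$ports = @(
    @{ number = 22;   protocol = "*"; allowedSourceAddressPrefix = @("*"); maxRequestAccessDuration = "PT3H" },
    @{ number = 3389; protocol = "*"; allowedSourceAddressPrefix = @("*"); maxRequestAccessDuration = "PT3H" }
)
$policy = @{ id = $vmId; ports = $ports }

Set-AzJitNetworkAccessPolicy -Kind "Basic" -Location $Location -Name $policyName `
    -ResourceGroupName $ResourceGroup -VirtualMachine @($policy)

# 2. Request: open only port 22, only for $SourceAddress, and only until now + $RequestHours.
#    The end time is computed rather than hard-coded and checked against the policy's PT3H ceiling,
#    so a stale or oversized window cannot be submitted by accident.
if ($RequestHours -gt 3) { throw "Request exceeds the policy's maximum of 3 hours" }
$endTimeUtc = (Get-Date).ToUniversalTime().AddHours($RequestHours).ToString("o")

$request = @{
    id    = $vmId
    ports = @(
        @{ number = 22; endTimeUtc = $endTimeUtc; allowedSourceAddressPrefix = @($SourceAddress) }
    )
}
$policyResourceId = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup/providers/Microsoft.Security/locations/$Location/jitNetworkAccessPolicies/$policyName"

Start-AzJitNetworkAccessPolicy -ResourceId $policyResourceId -VirtualMachine @($request)
```

Run it as `.\Enable-And-Request-Jit.ps1 -SubscriptionId <id> -ResourceGroup <rg> -VmName <vm> -Location <region> -SourceAddress <your public IP>`. The request step asks for a single address and one hour even though the policy allows any source and three hours; keeping the request narrower than the policy ceiling is the point of JIT, and the policy's `allowedSourceAddressPrefix` is the place to tighten what requesters can ask for at all.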
### REST API
#### Enable JIT on your VMs using the REST API
The just-in-time VM access feature can be used via the Microsoft Defender for Cloud API. Use this API to get information about configured VMs, add new ones, request access to a VM, and more.
Learn more at [JIT network access policies](/rest/api/defenderforcloud/jit-network-access-policies).
#### Request access to a JIT-enabled VM using the REST API
The just-in-time VM access feature can be used via the Microsoft Defender for Cloud API. Use this API to get information about configured VMs, add new ones, request access to a VM, and more.
Learn more at [JIT network access policies](/rest/api/defenderforcloud/jit-network-access-policies).
## Audit JIT access activity in Defender for Cloud
You can gain insights into VM activities using log search. To view the logs:
steps:
- |
From **Just-in-time VM access**, select the **Configured** tab.
- |
For the VM that you want to audit, open the ellipsis menu at the end of the row.
- |
Select **Activity Log** from the menu.
![Select just-in-time JIT activity log.](./media/just-in-time-access-usage/jit-select-activity-log.png)
The activity log provides a filtered view of previous operations for that VM along with time, date, and subscription.
- |
To download the log information, select **Download as CSV**.
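A scripted counterpart to the portal's Activity Log view, as an added example that is not part of this article: it reads the Activity Log for a resource group with `Get-AzActivityLog` (Az.Monitor) and filters on the JIT `initiate/action` and `write` operation names listed in the prerequisites table, so requests and policy changes can be reviewed together. RESOURCEGROUP is a placeholder; the seven-day window and the `Get-OperationName` and `Get-StatusText` helpers (which accept both the plain-string and the LocalizableString form these properties have taken across Az.Monitor versions) are assumptions of the example.

```powershell
# Added example (not from the article): audit JIT activity for a resource group from the Azure
# Activity Log. Requires Az.Accounts and Az.Monitor and an authenticated session (Connect-AzAccount).
# Assumptions: RESOURCEGROUP is a placeholder; the 7-day window mirrors the portal's "last seven days".
param(
    [string]$ResourceGroup = "RESOURCEGROUP",
    [int]$Days = 7
)

# Operation names from the JIT permissions table: a request for access, and a change to the policy.
$initiateOp = "Microsoft.Security/locations/jitNetworkAccessPolicies/initiate/action"
$writeOp    = "Microsoft.Security/locations/jitNetworkAccessPolicies/write"

# Helpers (assumption of this example): OperationName and Status are plain strings in recent
# Az.Monitor versions and LocalizableString objects (with a .Value property) in older ones.
function Get-OperationName {
    param($Event)
    if ($null -ne $Event.OperationName.PSObject.Properties['Value']) { return $Event.OperationName.Value }
    return [string]$Event.OperationName
}

function Get-StatusText {
    param($Event)
    if ($null -ne $Event.Status.PSObject.Properties['Value']) { return $Event.Status.Value }
    return [string]$Event.Status
}

$events = Get-AzActivityLog -ResourceGroupName $ResourceGroup -StartTime (Get-Date).AddDays(-$Days)

# Who asked for access, when, against which JIT policy resource, and whether the request succeeded.
Write-Host "JIT access requests in the last $Days days:"
$events |
    Where-Object { (Get-OperationName $_) -eq $initiateOp } |
    Select-Object EventTimestamp, Caller, ResourceId, @{ Name = "Status"; Expression = { Get-StatusText $_ } } |
    Sort-Object EventTimestamp -Descending |
    Format-Table -AutoSize

# A policy write changes which ports, source ranges and durations any later request may ask for,
# so these events deserve review alongside the requests themselves.
Write-Host "JIT policy changes in the last $Days days:"
$events |
    Where-Object { (Get-OperationName $_) -eq $writeOp } |
    Select-Object EventTimestamp, Caller, ResourceId, @{ Name = "Status"; Expression = { Get-StatusText $_ } } |
    Sort-Object EventTimestamp -Descending |
    Format-Table -AutoSize
```

`Get-AzActivityLog` returns a bounded number of records by default; for a busy resource group, pass `-MaxRecord` or narrow the window with `-StartTime`/`-EndTime`. The Activity Log retains events for a limited period, so for long-term review of who opened which port, export these events to a Log Analytics workspace or storage account rather than relying on ad hoc queries.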
nextStep:
text: Understand just-in-time VM access management
url: just-in-time-access-overview.md
#In this article, you learned how to configure and use just-in-time VM access. To learn why you should use JIT, read the article that explains the threats JIT defends against:
#> [!div class="nextstepaction"]
#> [JIT explained](just-in-time-access-overview.md)