Protect your Azure VMs using JIT -- Step by step Guide


I - Introduction :

In a world where cybersecurity has become a major concern, protecting virtual machines (VMs) in the cloud is a topic of paramount importance. This article focuses on a specific security feature offered by Microsoft Defender for Cloud: just-in-time (JIT) VM access, referred to below as Azure JIT.

Azure JIT locks down inbound traffic to the management ports of your VMs (typically RDP on 3389 and SSH on 22). This reduces their exposure to brute-force and scanning attacks while still giving you a simple way to open a port for yourself, from your own IP address, for a limited time when you actually need to connect.


II - What is Azure JIT :

Azure JIT, or just-in-time VM access, is a security feature offered by Microsoft Defender for Cloud. It protects your Azure virtual machines (VMs) from unauthorized access by blocking inbound traffic on the management ports you select. This means that those ports are only reachable when you need them, and access is granted for a limited time and from a limited set of source addresses.

Azure JIT works by configuring Network Security Group (NSG) and, where one is in the path, Azure Firewall rules to deny all inbound traffic on the ports you wish to protect. When you need access to a VM, you request just-in-time access via the Azure portal, PowerShell, the Azure CLI or the REST API. Defender for Cloud then checks that you hold the required Azure RBAC permissions on the VM and, if so, creates a temporary higher-priority allow rule for the specified port, source IP range and duration you choose (up to the maximum set in the policy). Once the time has elapsed, the allow rule is automatically removed and the port is blocked again.


III - Benefits of Azure JIT :

Here are some of its benefits:

  1. Reduced attack surface: with JIT, inbound traffic to your VMs' management ports is blocked by default, reducing exposure to attacks while still providing easy access when you need to connect.
  2. Traffic control: you choose which ports to protect. Defender for Cloud ensures that "deny all inbound traffic" rules exist for the selected ports in the Network Security Group (NSG) and, if applicable, Azure Firewall rules.
  3. Controlled exceptions: when a user requests access to a VM, Defender for Cloud checks that the user has the required Azure role-based access control (Azure RBAC) permissions for that VM (notably the Microsoft.Security/locations/jitNetworkAccessPolicies/initiate/action permission). If the request is approved, Defender for Cloud configures the NSG and Azure Firewall to allow inbound traffic to the selected ports from the requested IP address (or range) only, for the specified duration.
  4. Audit trail: every request is recorded in the Azure Activity Log, so you can audit who opened which port, from where and when, and confirm that your VMs are being accessed as intended.

In short, Azure JIT is an invaluable tool for reinforcing the security of your virtual machines by limiting access to only those who need it.


IV - Prerequisites :

  1. An Azure subscription.
  2. Microsoft Defender for Servers Plan 2 enabled on the subscription; JIT VM access is part of this plan. You enable it from Microsoft Defender for Cloud (formerly Azure Security Center) in the Azure portal.
  3. A virtual machine in Azure, with an NSG attached to its NIC or subnet, on which to apply JIT.


V - JIT Pricing :

Microsoft Defender for Cloud plans are free for the first 30 days; anything beyond the initial 30 days is charged according to the pricing chart below, which shows the per-month pricing for the various services Defender for Cloud can protect. Generally speaking, you can expect a cost of about $15.00 per server per month for virtual machines covered by Defender for Servers Plan 2, which includes just-in-time VM access.

[Screenshot: Defender for Cloud pricing chart, in US dollars]

Always check the latest Defender for Cloud pricing from this link, because the plans and prices change over time:

https://azure.microsoft.com/en-ca/pricing/details/defender-for-cloud/


VI - Enabling Microsoft Defender Plan 2 for Azure Servers :

The first task you'll need to accomplish is enabling Microsoft Defender for Servers Plan 2 on the subscription that holds your VMs.

This is done from Microsoft Defender for Cloud (formerly Azure Security Center) in the Azure portal, under Environment settings:

  • Select your subscription (in my case it is named "Azure subscription 1").

  • In the Servers row, switch the plan to "On", make sure "Plan 2" is selected, then click Save.

As you can see here, "Plan 2" is required for JIT VM protection; Plan 1 does not include it.

You can also turn on the Defender plans for other resource types as required; they are billed separately.

The next step is to enable JIT from the Azure VM's configuration panel.

VII - Enabling JIT for azure VM :

Open Azure Virtual machines from this link :

https://portal.azure.com/#view/HubsExtension/BrowseResource/resourceType/Microsoft.Compute%2FVirtualMachines

Select your VM (I have only one VM here).

Select "Configuration" from the Settings section of the left panel, then click "Enable just-in-time".

After enabling JIT, click "Open Microsoft Defender for Cloud"; you will be redirected to the Just-in-time VM access window.

Select your VM, then click "Request access":

  • Toggle "On" for port 3389 to allow an RDP connection (1).
  • Allowed source IP: "My IP", so that the port is opened only for my current public IP address. Avoid "Any" unless you really need it, as that exposes the port to the whole internet for the duration of the request.
  • Time range: access to my VM will last 1 hour only; after that the allow rule is removed and the port is blocked again (2).
  • Add a description giving the reason for the connection (3).
  • Click "Open ports" to enable VM access (4).

After the request is approved, you will see the highlighted details added to your VM in the JIT list:

  • Access approved for 1 user
  • Access is currently active
  • Port 3389
  • Last user: me

Now we will connect to the VM using an RDP file. To do this:

  1. Go to "Connect" in the left panel.
  2. Click "Download RDP file".

Double-click the downloaded RDP file and authenticate to your VM.

We are now connected to our VM over RDP through the port that JIT opened for our IP address only; once the hour is up, the same connection attempt will be refused by the NSG.
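The same procedure can be scripted, which is what you want when JIT is rolled out to more than a handful of VMs or when the requester is an automation account. The PowerShell below is an added example, not code from the original article; it uses the Az.Security and Az.Network cmdlets (Set-AzJitNetworkAccessPolicy, Start-AzJitNetworkAccessPolicy, Get-AzNetworkSecurityGroup) and assumes you have already run Connect-AzAccount against a subscription with Defender for Servers Plan 2 enabled. The subscription ID, resource group, VM name, region and IP addresses are placeholders to replace with your own. It also tightens one portal default: instead of allowing a requester to open the port to "*", the policy restricts requests to an assumed corporate egress range, and the request itself asks for a single /32.

```powershell
# Added example (not from the original article): create a JIT policy for one VM,
# request access through it, and verify the temporary NSG rule it produced.
# Requires Az.Accounts, Az.Security and Az.Network, with Connect-AzAccount already run.
# All identifiers below are placeholder assumptions; replace them with your own.
$SubscriptionId    = "00000000-0000-0000-0000-000000000000"
$ResourceGroupName = "rg-jit-demo"
$VmName            = "vm-jit-demo"
$Location          = "canadacentral"      # must be the VM's region
$CorpEgressRange   = "203.0.113.0/24"     # assumption: the only range requests may come from
$MyPublicIp        = "203.0.113.10"       # assumption: the workstation's current public IP

$VmId = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName" +
        "/providers/Microsoft.Compute/virtualMachines/$VmName"

# 1) Policy: which ports JIT may open, from which sources, and for at most how long.
#    Leaving allowedSourceAddressPrefix as "*" (the portal default) lets any requester
#    open the port to the entire internet; pin it to a known range instead.
$JitPolicy = @{
    id    = $VmId
    ports = @(
        @{
            number                     = 3389            # RDP
            protocol                   = "TCP"
            allowedSourceAddressPrefix = @($CorpEgressRange)
            maxRequestAccessDuration   = "PT1H"          # ISO 8601 duration: 1 hour maximum per request
        }
    )
}

Set-AzJitNetworkAccessPolicy -Kind "Basic" -Location $Location -Name "default" `
    -ResourceGroupName $ResourceGroupName -VirtualMachine @($JitPolicy)

# 2) Request: open 3389 to this one IP until one hour from now (UTC, ISO 8601 round-trip format).
$EndTimeUtc = (Get-Date).ToUniversalTime().AddHours(1).ToString("o")
$Request = @{
    id    = $VmId
    ports = @(
        @{
            number                     = 3389
            endTimeUtc                 = $EndTimeUtc
            allowedSourceAddressPrefix = @($MyPublicIp)  # a single host, narrower than the policy range
        }
    )
}

$PolicyId = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName" +
            "/providers/Microsoft.Security/locations/$Location/jitNetworkAccessPolicies/default"
Start-AzJitNetworkAccessPolicy -ResourceId $PolicyId -VirtualMachine @($Request)

# 3) Verify: JIT writes its rules into the NSG(s) in front of the VM. In my experience the
#    rule names start with "SecurityCenter-JITRule" (assumption: check your own NSG if not).
#    You should see a high-priority Allow from $MyPublicIp to 3389 and a lower-priority Deny from *.
Get-AzNetworkSecurityGroup -ResourceGroupName $ResourceGroupName |
    ForEach-Object { $_.SecurityRules } |
    Where-Object { $_.Name -like "SecurityCenter-JITRule*" } |
    Select-Object Name, Priority, Access, Direction, SourceAddressPrefix, DestinationPortRange |
    Format-Table -AutoSize
```

Run the request step again after the hour has passed and the Allow rule will be gone while the Deny rule remains; that is the behaviour you are relying on, so it is worth confirming once on a test VM rather than assuming it.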

VIII - Auditing JIT Access Activity :

So you've set up JIT access on a number of VMs, but is it being used? If so, how often, and by whom? You need to audit the access policy activity. Auditing can be done via each VM's activity log.

When someone requests access to a management port and Defender for Cloud creates the temporary allow rule, JIT records this in the Azure Activity Log. The log entry contains information such as when the request was made, who made it (the caller), which ports and source addresses were requested, and whether it succeeded.

To view the activity log, navigate to the Just-in-time VM access blade in the Azure portal, click the ellipsis (...) on the far right of the selected virtual machine, and select Activity Log.

The activity log provides a filtered view of previous JIT operations for this virtual machine, along with the subscription, date and time.

To download the log entries, select "Download as CSV".
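For more than one VM, or for a recurring review, the same audit is easier to run from PowerShell. The script below is an added example, not part of the original article; it uses Get-AzActivityLog (Az.Monitor) and Get-AzJitNetworkAccessPolicy (Az.Security) and assumes Connect-AzAccount has already been run. The resource group, region and CSV path are placeholder assumptions. It pulls the JIT "initiate" events for the last 30 days, which is how a JIT request appears in the Activity Log, and then checks the policy itself for the one misconfiguration that undermines JIT: ports whose allowed source prefix is "*".

```powershell
# Added example (not from the original article): audit JIT requests from the Activity Log
# and review the JIT policy for over-permissive source prefixes.
# Requires Az.Accounts, Az.Monitor and Az.Security, with Connect-AzAccount already run.
# Identifiers below are placeholder assumptions; replace them with your own.
$ResourceGroupName = "rg-jit-demo"
$Location          = "canadacentral"
$CsvPath           = ".\jit-audit.csv"
$Since             = (Get-Date).AddDays(-30)

# A JIT request is logged as an "initiate" action on the JIT policy resource
# (provider Microsoft.Security), not as an operation on the VM itself.
$JitInitiate = "Microsoft.Security/locations/jitNetworkAccessPolicies/initiate/action"

# 1) Who requested access, when, and did it succeed?
$Events = Get-AzActivityLog -ResourceGroupName $ResourceGroupName -StartTime $Since -DetailedOutput |
    Where-Object { $_.OperationName -eq $JitInitiate }

$Summary = $Events | Select-Object `
    @{ Name = "TimeUtc";  Expression = { $_.EventTimestamp.ToUniversalTime() } },
    @{ Name = "Caller";   Expression = { $_.Caller } },
    @{ Name = "Status";   Expression = { $_.Status } },
    @{ Name = "Policy";   Expression = { $_.ResourceId } }

$Summary | Sort-Object TimeUtc -Descending | Format-Table -AutoSize
$Summary | Export-Csv -Path $CsvPath -NoTypeInformation   # same data as the portal's CSV download

# Requesters who used JIT most often in the period; an unfamiliar caller here is
# worth a follow-up even when every request succeeded.
$Summary | Group-Object Caller | Sort-Object Count -Descending |
    Select-Object Name, Count | Format-Table -AutoSize

# 2) Is the policy itself sane? A port that allows "*" lets any requester open it to the
#    whole internet for the request duration, which defeats the purpose of JIT.
$Policy = Get-AzJitNetworkAccessPolicy -ResourceGroupName $ResourceGroupName `
    -Location $Location -Name "default"

foreach ($Vm in $Policy.VirtualMachines) {
    foreach ($Port in $Vm.Ports) {
        if ($Port.AllowedSourceAddressPrefix -eq "*") {
            Write-Warning ("{0}: port {1} may be opened from ANY source (max {2}); restrict the prefix." `
                -f ($Vm.Id -split "/")[-1], $Port.Number, $Port.MaxRequestAccessDuration)
        }
    }
}
```

The Activity Log is retained for 90 days by default; if you need a longer audit trail, route it to a Log Analytics workspace or storage account with a diagnostic setting and run this review from there instead.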


IX - Conclusion :

In conclusion, Azure just-in-time VM access is an essential security tool for any organization running virtual machines in the cloud. By keeping management ports closed by default and opening them only on request, only for the necessary ports, only from the requester's IP address and only for the necessary duration, Azure JIT offers robust protection against unauthorized access, and its activity log lets you verify that the feature is being used as intended.


Thanks


Aymen EL JAZIRI

System Administrator
