Just-In-Time VM Access with PowerShell - Marcin Gastol

Just-In-Time VM Access with PowerShell

Intro

Securing access to your virtual machines (VMs) is critical to maintaining a robust security posture. Just-In-Time (JIT) VM access is a feature of Azure Security Center, now called Microsoft Defender for Cloud (it requires the Defender for Servers Plan 2 on the subscription), that reduces exposure to attacks by keeping the management ports of your VMs closed and opening them only when access is needed. This blog post will guide you through implementing JIT VM access using PowerShell, thereby enhancing the security of your Azure Virtual Machines.

Just-In-Time VM Access

Just-In-Time VM access is a security feature that reduces the attack surface of your VMs by allowing you to control the time window and IP ranges from which your VMs can be accessed. When JIT is enabled, you can request access to a VM for a specified period, and Azure Security Center will automatically configure the necessary Network Security Group (NSG) rules to allow access during that time window.

JIT VM access provides several benefits:

  • Minimized Attack Surface: By restricting access to a limited time window and specific IP addresses, you reduce the exposure of your VMs to potential attacks.
  • Controlled Access: The ports stay closed by default. Opening one requires a request from a user who holds the Azure RBAC permission to initiate JIT access on the VM, and the request is bounded by the policy's allowed source ranges and maximum duration.
  • Auditing and Monitoring: Every JIT request is recorded on the policy and in the Azure Activity Log, providing visibility into who requested access to which VM, from which address, and for how long.

Implementing

Using PowerShell to manage JIT VM access provides a powerful and flexible way to automate the process. Below are the steps to enable, request, and configure JIT VM access using PowerShell.

Step 1: Connect to Azure

Before implementing JIT VM access, you need to connect to your Azure account using PowerShell.

PowerShell
# Connect to Azure
Connect-AzAccount

Step 2: Enable Just-In-Time VM Access

To enable JIT VM access, you add the VM to a JIT policy. A policy is a regional resource in the resource group (conventionally named 'default') that lists the protected VMs, and for each VM the ports that may be requested, the source ranges requests may come from, and the longest window a single request may open. Note that Set-AzJitNetworkAccessPolicy writes the policy as a whole: if the 'default' policy already covers other VMs, read it back with Get-AzJitNetworkAccessPolicy first and pass the full list.

PowerShell
# Define parameters
$resourceGroupName = 'GarsonResourceGroup'
$vmName = 'GarsonVM'

# Get the VM; its resource ID and region are needed for the policy
$vm = Get-AzVM -ResourceGroupName $resourceGroupName -Name $vmName

# Define the JIT policy entry for this VM.
# maxRequestAccessDuration caps how long any single request may keep a port open;
# allowedSourceAddressPrefix limits where requests may come from (avoid '*' outside a lab).
$jitPolicy = @{
    id    = $vm.Id
    ports = @(
        @{
            number                     = 22  # SSH port for Linux VMs
            protocol                   = '*'
            allowedSourceAddressPrefix = @('203.0.113.0/24')  # Allowed IP range
            maxRequestAccessDuration   = 'PT1H'  # 1 hour maximum per request
        },
        @{
            number                     = 3389  # RDP port for Windows VMs
            protocol                   = '*'
            allowedSourceAddressPrefix = @('203.0.113.0/24')  # Allowed IP range
            maxRequestAccessDuration   = 'PT1H'  # 1 hour maximum per request
        }
    )
}

# Enable JIT VM access. -VirtualMachine takes an array, so several VMs can be added in one call.
Set-AzJitNetworkAccessPolicy -Kind 'Basic' -Location $vm.Location -ResourceGroupName $resourceGroupName -Name 'default' -VirtualMachine @($jitPolicy)
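Once policies exist, the question a security engineer asks next is which VMs are still outside them and which policy entries are weaker than intended. The following audit is an added example, not code from the original post: it lists every JIT policy in the subscription, compares the covered VM IDs against all VMs, and flags entries whose allowed source is the wildcard '*'. It assumes the Az.Compute and Az.Security modules are installed, that Connect-AzAccount has already run, and that the property names used (VirtualMachines, Ports, AllowedSourceAddressPrefix, AllowedSourceAddressPrefixes, MaxRequestAccessDuration) are those of the objects Get-AzJitNetworkAccessPolicy returns.

```powershell
# Added example (not from the original post): report which VMs in the current subscription have
# no JIT policy entry, and which entries accept requests from any source address ('*').
# Assumptions: Az.Compute and Az.Security are installed and Connect-AzAccount has run.

function Get-JitCoverageReport {
    [CmdletBinding()]
    param()

    # With no parameters the cmdlet returns every JIT policy in the subscription
    $policies = Get-AzJitNetworkAccessPolicy

    # Map VM resource ID (lower-cased, IDs are case-insensitive) -> configured port entries
    $covered = @{}
    foreach ($policy in $policies) {
        foreach ($policyVm in $policy.VirtualMachines) {
            $covered[$policyVm.Id.ToLowerInvariant()] = @($policyVm.Ports)
        }
    }

    foreach ($vm in Get-AzVM) {
        $key = $vm.Id.ToLowerInvariant()
        if (-not $covered.ContainsKey($key)) {
            [pscustomobject]@{
                VM = $vm.Name; ResourceGroup = $vm.ResourceGroupName; Finding = 'No JIT policy'
                Port = $null; Source = $null; MaxDuration = $null
            }
            continue
        }
        foreach ($port in $covered[$key]) {
            # Both the singular and plural property may be populated depending on how the policy was written
            $sources = @($port.AllowedSourceAddressPrefix) + @($port.AllowedSourceAddressPrefixes) | Where-Object { $_ }
            # '*' means any address on the internet may ask for the port to be opened
            $finding = if ($sources -contains '*') { 'JIT allows requests from any source' } else { 'Covered' }
            [pscustomobject]@{
                VM = $vm.Name; ResourceGroup = $vm.ResourceGroupName; Finding = $finding
                Port = $port.Number; Source = ($sources -join ','); MaxDuration = $port.MaxRequestAccessDuration
            }
        }
    }
}

Get-JitCoverageReport | Sort-Object Finding, VM | Format-Table -AutoSize
```

Run it after any change to the policies, or on a schedule; a VM that appears with 'No JIT policy' and has a public IP is the one to fix first.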

Step 3: Request Access to a VM

Once JIT is enabled, you request access to a VM when needed. The request must stay within the policy: the source prefix has to fall inside the policy's allowed range and the end time within its maximum duration, or the request is rejected. Defender for Cloud then adds the matching NSG allow rule and removes it again when the window ends. Request only the port you actually need, and give your own address as a single host rather than the whole range the policy permits.

PowerShell
# Request access to the VM for the next hour, from this operator's own address only.
# endTimeUtc is an ISO 8601 UTC timestamp; it must not exceed the policy's maxRequestAccessDuration.
$endTimeUtc = (Get-Date).ToUniversalTime().AddHours(1).ToString('o')
$request = @{
    id    = $vm.Id
    ports = @(
        @{
            number                     = 22  # SSH port for Linux VMs (request only the port your VM's OS uses)
            allowedSourceAddressPrefix = @('203.0.113.10')  # single source host, inside the policy's 203.0.113.0/24
            endTimeUtc                 = $endTimeUtc
        },
        @{
            number                     = 3389  # RDP port for Windows VMs
            allowedSourceAddressPrefix = @('203.0.113.10')
            endTimeUtc                 = $endTimeUtc
        }
    )
}

# Make the request against the 'default' policy that covers the VM
Start-AzJitNetworkAccessPolicy -ResourceGroupName $resourceGroupName -Location $vm.Location -Name 'default' -VirtualMachine @($request)

Step 4: Monitor JIT Access Requests

Defender for Cloud records every JIT access request on the policy itself, and also writes it to the Azure Activity Log under the operation Microsoft.Security/locations/jitNetworkAccessPolicies/initiate/action, which is the event to forward to your SIEM. You can read the request history back from the policy with PowerShell.

PowerShell
# Read the policy back; its Requests property holds the access requests made against it
$jitPolicyState = Get-AzJitNetworkAccessPolicy -ResourceGroupName $resourceGroupName -Location $vm.Location -Name 'default'
foreach ($request in $jitPolicyState.Requests) {
    foreach ($requestVm in $request.VirtualMachines) {
        foreach ($port in $requestVm.Ports) {
            Write-Output ("{0} requested port {1} on {2} from {3}: start {4}, end {5}, status {6}" -f
                $request.Requestor, $port.Number, $requestVm.Id.Split('/')[-1],
                $port.AllowedSourceAddressPrefix, $request.StartTimeUtc, $port.EndTimeUtc, $port.Status)
        }
    }
}

Step 5: Automate the Process with a Script

To ensure continuous protection and streamlined access management, you can automate the process of enabling JIT VM access and requesting access using a PowerShell script.

PowerShell
# Connect to Azure
Connect-AzAccount

# Define parameters
$resourceGroupName = 'GarsonResourceGroup'
$vmName = 'GarsonVM'
$policyName = 'default'
$allowedRange = '203.0.113.0/24'   # where requests may come from
$operatorIp = '203.0.113.10'       # the single host requesting access (must be inside $allowedRange)

# Get the VM; its resource ID and region are needed for the policy
$vm = Get-AzVM -ResourceGroupName $resourceGroupName -Name $vmName

# Define the JIT policy entry for this VM
$jitPolicy = @{
    id    = $vm.Id
    ports = @(
        @{
            number                     = 22  # SSH port for Linux VMs
            protocol                   = '*'
            allowedSourceAddressPrefix = @($allowedRange)
            maxRequestAccessDuration   = 'PT1H'  # 1 hour maximum per request
        },
        @{
            number                     = 3389  # RDP port for Windows VMs
            protocol                   = '*'
            allowedSourceAddressPrefix = @($allowedRange)
            maxRequestAccessDuration   = 'PT1H'
        }
    )
}

# Enable JIT VM access (writes the whole policy; include every VM it should cover)
Set-AzJitNetworkAccessPolicy -Kind 'Basic' -Location $vm.Location -ResourceGroupName $resourceGroupName -Name $policyName -VirtualMachine @($jitPolicy)

# Request access to the VM for the next hour from the operator's address only
$endTimeUtc = (Get-Date).ToUniversalTime().AddHours(1).ToString('o')
$request = @{
    id    = $vm.Id
    ports = @(
        @{
            number                     = 22
            allowedSourceAddressPrefix = @($operatorIp)
            endTimeUtc                 = $endTimeUtc
        },
        @{
            number                     = 3389
            allowedSourceAddressPrefix = @($operatorIp)
            endTimeUtc                 = $endTimeUtc
        }
    )
}

# Make the request
Start-AzJitNetworkAccessPolicy -ResourceGroupName $resourceGroupName -Location $vm.Location -Name $policyName -VirtualMachine @($request)

# Read back the request history recorded on the policy
$jitPolicyState = Get-AzJitNetworkAccessPolicy -ResourceGroupName $resourceGroupName -Location $vm.Location -Name $policyName
foreach ($req in $jitPolicyState.Requests) {
    foreach ($requestVm in $req.VirtualMachines) {
        foreach ($port in $requestVm.Ports) {
            Write-Output ("{0} requested port {1} on {2} from {3}: start {4}, end {5}, status {6}" -f
                $req.Requestor, $port.Number, $requestVm.Id.Split('/')[-1],
                $port.AllowedSourceAddressPrefix, $req.StartTimeUtc, $port.EndTimeUtc, $port.Status)
        }
    }
}
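JIT only helps if nothing else already lets traffic in on the same ports. NSG rules are evaluated from the lowest priority number upward and the first match wins, so a standing inbound Allow for 22 or 3389 that sits in front of the deny rule JIT maintains makes the whole policy moot. The check below is an added example, not code from the original post: it collects the NSGs attached to the VM's first NIC and to that NIC's subnet, and lists every inbound Allow rule that covers a JIT-managed port. It assumes Az.Compute and Az.Network are installed, that Connect-AzAccount has run, and that JIT's own time-limited rules are named with the prefix 'SecurityCenter-JITRule', which is used to skip them (confirm that prefix in your tenant; if it differs, the active JIT rule simply shows up in the list as well).

```powershell
# Added example (not from the original post): find standing NSG rules that would let inbound traffic
# reach the JIT-managed ports whether or not an access request is active.
# Assumptions: Az.Compute and Az.Network are installed, Connect-AzAccount has run, and the VM's NSGs
# are attached to its first NIC and/or that NIC's subnet. The 'SecurityCenter-JITRule' name prefix is
# assumed to identify JIT's own rules.

function Test-PortInRanges {
    param([int] $Port, [string[]] $Ranges)
    # NSG destination port ranges are '*', a single port, or 'low-high'
    foreach ($range in $Ranges) {
        if ($range -eq '*') { return $true }
        if ($range -match '^(\d+)-(\d+)$') {
            if ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) { return $true }
        } elseif ([int]$range -eq $Port) { return $true }
    }
    return $false
}

function Get-NsgFromId {
    param([string] $NsgId)
    if ($NsgId -match '/resourceGroups/(?<rg>[^/]+)/providers/Microsoft\.Network/networkSecurityGroups/(?<name>[^/]+)$') {
        return Get-AzNetworkSecurityGroup -ResourceGroupName $Matches.rg -Name $Matches.name
    }
}

function Get-StandingJitBypassRules {
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $VMName,
        [int[]] $Ports = @(22, 3389)   # the ports the JIT policy manages
    )
    $vm  = Get-AzVM -ResourceGroupName $ResourceGroupName -Name $VMName
    $nic = Get-AzNetworkInterface -ResourceId $vm.NetworkProfile.NetworkInterfaces[0].Id

    # NSG on the NIC, if any
    $nsgIds = @()
    if ($nic.NetworkSecurityGroup) { $nsgIds += $nic.NetworkSecurityGroup.Id }

    # NSG on the NIC's subnet, if any
    $subnetId = $nic.IpConfigurations[0].Subnet.Id
    if ($subnetId -match '/resourceGroups/(?<rg>[^/]+)/providers/Microsoft\.Network/virtualNetworks/(?<vnet>[^/]+)/subnets/(?<subnet>[^/]+)$') {
        $vnet   = Get-AzVirtualNetwork -ResourceGroupName $Matches.rg -Name $Matches.vnet
        $subnet = Get-AzVirtualNetworkSubnetConfig -Name $Matches.subnet -VirtualNetwork $vnet
        if ($subnet.NetworkSecurityGroup) { $nsgIds += $subnet.NetworkSecurityGroup.Id }
    }

    foreach ($nsgId in ($nsgIds | Select-Object -Unique)) {
        $nsg = Get-NsgFromId -NsgId $nsgId
        foreach ($rule in $nsg.SecurityRules) {
            # Only inbound Allow rules matter; JIT's own time-limited allow rules are skipped by name
            if ($rule.Direction -ne 'Inbound' -or $rule.Access -ne 'Allow') { continue }
            if ($rule.Name -like 'SecurityCenter-JITRule*') { continue }
            foreach ($port in $Ports) {
                if (Test-PortInRanges -Port $port -Ranges @($rule.DestinationPortRange)) {
                    [pscustomobject]@{
                        NSG      = $nsg.Name
                        Rule     = $rule.Name
                        Priority = $rule.Priority
                        Port     = $port
                        Source   = ($rule.SourceAddressPrefix -join ',')
                    }
                }
            }
        }
    }
}

Get-StandingJitBypassRules -ResourceGroupName 'GarsonResourceGroup' -VMName 'GarsonVM' | Format-Table -AutoSize
```

Any row with Source '*' or 'Internet' is a permanent opening that JIT cannot close; a row with a narrow source is still worth questioning, since the point of JIT is that no allow rule for these ports exists outside an active request.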

This script adds the VM to the JIT policy, submits an access request for a bounded window from a single source address, and reads back the request history recorded on the policy. In practice the policy step belongs in your deployment pipeline so every new VM starts with its management ports closed, while the request step is what an operator, or an automated runbook acting on their behalf, runs only when access is actually needed.

If you wish to start your journey from the beginning, check out how to get started with PowerShell in Azure:
