How to enable JIT (Just in Time) VM Access in Microsoft Azure
If you have Virtual Machines running on the Internet with Public IPs, you should know they are exposed to attacks from evil-doers. If you have a Windows VM with RDP enabled running in Azure, there is a great feature called JIT access or Just In Time Access. JIT access to a VM allows administrators to temporarily open up access to configured ports (3389 for RDP as an example) for a select number of hours and locked to a source machine to accomplish any tasks necessary. This really reduces the exposure to attacks from the greater internet during the time the port is open.
Even though this feature exists, we don’t always see it in place at clients so Chris Hahn suggested that I write up this quick note to demonstrate how easily it can be configured.
JIT Access is configured in the Azure Security Center under Just in time VM access.
If this is the first time you are configuring JIT access, you can click on the Recommended tab and then select the Virtual Machine and click the Enable JIT button. The wizard will suggest some ports based on the machine to be protected and then all of the networking magic will be handled behind the scenes using the NSG (Network Security Group) and your Virtual Machine will move over to the Configured tab to request access.
It honestly couldn’t be easier and with the Wizard above, you can define the Time Range to anything. 3 hours is the default suggestion.
If you are running your machines in Azure, this is definitely something we recommend enabling. It is super easy and for the level of effort, it provides a ton of protection.
Happy Cloud Computing!