Task: Configure Just-In-Time Access for a Virtual Machine

Video: Configure VM Security

Estimated time: 25 minutes

Goal

In this task you will provision a virtual machine and protect it with just-in-time (JIT) access through security center. You will upgrade security center to standard tier to enable JIT virtual machine access. You will also verify that JIT virtual machine access is performing as expected.

Pre-requisites

Non-production Azure subscription

Requirements

Provision a virtual machine
Configure just-in-time access for the virtual machine
Verify just-in-time access

Pre-requisite setup

This task does not require any pre-requisite setup.

Requirement 1: Provision a virtual machine

To begin this task, you will provision a network security group, a virtual network, a Windows virtual machine, and a Linux virtual machine. Provision the resources with the following settings:

Network security group: |Setting|Value| |---|---| |Resource group|task-vmsec-rg| |Location|East US| |Name|vmsec-nsg| |Inbound rule 1|| |Name|RDP| |Protocol|TCP| |Port|3389| |Priority|500| |Action|Allow| |Inbound rule 2|| |Name|SSH| |Protocol|TCP| |Port|22| |Priority|600| |Action|Allow|
Provision the virtual network with the following settings. Accept default values for all other settings: |Setting|Value| |---|---| |Resource group|task-vmsec-rg| |Location|East US| |Name|vmsec-vnet|
Assign the vmsec-nsg to the default subnet of the vmsec-vnet virtual network.
Provision a Windows virtual machine with the following settings:

Setting	Value
Resource group	task-vmsec-rg
Location	East US
Name	vmsec-win-vm
Image	Windows Server 2016 Datacenter
Size	Standard_D2S_V3
Username	student
Password	<a strong password>
OS disk	Standard SSD
Virtual network	vmsec-vnet
Subnet	default
Public IP	<accept default>
NIC NSG	None

Provision an Ubuntu server with the following settings:

Setting	Value
Resource group	task-vmsec-rg
Location	East US
Name	vmsec-ubu-vm
Image	Ubuntu Server 18.04 LTS
Size	Standard_D2S_V3
Authentication type	Password
Username	student
Password	<a strong password>
OS disk	Standard SSD
Virtual network	vmsec-vnet
Subnet	default
Public IP	<accept default>
NIC NSG	None

Requirement 2: Configure just-in-time access for the virtual machine

Next you will implement JIT access for the virtual machines. To complete this requirement:

Provision a log analytics workspace with the following settings: |Setting|Value| |---|---| |Resource group|task-vmsec-rg| |Location|East US| |Name|vmsec-la|
Once the log analytics workspace is provisioned, navigate to the workspace and connect vmsec-win-vm and vmsec-ubu-vm to the workspace. If they are already connected to a different workspace (depending on your subscription settings) disconnect them first.
Navigate to the security center blade in the Azure portal and upgrade the security center tier for your subscription to standard. You can adjust the plan under the Coverage view of the blade.
In security center, set up JIT access for the vmsec-win-vm and vmsec-ubu-vm virtual machines. You may need to wait a few minutes for the machines to show up under Not Configured in the JIT windows of the Security Center blade.

Requirement 3: Verify just-in-time access

To complete this task, you will request access to both virtual machines. You will observe the changes to the NSG and check the JIT audit trail. To complete this requirement:

Navigate to the vmsec-nsg blade in the Azure portal and observe the inbound rules.
Navigate to the vmsec-win-vm blade and request JIT access for your IP address.
If you have an RDP client connect to the vmsec-win-vm virtual machine.
Navigate to the vmsec-ubu-vm blade and request JIT access for your IP address.
Establish an ssh session with vmsec-ubu-vm. If you do not have an ssh client, you can use an Azure cloud shell.
Navigate to the vmsec-nsg blade in the Azure portal and observe the inbound rules.
Navigate to Security Center and view the JIT access audit trail.

Clean up

Delete the task-vmsec-rg resource group.

Solution

Having trouble completing this task? View the demonstration video to see how to do it.