Trend Micro Cloud One™

Enable JIT Network Access Monitoring

Risk level: High (should be achieved)
Rule ID: SecurityCenter-012

Ensure that the "Monitor JIT Network Access" feature is enabled within your Microsoft Azure cloud account settings so that Azure Security Center can assess whether Just-In-Time network access is enabled for your eligible VMs. Just-In-Time (JIT) network access locks down inbound traffic to your Azure VMs, reducing exposure to attacks against exposed management ports while still providing access to your virtual machines when it is actually needed.

This rule resolution is part of the Cloud Conformity Security & Compliance tool for Azure

Security

JIT network access locks down inbound traffic to your Azure VMs by adding deny rules for the management ports you select (for example RDP and SSH) to the Network Security Groups (NSGs) attached to those VMs. Access is then granted only on request, for an approved time window and source address range, after which the deny rules are restored. This is extremely useful for reducing exposure to brute-force and other attacks against exposed management ports. With JIT network access monitoring enabled, Azure Security Center can determine whether Just-In-Time network access is enabled for your Azure virtual machines and raise the proper recommendations for the VMs that are eligible but not protected.

Audit

To determine if JIT network access monitoring is enabled within Azure Security Center settings, perform the following actions:

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to Azure Security Center blade at https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/.

03 In the navigation panel, choose Security policy to access Policy Management portal.

04 On the Policy Management page, click on the name of the subscription that you want to examine to access the selected subscription configuration settings.

05 On the Security Policy page, in the Network category, check the Just-In-Time network access control should be applied on virtual machines setting status. If the configuration setting is Disabled, the JIT network access monitoring feature is not enabled for the Microsoft Azure virtual machines (VMs) provisioned in the current subscription.

06 Repeat steps no. 4 and 5 for each Microsoft Azure subscription available in your account.

Using Azure CLI and PowerShell

01 Run the account get-access-token command (Windows/macOS/Linux) and pipe the subscription ID and access token into a curl GET request for the SecurityCenterBuiltIn policy assignment, filtering the response with jq to describe the "Monitor JIT Network Access" feature status for the current Azure account subscription:

az account get-access-token \
    --query "{subscription:subscription,accessToken:accessToken}" \
    --out tsv | xargs -L1 bash -c 'curl -s -X GET -H "Authorization: Bearer $1" -H "Content-Type: application/json" "https://management.azure.com/subscriptions/$0/providers/Microsoft.Authorization/policyAssignments/SecurityCenterBuiltIn?api-version=2018-05-01"' | jq 'select(.name=="SecurityCenterBuiltIn") | .properties.parameters.jitNetworkAccessMonitoringEffect.value'

02 The command output should return the JIT network access monitoring configuration status:

"Disabled"

If the command output returns "Disabled", as shown in the example above, Just-In-Time network access monitoring is not enabled for the Microsoft Azure virtual machines available in the selected subscription. If the output is null, the parameter is not set explicitly on the assignment and the default value defined in the Azure Security Center policy set definition applies; check that default before treating the subscription as compliant. If the output is empty, the request returned an error body instead of the assignment (for example, because the subscription has not been onboarded to Security Center), so there is no SecurityCenterBuiltIn assignment to audit.

03 Repeat steps no. 1 and 2 for each Microsoft Azure subscription available in your account.
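The same check, applied to the raw GET response bodies instead of through jq, as an added example that is not part of the original page. It separates the cases the jq pipeline collapses into null or empty output (parameter not set, assignment missing, ARM error body) so that a multi-subscription report does not silently mark them as clean. SAMPLE_RESPONSES and the error code in it are constructed for illustration; nothing here contacts Azure.

```python
"""Audit JIT network access monitoring on the ASC default policy assignment.

Added example, not code from the original page. SAMPLE_RESPONSES is constructed.
"""
import json

ASSIGNMENT_NAME = "SecurityCenterBuiltIn"
JIT_PARAM = "jitNetworkAccessMonitoringEffect"
API_VERSION = "2018-05-01"
ENABLED = "AuditIfNotExists"


def assignment_url(subscription_id: str) -> str:
    """Management API URL of the ASC default assignment (the endpoint the page queries)."""
    return (
        f"https://management.azure.com/subscriptions/{subscription_id}"
        f"/providers/Microsoft.Authorization/policyAssignments/{ASSIGNMENT_NAME}"
        f"?api-version={API_VERSION}"
    )


def jit_status(response: dict) -> str:
    """Classify one GET response body.

    "AuditIfNotExists"  monitoring enabled (compliant)
    "Disabled"          monitoring explicitly disabled (finding)
    "NotSet"            parameter absent from the assignment: the initiative's
                        default value applies, verify it before closing
    "NoAssignment"      error body or a different resource: nothing to audit
    """
    if "error" in response or response.get("name") != ASSIGNMENT_NAME:
        return "NoAssignment"
    params = response.get("properties", {}).get("parameters") or {}
    entry = params.get(JIT_PARAM)
    if not isinstance(entry, dict) or entry.get("value") is None:
        return "NotSet"
    value = str(entry["value"])
    # Policy effects compare case-insensitively; normalise the two expected spellings.
    if value.lower() == "disabled":
        return "Disabled"
    if value.lower() == ENABLED.lower():
        return ENABLED
    return value


def audit(responses: dict) -> dict:
    """Map {subscription_id: GET response body} to {subscription_id: status}."""
    return {sub: jit_status(body) for sub, body in responses.items()}


def findings(statuses: dict) -> list:
    """Subscriptions that are not confirmed compliant, sorted for stable reports."""
    return sorted(sub for sub, status in statuses.items() if status != ENABLED)


# Constructed sample bodies, one per subscription, in the shape the page shows.
SAMPLE_RESPONSES = {
    "11111111-1111-1111-1111-111111111111": {
        "name": ASSIGNMENT_NAME,
        "properties": {"parameters": {JIT_PARAM: {"value": "Disabled"}}},
    },
    "22222222-2222-2222-2222-222222222222": {
        "name": ASSIGNMENT_NAME,
        "properties": {"parameters": {JIT_PARAM: {"value": "AuditIfNotExists"}}},
    },
    "33333333-3333-3333-3333-333333333333": {
        "name": ASSIGNMENT_NAME,
        "properties": {"parameters": {}},  # JIT parameter never set explicitly
    },
    "44444444-4444-4444-4444-444444444444": {
        "error": {"code": "ResourceNotFound", "message": "constructed error body"},
    },
}

if __name__ == "__main__":
    statuses = audit(SAMPLE_RESPONSES)
    print(json.dumps(statuses, indent=2))
    for sub in findings(statuses):
        print(f"action needed: {sub} -> {statuses[sub]} ({assignment_url(sub)})")
```

To run this against a real tenant, feed the body of each subscription's curl GET request (the one in step 01, without the jq filter) through json.loads and into jit_status, keyed by the subscription ID you queried; a "NotSet" result still needs the initiative's default value looked up before the subscription is reported as compliant.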

Remediation / Resolution

To enable Just-In-Time (JIT) network access monitoring for your Microsoft Azure virtual machines (VMs), perform the following actions:

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to Azure Security Center blade at https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/.

03 In the navigation panel, choose Security policy to access Policy Management portal.

04 On the Policy Management page, click on the name of the subscription that you want to examine to access the selected subscription configuration settings.

05 On the Security Policy page, click on the ASC Default (subscription: <azure-subscription-id>) policy assignment to edit the policy configuration.

06 On the selected policy assignment page, in the PARAMETERS section, select AuditIfNotExists from Monitor JIT network access dropdown list to enable Just-In-Time network access monitoring for all the Microsoft Azure virtual machines (VMs) available in the selected Azure subscription.

07 Click Save to apply the changes. If successful, the following message should be displayed: "Updating policy assignment succeeded". Once the configuration changes are saved, the JIT network access monitoring feature becomes active for the selected Azure subscription.

08 If required, repeat steps no. 4 – 7 for each other Microsoft Azure subscription available in your account.

Using Azure CLI and PowerShell

01 Define the request body for the SecurityCenterBuiltIn policy assignment, with the jitNetworkAccessMonitoringEffect parameter set to AuditIfNotExists. Save the following content to a JSON file named enable-jit-network-access-monitoring.json and replace the placeholders, i.e. <azure-subscription-id> and <policy-definition-id>, with your own Azure account details (<policy-definition-id> is the policy set definition ID found in the policyDefinitionId property of the existing assignment returned by the GET request in the Audit section). Note that a PUT request replaces the whole assignment: any parameter left out of the body reverts to the default value defined in the policy set definition. If other Security Center settings have been customised in this assignment, start from the assignment as currently stored, keep its parameters block intact and change only the jitNetworkAccessMonitoringEffect value:

{
   "properties":{
      "displayName":"ASC Default (subscription: <azure-subscription-id>)",
      "policyDefinitionId":"/providers/Microsoft.Authorization/policySetDefinitions/<policy-definition-id>",
      "scope":"/subscriptions/<azure-subscription-id>",
      "parameters":{
         "jitNetworkAccessMonitoringEffect":{
            "value":"AuditIfNotExists"
         }
      }
   },
   "id":"/subscriptions/<azure-subscription-id>/providers/Microsoft.Authorization/policyAssignments/SecurityCenterBuiltIn",
   "type":"Microsoft.Authorization/policyAssignments",
   "name":"SecurityCenterBuiltIn",
   "location":"eastus"
}

02 Run the account get-access-token command (Windows/macOS/Linux) and pipe the subscription ID and access token into a curl PUT request that sends the body defined at the previous step (i.e. the enable-jit-network-access-monitoring.json file) to enable Just-In-Time (JIT) network access monitoring for the VMs available within the selected Microsoft Azure cloud subscription:

az account get-access-token \
    --query "{subscription:subscription,accessToken:accessToken}" \
    --out tsv | xargs -L1 bash -c 'curl -s -X PUT -H "Authorization: Bearer $1" -H "Content-Type: application/json" "https://management.azure.com/subscriptions/$0/providers/Microsoft.Authorization/policyAssignments/SecurityCenterBuiltIn?api-version=2018-05-01" -d @enable-jit-network-access-monitoring.json'

03 If successful, the command output should return the updated Azure Security Center policy, e.g.:

{
   "sku":{
      "name":"A0",
      "tier":"Free"
   },
   "properties":{
      "displayName":"ASC Default (subscription: abcdabcd-1234-1234-1234-abcdabcdabcd)",
      "scope":"/subscriptions/abcdabcd-1234-1234-1234-abcdabcdabcd",

      ...

      "description":"This is the default set of policies monitored by Azure Security Center. It was automatically assigned as part of on-boarding to Security Center. The default assignment contains only audit policies. For more information please visit https://aka.ms/ascpolicies",
   },
   "id":"/subscriptions/abcdabcd-1234-1234-1234-abcdabcdabcd/providers/Microsoft.Authorization/policyAssignments/SecurityCenterBuiltIn",
   "type":"Microsoft.Authorization/policyAssignments",
   "name":"SecurityCenterBuiltIn",
   "location":"eastus"
}

04 If required, repeat steps no. 1 – 3 for each other Microsoft Azure subscription available in your account.
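A read-modify-write version of the remediation above, as an added example that is not part of the original page. Because a PUT on a policy assignment replaces the whole resource, the body is derived from the assignment as currently stored (the GET response from the Audit section) and only the JIT parameter is changed, so other Security Center settings in the same assignment are preserved. CURRENT_ASSIGNMENT is a constructed sample: its policy set definition ID is a placeholder, and the second parameter in it stands for any other setting a hand-written body would silently reset. put_assignment is the only function that touches the network and is not exercised by the sample run.

```python
"""Build and send the PUT body that enables JIT network access monitoring on the
ASC default policy assignment without disturbing its other parameters.

Added example, not code from the original page. CURRENT_ASSIGNMENT is constructed.
"""
import copy
import json
import urllib.request

ASSIGNMENT_NAME = "SecurityCenterBuiltIn"
JIT_PARAM = "jitNetworkAccessMonitoringEffect"
API_VERSION = "2018-05-01"

# Constructed sample of what GET .../policyAssignments/SecurityCenterBuiltIn returns.
# The policy set definition ID is a placeholder; take the real one from your own GET response.
CURRENT_ASSIGNMENT = {
    "id": "/subscriptions/abcdabcd-1234-1234-1234-abcdabcdabcd/providers/Microsoft.Authorization/policyAssignments/SecurityCenterBuiltIn",
    "type": "Microsoft.Authorization/policyAssignments",
    "name": ASSIGNMENT_NAME,
    "location": "eastus",
    "properties": {
        "displayName": "ASC Default (subscription: abcdabcd-1234-1234-1234-abcdabcdabcd)",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/00000000-0000-0000-0000-000000000000",
        "scope": "/subscriptions/abcdabcd-1234-1234-1234-abcdabcdabcd",
        "parameters": {
            JIT_PARAM: {"value": "Disabled"},
            # Stands for any other customised Security Center setting that must survive the PUT.
            "systemUpdatesMonitoringEffect": {"value": "AuditIfNotExists"},
        },
    },
}


def enable_jit_monitoring(current: dict) -> dict:
    """Return a PUT body: a copy of `current` with the JIT effect set to AuditIfNotExists.

    Read-only top-level fields (id, type) are dropped; everything under properties,
    including every other parameter, is carried over unchanged.
    """
    if current.get("name") != ASSIGNMENT_NAME:
        raise ValueError(f"expected the {ASSIGNMENT_NAME} assignment, got {current.get('name')!r}")
    props = current.get("properties") or {}
    for required in ("policyDefinitionId", "scope"):
        if required not in props:
            raise ValueError(f"assignment lacks properties.{required}; refusing to build a PUT body")
    body = {"name": ASSIGNMENT_NAME, "properties": copy.deepcopy(props)}
    if "location" in current:
        body["location"] = current["location"]
    body["properties"].setdefault("parameters", {})[JIT_PARAM] = {"value": "AuditIfNotExists"}
    return body


def changed_parameters(before: dict, after: dict) -> list:
    """Names of parameters whose value differs between two assignment bodies."""
    b = before.get("properties", {}).get("parameters") or {}
    a = after.get("properties", {}).get("parameters") or {}
    return sorted(name for name in set(b) | set(a) if b.get(name) != a.get(name))


def put_assignment(subscription_id: str, access_token: str, body: dict) -> dict:
    """Send the PUT to the management API and return the stored assignment (network call)."""
    url = (
        f"https://management.azure.com/subscriptions/{subscription_id}"
        f"/providers/Microsoft.Authorization/policyAssignments/{ASSIGNMENT_NAME}"
        f"?api-version={API_VERSION}"
    )
    req = urllib.request.Request(
        url,
        data=json.dumps(body).encode("utf-8"),
        method="PUT",
        headers={"Authorization": f"Bearer {access_token}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    new_body = enable_jit_monitoring(CURRENT_ASSIGNMENT)
    print("parameters changed:", changed_parameters(CURRENT_ASSIGNMENT, new_body))
    print(json.dumps(new_body, indent=2))
```

In practice, fetch the assignment with the GET request from the Audit section, pass the parsed body to enable_jit_monitoring, confirm with changed_parameters that only jitNetworkAccessMonitoringEffect differs, and only then call put_assignment with the subscription ID and the bearer token from az account get-access-token.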


Publication date May 31, 2019
