
Step-by-Step Guide to setup Just-in-Time VM Access in Azure

In the most common scenarios, attackers target open ports on servers to gain access: web server ports, RDP ports, SQL ports and so on. If genuine users also use the same ports to access the system, it is hard to keep those ports closed. There are other methods, such as firewalls, that we can use to secure the access, but they still leave the ports open. When it comes to public clouds, the public-facing part of your infrastructure grows, because clients and administrators mostly access services over the internet. That gives attackers more time and room to target open ports.

Azure Just-in-Time VM Access is a great option to control this. As an example, if engineers need to do work on their VMs, they mostly RDP into the system. Let's assume they work 1 hour per day on the servers. Keeping the port open for 24 hours then brings no benefit, only risk. Using Just-in-Time VM Access we can limit the time the RDP port is kept open.

When Just-in-Time VM Access is enabled, we can define which VMs and which ports will be controlled. In most scenarios you do not need to control access to ports used by your applications or services; it is mostly the ports related to management tasks. This is all done using Azure network security group (NSG) rules. You can find more about NSGs at https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-nsg

When this feature is used with a VM, upon an access request to a protected port, it first checks whether the user has permission for it using Azure role-based access control (RBAC). If all is good, the NSG is automatically configured to allow access for the time you specified. Once the allowed time limit is reached, the NSG configuration is automatically reverted to its original state.

This feature is still in preview, but it is not too early to check its capabilities. Also, this feature can only be used with VMs created using Azure Resource Manager (ARM).

Configuration

1. Log in to the Azure Portal using a Global Administrator account.

2. Go to Security Center > Just-In-Time VM Access 

jvm1

3. It will then load the default page.

jvm2

4. Click on the Recommended tab. It will list the VMs you have.

jvm3

5. To enable JIT access, tick the VM you would like to protect and then click on the Enable JIT on button. If needed you can do it for multiple VMs at the same time.

jvm4

6. Then it lists the default ports protected with JIT access.

jvm5

7. We can still adjust the settings for these services. As an example, I need to limit the Max request time for port 3389 (RDP) to 1 hour. By default, it is 3 hours. To do that, click on the rule for 3389 and change the Max request time value to 1 hour. To apply the changes, click on OK at the end.

jvm6

8. In the next window we can see the new value; click on Save to save the config.

jvm7

9. If needed we can also add our own ports to the protection. Let's assume we need to protect access to port 8080. To do that, click on the Add button in the access configuration page.

jvm8

10. Then type the port details in the window. Under Protocol we can select TCP, UDP or Any, based on the requirement. Under Allowed source IPs, access can be controlled per request or for a specific IP range. The Max request time option limits the hours; the minimum time we can select is 1 hour. Once the changes are done, click on OK to apply them.

jvm9

11. Then click on Save to save the config. 

12. After that, once we go to the feature home page, we can see the protected VM under the Configured tab.

jvm10

13. If you need to edit the current configuration, you can do so using the Edit option as below.

jvm11

14. Now the configuration is done. Let's test it out. According to my configuration I have the RDP port protected. To request access, select the VM with the tick box and then click on the Request access option.

jvm12

15. In the next window, I am only going to request access to the RDP port. To do that, select the correct rule and click on the On tab under Toggle. Then click on the Open Ports button.

jvm13

16. Then on the feature home page we can see it has 1 approved request.

jvm14

17. After the configuration, yes, I can access the server via RDP for 1 hour.

jvm15

18. After one hour, I can't initiate another new RDP connection. Using the Activity log we can view logs related to past activities.

jvm16

jvm17
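The same policy (steps 5 to 11), the same access request (steps 14 and 15) and a check of what the feature does to the NSG, as described in the introduction, done with the Az PowerShell modules instead of the portal. This is an added example, not code from the original post or from Microsoft; the resource group, VM and NSG names and the requester IP address are placeholders, not values from the post.

```powershell
# Added example (not from the original post): Azure JIT VM Access via Az.Accounts, Az.Compute,
# Az.Security and Az.Network. Placeholders NOT taken from the post: resource group 'rg-demo',
# VM 'vm-demo', NSG 'nsg-demo', requester IP 203.0.113.10 (documentation range).
Connect-AzAccount | Out-Null

$rg = 'rg-demo'
$vm = Get-AzVM -ResourceGroupName $rg -Name 'vm-demo'

# Steps 5-11: protect 3389 (RDP) and the custom port 8080 with a 1 hour cap.
# maxRequestAccessDuration is an ISO 8601 duration: PT1H is the minimum the post selects,
# the portal default is PT3H. allowedSourceAddressPrefix '*' at policy level means the
# source is decided per request, which matches the post's "Allowed source IPs" option.
$jitPolicy = @{
    id    = $vm.Id
    ports = @(
        @{ number = 3389; protocol = 'TCP'; allowedSourceAddressPrefix = @('*'); maxRequestAccessDuration = 'PT1H' },
        @{ number = 8080; protocol = 'TCP'; allowedSourceAddressPrefix = @('*'); maxRequestAccessDuration = 'PT1H' }
    )
}
Set-AzJitNetworkAccessPolicy -Kind 'Basic' -Location $vm.Location -Name 'default' `
    -ResourceGroupName $rg -VirtualMachine @($jitPolicy)

# Steps 14-15: request RDP only, for 1 hour, and only from the requester's own address.
# This call is where the RBAC check from the introduction happens: a caller without the
# required role on the VM gets an authorization error and the NSG is left untouched.
$myIp    = '203.0.113.10'   # constructed placeholder; use your own public IP
$endTime = (Get-Date).ToUniversalTime().AddHours(1).ToString('o')
$request = @{
    id    = $vm.Id
    ports = @(
        @{ number = 3389; endTimeUtc = $endTime; allowedSourceAddressPrefix = @("$myIp/32") }
    )
}
$policy = Get-AzJitNetworkAccessPolicy -ResourceGroupName $rg -Location $vm.Location -Name 'default'
Start-AzJitNetworkAccessPolicy -ResourceId $policy.Id -VirtualMachine @($request)

# Check what JIT actually did to the VM's NSG: enabling the policy leaves a Deny rule for
# 3389, the approved request adds a higher-priority Allow rule scoped to $myIp, and at
# $endTime that Allow rule is removed again, so re-running this block afterwards should
# show only the Deny rule for 3389.
$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName $rg -Name 'nsg-demo'
$nsg.SecurityRules |
    Where-Object { $_.DestinationPortRange -contains '3389' } |
    Select-Object Name, Priority, Direction, Access, SourceAddressPrefix, DestinationPortRange
```

Run the last part once before requesting access, once after, and once after the hour has passed; the rule list is the same evidence the Activity log in step 18 summarises, read directly from the NSG.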

This marks the end of this blog post. I hope you now have a better understanding of what JIT VM access is and how to use it. If you have any questions feel free to contact me on rebeladm@live.com; also follow me on Twitter @rebeladm to get updates about new blog posts.

Active Directory Federation Services (AD FS) – Part 3

This is part 3 of the series of articles explaining AD FS and its configuration. If you have not yet read parts 1 and 2, you can find them here.

Active Directory Federation Services (AD FS) – Part 1

Active Directory Federation Services (AD FS) – Part 2

In this post let's see how we can install the AD FS Web Application Proxy. As I explained in part 1 of the series, the Web Application Proxy needs to be installed in the perimeter network. Using it we can authenticate AD FS users before allowing access to published applications in the corporate network.

Installation of Web Application Proxy

External DNS record

To access the web service from outside, it needs a valid external DNS record that can be used to connect from the internet. If your organization's DNS is hosted externally, make sure you create the appropriate records and allow time for DNS propagation before proceeding with the installation.

Here, for the demo, I have created a DNS entry for the host name adfsproxy.contoso.com and pointed it to the server that will be used for the service install.

adfsp1

Valid SSL

To allow HTTPS communication it is a must to have a valid SSL certificate in place to use with the proxy server. It can be from an external SSL provider or via a company CA. It needs to match the DNS entry we created in the previous step.

In the demo I have created a self-signed SSL certificate and deployed it on the server.

adfsp2

Installation Steps

To start the installation, log in to the server you chose as a domain admin or enterprise admin.

1)    Load Server Manager > Add Roles and Features

adfsp3

2)    It will open the Add Roles and Features wizard. Click Next to continue.

adfsp4

3)    In the next window keep the selection as “Role-based or feature-based installation” and click Next to continue.

adfsp5

4)    In the next window keep the default selection and click Next to continue.

adfsp6

5)    In the role selection window select “Remote Access” and click Next.

adfsp7

6)    On the feature selection leave the default selection and click Next.

adfsp8

7)    The next window gives a brief description of the Remote Access role. Click Next to continue.

adfsp9

8)    In the next window select the option “Web Application Proxy”; it will then prompt to add features. Click on the “Add features” button and then click Next on the window to proceed.

adfsp10

adfsp11

9)    The next window gives a brief description of the selections you have made so far; click Install to begin the installation.

adfsp12

10)    It will start the installation process.

adfsp13

11)    Once it is completed, click on “Open the Web Application Proxy Wizard” from the window.

adfsp14

12)    It will open the Web Application Proxy configuration wizard; click Next to proceed.

adfsp15

13)    In the next window you need to input the AD FS server and admin account info to connect to it. This will be used for the authentication. Once the data is input correctly, click on Next to continue.

adfsp16

14)    In the next window, you need to specify the SSL certificate that will be used by the proxy server.

adfsp17

15)    In the next window it will give a confirmation of the configuration; to begin the install, click on Configure.

adfsp18
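The two prerequisites (external DNS record, matching certificate) and the role installation and proxy configuration from steps 1 to 15, done from an elevated PowerShell session on the perimeter server instead of the Server Manager and proxy wizards. This is an added example, not code from the original post; adfsproxy.contoso.com is the host name the post uses, while the federation service name adfs.contoso.com is a placeholder assumed here.

```powershell
# Added example (not from the original post): Web Application Proxy setup with PowerShell.
# Run elevated on the perimeter server. Placeholder NOT from the post: the AD FS federation
# service name 'adfs.contoso.com'.

# Prerequisite 1 (External DNS record): the name must resolve to this host. A local lookup
# does not prove internet reachability, but it catches a missing record before the wizard fails.
$proxyFqdn = 'adfsproxy.contoso.com'
$dns = Resolve-DnsName -Name $proxyFqdn -Type A -ErrorAction SilentlyContinue
if (-not $dns) {
    throw "No A record for $proxyFqdn; create it and allow time for propagation before continuing."
}

# Prerequisite 2 (Valid SSL): a certificate whose name matches the DNS entry. Reuse one already
# in the machine store; otherwise create a self-signed one as the post does for the demo
# (a public or enterprise CA certificate is the right choice outside a lab).
$cert = Get-ChildItem -Path 'Cert:\LocalMachine\My' |
    Where-Object { $_.DnsNameList.Unicode -contains $proxyFqdn } |
    Select-Object -First 1
if (-not $cert) {
    $cert = New-SelfSignedCertificate -DnsName $proxyFqdn -CertStoreLocation 'Cert:\LocalMachine\My'
}

# Steps 1-11: the Remote Access role with only the Web Application Proxy role service.
Install-WindowsFeature -Name Web-Application-Proxy -IncludeManagementTools

# Steps 12-15: what the proxy wizard collects. The credential is a local administrator on the
# AD FS server and is used once to establish the proxy trust; the thumbprint selects the
# certificate from prerequisite 2.
$fsName = 'adfs.contoso.com'   # placeholder federation service name
$cred   = Get-Credential -Message "Administrator on the AD FS server $fsName"
Install-WebApplicationProxy -FederationServiceName $fsName `
    -FederationServiceTrustCredential $cred `
    -CertificateThumbprint $cert.Thumbprint

# Check: the proxy now reports its stored configuration, including the AD FS endpoint it trusts.
Get-WebApplicationProxyConfiguration
```

The wizard in step 13 fails in the same place this script would: if the federation service name does not resolve from the perimeter network or the credential is not a local administrator on the AD FS server, Install-WebApplicationProxy stops before any trust is created, so resolve those first.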

This finishes the installation and configuration of the Web Application Proxy. In the next post let's look into some of the configuration options in AD FS. If you have any questions about the post feel free to contact me on rebeladm@live.com.