Exercise 1: Implementing Just-In-Time (JIT) access

In this exercise, attendees will secure a Privileged Access Workstation (PAW) workstation using the Azure Security Center Just In Time Access feature.

Task 1: Setup virtual machine with JIT

  1. In a browser, navigate to your Azure portal (https://portal.azure.com).
  2. Select Security Center, then select Just in time VM access.

Note: Your subscription may not be set up with the Standard tier; if that is the case then do the following:

a. In the Security Center blade, select Security Policy.

b. For your subscription, select Edit settings

c. Select Pricing Tier

d. Select Standard

e. Click Save

f. Navigate back to Security Center, select Just in time VM access.

  1. Select the Recommended tab, and then check the checkbox to select the lab vms (db-1, paw-1 and web-1), and then select the Enable JIT on 3 VMs link.

Note: It could take up to 10 minutes for new VMs to show up if you upgraded to standard tier security. Also note that it is possible new VMs display in the No recommendation tab until a backend process moves them to the Recommended tab.

  1. In the configuration window that opens, review the settings, then select Save.
  2. You should now see the states change to Resolved.

Note: It could take a couple minute for this to revert to the resolved state.

On the Virtual machines screen, several virtual machines have their State listed as Resolved.

Task 2: Perform a JIT request

  1. Select the Configured tab. You should now see all the machines listed.
  2. Select the paw-1 virtual machine, and then select Request access.
  3. For each of the ports, select the On toggle button, notice how the default IP settings is My IP.
  4. At the bottom of the dialog, select Open ports. After a few moments, you should now see the APPROVED requests have been incremented and the LAST ACCESS is set to Active now..
  5. Select the ellipses, then select Activity Log, you will be able to see a history of who requests access to the virtual machines.
  6. In the Azure Portal main menu, select All Services, then type Network, then select Network Security Group:
Network security groups is highlighted on the left side of the Azure portal, and paw-1-nsg is highlighted to the right.
  1. Select the paw-1-nsg network security group.
  2. Select Inbound security rules. You should now see a set of inbound security rules set up by JIT Access.