none
Potential False Postive Alert - JIT Rules RRS feed

  • Question

  • HI,

    After enabling JIT on a windows vm a rule was added to the NSG to block RDP. This rule superceeds another rule that allows rdp. I would expect Security Centre to understand that RDP is blocked and not raise an alarm. Have image of issue. Will attach after post

    

    Wednesday, February 13, 2019 11:06 AM

All replies

  • As per my understanding this is the purpose of JIT feature in Azure Security Center as JIT is designed to reduce the exposure to a brute force attack by limiting the amount of time a management port(RDP, SSH) is open as the management ports are targeted easily to gain access to a VM.  These ports only need to open while performing a maintenance task, so, when a JIT is enabled Security Center uses NSG's to restrict access to management ports so that they cannot be targetted by attackers. Also, the rules will either be the top priority of your Network Security Groups, or lower priority than existing rules that are already there and this depends on an analysis performed by Azure Security Center that determines whether a rule is secure or not.

    However, when a user request access to a VM Security center checks if the user has RBAC permissions to access the VM. Once the request is approved, Security center automatically configure NSG's to allow inbound traffic to the selected ports for the requested source IP addresses or ranges for the specified period of time and restores the NSG's to previous state after the time expires. 

    Thursday, February 14, 2019 11:38 PM
    Moderator
  • Please let us know if you find above reply useful. If yes, do click on 'Mark as answer' link in above reply. This will help other community members facing similar query to refer to this solution. Thanks.
    Thursday, February 21, 2019 12:02 AM
    Moderator