Commit 915453c

Further tweaks - including date
1 parent d4cd123 commit 915453c

1 file changed

+19
-15
lines changed


articles/security-center/security-center-just-in-time.md

Lines changed: 19 additions & 15 deletions
@@ -7,7 +7,7 @@ manager: rkarlin
77

88
ms.service: security-center
99
ms.topic: conceptual
10-
ms.date: 09/10/2019
10+
ms.date: 02/25/2020
1111
ms.author: memildin
1212

1313
---
@@ -28,7 +28,7 @@ There are three ways to configure a JIT policy on a VM:
2828
- [Configure JIT access in an Azure VM page](#jit-vm)
2929
- [Configure a JIT policy on a VM programmatically](#jit-program)
3030

31-
## Configure JIT in Security Center
31+
## Configure JIT in Azure Security Center
3232

3333
From Security Center, you can configure a JIT policy and request access to a VM using a JIT policy
3434

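Review bot: the heading at line 31 now reads "Azure Security Center" while the body text directly below it still says "From Security Center, you can configure..." and the other headings in this file (for example "Edit a JIT access policy via Security Center") keep the short form; pick one naming for headings in this article. Also confirm the in-page link to this section in the list at lines 28-29 still resolves: the other two entries use explicit anchors (`#jit-vm`, `#jit-program`), so if this section is reached through an auto-generated heading slug, that slug changes with the heading text.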
@@ -82,36 +82,42 @@ To request access to a VM via Security Center:
8282

8383
1. Under **Just-in-time VM access**, select the **Configured** tab.
8484

85-
2. Under **Virtual Machine**, click the VMs that you want to request access for. This puts a checkmark next to the VM.
85+
1. Under **Virtual Machine**, click the VMs that you want to request access for. This puts a checkmark next to the VM.
8686

8787
- The icon in the **Connection Details** column indicates whether JIT is enabled on the NSG or FW. If it’s enabled on both, only the Firewall icon appears.
8888

8989
- The **Connection Details** column provides the information required to connect the VM, and its open ports.
9090

9191
![Request just-in-time access](./media/security-center-just-in-time/request-just-in-time-access.png)
9292

93-
3. Click **Request access**. The **Request access** window opens.
93+
1. Click **Request access**. The **Request access** window opens.
9494

9595
![JIT details](./media/security-center-just-in-time/just-in-time-details.png)
9696

97-
4. Under **Request access**, for each VM, configure the ports that you want to open and the source IP addresses that the port is opened on and the time window for which the port will be open. It will only be possible to request access to the ports that are configured in the just-in-time policy. Each port has a maximum allowed time derived from the just-in-time policy.
97+
1. Under **Request access**, for each VM, configure the ports that you want to open and the source IP addresses that the port is opened on and the time window for which the port will be open. It will only be possible to request access to the ports that are configured in the just-in-time policy. Each port has a maximum allowed time derived from the just-in-time policy.
9898

99-
5. Click **Open ports**.
99+
1. Click **Open ports**.
100100

101101
> [!NOTE]
102102
> If a user who is requesting access is behind a proxy, the option **My IP** may not work. You may need to define the full IP address range of the organization.
103103
104+
105+
104106
## Edit a JIT access policy via Security Center
105107

106108
You can change a VM's existing just-in-time policy by adding and configuring a new port to protect for that VM, or by changing any other setting related to an already protected port.
107109

108110
To edit an existing just-in-time policy of a VM:
111+
109112
1. In the **Configured** tab, under **VMs**, select a VM to which to add a port by clicking on the three dots within the row for that VM.
110113

111114
1. Select **Edit**.
115+
112116
1. Under **JIT VM access configuration**, you can either edit the existing settings of an already protected port or add a new custom port.
113117
![jit vm access](./media/security-center-just-in-time/edit-policy.png)
114118

119+
120+
115121
## Audit JIT access activity in Security Center
116122

117123
You can gain insights into VM activities using log search. To view logs:
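Review bot: replacing the explicit step numbers 2. to 5. with "1." at lines 85, 93, 97 and 99 relies on the renderer continuing a single list, but the images at 91 and 95 and the [!NOTE] at 101-102 sit between the steps without indentation, which ends the list in CommonMark so every step would render as "1."; indent that content under the preceding step or check the rendered output. The same applies to the image at line 117, which also lacks the blank line used elsewhere. The note at line 102 tells a proxied user to "define the full IP address range of the organization"; since that range becomes the allowed source for the opened port, it should recommend the narrowest range that covers the proxy's egress address rather than the whole organization. Unchanged line 89 has a typo ("connect the VM" for "connect to the VM") worth fixing while this section is being touched.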
@@ -161,11 +167,11 @@ If a VM already has just-in-time enabled, when you go to its configuration page
161167

162168
In the Azure portal, when you try to connect to a VM, Azure checks to see if you have a just-in-time access policy configured on that VM.
163169

164-
- If you have a JIT policy configured on the VM, you can click **Request access** to enable you to have access in accordance with the JIT policy set for the VM.
170+
- If you have a JIT policy configured on the VM, you can click **Request access** to grant access in accordance with the JIT policy set for the VM.
165171

166172
>![jit request](./media/security-center-just-in-time/jit-request.png)
167173
168-
The access is requested with the following default parameters:
174+
Access is requested with the following default parameters:
169175

170176
- **source IP**: ‘Any’ (*) (cannot be changed)
171177
- **time range**: Three hours (cannot be changed) <!--Isn't this set in the policy-->
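Review bot: "click **Request access** to grant access" at line 170 is misleading: the button submits a request, and access is then opened in accordance with the policy, which the previous wording conveyed; suggest "to request access in accordance with the JIT policy set for the VM". The editor comment `<!--Isn't this set in the policy-->` at unchanged line 177 is an open question that should be resolved rather than shipped. Since this path fixes the source IP to 'Any' (*) and the time range to three hours, the list could also point readers who need a narrower source range to the Security Center request flow described earlier in the article, where source IPs and the time window are configurable.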
@@ -174,7 +180,7 @@ In the Azure portal, when you try to connect to a VM, Azure checks to see if you
174180
> [!NOTE]
175181
> After a request is approved for a VM protected by Azure Firewall, Security Center provides the user with the proper connection details (the port mapping from the DNAT table) to use to connect to the VM.
176182
177-
- If you do not have JIT configured on a VM, you will be prompted to configure a JIT policy it.
183+
- If you do not have JIT configured on a VM, you will be prompted to configure a JIT policy on it.
178184

179185
![jit prompt](./media/security-center-just-in-time/jit-prompt.png)
180186

@@ -242,7 +248,7 @@ Run the following in PowerShell:
242248

243249
Start-AzJitNetworkAccessPolicy -ResourceId "/subscriptions/SUBSCRIPTIONID/resourceGroups/RESOURCEGROUP/providers/Microsoft.Security/locations/LOCATION/jitNetworkAccessPolicies/default" -VirtualMachine $JitPolicyArr
244250

245-
For more information, see the PowerShell cmdlet documentation.
251+
For more information, see the [PowerShell cmdlet documentation](../../../powershell/scripting/developer/cmdlet/cmdlet-overview).
246252

247253

248254
## Automatic cleanup of redundant JIT rules
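Review bot: the link added at line 251 points to `../../../powershell/scripting/developer/cmdlet/cmdlet-overview`, which is the overview of how cmdlets are written, not the reference page for `Start-AzJitNetworkAccessPolicy` and the other JIT cmdlets used above; link the cmdlet reference for those cmdlets instead. Also verify that the `../../../` relative path resolves in the docs build, since it climbs out of the `articles/security-center` tree.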
@@ -254,16 +260,14 @@ Examples scenarios when the cleaner might remove a built-in rule:
254260
- When two rules with identical definitions exist and one has a higher priority than the other (meaning, the lower priority rule will never be used)
255261
- When a rule description includes the name of a VM which doesn't match the destination IP in the rule
256262

263+
257264
## Next steps
265+
258266
In this article, you learned how just-in-time VM access in Security Center helps you control access to your Azure virtual machines.
259267

260268
To learn more about Security Center, see the following:
261269

262270
- [Setting security policies](tutorial-security-policy.md) — Learn how to configure security policies for your Azure subscriptions and resource groups.
263271
- [Managing security recommendations](security-center-recommendations.md) — Learn how recommendations help you protect your Azure resources.
264272
- [Security health monitoring](security-center-monitoring.md) — Learn how to monitor the health of your Azure resources.
265-
- [Managing and responding to security alerts](security-center-managing-and-responding-alerts.md) — Learn how to manage and respond to security alerts.
266-
- [Monitoring partner solutions](security-center-partner-solutions.md) — Learn how to monitor the health status of your partner solutions.
267-
- [Security Center FAQ](security-center-faq.md) — Find frequently asked questions about using the service.
268-
- [Azure Security blog](https://blogs.msdn.microsoft.com/azuresecurity/) — Find blog posts about Azure security and compliance.
269-
273+
- [Azure Security Center FAQ](security-center-faq.md) — Find frequently asked questions about using the service.

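Review bot: the Next steps pruning at lines 265-269 drops "Managing and responding to security alerts", which is the natural follow-on to the "Audit JIT access activity in Security Center" section earlier in this diff, while "Security Center FAQ" comes back as "Azure Security Center FAQ" at line 273 (a rename rather than a removal); keep the alerts link or note why it is out of scope. Minor: the blank line added at 263 leaves two blank lines before "## Next steps", whereas the rest of the file separates sections with one.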