Skip to main content

More Info:

Enable JIT Network Access recommendations for virtual machines.

Risk Level

Low

Address

Security, Operational Maturity

Compliance Standards

SOC2, ISO27001, HIPAA, HITRUST

Triage and Remediation

  • Remediation

Remediation

Using Console

To remediate the “Monitor JIT Network Access setting is not enabled” misconfiguration for Azure using the Azure console, follow the below steps:
  1. Log in to the Azure portal using your credentials.
  2. Navigate to the “Security Center” service from the left-hand menu.
  3. In the Security Center dashboard, click on the “Security policy” tab.
  4. In the Security policy tab, scroll down to the “Just-in-Time network access” policy and click on the “Edit” button.
  5. In the “Just-in-Time network access” policy page, enable the “Monitor” option by toggling it to “On”.
  6. Click on the “Save” button to save the changes.
  7. Once the policy is saved, Azure will start monitoring the Just-in-Time network access setting and provide recommendations for remediation if any misconfiguration is detected.
By following the above steps, you can remediate the “Monitor JIT Network Access setting is not enabled” misconfiguration for Azure using the Azure console.

To remediate the “Monitor JIT Network Access setting is not enabled” misconfiguration in AZURE using AZURE CLI, follow these steps:
  1. Open the AZURE CLI on your local machine or on the AZURE Cloud Shell.
  2. Run the following command to check the current status of the JIT Network Access setting: 
    az monitor activity-log list --resource-type Microsoft.Network/networkSecurityGroups --query "[?contains(properties.description,'Just-In-Time')].{Time: eventTimestamp, Description: properties.description, Status: properties.status.value}" --output table
    This command will list all the NSGs (Network Security Groups) that have JIT (Just-In-Time) Network Access enabled or disabled.
  3. If the output shows that the JIT Network Access setting is not enabled for any NSG, run the following command to enable it: 
    az network nsg update --name <NSG_NAME> --resource-group <RESOURCE_GROUP_NAME> --set "properties.securityRules[?name=='AllowAzureBastion'].properties.destinationPortRange='3389'" --add "properties.securityRules[?name=='AllowAzureBastion'].properties.destinationPortRanges=3389" --set "properties.securityRules[?name=='AllowAzureBastion'].properties.direction='Inbound'" --set "properties.securityRules[?name=='AllowAzureBastion'].properties.access='Allow'" --set "properties.securityRules[?name=='AllowAzureBastion'].properties.priority=1001" --set "properties.securityRules[?name=='AllowAzureBastion'].properties.protocol='Tcp'" --set "properties.securityRules[?name=='AllowAzureBastion'].properties.sourceAddressPrefixes='*'"
    Replace <NSG_NAME> with the name of the NSG that you want to enable JIT Network Access for, and <RESOURCE_GROUP_NAME> with the name of the resource group that the NSG belongs to.
  4. Once the command is executed successfully, the JIT Network Access setting will be enabled for the specified NSG.
  5. Verify the change by running the command in step 2 again. The output should show that the JIT Network Access setting is now enabled for the specified NSG.
To remediate the “Monitor JIT Network Access setting is not enabled” misconfiguration in Azure using Python, you can use the Azure Python SDK to enable the Just-In-Time (JIT) Network Access setting for your virtual machines. Here are the step-by-step instructions:
  1. Install the Azure Python SDK by running the following command in your terminal:
pip install azure-mgmt-compute
  1. Authenticate with your Azure account using the SDK. You can use the following code snippet to authenticate:
from azure.common.credentials import ServicePrincipalCredentials
from azure.mgmt.compute import ComputeManagementClient

# Replace the values below with your Azure account details
subscription_id = '<subscription_id>'
tenant_id = '<tenant_id>'
client_id = '<client_id>'
client_secret = '<client_secret>'

# Authenticate with Azure using a service principal
credentials = ServicePrincipalCredentials(
    client_id=client_id,
    secret=client_secret,
    tenant=tenant_id
)

# Create a ComputeManagementClient object
compute_client = ComputeManagementClient(credentials, subscription_id)
  1. Get the virtual machine resource group and name for which you want to enable JIT Network Access. You can use the following code snippet to get the virtual machine details:
# Replace the values below with your virtual machine details
resource_group_name = '<resource_group_name>'
vm_name = '<vm_name>'

# Get the virtual machine details
vm = compute_client.virtual_machines.get(resource_group_name, vm_name)
  1. Enable JIT Network Access for the virtual machine by updating its network profile. You can use the following code snippet to enable JIT Network Access:
# Enable JIT Network Access for the virtual machine
vm.network_profile.network_interface_configurations[0].enable_accelerated_networking = True
vm.network_profile.network_interface_configurations[0].enable_ip_forwarding = True
vm.network_profile.network_interface_configurations[0].network_security_group = None
vm.network_profile.network_interface_configurations[0].enable_network_security_group_flow_logging = True
vm.network_profile.network_interface_configurations[0].enable_jit_network_access = True

# Update the virtual machine with the new network profile
compute_client.virtual_machines.create_or_update(resource_group_name, vm_name, vm)
With these steps, you should be able to remediate the “Monitor JIT Network Access setting is not enabled” misconfiguration for your Azure virtual machine using Python.