Understanding just-in-time (JIT) VM access

This page explains the principles behind Azure Security Center's just-in-time (JIT) VM access feature and the logic behind the related recommendation.

To learn how to apply JIT to your VMs using the Azure portal (either Security Center or Azure Virtual Machines) or programmatically, see How to secure your management ports with JIT.

The risk of open management ports on a virtual machine

Threat actors actively hunt for reachable machines with open management ports such as RDP or SSH. Every one of your virtual machines is a potential target. Once a VM is compromised, it becomes the entry point for attacks on further resources within your environment.

Why JIT VM access is the solution

As with all preventive security controls, the goal is to reduce the attack surface. Here that means having fewer open ports, and above all fewer open management ports.

Your legitimate users also need these ports, so keeping them permanently closed is not practical.

To resolve this dilemma, Azure Security Center offers JIT. With JIT you lock down inbound traffic to your VMs, reducing exposure to attacks, while still giving authorized users a simple way to connect when they need to.

How JIT operates with network security groups and Azure Firewall

When you enable just-in-time VM access, you select the ports on the VM for which inbound traffic will be blocked. Security Center ensures that "deny all inbound traffic" rules exist for the selected ports in the network security group (NSG) and in the Azure Firewall rules. These rules restrict access to the management ports of your Azure VMs and defend them from attack.

If other rules already exist for the selected ports, those existing rules take priority over the new "deny all inbound traffic" rules, so a pre-existing allow rule for one of those ports is not overridden and should be reviewed before you rely on JIT. If no rules exist for the selected ports, the new deny rules are given top priority in the NSG and in Azure Firewall.

When a user requests access to a VM, Security Center checks that the user has Azure role-based access control (Azure RBAC) permissions for that VM. If the request is approved, Security Center configures the NSGs and Azure Firewall to allow inbound traffic to the selected ports from the requested IP address (or range) for the specified amount of time. After that time has expired, Security Center restores the NSGs to their previous state. Connections that are already established are not interrupted.
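The rule lifecycle described above, as an added example that is not Security Center's own code: a small model of NSG evaluation (rules checked in ascending priority number, first match wins, unmatched traffic falls through to the default DenyAllInbound rule), with JIT enablement placing a deny rule per port, an approved request placing a time-bounded allow rule ahead of it, and expiry restoring the previous state. The rule names, the constructed NSG and the sample IP ranges are assumptions for the illustration.

```python
"""Model of how JIT access drives NSG rules (illustration added here; not
Security Center's own implementation). Assumed NSG semantics: rules are
evaluated in ascending priority number (100 runs before 4096) and the first
match wins; traffic matching no custom rule hits the platform's default
DenyAllInbound rule."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Rule:
    priority: int
    name: str
    access: str                         # "Allow" or "Deny"
    port: int
    source: str = "*"                   # "*" (any source) or a CIDR
    expires: Optional[datetime] = None  # set only on JIT-created allow rules

    def matches(self, src_ip: str, port: int) -> bool:
        if self.port != port:
            return False
        return self.source == "*" or ip_address(src_ip) in ip_network(self.source, strict=False)


@dataclass
class Nsg:
    rules: list = field(default_factory=list)

    def evaluate(self, src_ip: str, port: int) -> str:
        """Decide a new inbound flow. Established connections are not
        re-evaluated by NSGs, which is why a rule change does not cut them."""
        for rule in sorted(self.rules, key=lambda r: r.priority):
            if rule.matches(src_ip, port):
                return rule.access
        return "Deny"

    def taken(self) -> set:
        return {r.priority for r in self.rules}

    def free_priority_before(self, limit: int) -> int:
        """Highest unused number that is still evaluated before `limit`."""
        prio = limit - 1
        while prio in self.taken():
            prio -= 1
        if prio < 100:
            raise ValueError("no free priority left above %d" % limit)
        return prio


def enable_jit(nsg: Nsg, ports) -> None:
    """Add a 'deny all inbound' rule per protected port. Rules that already
    target the port keep precedence (the deny lands just after them);
    otherwise the deny becomes the highest-priority rule in the NSG."""
    for port in ports:
        on_port = [r.priority for r in nsg.rules if r.port == port]
        if on_port:
            prio = max(on_port) + 1
            while prio in nsg.taken():
                prio += 1
        else:
            prio = nsg.free_priority_before(min(nsg.taken(), default=101))
        nsg.rules.append(Rule(prio, f"JIT-Deny-{port}", "Deny", port))  # rule name is illustrative


def request_access(nsg: Nsg, port: int, source_cidr: str, now: datetime, duration: timedelta) -> Rule:
    """Open `port` to `source_cidr` until now+duration by placing an allow rule
    ahead of the JIT deny rule (the RBAC check is assumed to have passed)."""
    deny = next((r for r in nsg.rules if r.name == f"JIT-Deny-{port}"), None)
    if deny is None:
        raise ValueError(f"port {port} is not JIT-protected")
    rule = Rule(nsg.free_priority_before(deny.priority), f"JIT-Allow-{port}-{source_cidr}",
                "Allow", port, source_cidr, expires=now + duration)
    nsg.rules.append(rule)
    return rule


def expire_requests(nsg: Nsg, now: datetime) -> int:
    """Drop allow rules whose window has ended, restoring the previous state."""
    before = len(nsg.rules)
    nsg.rules = [r for r in nsg.rules if r.expires is None or r.expires > now]
    return before - len(nsg.rules)


def demo() -> dict:
    """Constructed scenario: a VM with an existing HTTPS allow and an existing
    office-only RDP allow; JIT is then enabled for SSH and RDP."""
    nsg = Nsg([Rule(300, "AllowHttps", "Allow", 443),
               Rule(200, "AllowRdpFromOffice", "Allow", 3389, "10.0.0.0/8")])
    enable_jit(nsg, [22, 3389])
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    out = {"ssh_before": nsg.evaluate("203.0.113.5", 22),
           "rdp_office": nsg.evaluate("10.1.2.3", 3389),      # pre-existing rule still wins
           "rdp_internet": nsg.evaluate("203.0.113.5", 3389)}
    request_access(nsg, 22, "203.0.113.0/24", t0, timedelta(hours=3))
    out["ssh_requester"] = nsg.evaluate("203.0.113.5", 22)
    out["ssh_other"] = nsg.evaluate("198.51.100.7", 22)
    out["removed"] = expire_requests(nsg, t0 + timedelta(hours=3, seconds=1))
    out["ssh_after"] = nsg.evaluate("203.0.113.5", 22)
    return out
```

The point to take from `demo()` is the precedence rule: the office-only RDP allow at priority 200 keeps working after JIT is enabled because the deny is placed after it, whereas SSH, which had no rule, is closed to everyone until a request opens it for one source range and one time window.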

How Security Center identifies which VMs should have JIT applied

The diagram below shows the logic Security Center applies when deciding how to categorize your supported VMs:

(Figure: Just-in-time (JIT) virtual machine (VM) logic flow)

When Security Center finds a machine that can benefit from JIT, it adds that machine to the recommendation's Unhealthy resources tab.

(Figure: Just-in-time (JIT) virtual machine (VM) access recommendation)

FAQ - Questions about just-in-time virtual machine access

What permissions are needed to configure and use JIT?

JIT requires Azure Defender for servers to be enabled on the subscription.

The Reader and SecurityReader roles can both view the JIT status and parameters.

If you want to create custom roles that can work with JIT, you will need the details in the table below.

Tip

To create a least-privileged role for users who need to request JIT access to a VM and perform no other JIT operations, use the Set-JitLeastPrivilegedRole script from the Security Center GitHub community pages.

To enable a user to:                          Permissions to set

Configure or edit a JIT policy for a VM
  Assign these actions to the role:
  • On the scope of a subscription or resource group that is associated with the VM:
    Microsoft.Security/locations/jitNetworkAccessPolicies/write
  • On the scope of a subscription or resource group of the VM:
    Microsoft.Compute/virtualMachines/write

Request JIT access to a VM
  Assign these actions to the user:
  • On the scope of a subscription or resource group that is associated with the VM:
    Microsoft.Security/locations/jitNetworkAccessPolicies/initiate/action
  • On the scope of a subscription or resource group that is associated with the VM:
    Microsoft.Security/locations/jitNetworkAccessPolicies/*/read
  • On the scope of a subscription, resource group or VM:
    Microsoft.Compute/virtualMachines/read
  • On the scope of a subscription, resource group or VM:
    Microsoft.Network/networkInterfaces/*/read

Read JIT policies
  Assign these actions to the user:
  • Microsoft.Security/locations/jitNetworkAccessPolicies/read
  • Microsoft.Security/locations/jitNetworkAccessPolicies/initiate/action
  • Microsoft.Security/policies/read
  • Microsoft.Compute/virtualMachines/read
  • Microsoft.Network/*/read
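As an added example (not Azure's authorization engine and not the Set-JitLeastPrivilegedRole script), the following builds a custom role definition that carries exactly the "request JIT access" actions from the table, in the JSON shape that `az role definition create` accepts, and checks which of the table's required actions a given role definition effectively grants using Azure-style wildcard matching of Actions minus NotActions. The role name, description and the all-zero subscription ID are assumptions; scope inheritance and DataActions are deliberately not modelled.

```python
"""Check whether a role definition grants the actions each JIT operation needs
(added illustration, not Azure's authorization engine). Only the
Actions/NotActions wildcard matching of a role definition is modelled."""
from fnmatch import fnmatchcase
import json

# Actions required per JIT operation, as listed in the table above.
REQUIRED = {
    "configure": [
        "Microsoft.Security/locations/jitNetworkAccessPolicies/write",
        "Microsoft.Compute/virtualMachines/write",
    ],
    "request": [
        "Microsoft.Security/locations/jitNetworkAccessPolicies/initiate/action",
        "Microsoft.Security/locations/jitNetworkAccessPolicies/*/read",
        "Microsoft.Compute/virtualMachines/read",
        "Microsoft.Network/networkInterfaces/*/read",
    ],
    "read": [
        "Microsoft.Security/locations/jitNetworkAccessPolicies/read",
        "Microsoft.Security/locations/jitNetworkAccessPolicies/initiate/action",
        "Microsoft.Security/policies/read",
        "Microsoft.Compute/virtualMachines/read",
        "Microsoft.Network/*/read",
    ],
}


def covered(action: str, patterns) -> bool:
    """True if any granted pattern matches the action. A '*' in a pattern
    spans '/' separators, as it does in Azure action strings."""
    return any(fnmatchcase(action, p) for p in patterns)


def missing_actions(operation: str, role: dict) -> list:
    """Required actions the role does not effectively grant. An action is
    effective only if an Actions entry matches it and no NotActions entry does."""
    return [a for a in REQUIRED[operation]
            if not (covered(a, role.get("Actions", []))
                    and not covered(a, role.get("NotActions", [])))]


def can_perform(operation: str, role: dict) -> bool:
    return not missing_actions(operation, role)


def jit_requester_role(subscription_id: str) -> dict:
    """Custom role definition (shape accepted by `az role definition create`)
    that can request JIT access but cannot edit JIT policies.
    Name and description are assumptions for this example."""
    return {
        "Name": "JIT VM Access Requester",
        "IsCustom": True,
        "Description": "Request JIT access to VMs; no JIT policy changes.",
        "Actions": list(REQUIRED["request"]),
        "NotActions": [],
        "AssignableScopes": [f"/subscriptions/{subscription_id}"],
    }


if __name__ == "__main__":
    role = jit_requester_role("00000000-0000-0000-0000-000000000000")  # placeholder ID
    print(json.dumps(role, indent=2))
    for op in REQUIRED:
        print(op, "->", "ok" if can_perform(op, role) else missing_actions(op, role))
```

Running the script shows the least-privilege property the tip above is after: the requester role satisfies every action needed to request access and fails the "configure" check on both write actions. A built-in Reader-style role (`*/read`) fails only on `jitNetworkAccessPolicies/initiate/action`, which is why Reader and SecurityReader can view JIT state but not open a port.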

Next steps

This page explained why just-in-time (JIT) virtual machine (VM) access should be used.

Advance to the how-to article to learn about enabling JIT and requesting access to your JIT-enabled VMs: