Secure your management ports with just-in-time access

Lock down inbound traffic to your Azure Virtual Machines with Azure Security Center's just-in-time (JIT) virtual machine (VM) access feature. This reduces exposure to attacks while still providing easy access when you need to connect to a VM.

For a full explanation of how JIT works and the underlying logic, see Just-in-time explained.

This page teaches you how to include JIT in your security program. You'll learn how to:

  • Enable JIT on your VMs - You can enable JIT with your own custom options for one or more VMs using Security Center, PowerShell, or the REST API. Alternatively, you can enable JIT with default, hard-coded parameters from Azure Virtual Machines. When enabled, JIT locks down inbound traffic to your Azure VMs by creating a deny rule in the VM's network security group (NSG) for the protected ports.
  • Request access to a VM that has JIT enabled - The goal of JIT is to ensure that even though inbound traffic is locked down, Security Center still provides easy access to connect to VMs when needed. You can request access to a JIT-enabled VM from Security Center, Azure Virtual Machines, PowerShell, or the REST API.
  • Audit the activity - To ensure your VMs are secured appropriately, review the accesses to your JIT-enabled VMs as part of your regular security checks.


Aspect: Details
Release state: General Availability (GA)
Pricing: Requires Azure Defender for servers
Supported VMs:
  • Yes: VMs deployed through Azure Resource Manager.
  • No: VMs deployed with classic deployment models. Learn more about these deployment models.
  • No: VMs protected by Azure Firewalls controlled by Azure Firewall Manager.
Required roles and permissions:
  • Reader and SecurityReader roles can both view the JIT status and parameters.
  • To create custom roles that can work with JIT, see What permissions are needed to configure and use JIT?
  • To create a least-privileged role for users that need to request JIT access to a VM, and perform no other JIT operations, use the Set-JitLeastPrivilegedRole script from the Security Center GitHub community pages.
Clouds: Yes: China cloud

Enable JIT VM access

You can enable JIT VM access with your own custom options for one or more VMs using Security Center or programmatically (PowerShell or the REST API).

Alternatively, you can enable JIT with default, hard-coded parameters from Azure Virtual Machines.

Each of these options is explained in a separate tab below.

Enable JIT on your VMs from Azure Security Center

[Screenshot: configuring JIT VM access in Azure Security Center]

From Security Center, you can enable and configure JIT VM access.

  1. Open the Azure Defender dashboard and, from the advanced protection area, select Just-in-time VM access.

    The Just-in-time VM access page opens with your VMs grouped into the following tabs:

    • Configured - VMs that have already been configured to support just-in-time VM access. For each VM, the Configured tab shows:
      • the number of approved JIT requests in the last seven days
      • the last access date and time
      • the connection details configured
      • the last user
    • Not configured - VMs without JIT enabled, but that can support JIT. We recommend that you enable JIT for these VMs.
    • Unsupported - VMs without JIT enabled and which don't support the feature. Your VM might be in this tab for the following reasons:
      • Missing network security group (NSG) - JIT requires an NSG to be configured, because the lockdown is implemented as NSG rules
      • Classic VM - JIT supports VMs that are deployed through Azure Resource Manager, not 'classic deployment'. Learn more about classic vs Azure Resource Manager deployment models.
      • Other - Your VM might be in this tab if the JIT solution is disabled in the security policy of the subscription or the resource group.
  2. From the Not configured tab, mark the VMs to protect with JIT and select Enable JIT on VMs.

    The JIT VM access page opens, listing the ports that Security Center recommends protecting:

    • 22 - SSH
    • 3389 - RDP
    • 5985 - WinRM (HTTP)
    • 5986 - WinRM (HTTPS)

    To accept the default settings, select Save.

  3. To customize the JIT options:

    • Add custom ports with the Add button.
    • Modify one of the default ports by selecting it from the list.

    For each port (custom and default), the Add port configuration pane offers the following options:

    • Protocol - The protocol that is allowed on this port when a request is approved
    • Allowed source IPs - The IP ranges that are allowed on this port when a request is approved. A request can only ask for addresses inside these ranges, so keep them as narrow as your jump hosts or office egress allow rather than leaving them open to any address.
    • Maximum request time - The maximum time window during which a specific port can be opened; every access request for the port is capped at this value
    1. Set the port security to your needs.

    2. Select OK.

  4. Select Save.

Edit the JIT configuration on a JIT-enabled VM using Security Center

You can modify a VM's just-in-time configuration by adding and configuring a new port to protect for that VM, or by changing any other setting related to an already protected port.

To edit the existing JIT rules for a VM:

  1. Open the Azure Defender dashboard and, from the advanced protection area, select Just-in-time VM access.

  2. From the Configured tab, right-click the VM to which you want to add a port, and select Edit.

    [Screenshot: editing the JIT VM access configuration in Azure Security Center]

  3. Under JIT VM access configuration, you can either edit the existing settings of an already protected port or add a new custom port.

  4. When you've finished editing the ports, select Save.
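The same enable and edit operations can be done from Azure PowerShell, which the page mentions as an alternative to the portal. The following is an added example (not code from the original page or from Microsoft) that uses the Az.Security cmdlets Set-AzJitNetworkAccessPolicy and Get-AzJitNetworkAccessPolicy to create a policy with tightened source ranges, re-submit it with a changed port list (which is how an edit is expressed), and then read back what was stored. The subscription ID, resource group, location, VM name, IP ranges and the assumption that the PowerShell objects expose Id, Ports, Number, Protocol, AllowedSourceAddressPrefix and MaxRequestAccessDuration properties are all placeholders or assumptions of this example.

```powershell
# Added example, not code from the original page: enable JIT on one VM with the
# Az.Security cmdlets, then edit the policy by resubmitting it. Assumes Az.Security
# is installed and Connect-AzAccount has been run with rights to write the policy.
# Subscription ID, resource group, location, VM name and IP ranges are placeholders.
$subscriptionId = "00000000-0000-0000-0000-000000000000"
$resourceGroup  = "rg-prod-web"
$location       = "chinanorth2"
$vmName         = "vm-web-01"
$vmId = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup" +
        "/providers/Microsoft.Compute/virtualMachines/$vmName"

# Source ranges a request may ask for. Pin these to the jump-host or office egress
# ranges; "*" would let a requester open the port to any address they name.
$adminRanges = @("203.0.113.0/24")   # placeholder (TEST-NET-3), assumption

# One hashtable per VM: the port list is the whole protected set for that VM.
# maxRequestAccessDuration is an ISO 8601 duration and caps every request window.
$vmPolicy = @{
    id    = $vmId
    ports = @(
        @{ number = 22;   protocol = "TCP"; allowedSourceAddressPrefix = $adminRanges; maxRequestAccessDuration = "PT1H" },
        @{ number = 3389; protocol = "TCP"; allowedSourceAddressPrefix = $adminRanges; maxRequestAccessDuration = "PT1H" },
        @{ number = 5986; protocol = "TCP"; allowedSourceAddressPrefix = $adminRanges; maxRequestAccessDuration = "PT3H" }
    )
}

# The portal creates a policy named "default" of kind "Basic", one per resource group
# and location; -VirtualMachine takes the full list of VMs covered by that policy.
Set-AzJitNetworkAccessPolicy -Kind "Basic" -Location $location -Name "default" `
    -ResourceGroupName $resourceGroup -VirtualMachine @($vmPolicy)

# Editing is the same call with the changed list. Here RDP is shortened to 30 minutes
# and a custom port (8443/TCP, allowed only from one jump host) is added.
$vmPolicy.ports = @(
    @{ number = 22;   protocol = "TCP"; allowedSourceAddressPrefix = $adminRanges;         maxRequestAccessDuration = "PT1H"  },
    @{ number = 3389; protocol = "TCP"; allowedSourceAddressPrefix = $adminRanges;         maxRequestAccessDuration = "PT30M" },
    @{ number = 5986; protocol = "TCP"; allowedSourceAddressPrefix = $adminRanges;         maxRequestAccessDuration = "PT3H"  },
    @{ number = 8443; protocol = "TCP"; allowedSourceAddressPrefix = @("203.0.113.10/32"); maxRequestAccessDuration = "PT1H"  }
)
Set-AzJitNetworkAccessPolicy -Kind "Basic" -Location $location -Name "default" `
    -ResourceGroupName $resourceGroup -VirtualMachine @($vmPolicy)

# Verify what is actually stored: every port should list only the intended prefixes.
# Property names below (VirtualMachines, Id, Ports, ...) are an assumption about the
# cmdlet's output objects.
$policy = Get-AzJitNetworkAccessPolicy -ResourceGroupName $resourceGroup -Location $location -Name "default"
$policy.VirtualMachines |
    Where-Object { $_.Id -eq $vmId } |
    ForEach-Object { $_.Ports } |
    Select-Object Number, Protocol, AllowedSourceAddressPrefix, MaxRequestAccessDuration |
    Format-Table -AutoSize
```

Because the policy is written as a whole, a Set call replaces the VM list for that resource group and location. If the "default" policy already covers other VMs, read it with Get-AzJitNetworkAccessPolicy first and include those VMs in the -VirtualMachine array, otherwise they silently lose their JIT protection.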

Request access to a JIT-enabled VM

You can request access to a JIT-enabled VM from the Azure portal (in Security Center or Azure Virtual Machines) or programmatically.

Each of these options is explained in a separate tab below.

Request access to a JIT-enabled VM from Azure Security Center

When a VM has JIT enabled, you have to request access before you can connect to it. You can request access in any of the supported ways, regardless of how you enabled JIT.

[Screenshot: requesting JIT access from Security Center]

  1. From the Just-in-time VM access page, select the Configured tab.

  2. Mark the VMs you want to access.

    • The icon in the Connection Details column indicates whether JIT is enabled on the network security group or on the firewall. If it's enabled on both, only the firewall icon appears.

    • The Connection Details column provides the information required to connect to the VM, and its open ports.

  3. Select Request access. The Request access window opens.

  4. Under Request access, configure for each VM the ports you want to open, the source IP addresses the ports are opened for, and the time window for which the ports will be open. You can only request access to ports that are in the JIT configuration, and each port has a maximum allowed time derived from that configuration.

  5. Select Open ports.


If the user requesting access is behind a proxy, the My IP option may not work, because the address it detects is the proxy's rather than the user's. You may need to define the full IP address range of the organization instead; keep that range as narrow as your egress allows, since every address in it can reach the port for the duration of the request.
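The request step can also be scripted, which is the natural place to handle the two points above: stating the source address explicitly rather than trusting an automatic lookup, and never asking for more than the configured maximum. The following is an added example (not code from the original page or from Microsoft) using Start-AzJitNetworkAccessPolicy from Az.Security, followed by a check of the NSG rule that the request produced. IDs, names and addresses are placeholders; the property names on the policy object, the assumption that MaxRequestAccessDuration comes back as an ISO 8601 string, and the assumption that the generated NSG rule names start with "SecurityCenter-JITRule" are this example's own.

```powershell
# Added example, not code from the original page: request JIT access to SSH on one VM
# with the Az.Security cmdlets, for an explicit source address and a window clipped
# to the policy maximum. Assumes Connect-AzAccount has been run and the policy
# "default" already covers the VM. IDs, names and addresses are placeholders.
$subscriptionId = "00000000-0000-0000-0000-000000000000"
$resourceGroup  = "rg-prod-web"
$location       = "chinanorth2"
$vmName         = "vm-web-01"
$vmId     = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup" +
            "/providers/Microsoft.Compute/virtualMachines/$vmName"
$policyId = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup" +
            "/providers/Microsoft.Security/locations/$location/jitNetworkAccessPolicies/default"

# State the source address yourself instead of relying on an automatic "my IP" lookup,
# which behind a proxy reports the proxy's address. It must fall inside the
# allowedSourceAddressPrefix configured for the port or the request is rejected.
$sourceIp = "203.0.113.10"   # placeholder jump-host egress address, assumption

# Read the configured cap for port 22 and never ask for more than that.
# Property names (VirtualMachines, Id, Ports, Number, MaxRequestAccessDuration) are assumptions.
$policy  = Get-AzJitNetworkAccessPolicy -ResourceGroupName $resourceGroup -Location $location -Name "default"
$portCfg = ($policy.VirtualMachines | Where-Object { $_.Id -eq $vmId }).Ports | Where-Object { $_.Number -eq 22 }
if (-not $portCfg) { throw "Port 22 is not JIT-protected on $vmName; only configured ports can be requested." }

# MaxRequestAccessDuration is assumed to be the ISO 8601 string stored in the policy, e.g. "PT1H".
$maxWindow  = [System.Xml.XmlConvert]::ToTimeSpan([string]$portCfg.MaxRequestAccessDuration)
$wanted     = [TimeSpan]::FromMinutes(30)
$window     = if ($wanted -gt $maxWindow) { $maxWindow } else { $wanted }
$endTimeUtc = (Get-Date).ToUniversalTime().Add($window).ToString("o")   # round-trip UTC timestamp

$request = @{
    id    = $vmId
    ports = @(@{ number = 22; endTimeUtc = $endTimeUtc; allowedSourceAddressPrefix = @($sourceIp) })
}
Start-AzJitNetworkAccessPolicy -ResourceGroupName $resourceGroup -ResourceId $policyId -VirtualMachine @($request)

# The NSG rule Security Center adds is the real control; confirm it exists and is scoped
# to the requested source and port. Requires Az.Network. $nsgName is a placeholder for the
# NSG attached to the VM's NIC or subnet; the rule-name prefix is an assumption.
$nsgName = "nsg-web"
Get-AzNetworkSecurityGroup -ResourceGroupName $resourceGroup -Name $nsgName |
    Select-Object -ExpandProperty SecurityRules |
    Where-Object { $_.Name -like "SecurityCenter-JITRule*" } |
    Select-Object Name, Access, Direction, Priority, SourceAddressPrefix, DestinationPortRange
```

The final check matters because the request is only as tight as the rule that lands in the NSG: a rule whose SourceAddressPrefix is wider than the single address you asked for, or whose DestinationPortRange covers more than port 22, means the policy's allowed ranges need revisiting, not the request.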

Audit JIT access activity in Security Center

You can gain insights into VM activities using log search. To view the logs:

  1. From Just-in-time VM access, select the Configured tab.

  2. For the VM that you want to audit, open the ellipsis menu at the end of the row.

  3. Select Activity Log from the menu.

    [Screenshot: selecting the just-in-time (JIT) activity log]

    The activity log provides a filtered view of previous operations for that VM along with time, date, and subscription.

  4. To download the log information, select Download as CSV.
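The same activity log is queryable from Azure PowerShell, which is more convenient than a CSV download when the review covers many VMs. The following is an added example (not code from the original page or from Microsoft) that uses Get-AzActivityLog from Az.Monitor to list the JIT access requests of the last seven days for a resource group, group them by caller, and pull out failed requests. The resource group name is a placeholder, and the operation name string used in the filter is an assumption based on the resource provider's naming.

```powershell
# Added example, not code from the original page: pull the last seven days of JIT
# access requests for one resource group from the Azure activity log with Az.Monitor
# and list who requested access, when, and whether it succeeded. Assumes Connect-AzAccount
# has been run; the resource group name is a placeholder. The operation name of a JIT
# request is assumed to be
# "Microsoft.Security/locations/jitNetworkAccessPolicies/initiate/action".
$resourceGroup = "rg-prod-web"
$since         = (Get-Date).AddDays(-7)

$jitEvents = Get-AzActivityLog -ResourceGroupName $resourceGroup -StartTime $since -MaxRecord 1000 |
    Where-Object { [string]$_.OperationName -like "*jitNetworkAccessPolicies/initiate*" }

# One row per request: who, when (UTC), outcome, which policy. Compare the count of
# succeeded rows with the "approved requests in the last seven days" figure shown on
# the Configured tab; a mismatch means the window or filter is off.
$rows = $jitEvents | Select-Object `
    @{ n = "TimeUtc"; e = { $_.EventTimestamp.ToUniversalTime() } },
    Caller,
    @{ n = "Status";  e = { [string]$_.Status } },
    ResourceId
$rows | Sort-Object TimeUtc | Format-Table -AutoSize

# What to look for during the review:
#  - callers that are not in the expected operator group
#  - requests outside the caller's working hours
#  - failed requests, which can indicate someone asking for ports or source ranges the
#    policy does not allow
$rows | Group-Object Caller | Select-Object Name, Count | Sort-Object Count -Descending
$rows | Where-Object { $_.Status -eq "Failed" } | Format-Table -AutoSize
```

The activity log records the request, not the connection: a succeeded request tells you a port was opened for a source range and window, not that anyone logged in. Correlate with the VM's own authentication logs (for example SSH or Windows security event logs) when you need to know who actually connected.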

Next steps

In this article, you learned how to set up and use just-in-time VM access. To learn why JIT should be used, read the concept article explaining the threats it defends against: