Secure your management ports with just-in-time access

Just-in-time (JIT) virtual machine (VM) access can be used to lock down inbound traffic to your Azure VMs, reducing exposure to attacks while providing easy access to connect to VMs when needed.

Note

Security Center just-in-time VM access currently supports only VMs deployed through Azure Resource Manager. To learn more about the classic and Resource Manager deployment models, see Azure Resource Manager vs. classic deployment.

Attack scenario

Brute force attacks commonly target management ports as a means to gain access to a VM. If successful, an attacker can take control of the VM and establish a foothold in your environment.

One way to reduce exposure to a brute force attack is to limit the amount of time that a port is open. Management ports don't need to be open at all times. They only need to be open while you're connected to the VM, for example to perform management or maintenance tasks. When just-in-time is enabled, Security Center uses network security group (NSG) and Azure Firewall rules that restrict access to management ports so they cannot be targeted by attackers.

How does JIT access work?

When just-in-time is enabled, Security Center locks down inbound traffic to your Azure VMs by creating an NSG rule. You select the ports on the VM to which inbound traffic will be locked down. These ports are controlled by the just-in-time solution.

When a user requests access to a VM, Security Center checks that the user has Role-Based Access Control (RBAC) permissions for that VM. If the request is approved, Security Center automatically configures the Network Security Groups (NSGs) and Azure Firewall to allow inbound traffic to the selected ports from the requested source IP addresses or ranges, for the amount of time that was specified. After that time has expired, Security Center restores the NSGs to their previous states. Connections that are already established are not interrupted, however.

Note

If a JIT access request is approved for a VM behind an Azure Firewall, Security Center automatically changes both the NSG and the firewall policy rules. For the amount of time that was specified, the rules allow inbound traffic to the selected ports from the requested source IP addresses or ranges. After the time is over, Security Center restores the firewall and NSG rules to their previous states.

Permissions needed to configure and use JIT

To enable a user to configure or edit a JIT policy for a VM, assign these actions to the role:
  • On the scope of a subscription or resource group that is associated with the VM:
    Microsoft.Security/locations/jitNetworkAccessPolicies/write
  • On the scope of a subscription or resource group of the VM:
    Microsoft.Compute/virtualMachines/write

To enable a user to request JIT access to a VM, assign these actions to the user:
  • On the scope of a subscription or resource group that is associated with the VM:
    Microsoft.Security/locations/jitNetworkAccessPolicies/initiate/action
  • On the scope of a subscription or resource group that is associated with the VM:
    Microsoft.Security/locations/jitNetworkAccessPolicies/*/read
  • On the scope of a subscription, resource group or VM:
    Microsoft.Compute/virtualMachines/read
  • On the scope of a subscription, resource group or VM:
    Microsoft.Network/networkInterfaces/*/read

Configure JIT on a VM

There are three ways to configure a JIT policy on a VM: in Azure Security Center, from the Azure VM's page, or programmatically (REST API or PowerShell). Each is described below.

Configure JIT in Azure Security Center

From Security Center, you can configure a JIT policy and request access to a VM using a JIT policy.

Configure JIT access on a VM in Security Center

  1. Open the Security Center dashboard.

  2. In the left pane, select Just-in-time VM access.

    The Just-in-time VM access window opens and shows information on the state of your VMs:

    • Configured - VMs that have been configured to support just-in-time VM access. The data presented is for the last week and includes, for each VM, the number of approved requests, the last access date and time, and the last user.
    • Recommended - VMs that can support just-in-time VM access but haven't been configured to. We recommend that you enable just-in-time VM access control for these VMs.
    • No recommendation - Reasons that can cause a VM not to be recommended are:
      • Missing NSG - The just-in-time solution requires an NSG to be in place.
      • Classic VM - Security Center just-in-time VM access currently supports only VMs deployed through Azure Resource Manager. A classic deployment is not supported by the just-in-time solution.
      • Other - A VM is in this category if the just-in-time solution is turned off in the security policy of the subscription or the resource group, or if the VM is missing a public IP and doesn't have an NSG in place.

  3. Select the Recommended tab.

  4. Under VIRTUAL MACHINE, click the VMs that you want to enable. This puts a checkmark next to each VM.

  5. Click Enable JIT on VMs. A pane opens displaying the default ports recommended by Azure Security Center:

    • 22 - SSH
    • 3389 - RDP
    • 5985 - WinRM
    • 5986 - WinRM

  6. Optionally, you can add custom ports to the list:

    1. Click Add. The Add port configuration window opens.

    2. For each port you choose to configure, both default and custom, you can customize the following settings:

      • Protocol type - The protocol that is allowed on this port when a request is approved.
      • Allowed source IP addresses - The IP ranges that are allowed on this port when a request is approved.
      • Maximum request time - The maximum time window during which a specific port can be opened.

    3. Click OK.

  7. Click Save.

Note

When JIT VM access is enabled for a VM, Azure Security Center creates "deny all inbound traffic" rules for the selected ports in the network security groups and Azure Firewall associated with it. If other rules had already been created for the selected ports, the existing rules take priority over the new "deny all inbound traffic" rules. If there are no existing rules on the selected ports, the new "deny all inbound traffic" rules take top priority in the network security groups and Azure Firewall.

Request JIT access via Security Center

To request access to a VM via Security Center:

  1. Under Just-in-time VM access, select the Configured tab.

  2. Under Virtual Machine, click the VMs that you want to request access for. This puts a checkmark next to the VM.

    • The icon in the Connection Details column indicates whether JIT is enabled on the NSG or on the firewall. If it's enabled on both, only the Firewall icon appears.

    • The Connection Details column provides the information required to connect to the VM, and its open ports.

  3. Click Request access. The Request access window opens.

  4. Under Request access, for each VM, configure the ports that you want to open, the source IP addresses for which the port is opened, and the time window for which the port will be open. It is only possible to request access to the ports that are configured in the just-in-time policy. Each port has a maximum allowed time derived from the just-in-time policy.

  5. Click Open ports.

Note

If the user requesting access is behind a proxy, the My IP option may not work. You may need to define the full IP address range of the organization.

Edit a JIT access policy via Security Center

You can change a VM's existing just-in-time policy by adding and configuring a new port to protect for that VM, or by changing any other setting related to an already protected port.

To edit an existing just-in-time policy of a VM:

  1. In the Configured tab, under VMs, select the VM to which to add a port by clicking the three dots within the row for that VM.

  2. Select Edit.

  3. Under JIT VM access configuration, you can either edit the existing settings of an already protected port or add a new custom port.

Audit JIT access activity in Security Center

You can gain insights into VM activities using log search. To view logs:

  1. Under Just-in-time VM access, select the Configured tab.

  2. Under VMs, select the VM to view information about by clicking the three dots within the row for that VM, and select Activity Log from the menu. The Activity log opens.

    The Activity log provides a filtered view of previous operations for that VM along with time, date, and subscription.

You can download the log information by selecting Click here to download all the items as CSV.

Modify the filters and click Apply to run a new search over the log.
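The same audit can be scripted. The following is an added example, not code from the original article: it pulls the activity log for a resource group with Get-AzLog (Az.Monitor, signed-in session assumed) and keeps only the two JIT operations named in the permissions section above; the function name and the RESOURCEGROUP placeholder are assumptions.

```powershell
# Added example, not part of the original article. Assumes the Az.Monitor module
# (Get-AzLog) and a signed-in Az session; the function name is my own.
# The activity log records JIT events under the same actions the permissions table grants:
#   .../jitNetworkAccessPolicies/write            policy created or changed
#   .../jitNetworkAccessPolicies/initiate/action  port-open request made
function Get-JitActivity {
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [int] $Days = 7    # the Security Center view also reports the last week
    )
    $jitOps = @{
        'Microsoft.Security/locations/jitNetworkAccessPolicies/write'           = 'PolicyChanged'
        'Microsoft.Security/locations/jitNetworkAccessPolicies/initiate/action' = 'AccessRequested'
    }
    Get-AzLog -ResourceGroupName $ResourceGroupName -StartTime (Get-Date).AddDays(-$Days) -MaxRecord 1000 |
        Where-Object { $jitOps.Keys -contains $_.OperationName.Value } |
        ForEach-Object {
            [pscustomobject]@{
                Time   = $_.EventTimestamp
                Event  = $jitOps[$_.OperationName.Value]
                Caller = $_.Caller          # who requested access or changed the policy
                Status = $_.Status.Value    # Started / Succeeded / Failed
                Policy = $_.ResourceId      # the jitNetworkAccessPolicies resource acted on
            }
        } | Sort-Object Time
}

# Example: list the last 30 days of JIT activity for one resource group.
Get-JitActivity -ResourceGroupName 'RESOURCEGROUP' -Days 30 | Format-Table -AutoSize
```

A policy write by a caller who is not one of your administrators, or access requests outside maintenance windows, are the rows worth reviewing.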

Configure JIT access from an Azure VM's page

For your convenience, you can connect to a VM using JIT directly from within the VM's page in Security Center.

Configure JIT access on a VM via the Azure VM page

To make it easy to roll out just-in-time access across your VMs, you can set a VM to allow only just-in-time access directly from within the VM's page.

  1. From the Azure portal, search for and select Virtual machines.
  2. Select the virtual machine you want to limit to just-in-time access.
  3. In the menu, select Configuration.
  4. Under Just-in-time access, select Enable just-in-time.

This enables just-in-time access for the VM using the following settings:

  • Windows servers:
    • RDP port 3389
    • Three hours of maximum allowed access
    • Allowed source IP addresses set to Any
  • Linux servers:
    • SSH port 22
    • Three hours of maximum allowed access
    • Allowed source IP addresses set to Any

If a VM already has just-in-time enabled, its configuration page shows that just-in-time is enabled, and you can use the link to open the policy in Azure Security Center to view and change the settings.

Request JIT access to a VM via an Azure VM's page

In the Azure portal, when you try to connect to a VM, Azure checks whether a just-in-time access policy is configured on that VM.

  • If a JIT policy is configured on the VM, you can click Request access to be granted access in accordance with the JIT policy set for the VM.

    Access is requested with the following default parameters:

    • Source IP: 'Any' (*) (cannot be changed)

    • Time range: three hours (cannot be changed)

    • Port number: RDP port 3389 for Windows / port 22 for Linux (can be changed)

      Note

      After a request is approved for a VM protected by Azure Firewall, Security Center provides the user with the proper connection details (the port mapping from the DNAT table) to use to connect to the VM.

  • If JIT is not configured on the VM, you will be prompted to configure a JIT policy on it.

Configure a JIT policy on a VM programmatically

You can set up and use just-in-time via REST APIs and via PowerShell.

JIT VM access via REST APIs

The just-in-time VM access feature can be used via the Azure Security Center API. You can get information about configured VMs, add new ones, request access to a VM, and more, via this API. To learn more about the just-in-time REST API, see Jit Network Access Policies.

JIT VM access via PowerShell

To use the just-in-time VM access solution via PowerShell, use the official Azure Security Center PowerShell cmdlets, specifically Set-AzJitNetworkAccessPolicy.

The following example sets a just-in-time VM access policy on a specific VM, and sets the following:

  1. Close ports 22 and 3389.

  2. Set a maximum time window of 3 hours for each, so they can be opened per approved request.

  3. Allow the user who is requesting access to control the source IP addresses, and allow the user to establish a successful session upon an approved just-in-time access request.

Run the following in PowerShell to accomplish this:

  1. Assign a variable that holds the just-in-time VM access policy for a VM:

    # One VM entry of the policy: the VM's resource ID plus the ports that JIT controls.
    $JitPolicy = (@{
        id="/subscriptions/SUBSCRIPTIONID/resourceGroups/RESOURCEGROUP/providers/Microsoft.Compute/virtualMachines/VMNAME"
        ports=(@{
            number=22;
            protocol="*";                        # any protocol
            allowedSourceAddressPrefix=@("*");   # the requester chooses the source address
            maxRequestAccessDuration="PT3H"},    # ISO 8601 duration: at most 3 hours per request
            @{
            number=3389;
            protocol="*";
            allowedSourceAddressPrefix=@("*");
            maxRequestAccessDuration="PT3H"})})

  2. Insert the VM just-in-time VM access policy into an array:

    $JitPolicyArr=@($JitPolicy)

  3. Configure the just-in-time VM access policy on the selected VM:

    Set-AzJitNetworkAccessPolicy -Kind "Basic" -Location "LOCATION" -Name "default" -ResourceGroupName "RESOURCEGROUP" -VirtualMachine $JitPolicyArr


Request access to a VM via PowerShell

The following example shows a just-in-time VM access request to a specific VM, in which port 22 is requested to be opened for a specific IP address and for a specific amount of time.

Run the following in PowerShell:

  1. Configure the VM request access properties:

    $JitPolicyVm1 = (@{
        id="/subscriptions/SUBSCRIPTIONID/resourceGroups/RESOURCEGROUP/providers/Microsoft.Compute/virtualMachines/VMNAME"
        ports=(@{
            number=22;
            endTimeUtc="2018-09-17T17:00:00.3658798Z";         # UTC time at which the port closes again; replace with a future time
            allowedSourceAddressPrefix=@("IPV4ADDRESS")})})    # the requester's source address

  2. Insert the VM access request parameters into an array:

    $JitPolicyArr=@($JitPolicyVm1)

  3. Send the request for access (use the resource ID you got in step 1):

    Start-AzJitNetworkAccessPolicy -ResourceId "/subscriptions/SUBSCRIPTIONID/resourceGroups/RESOURCEGROUP/providers/Microsoft.Security/locations/LOCATION/jitNetworkAccessPolicies/default" -VirtualMachine $JitPolicyArr
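Rather than hand-writing endTimeUtc, the request can be derived from the policy entry itself. The following is an added example, not code from the article or the Az module: it checks the requested port, duration and source against the policy (the constraints the Security Center request procedure describes) and computes endTimeUtc from the current time; the function name, the 203.0.113.10/32 source address and the two-hour window are assumptions.

```powershell
# Added example, not part of the original article. Builds a Start-AzJitNetworkAccessPolicy
# request hashtable from a policy entry of the shape used above (id, ports[] with number,
# allowedSourceAddressPrefix and maxRequestAccessDuration as an ISO 8601 duration).
# The function name and sample values are assumptions; runs offline until the final call.
function New-JitAccessRequest {
    param(
        [Parameter(Mandatory)] [hashtable] $Policy,        # one VM entry of the JIT policy
        [Parameter(Mandatory)] [int]       $Port,          # port to open; must be protected by the policy
        [Parameter(Mandatory)] [string]    $SourcePrefix,  # requester's address or CIDR
        [timespan] $Duration = [timespan]::FromHours(1)    # requested open window
    )
    # Only ports configured in the policy can be requested.
    $portPolicy = @($Policy.ports | Where-Object { $_.number -eq $Port })
    if ($portPolicy.Count -eq 0) {
        throw "Port $Port is not covered by the JIT policy for $($Policy.id)"
    }
    # maxRequestAccessDuration is an ISO 8601 duration (PT3H); XmlConvert parses it.
    $max = [System.Xml.XmlConvert]::ToTimeSpan($portPolicy[0].maxRequestAccessDuration)
    if ($Duration -gt $max) {
        throw "Requested $Duration exceeds the policy maximum of $max for port $Port"
    }
    # "*" lets the requester choose the source; otherwise it must be a listed prefix
    # (exact string match here, not CIDR containment).
    $allowed = @($portPolicy[0].allowedSourceAddressPrefix)
    if ($allowed -notcontains '*' -and $allowed -notcontains $SourcePrefix) {
        throw "Source $SourcePrefix is not among the allowed prefixes: $($allowed -join ', ')"
    }
    # endTimeUtc is an absolute UTC timestamp; derive it from now instead of hard-coding a date.
    $endTimeUtc = (Get-Date).ToUniversalTime().Add($Duration).ToString('o')
    return @{
        id    = $Policy.id
        ports = @(@{
            number                     = $Port
            endTimeUtc                 = $endTimeUtc
            allowedSourceAddressPrefix = @($SourcePrefix)
        })
    }
}

# Constructed sample policy entry with the same shape as the article's $JitPolicy.
$JitPolicy = @{
    id    = "/subscriptions/SUBSCRIPTIONID/resourceGroups/RESOURCEGROUP/providers/Microsoft.Compute/virtualMachines/VMNAME"
    ports = @(
        @{ number = 22;   protocol = "*"; allowedSourceAddressPrefix = @("*"); maxRequestAccessDuration = "PT3H" },
        @{ number = 3389; protocol = "*"; allowedSourceAddressPrefix = @("*"); maxRequestAccessDuration = "PT3H" }
    )
}

# Request SSH for two hours from a single constructed source address (within the PT3H maximum).
$request = New-JitAccessRequest -Policy $JitPolicy -Port 22 -SourcePrefix '203.0.113.10/32' -Duration ([timespan]::FromHours(2))
# Submitting it needs a signed-in Az session; the ResourceId is the policy's, as in step 3 above:
# Start-AzJitNetworkAccessPolicy -ResourceId "/subscriptions/SUBSCRIPTIONID/resourceGroups/RESOURCEGROUP/providers/Microsoft.Security/locations/LOCATION/jitNetworkAccessPolicies/default" -VirtualMachine @($request)
```

Requesting port 5985, or a four-hour window, throws before anything is sent, which is the behaviour you want from automation that opens management ports.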
    

For more information, see the PowerShell cmdlet documentation.

Next steps

In this article, you learned how just-in-time VM access in Security Center helps you control access to your Azure virtual machines.

To learn more about Security Center, see the following: