Just-in-time machine access
Defender for Servers Plan in Microsoft Defender for Cloud provides a just-in-time machine access feature.
Threat actors actively hunt accessible machines with open management ports, like RDP or SSH. All of your machines are potential targets for an attack. When a machine is successfully compromised, it's used as the entry point to attack further resources in the environment.
To reduce attack surfaces, we want fewer open ports, especially management ports. Legitimate users also use these ports, so it's not practical to keep them closed.
To solve this dilemma, Defender for Cloud offers just-in-time machine access so that you can lock down the inbound traffic to your VMs, reducing exposure to attacks while providing easy access to connect to VMs when needed. Just-in-time access is available when Defender for Servers Plan is enabled.
Just-in-time access and network resources
Azure
In Azure, you can block inbound traffic on specific ports, by enabling just-in-time access.
- Defender for Cloud ensures "deny all inbound traffic" rules exist for your selected ports in the network security group (NSG) and Azure Firewall rules.
- These rules restrict access to your Azure VMs’ management ports and defend them from attack.
- If other rules already exist for the selected ports, then those existing rules take priority over the new "deny all inbound traffic" rules.
- If there are no existing rules on the selected ports, then the new rules take top priority in the NSG and Azure Firewall.
Identify VMs for just-in-time access
The following diagram shows the logic that Defender for Servers applies when deciding how to categorize your supported VMs:
When Defender for Cloud finds a machine that can benefit from just-in-time access, it adds that machine to the recommendation's Unhealthy resources tab.
