Tag: RDP


Azure – Just in Time VM access

If you run virtual machines with a public IP address connected to the internet, attackers start probing them almost immediately. Brute force attacks commonly target management ports, like RDP (TCP 3389) or SSH (TCP 22), to gain access to a VM. If the attacker succeeds, they can take control of the VM and use it to reach other resources in the environment. The recommended countermeasure is to reduce the number of open ports, especially the management ports. However, sometimes you will need to open ports on some of the virtual machines for management tasks. Microsoft Azure has a simple way to address this, called Azure Just in Time (JIT) virtual machine (VM) access. Just in time VM access locks down inbound traffic to your Azure VMs, reducing exposure to attacks, while still providing easy access to connect to the VMs when needed.

How does Azure Just in Time VM Access work

In the Azure Security Center you can enable just in time VM access for a VM. Security Center then adds rules to the Network Security Group (NSG) attached to the VM that deny inbound traffic on the management ports you specify. When a user requests access, Security Center adds a temporary allow rule with a higher priority than the deny rule, limited to the requested ports, the requested source IP and the requested time window, and removes that rule again when the time expires. During the initial JIT configuration you define which ports Security Center manages; those ports stay locked down by the NSG rules until someone requests access.

Configure Azure JIT VM access


Azure JIT VM access is configured in the Azure Security Center. To configure and enable JIT on a virtual machine, open the Azure Security Center and click on Just in time VM access.

Here you will find three states: Configured, Recommended and No recommendation.

  • Configured – VMs that have been configured to support just in time VM access. The data presented is for the last week and includes for each VM the number of approved requests, last access date and time, and last user.
  • Recommended – VMs that can support just in time VM access but have not been configured to. We recommend that you enable just in time VM access control for these VMs. See Configuring a just in time access policy.
  • No recommendation – Reasons that can cause a VM not to be recommended are:
    • Missing NSG – The just in time solution requires an NSG to be in place.
    • Classic VM – Security Center just in time VM access currently supports only VMs deployed through Azure Resource Manager. A classic deployment is not supported by the just in time solution.
    • Other – A VM is in this category if the just in time solution is turned off in the security policy of the subscription or the resource group, or that the VM is missing a public IP and doesn’t have an NSG in place.

To configure JIT, click on Recommended and select the virtual machine for which you want to enable it.

Click on Enable JIT on VMs and configure the ports which should be managed by Just in time VM access. Just in time VM access recommends some default ports: RDP (3389), SSH (22) and PowerShell Remoting / WinRM (5985 and 5986). You can also add other ports if you want or need to. Per port you define the protocol, the allowed source IP ranges a requester may ask for, and the maximum time a request may keep the port open.

Requesting Just in time VM Access for Azure Virtual Machine


On the Configured section, you can select the VM you want to request access to and click on Request access. You can now select the ports you want opened, for how long (up to the maximum set in the policy) and from which IP address. Request the ports from your own public IP rather than from any address; opening the port to the whole internet, even for a short time, gives away most of the benefit. The NSG rule is added and after 2-3 minutes you will be able to connect to the virtual machine.

To send such a request, the user requesting access needs the appropriate permissions on the virtual machine in Azure Role-Based Access Control (RBAC): write access to the VM at the time this was written; in current documentation the specific action is Microsoft.Security/locations/jitNetworkAccessPolicies/initiate/action together with read access to the VM and its network interfaces.
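The same configuration and request steps described above can be scripted, which also lets you verify what Security Center actually did to the NSG. The following is an added example with the Az PowerShell modules and is not code from the original post; the subscription ID, resource group, VM name, region and source IP are placeholders, and the "SecurityCenter-JITRule" rule-name prefix used for the check is an assumption about how Security Center names its rules.

```powershell
#Requires -Modules Az.Accounts, Az.Security, Az.Network, Az.Compute

# Placeholders: replace with your own values before running.
$SubscriptionId = "00000000-0000-0000-0000-000000000000"
$ResourceGroup  = "rg-jit-demo"
$VmName         = "vm-jit-demo"
$Location       = "westeurope"
$MySourceIp     = "203.0.113.10"   # your workstation's public IP (documentation range, placeholder)

$VmId = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup" +
        "/providers/Microsoft.Compute/virtualMachines/$VmName"
$PolicyId = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup" +
            "/providers/Microsoft.Security/locations/$Location/jitNetworkAccessPolicies/default"

Connect-AzAccount | Out-Null
Set-AzContext -SubscriptionId $SubscriptionId | Out-Null

# 1. Enable JIT: the management ports Security Center may open on request.
#    maxRequestAccessDuration is an ISO 8601 duration (PT3H = 3 hours).
#    allowedSourceAddressPrefix "*" only means a requester may ask for any source;
#    it does not open the port by itself.
$ManagedPorts = @(
    @{ number = 3389; protocol = "TCP"; allowedSourceAddressPrefix = @("*"); maxRequestAccessDuration = "PT3H" }  # RDP
    @{ number = 22;   protocol = "TCP"; allowedSourceAddressPrefix = @("*"); maxRequestAccessDuration = "PT3H" }  # SSH
    @{ number = 5985; protocol = "TCP"; allowedSourceAddressPrefix = @("*"); maxRequestAccessDuration = "PT1H" }  # WinRM HTTP
    @{ number = 5986; protocol = "TCP"; allowedSourceAddressPrefix = @("*"); maxRequestAccessDuration = "PT1H" }  # WinRM HTTPS
)
Set-AzJitNetworkAccessPolicy -Kind "Basic" -Location $Location -Name "default" `
    -ResourceGroupName $ResourceGroup -VirtualMachine @(@{ id = $VmId; ports = $ManagedPorts })

# 2. Verify: the NSG on the VM's NIC should now contain Deny rules for those ports.
#    Assumption: Security Center prefixes its rules with "SecurityCenter-JITRule".
$Vm  = Get-AzVM -ResourceGroupName $ResourceGroup -Name $VmName
$Nic = Get-AzNetworkInterface -ResourceId $Vm.NetworkProfile.NetworkInterfaces[0].Id
if ($Nic.NetworkSecurityGroup) {
    $NsgParts = $Nic.NetworkSecurityGroup.Id -split "/"   # [4] = resource group, [-1] = NSG name
    $Nsg = Get-AzNetworkSecurityGroup -ResourceGroupName $NsgParts[4] -Name $NsgParts[-1]
    $Nsg.SecurityRules |
        Where-Object { $_.Name -like "SecurityCenter-JITRule*" } |
        Select-Object Name, Priority, Access, Direction, DestinationPortRange, SourceAddressPrefix |
        Format-Table -AutoSize
} else {
    Write-Warning "No NSG on the NIC; check the NSG attached to the subnet instead."
}

# 3. Request RDP for two hours from a single source IP. Requesting "Any" source
#    defeats the purpose of JIT, so always pin the request to your own address.
$EndTimeUtc = (Get-Date).ToUniversalTime().AddHours(2).ToString("o")
$Request = @{
    id    = $VmId
    ports = @(
        @{ number = 3389; endTimeUtc = $EndTimeUtc; allowedSourceAddressPrefix = @($MySourceIp) }
    )
}
Start-AzJitNetworkAccessPolicy -ResourceId $PolicyId -VirtualMachine @($Request)

# 4. The policy object records the open requests; the NSG now carries a temporary
#    Allow rule with a higher priority than the Deny rule until endTimeUtc.
(Get-AzJitNetworkAccessPolicy -ResourceGroupName $ResourceGroup -Location $Location -Name "default").Requests |
    ConvertTo-Json -Depth 5
```

Step 2 is the check worth keeping around: if the Deny rules are missing, for example because the NSG sits on the subnet rather than the NIC, the policy exists but the ports are not actually closed.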

Auditing Azure JIT VM access activity

Of course all requests are logged and can be reviewed in the Azure Activity Log, where each request appears as an operation on the JIT network access policy of the VM, including the requesting user and the time.
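To review the requests without clicking through the portal, the Activity Log can be queried from PowerShell. This is an added example and not code from the original post; it assumes the Az.Monitor module, an existing Az context, and a placeholder resource group name. The operation name it filters on is the one Security Center records for a JIT request.

```powershell
#Requires -Modules Az.Accounts, Az.Monitor

# Placeholders: resource group of the JIT-protected VMs and the review window.
$ResourceGroup = "rg-jit-demo"
$Since = (Get-Date).AddDays(-7)

# Security Center logs each access request as this operation on the JIT policy.
$JitInitiate = "Microsoft.Security/locations/jitNetworkAccessPolicies/initiate/action"

# OperationName and Status are plain strings in current Az.Monitor but localizable
# objects (with a .Value) in older versions; normalise both shapes.
function Get-LogString($Field) {
    if ($null -eq $Field) { return $null }
    if ($Field -is [string]) { return $Field }
    return $Field.Value
}

$Entries = Get-AzActivityLog -ResourceGroupName $ResourceGroup -StartTime $Since -DetailedOutput |
    Where-Object { (Get-LogString $_.OperationName) -eq $JitInitiate }

# One line per log entry: who, when, from which client IP, against which policy,
# and whether the request succeeded.
$Entries |
    Select-Object EventTimestamp, Caller,
        @{ n = "ClientIp"; e = { $_.HttpRequest.ClientIpAddress } },
        @{ n = "Status";   e = { Get-LogString $_.Status } },
        @{ n = "Policy";   e = { $_.ResourceId } } |
    Sort-Object EventTimestamp -Descending |
    Format-Table -AutoSize

# Entries per requester (a request usually yields a Started and a Succeeded or
# Failed entry). An unexpected principal or a sudden spike deserves a closer look.
$Entries | Group-Object Caller | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

Comparing the client IP in the log entry with the source address that was requested is a quick way to spot requests that opened a port for an address other than the requester's own.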

Licensing

Azure just in time VM access is licensed through Azure Security Center and requires the Standard tier to be enabled for the specific virtual machine. (Azure Security Center has since been renamed Microsoft Defender for Cloud, where JIT is part of the Defender for Servers plan.)

I hope this gives you an idea how you can leverage Just in time VM access in Azure for your workloads.



E2EVC Copenhagen

Speaking at E2EVC 2015 Lisbon

After a great time in the US visiting VeeamON 2015, the Microsoft MVP Summit 2015 and the MMS 2015, I am happy to announce that I will speak tomorrow at the E2EVC (Experts 2 Experts Virtualization Conference) in Lisbon. Together with Alex Cooper (Microsoft MVP Remote Desktop Services) and Dr. Benny Tritsch (Microsoft MVP Remote Desktop Services), I will speak in one of the keynotes about updates in the Microsoft virtualization technology.

What’s new with Microsoft Virtualization & Remote Desktop Services – Windows Server 2016 T3 Update

We will cover what is new in Hyper-V, Remote Desktop Services and Azure RemoteApp.

E2EVC Virtualization Conference is a non-commercial, virtualization community event. The main goal of the E2EVC is to bring the best virtualization experts together to exchange knowledge and to establish new connections. E2EVC is a weekend crammed with presentations, Master Classes and discussions delivered by both virtualization vendors product teams and independent experts. I am happy to be part of the community and listen to other industry leading experts, hopefully see you in Lisbon.



Windows Server 2008: Allow multiple Remote Desktop sessions per user

In Windows Server 2003 you could have multiple Remote Desktop sessions with the same user. In Windows Server 2008 this is not possible by default. If you log in with the same user account, the first session is taken over by the second session.

But you can allow multiple Remote Desktop sessions per user by changing a registry value. Note that this only lifts the per-user limit: without the Terminal Services (Remote Desktop Session Host) role and the matching licensing, Windows Server 2008 still allows only two concurrent Remote Desktop for Administration sessions in total.

  1. Start regedit
  2. Navigate to the following registry key (note the space in "Terminal Server")
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server
  3. If the fSingleSessionPerUser value doesn’t exist, create a new DWORD value named fSingleSessionPerUser
  4. Open the fSingleSessionPerUser value. The possible values for this setting are as follows:
    0x0 Allow multiple sessions per user
    0x1 Force each user to a single session
  5. Set the value to 0 and close regedit

Found this on remotedesktoprdp.com
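The same change done from PowerShell, with a check that the page's steps do not cover: whether a Group Policy setting overrides the local value. This is an added example and not from the original post. The Policies key path is an assumption based on the GPO "Restrict Remote Desktop Services users to a single Remote Desktop Services session"; run it in an elevated prompt.

```powershell
# Local value set by the steps above, and the policy location that overrides it
# when the GPO "Restrict Remote Desktop Services users to a single Remote Desktop
# Services session" is configured (policy path is an assumption).
$LocalKey  = "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server"
$PolicyKey = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"
$Name      = "fSingleSessionPerUser"

function Get-SingleSessionPerUser {
    # Read both locations; a missing value yields $null instead of an error.
    $local  = (Get-ItemProperty -Path $LocalKey  -Name $Name -ErrorAction SilentlyContinue).$Name
    $policy = (Get-ItemProperty -Path $PolicyKey -Name $Name -ErrorAction SilentlyContinue).$Name

    # A policy value, when present, wins over the local value.
    $effective = if ($null -ne $policy) { $policy } else { $local }
    $meaning = switch ($effective) {
        0       { "multiple sessions per user" }
        1       { "single session per user" }
        default { "not set (default behaviour: single session per user)" }
    }
    [pscustomobject]@{
        Local     = $local
        Policy    = $policy
        Effective = $effective
        Meaning   = $meaning
    }
}

function Enable-MultipleSessionsPerUser {
    # 0 = allow multiple sessions per user; 1 = force each user to a single session.
    # Set-ItemProperty creates the DWORD if it does not exist yet.
    Set-ItemProperty -Path $LocalKey -Name $Name -Value 0 -Type DWord
    Get-SingleSessionPerUser
}

# Show the current state; call Enable-MultipleSessionsPerUser to apply the change.
Get-SingleSessionPerUser
```

If the Policy column is not empty, editing the local key has no effect and the setting has to be changed in Group Policy instead.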



Still love my iPad


I still love my iPad. Now I really start to work with it. It keeps my life simple and easy.

First I start with a daily briefing with my todos (Things) and events for today. I also read a lot of news with my Google Reader app (Newsrack), which also syncs with my iPhone, so I always see what's new around the tech world.

Through the day I need it to get quick information about tech or other stuff. I also use it for social networks like facebook, twitter and so on.


With apps like iTap RDP I can use it to control Windows Servers in our datacenter, and create and read notes with Evernote. There is also a pretty cool PowerShell guide for the iPhone and the iPad called iPowershell.

At home I use it as a remote controller for iTunes, my Dreambox and other things. And if I have a moment when I don't need it, I use it as a picture frame.

Important to note: the iPad does not replace my notebook or my iPhone, but there are a lot of new things I never thought I could do this way.