News

New Microsoft Tool Locks Down Virtual Machine Access in Azure

It's one of several security and management tools released in preview mode this week.

Microsoft is tightening access to virtual machines running on Azure.

The security measure, called Just-in-Time VM Access, is a new tool that's now in preview. Microsoft also unveiled a "private preview" of PowerShell within its Azure Cloud Shell browser-based management solution.

Just-in-Time VM Access Preview
Just-in-Time VM Access is a security measure that limits IT pro user access to virtual machines running on Azure infrastructure. Instead of just leaving open access to a port, IT pros request access to the virtual machine using this service. Access permission details get set up beforehand via a "blade" within the Azure Security Center portal or by using PowerShell scripts.

The Just-in-Time VM Access feature provides access to a port for an "approved amount of time, from approved IP addresses, and only for users with proper permissions," explained Ben Kliger, a senior product manager on the Azure team, in an announcement.

The requests for Azure virtual machine access get housed in the Azure Activity Log for auditing purposes. Kliger explained that anyone who has "the right permissions," based on Azure Role-based Access Control settings, are able to request access to an Azure virtual machine, but the settings in the Just-in-Time VM Access feature will determine what those users can access and for how long.

The preview of the Just-in-Time VM Access feature can be tested for free for 60 days. When it becomes commercially available, it'll be offered under the Azure Security Center standard pricing.

Azure Cloud Shell Preview
Microsoft this week also talked about its browser-based Azure Cloud Shell management solution. The solution has been at the preview stage since December, and Microsoft highlighted the ability to access the Linux Bash shell preview within the Azure Cloud Shell back in May. The Azure Cloud Shell now includes a new Azure PowerShell capability, but it's currently at the private preview stage, requiring sign-up to use it, Microsoft announced this week.

Users launch the Azure Cloud Shell from the Azure Portal within a browser. It's accessed using the ">_" button that's located in the upper right corner of the portal. The browser-based management solution also has support for the Azure Command Line Interface 2.0, and other "commonly used CLI tools such as kubectl, git, Azure tools, text editors, and more," according to Microsoft's announcement. It supports .NET, Node.js and Python programming languages.

In addition to being able to access Azure Cloud Shell preview from within a browser, it's also accessible on mobile devices using the Azure Mobile App. The Azure Cloud Shell preview is even accessible from Microsoft's various documents pages, according to a Microsoft Mechanics video.

Azure Security Center Pattern Detection
Microsoft this week also explained in a blog post a little more about what sort of threats organizations may face when using Azure services and how the Azure Security Center comes into play. The Azure Security Center, which had its debut in 2015, is accessed through the Azure Portal and monitors Azure services and other public cloud services, such as Amazon Web Services, providing alerts on detected threats.

The Azure Security Center is also being used to detect patterns when certain nonmalicious tools get used, which may indicate attacks, explained Sajva Halverson, in Microsoft's blog post. The use of such tools isn't typically marked out by antivirus software, he added. Halverson works on the cloud security investigations and intelligence team at Microsoft.

Halverson cited scanner tools such as KpostScan, Masscan, xDedicIPScanner and Pastebin D3vSpider as tools that are being used for attack purposes, even though "most of these tools were not written maliciously." He added, though, that "from our observations, xDedicIPScanner appears to be primarily used maliciously."

The tools are used to check for open ports. Pastebin D3vSpider is used to store text for attack purposes, such as using stolen passwords. The tools possibly get dropped on compromised machines using messaging applications, and could be used in combination with other tools, such as NLBrute, "which is a known RDP Brute Force Tool," Halverson explained.

Organizations can take a few countermeasures against Azure attacks. They can review logs, checking for applications that haven't been installed by administrators. Azure Security Center will identify "configurations that do not align with the recommended rules." IT pros also can run full antimalware scans and they can avoid the use of "cracked software," which brings the "unwanted risk of malware and other threats that are associated with pirated software," Halverson indicated.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.

Featured

Subscribe on YouTube