Security Center default policy setting “Monitor JIT Network Access” should be enabled

Description

Enable JIT Network Access for virtual machines. When this setting is enabled, Security Center locks down inbound traffic to the Azure VMs by creating an NSG rule. The user can select the ports on the VM where inbound traffic should be locked down. Just in time virtual machine (VM) access can be used to lock down inbound traffic to the Azure VMs, reducing exposure to attacks while providing easy access to connect to VMs when needed.

Portal Remediation Steps

  • Navigate to Azure Policy.

  • Select the subscription and click Edit assignment.

  • Select Parameters.

  • In Management ports of virtual machines should be protected with just-in-time network access control, select AuditIfNotExists.

  • Click Review + save > save.

CLI Remediation Steps

  • Remediation is not possible via the CLI.