This post will explain why you should use a “Bastion Host” or a “Jump Box” to securely remote into Linux (SSH) or Windows (Remote Desktop) virtual machines. And this advice also includes machines that you run in a cloud, such as Microsoft Azure.

Some people are going to make some comments like:
“This is why you should use remote Bash|PowerShell scripting”
“You should be using Windows Admin Center”.

There are still many times when you need to directly log into a machine and do something that’s real life, and not some blogger’s lab life.

That was until they changed how the allow (RDP, SSH, etc) rules were added to an NSG. In my work, every subnet is micro-segmented. That means that the last user-defined NSG rule is Deny All from * to *. Since JIT VM Access was changed, it moves the last rule (if necessary) and puts in the allow-RDP or allow-SSH (or whatever) rule after the DenyAll rule, which is useless.

I can’t comment too much on SSH because I’m allergic to penguins. Over the last few months, I can think of 3 security alerts that have been released about pre-authentication vulnerabilities that have been found in Remote Desktop. Let’s say that you have a PC on your WAN that is infected by malware that leverages a known or zero-day pre-authentication remote desktop vulnerability. If that PC has the ability to communicate with a remote VM, such as an Azure Windows/Linux VM, via SSH or RDP, then that remote machine is vulnerable to a pre-authentication attack. That means that if malware gets onto your network, and that malware scans the network for open TCP 22 or TCP 3389 ports, it will attempt to use the vulnerability to compromise the remote VM. You can put a firewall in front of the remote virtual machines, but it will do no good; it’s still allowing TCP 3389 or TCP 22 directly into the virtual machines, and all it will offer is logging of the attack. It does not require the user of the PC to SSH or RDP into the remote VM, or to even have any guest OS access!

You might have heard the term “bastion” in the Azure world recently.
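To make the NSG ordering point concrete, here is a small added example (not from the original post, and not Azure's own code) that models how an NSG evaluates inbound rules by priority number, lowest first, and flags an allow rule that sits behind a Deny All from * to *. The rule names, priorities, ports and addresses are constructed for illustration.

```python
# Added example: a minimal model of Azure NSG inbound rule evaluation.
# Rule names, priorities, ports and source addresses are constructed.
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class NsgRule:
    name: str
    priority: int          # Azure evaluates the lowest number first (100-4096)
    access: str            # "Allow" or "Deny"
    port: Optional[int]    # None means any destination port
    source: str            # "*" or a single source label, e.g. "203.0.113.5"

def evaluate(rules: List[NsgRule], src: str, port: int) -> Tuple[str, str]:
    """Return (rule name, access) of the first rule that matches, in priority order."""
    for r in sorted(rules, key=lambda r: r.priority):
        if (r.port is None or r.port == port) and r.source in ("*", src):
            return r.name, r.access
    # Nothing user-defined matched: the platform's default inbound deny applies.
    return "DefaultDenyAllInbound", "Deny"

def shadowed_allows(rules: List[NsgRule]) -> List[str]:
    """Audit check: allow rules placed behind a Deny All (* to *, any port) never match."""
    ordered = sorted(rules, key=lambda r: r.priority)
    shadowed = []
    for i, r in enumerate(ordered):
        if r.access != "Allow":
            continue
        if any(d.access == "Deny" and d.source == "*" and d.port is None
               for d in ordered[:i]):
            shadowed.append(r.name)
    return shadowed

# Micro-segmented subnet: the last user-defined rule is Deny All from * to *.
BASE = [
    NsgRule("AllowAppTier", 100, "Allow", 443, "10.0.1.0/24"),
    NsgRule("DenyAllInbound", 4000, "Deny", None, "*"),
]
# The JIT allow-RDP rule dropped in *after* the Deny All (higher number): useless.
BROKEN = BASE + [NsgRule("JIT-AllowRDP", 4010, "Allow", 3389, "203.0.113.5")]
# The same rule placed ahead of the Deny All: it works, and only for the JIT source.
FIXED = BASE + [NsgRule("JIT-AllowRDP", 3990, "Allow", 3389, "203.0.113.5")]

if __name__ == "__main__":
    print(evaluate(BROKEN, "203.0.113.5", 3389))  # ('DenyAllInbound', 'Deny')
    print(evaluate(FIXED, "203.0.113.5", 3389))   # ('JIT-AllowRDP', 'Allow')
    print(evaluate(FIXED, "10.0.0.7", 3389))      # ('DenyAllInbound', 'Deny')
    print(shadowed_allows(BROKEN))                # ['JIT-AllowRDP']
```

Running `shadowed_allows` over exported NSG rules is the quick way to catch an allow rule that a tool has placed behind your Deny All.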