Cloud VMs: Understanding and Securing the Multiple Routes to Privileged Access

Webinar Registration

How many different ways are there to get privileged access to a VM running in the cloud? Let’s use Azure as an example.

First, of course, there’s RDP or SSH access to the VM using its public IP address if you are using the default network configuration of Azure VMs where the cloud allocates a dynamic Internet IP address when the VM boots. The VM itself doesn’t know about this IP address – instead Azure uses reverse-NAT and port forwarding to get RDP/SSH traffic to the private IP the VM has on whichever virtual network that VM is connected to. But think about all the other ways.

Continuing with RDP and SSH, unless you’ve setup Network Security Group rules in Azure, or a host firewall on the VM’s guest OS to prevent it, any other VM on the same virtual network or connected virtual networks can remote into the VM we’re discussing. If you have ExpressRoute or VPN connections between your on-prem network and the Azure virtual network, you can probably access remote into the VM from there too. And of course, depending on the guest OS, there are other management interfaces. Windows for instance may allow WMI, Win32 remote APIs via RPC, PowerShell remoting and so on.

But less commonly understood are indirect methods to get a privileged session on a cloud-based VM. You can run commands inside a VM – sometimes without any credentials valid on that VM. How is this possible? It relies on the integration agent Azure (and other clouds) run inside of each VM. This agent can run scripts and commands requested by the cloud infrastructure. In the case of Azure, you can use:

  • Custom Script Extension
  • Run Command
  • Hybrid Runbook Worker
  • Serial Console

It turns out there are several different planes of control on cloud-based VMs and more than one type of user account and permission that governs access. As the number of VMs in the cloud grows, managing and securing privileged access on all planes of control becomes increasingly important but also more complicated.

In this webinar, we will examine all the routes to get privileged access to a VM. We’ll identify:

  • What type of account and permission is used to authenticate the session?
  • What options do you have to limiting network access?
  • Where is the audit trail and what form does the log events take?
  • Where are the controls to ensure this route is protected?

We’ve got a great sponsor for this real-training-for-free™ session – BeyondTrust’s Duane Simms will show you how their privilege management technology allows you to protect privileged access to all your systems whether in the cloud or on prem – whether short-lived, transient VMS or long-term, permanent systems.

Please join us for this real training for free event.

First Name:   
Last Name:   
Work Email:  
Phone:  
Organization:  
Country:    
State:  
Company size:
I'd like to schedule a personalized demo with a BeyondTrust rep for:
 

Your information will be shared with the sponsor.

By clicking "Submit", you're agreeing to our Privacy Policy and consenting to be contacted by us.

 

 

Additional Resources