Just-in-time access to remote into servers

Hi all, wondering what you all use for JIT remote access for your technical teams/system admins? Looking for recommendations.

Our current setup: each tech has a separate admin account which always has admin access to our fleet of servers (hybrid on-prem and cloud). The passwords on each admin account are auto-generated, super long and rotated monthly. From a network/firewall perspective, all remote access is blocked except from our Beyond Trust broker systems (jumpboxes essentially).

The downsides to our current setup are:
- It's frustrating for admins to have to remote into all servers via the Beyond Trust platform and the broker servers. Clunky/cumbersome and hinders productivity when you're working on many servers at once.
- Our accounts are still admin all the time on the servers.

What I want to change it to:
- I want an Azure-PIM like system where an admin can request approval to elevate their admin account to all servers (or subsets/groups of servers) for a limited period of time (1-4 hours for example).
- Different settings / approval process for groups of servers (e.g. Production mission critical vs. test/dev should have different approval workflows, length of time, etc.)
- Admin accounts are elevated to be local admin on the servers at time of approval and removed after the time limit.
- Once approved, techs should be able to remote in to the approved servers from their own workstation/laptop using their own tools, rather than having to use a broker/jumpbox.

I've read that Azure Arc might have this capability, working in conjunction with Defender for Cloud Server, but am still a bit unclear on the technicals. I'm sure there are other platforms out there that do this? What do you use? submitted by /u/squishmike
[link] [comments]


http://dlvr.it/T8jQcq