Exam AZ-500 All Questions
Question 299

HOTSPOT -

You are configuring just-in-time (JIT) VM access to a Windows Server 2019 Azure virtual machine.

You need to grant users PowerShell access to the virtual machine by using JIT VM access.

What should you configure? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Hot Area: (image not included)

Correct Answer: (image not included)

Discussion
jpons

Port is ok, but access is Read https://docs.microsoft.com/en-us/azure/security-center/just-in-time-explained#what-permissions-are-needed-to-configure-and-use-jit

ITFranz

The port number. By default a PowerShell agent uses port 5985 for a regular connection and 5986 for a secure connection. If you are using a different port for PowerShell in your environment, enter the required port number.
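The two ports mentioned above correspond to WinRM over plain HTTP (5985) and WinRM over HTTPS (5986). The following is an added example, not code from the exam page or from Microsoft's documentation, showing the full JIT flow for the HTTPS variant with Az PowerShell: create a JIT policy that exposes only TCP 5986, request a one-hour opening from a single source IP, then connect with PowerShell Remoting. The subscription ID, resource group, VM name, location, client IP and public IP are placeholder values (TEST-NET addresses); Az.Accounts and Az.Security are assumed to be installed and `Connect-AzAccount` already run.

```powershell
# Added example (not from the exam page or Microsoft docs).
# Assumed placeholders: subscription, resource group, VM name, location,
# requester IP and the VM's public IP. Requires Az.Accounts + Az.Security.

$subscriptionId = "00000000-0000-0000-0000-000000000000"   # placeholder
$resourceGroup  = "rg-jit-demo"                            # placeholder
$vmName         = "vm-ws2019"                              # placeholder
$location       = "westeurope"                             # placeholder
$myIp           = "203.0.113.10"                           # placeholder (TEST-NET-3)
$vmPublicIp     = "198.51.100.25"                          # placeholder (TEST-NET-2)

$vmId = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup" +
        "/providers/Microsoft.Compute/virtualMachines/$vmName"

# 1. JIT policy: expose only 5986 (WinRM over HTTPS), never 5985 (plain HTTP),
#    for at most 3 hours per request. "*" lets the requester choose the source
#    prefix at request time; replace with a fixed CIDR where you can.
$jitPolicy = @{
    id    = $vmId
    ports = @(
        @{
            number                     = 5986
            protocol                   = "TCP"
            allowedSourceAddressPrefix = @("*")
            maxRequestAccessDuration   = "PT3H"
        }
    )
}
Set-AzJitNetworkAccessPolicy -Kind "Basic" -Location $location -Name "default" `
    -ResourceGroupName $resourceGroup -VirtualMachine @($jitPolicy)

# 2. Request access: the caller only needs the jitNetworkAccessPolicies
#    read + initiate/action permissions; Defender for Cloud writes the NSG
#    allow rule and removes it again at endTimeUtc.
$policyId = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup" +
            "/providers/Microsoft.Security/locations/$location/jitNetworkAccessPolicies/default"
$request = @{
    id    = $vmId
    ports = @(
        @{
            number                     = 5986
            endTimeUtc                 = (Get-Date).ToUniversalTime().AddHours(1).ToString("o")
            allowedSourceAddressPrefix = @($myIp)   # only this source, not "*"
        }
    )
}
Start-AzJitNetworkAccessPolicy -ResourceId $policyId -VirtualMachine @($request)

# 3. Connect over WinRM HTTPS. -UseSSL makes 5986 the default port and requires
#    a certificate bound to the VM's HTTPS listener. If that cert is self-signed
#    you would need -SessionOption (New-PSSessionOption -SkipCACheck -SkipCNCheck),
#    which disables server authentication; prefer a CA-issued certificate.
Enter-PSSession -ComputerName $vmPublicIp -UseSSL -Port 5986 -Credential (Get-Credential)
```

Pinning the request to `$myIp` rather than `*` is what keeps the opened rule from being usable by anyone on the internet for the hour it exists.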

93b98ea

agreed it is read. "Request JIT access to a VM" is under read section.

Joillane

First one should be Read

zellck

1. Read
2. 5986

https://learn.microsoft.com/en-us/azure/defender-for-cloud/just-in-time-access-overview?tabs=defender-for-container-arch-aks#what-permissions-are-needed-to-configure-and-use-jit
https://learn.microsoft.com/en-us/azure/defender-for-cloud/just-in-time-access-usage#enable-jit-on-your-vms-from-microsoft-defender-for-cloud

"The JIT VM access page opens listing the ports that Defender for Cloud recommends protecting: 5986 - WinRM"

AzureAdventure

Port 5986: Windows Remote Management service (WinRM) over HTTPS
Port 3389: Remote Desktop Protocol (RDP)
Port 22: Secure Shell (SSH)
Port 25: Simple Mail Transfer Protocol (SMTP)

DarkCyberGhost

"You need to grant users PowerShell access to the virtual machine by using JIT VM access." This isn't using PowerShell to grant the access but being able to use PowerShell through WinRM, hence the port is correct and Write is correct, as they would need to be able to run commands etc. once access has been established.

Drummer

Please note that the Write permission is necessary for users to make changes on the VM, and port 5986 is the default port for PowerShell remoting over HTTPS. The "Read" permission allows users to view the properties of a VM, but it doesn't allow them to make changes. For Just-In-Time (JIT) VM access, users need to be able to request access, which involves making changes to the VM's network security group rules. This requires the "Write" permission. Therefore, while "Read" permission is useful for viewing VM properties, it's not sufficient for configuring JIT VM access. The "Write" permission is necessary for this task.

Permission that must be granted to users on VM: Write
TCP port that must be allowed: 5986

Eltooth

Read, 5986

robdog24

Read permission is to request JIT access, however, for the host to allow connection - doesn't she need write?

digitalcoder

READ / 5986 (WinRM), not the RDP port

cfsxtuv33

Absolutely agree... Box 1: READ and Box 2: 5986 (WinRM 2.0, Microsoft Windows Remote Management).

Jco

#exam ques # 29 Sep

hfk2020

Request JIT access to a VM. Assign these actions to the user:

Microsoft.Security/locations/jitNetworkAccessPolicies/initiate/action
Microsoft.Security/locations/jitNetworkAccessPolicies/*/read
Microsoft.Compute/virtualMachines/read
Microsoft.Network/networkInterfaces/*/read
Microsoft.Network/publicIPAddresses/read

https://learn.microsoft.com/en-us/azure/defender-for-cloud/just-in-time-access-usage
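The action list above is exactly what a least-privilege custom role for JIT requesters should contain, and it has no `/write` action on the VM or its NSG. The block below is an added example, not code from the exam page or from Microsoft, that turns that list into an Azure custom role with Az PowerShell, checks that no write actions crept in, and assigns it at resource-group scope. The subscription ID, role name, resource group and group object ID are placeholders; Az.Resources is assumed to be installed and the caller assumed to hold Owner or User Access Administrator on the subscription.

```powershell
# Added example (not from the exam page or Microsoft docs): custom role that
# can only REQUEST JIT access, built from the actions listed in the thread.
# Assumed placeholders: subscription ID, role name, resource group, group ID.
# Requires Az.Resources; caller needs Owner / User Access Administrator.

$subscriptionId = "00000000-0000-0000-0000-000000000000"   # placeholder
$roleName       = "JIT VM Access Requester"                # placeholder
$targetRg       = "rg-jit-demo"                            # placeholder
$operatorsGroup = "11111111-1111-1111-1111-111111111111"   # placeholder group object ID

$role = @{
    Name             = $roleName
    IsCustom         = $true
    Description      = "Request JIT VM access (read + initiate only); no VM or NSG write."
    Actions          = @(
        "Microsoft.Security/locations/jitNetworkAccessPolicies/initiate/action",
        "Microsoft.Security/locations/jitNetworkAccessPolicies/*/read",
        "Microsoft.Compute/virtualMachines/read",
        "Microsoft.Network/networkInterfaces/*/read",
        "Microsoft.Network/publicIPAddresses/read"
    )
    NotActions       = @()
    AssignableScopes = @("/subscriptions/$subscriptionId")
}

# New-AzRoleDefinition accepts the role as a JSON file.
$roleFile = Join-Path $env:TEMP "jit-requester-role.json"
$role | ConvertTo-Json -Depth 4 | Set-Content -Path $roleFile -Encoding utf8
New-AzRoleDefinition -InputFile $roleFile

# Sanity check: the role must grant no write or wildcard actions.
$def = Get-AzRoleDefinition -Name $roleName
$tooBroad = $def.Actions | Where-Object { $_ -match '/write$' -or $_ -eq '*' }
if ($tooBroad) { throw "Role grants write/wildcard actions: $($tooBroad -join ', ')" }

# Assign to the operators group, scoped to one resource group rather than the
# whole subscription, so requesters can only open ports on the VMs they manage.
New-AzRoleAssignment -ObjectId $operatorsGroup -RoleDefinitionName $roleName `
    -Scope "/subscriptions/$subscriptionId/resourceGroups/$targetRg"
```

Separating this requester role from the policy-configuration role (which does need `jitNetworkAccessPolicies/write` and NSG write) is the practical answer to the Read-versus-Write debate in this thread: requesting an opening needs read plus initiate, configuring the policy needs write.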

majstor86

READ 5986

mung

The question is asking what permission is required for PowerShell access, not for the JIT. So the answer should be Write, not Read.

kabooze

I think it's "read" just on the basis that it's about requesting JIT access. I believe the wording "access on the machine" is just badly written and should be "access to the machine"

kuskumar

Port is 22 and Read access https://learn.microsoft.com/en-us/azure/defender-for-cloud/just-in-time-access-usage#request-access-to-a-jit-enabled-vm-using-powershell

tutonata

Request JIT to a VM requires READ access on VM, not Write, as per the docs that jpons pointed at. Port for WinRM over HTTPS is 5986 (5985 would be for plain unencrypted HTTP).

So: READ, 5986

Anonymousse

Everyone keeps posting that Read is the permission to request JIT access. And that is true, but that isn't the question is it? Isn't the question asking what permission is needed to run powershell once the connection is made?

kabooze

Look at that phrase, it's badly written. In English it would be "on the VM", not "on VM". So I think they just badly copied it and it actually should say "access to the VM". In which case it's "Read".

hanyahmed

Read , 5986