PowerShell: Implementing Just-Enough-Administration (JEA), Step-by-Step

Have you always dreamed of fine-tuning permissions? PowerShell JEA makes it possible. The user only sees what he should see and can only do what he should do. With a few simple steps everything is ready. Let’s dive in.

What is JEA (Just-Enough-Administration)?

The main purpose of JEA is to limit privileges. We can specify what a user can do on a very granular basis. If, for example, you want to allow a user to restart the spooler service and nothing else, JEA is the tool for that. Unfortunately, this only works with PowerShell. So for the following keep in mind that the target user should not be working with PowerShell for the first time.

What’s in this article?

In this article I will restrict the Active Directory user petra to running only Restart-Service spooler and whoami on DC01. For this I will use a Windows Server 2016 (DC01) that is configured as an Active Directory Domain Controller for sid-500.com. Additionally, I will use a Windows 10 Workstation that is joined to the domain sid-500.com. All tests are performed from this computer.

The article is divided into 4 steps:

  • Creating a PS Session Configuration File
  • Creating a folder for JEA
  • Creating a Capability File
  • Registering the Configuration

And finally Petra’s test. I think it’s time to get started now.

Creating a PS Session Configuration File for the Spooler Admins Group (pssc file)

It’s better if we create the file right away and talk about it later – if it’s already there. Sometimes it makes more sense to do the exercise first and then talk about what we are doing. 😉 And as usual on my blog – everything with screenshots.

I’m logged on to my Domain Controller DC01.


New-PSSessionConfigurationFile -Path 'C:\Program Files\WindowsPowerShell\spooler_conf.pssc'


What have we done now? A default file has been created. Let’s look into this file.


notepad 'C:\Program Files\WindowsPowerShell\spooler_conf.pssc'


In this file you can specify whether everything is to be logged and for which users or groups your configuration is to be made available. To change a setting, remove the # in front of its line.

My goal is that only users who are members of the Spooler_Admins group can restart the spooler service and run whoami. That means that I have to modify this file.

First I change the author. Unspectacular.


Then I change the Session Type to RestrictedRemoteServer. This allows the execution of the following commands: Exit-PSSession, Get-Command, Get-FormatData, Get-Help, Measure-Object, Out-Default, and Select-Object.


Afterwards I specify a transcript directory (every session on this endpoint is recorded in this folder with PowerShell transcript logging) and I activate the RunAsVirtualAccount feature (optional). When a user connects, the session runs under a temporary virtual account instead of the user’s own account.

Make sure the Transcript Directory exists!


Now we come to the most important part: specifying the name of the role capability that the group gets (the RoleDefinitions setting).


Note that the name given in RoleCapabilities must match the file name of the role capability file created in the third part.

Save the file and close it.
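The same session configuration file built in one go, as an added example that is not from the article: it creates the transcript directory first (the article says it must exist) and passes the settings edited by hand above as parameters of New-PSSessionConfigurationFile instead of uncommenting them in Notepad. SID-500 is an assumed NetBIOS name for the sid-500.com domain; the author name and description are placeholders.

```powershell
# Added example, not the article's own commands. Run on DC01 in an elevated PowerShell.
# Assumption: 'SID-500' is the NetBIOS name of the sid-500.com domain.

$pssc        = 'C:\Program Files\WindowsPowerShell\spooler_conf.pssc'
$transcripts = 'C:\Transcripts'

# The article says the transcript directory must exist: create it if it is missing.
if (-not (Test-Path -Path $transcripts)) {
    New-Item -Path $transcripts -ItemType Directory | Out-Null
}

# Same settings the article changes in Notepad: author, restricted session type,
# transcript directory, virtual account, and the mapping group -> role capability.
$settings = @{
    Path                = $pssc
    Author              = 'Patrick'
    Description         = 'JEA endpoint: Spooler_Admins may restart the spooler and run whoami'
    SessionType         = 'RestrictedRemoteServer'
    TranscriptDirectory = $transcripts
    RunAsVirtualAccount = $true
    RoleDefinitions     = @{
        # The value of RoleCapabilities must equal the .psrc file name (without extension).
        'SID-500\Spooler_Admins' = @{ RoleCapabilities = 'spooler_admins' }
    }
}
New-PSSessionConfigurationFile @settings

# Check that the file parses before it is registered later on.
if (Test-PSSessionConfigurationFile -Path $pssc) {
    "Session configuration file OK: $pssc"
} else {
    Write-Warning "Session configuration file is invalid: $pssc"
}
```

The transcripts are the audit trail of this endpoint, so restrict the ACL of the transcript folder so that the connecting users can neither read nor delete them; only administrators should have access.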

Creating a folder for JEA

In this part we create the folder for the role capability file that will be created in the next part.


New-Item -Path 'C:\Program Files\WindowsPowerShell\Modules\JEA\RoleCapabilities' -ItemType Directory


That’s it for this section.

Creating the PS Role Capability File for the Spooler Admins (psrc file)

This is the most interesting part. Here we configure what the Spooler Admins are allowed to do. It’s important that you name this file spooler_admins. Remember that in the session configuration file we set RoleCapabilities = spooler_admins!


New-PSRoleCapabilityFile -Path 'C:\Program Files\WindowsPowerShell\Modules\JEA\RoleCapabilities\spooler_admins.psrc'


Next open the file.


notepad 'C:\Program Files\WindowsPowerShell\Modules\JEA\RoleCapabilities\spooler_admins.psrc'


Feel free to change the author, description and more. I’ll concentrate on the most important setting. We want to restrict the Spooler Admins so that they can only run Restart-Service and the whoami command. For this I have to modify the Cmdlets section to make the appropriate command visible for the Spooler Admins group.


Next I want to allow running whoami. Whoami is not a cmdlet, but an external command.


That’s it. Save the file and close it.
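The role capability file as one command, as an added example that is not from the article: it exposes Restart-Service only with the -Name parameter and only for the value Spooler, and whoami as an external command. The parameter restriction is what makes the later test ("any other service? Nope.") fail for other services. Author and description are placeholders.

```powershell
# Added example, not the article's own commands. Run on DC01 in an elevated PowerShell.
$psrc = 'C:\Program Files\WindowsPowerShell\Modules\JEA\RoleCapabilities\spooler_admins.psrc'

$role = @{
    Path        = $psrc
    Author      = 'Patrick'
    Description = 'Restart the print spooler and run whoami, nothing else'

    # Restart-Service is visible, but only with -Name and only for the value 'Spooler'.
    # Without the ValidateSet a member of the group could restart any service.
    VisibleCmdlets = @{
        Name       = 'Restart-Service'
        Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler' }
    }

    # whoami is an executable, not a cmdlet, so it goes under VisibleExternalCommands.
    # The full path makes sure no other whoami on the search path is picked up.
    VisibleExternalCommands = 'C:\Windows\System32\whoami.exe'
}
New-PSRoleCapabilityFile @role

# Show the effective (non-comment) lines of the generated file.
Get-Content -Path $psrc | Where-Object { $_ -notmatch '^\s*#' -and $_.Trim() }
```

A .psrc is found by name in the RoleCapabilities folder of any module under the module path, which is why the folder from the second part sits below Modules\JEA and why the file name has to equal the RoleCapabilities value of the .pssc.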

Registering the Configuration

Finally, we have to activate the whole thing. Choose a name and enter the path to the config file. Make sure that the group already exists!



Register-PSSessionConfiguration -Name Spooler_Admins -Path 'C:\Program Files\WindowsPowerShell\spooler_conf.pssc'


Regular readers already know what comes next: to make this work we have to restart the Windows Remote Management service.


Restart-Service WinRM
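Registration with the checks a practitioner wants around it, as an added example that is not from the article: it confirms the group from the .pssc exists, registers the endpoint, and then resolves what petra would get in the session with Get-PSSessionCapability, so the role mapping can be verified without logging in as her. SID-500 is an assumed NetBIOS domain name.

```powershell
# Added example, not the article's own commands. Run on DC01 in an elevated PowerShell.
# Assumption: 'SID-500' is the NetBIOS domain name; petra is the test user from the article.
$pssc = 'C:\Program Files\WindowsPowerShell\spooler_conf.pssc'

# The group referenced in RoleDefinitions has to exist, otherwise nobody gets a role.
# Get-ADGroup comes with the ActiveDirectory module, which is present on a domain controller.
$group = Get-ADGroup -Identity 'Spooler_Admins' -ErrorAction Stop
"Group found: $($group.DistinguishedName)"

# -Force replaces an endpoint of the same name without prompting; WinRM is restarted as in the article.
Register-PSSessionConfiguration -Name Spooler_Admins -Path $pssc -Force | Out-Null
Restart-Service -Name WinRM

# Who is allowed to connect to the endpoint?
Get-PSSessionConfiguration -Name Spooler_Admins | Format-List Name, Permission

# What would petra actually see? Resolve her role capabilities server-side.
Get-PSSessionCapability -ConfigurationName Spooler_Admins -Username 'SID-500\petra' |
    Select-Object Name, CommandType
```

If Get-PSSessionCapability returns only the RestrictedRemoteServer defaults and no Restart-Service, the RoleDefinitions key does not match the group name or the .psrc file was not found by name.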

We’re done. Now the test is coming up.

Testing the configuration

User petra is logged on a Windows 10 Computer that is joined to my domain. Remember that petra is member of the spooler_admins group. Let’s start.

Petra tries to log in via a PowerShell Remote Session. In order to do this, she has to specify the configuration name.


Enter-PSSession -ComputerName dc01 -ConfigurationName spooler_admins


Surprise, surprise: she’s in. But what is she allowed to do? Nice, Restart-Service is there.


and the spooler restart works …


Is she allowed to restart any other service? Nope.


She should be able to run whoami …


We’ve configured a transcription log … located at C:\Transcripts …


That’s it. We’re done.
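The same test as a script instead of interactive screenshots, as an added example that is not from the article: run from the domain-joined workstation as petra, it lists the command surface of the endpoint, runs the two permitted actions, and checks that a service outside the ValidateSet is rejected. The service name BITS in the negative check is an arbitrary choice.

```powershell
# Added example, not the article's own commands. Run on the domain-joined Windows 10
# workstation as petra. Every Invoke-Command below connects to the JEA endpoint on DC01.
$endpoint = @{ ComputerName = 'dc01'; ConfigurationName = 'spooler_admins' }

# 1. The complete command surface petra sees inside the session.
Invoke-Command @endpoint -ScriptBlock { Get-Command } |
    Select-Object Name, CommandType

# 2. The two things she is allowed to do.
Invoke-Command @endpoint -ScriptBlock { Restart-Service -Name Spooler }
Invoke-Command @endpoint -ScriptBlock { whoami }

# 3. Negative check: any other service must be rejected by the ValidateSet in the .psrc.
try {
    Invoke-Command @endpoint -ScriptBlock { Restart-Service -Name BITS } -ErrorAction Stop
    Write-Warning 'Restart-Service BITS was NOT blocked - review the .psrc'
} catch {
    "Blocked as expected: $($_.Exception.Message)"
}
```

With RunAsVirtualAccount enabled, whoami reports a "WinRM Virtual Users\WinRM VA_..." account rather than petra, and the transcript written to C:\Transcripts records both the connected user and that RunAs account together with every command she typed.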

Conclusion

The only disadvantage of this nice security feature is that everything has to be done in PowerShell. As I have already mentioned in one of my previous posts, my teaching experience is that 7 out of 10 are still unfamiliar with PowerShell. Time to change that. 😉

Hope this was helpful and interesting.

4 replies »

  1. Hi!

    Thank you for your kind words.

    1) You can provide your scripts as an external command in the psrc file (see above). It’s similar to my whoami example in the article.

    2) Yes, I’ve implemented this in one of my environments. Install PowerShell Web Access (see my article) and provide them a Web Interface! They can then access your scripts from every device in form of a Web Interface.

    All the best,
    P


  2. Patrick –

    I love this walk through. Although, I can’t get my head around 2 things.
    1) How would I configure this to have a group of help desk peeps run a few scripts I created for them.
    Is there a directory these scripts need to be in?
    Is there a configuration item I need to add to the conf file?
    Will there be any issues if the scripts are remote-ing into other machines?

    2) How do I deliver/present the PowerShell console to a user who, I’m not sure, will have the rights to start a PSSession remotely?
    Will these peeps need access to the server?
    Any alternatives if they aren’t able to access the server through a WinRM PSSession?

