Just Enough Administration (JEA)

I was off from blogging for few months as I had to spend my free time on another task which will help all of you more. Stay tuned! More info will share soon. Anyway, I am back on blogging!

JEA was first introduced in 2014 and it was the first approach towards the privilege access management comes with windows server 2016. JEA allows to provides role based privileges instead of full administrative privileges.

Peter is working in 2nd line support. Every month he needs to run script against helpdesk system to create custom report which indicates monthly support tickets progress. In order to do that he log in to helpdesk server and run the script. This script needs to run as administrator of the server. there for he is member of administrator group. However, this is the only task he run on that server with such privileges. Administrator of a server has privileges to do almost anything on the server. if someone else got access to peter’s account, nothing will prevent from changing entire helpdesk system. Using JEA, we can assign just enough privileges for peter to run the scripts from helpdesk host instead of giving administrator privileges. Privileges assigned for peter is only valid for helpdesk server and he cannot run same script from another server.

There are few limitations with JEA,

  • This is fully worked with PowerShell. Not everyone uses PowerShell.
  •  Not supported with each and every management tasks. If you working with script which works with multiple hosts it will difficult to use JEA.
  • Not every third-party application support to work with JEA.

If above limitations stopping you, most suitable solution with be the privileged access management with windows server 2016. Privileged access management will be covered in later blog post.

There are two components in JEA,

PowerShell Session Configuration file

This allows to map users to the hosts. Using it we can map users, groups to specific management roles. It also allows to configure global settings such as virtual accounts and transcription policies. PowerShell Session Configuration file is system specific. There for, configuration settings can apply per-host basis.

Role Capability files

These configuration files specify what actions can perform by the users. It can be a running a script, running a service, running cmdlets or running a program. These tasks can group in to roles and share it with other users. 

Configuration

In this demo, I am using a system with windows server 2016 with latest updates.

In order to install JEA, we need to log in to the system as local administrator and open the PowerShell.

1. Then run command, Install-Module xJEA. It will ask few questions before it import some modules. Provide appropriate answers to install them.

jea1

2. Once its completed we can confirm it using Find-Module –Name xJEA

jea2

3. Once JEA module installed and next step is to prepare the environment. It can be done using a script which comes with JEA module. it is located at, C:\Program Files\WindowsPowerShell\Modules\xJea\0.2.16.6\Examples\SetupJEA.ps1

This script will,

·         Removes all existing endpoint configuration from the host

·         Configure the DSC Local Configuration Manager to apply changes, then checks every 30 minutes to make sure the configuration has not altered

·         Enables Debug mode

To run the file, navigate to folder C:\Program Files\WindowsPowerShell\Modules\xJea\0.2.16.6\Examples\ and run .\SetupJEA.ps1

jea3

That’s it! we done the installation and initial configuration. 

Testing!

JEA installation comes with 3 demo endpoint configurations which we can use as reference to create endpoint. These demo files are located in C:\Program Files\WindowsPowerShell\Modules\xJea\0.2.16.6\Examples

Demo1.ps1

cls

 

configuration Demo1

{

    Import-DscResource -module xjea

    xJeaToolKit Process

    {

        Name         = 'Process'

        CommandSpecs = @"

Name,Parameter,ValidateSet,ValidatePattern

Get-Process

Get-Service

Stop-Process,Name,calc;notepad

Restart-Service,Name,,^A

"@

    }

    xJeaEndPoint Demo1EP

    {

        Name                   = 'Demo1EP'

        Toolkit                = 'Process'

        SecurityDescriptorSddl = 'O:NSG:BAD:P(A;;GX;;;WD)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)'                                 

        DependsOn              = '[xJeaToolKit]Process'

    }

}

Demo1 -OutputPath C:\JeaDemo

 

Start-DscConfiguration -Path C:\JeaDemo -ComputerName localhost -Verbose -wait -debug -ErrorAction SilentlyContinue -ErrorVariable errors

if($errors | ? FullyQualifiedErrorId -ne 'HRESULT 0x803381fa')

{

    $errors | Write-Error     

}

 

start-sleep -Seconds 30 #Wait for WINRM to restart

 

$s = New-PSSession -cn . -ConfigurationName Demo1EP

Invoke-command $s {get-command} |out-string

Invoke-Command $s {get-command stop-process -Syntax}

# Enter-pssession $s

 

Remove-PSSession $s

#EOF

As per the above it only allowed to use following cmdlets.

  • Default JEA configuration
  • Get-Process
  • Get-Service
  • Stop-Process,Name,calc;notepad
  • Restart-Service,Name

According to above Stop-Process cmdlet only can use to stop calculator and notepad process. But it allows to use Restart-Service, Get-Process, Get-Service cmdlets.

In order to run the demo config, navigate to C:\Program Files\WindowsPowerShell\Modules\xJea\0.2.16.6\Examples and run .\Demo1.ps1

jea4

Once its successfully execute, we can verify the new PowerShell session configuration using,

Get-PSSessionConfiguration

jea5

In order to test, now we need to connect to new endpoint. It can be done using

Enter-PSSession –ComputerName localhost –ConfigurationName demo1ep

In above –ConfigurationName defines the endpoint name.

As soon as I run the command, its connect to the endpoint and change the path to C:\Users\JSA-Demo1EP\Documents

jea6

in the backend JEA commands execute using JEA local administrator account. This login details no need to know by end users and its password been reset on daily basis automatically. This user is setup as part of the installation process by JEA.

jea7

jea8

Once session is connected, we can test it with an allowed command first. According to configuration we allowed to run Get-Service command without any limits.

jea9

The use I logged in to this computer is a local administrator. So, I have enough privileges to restart the computer using Restart-Computer cmdlet. But now I am connected to endpoint. According to endpoint config it should not allow me to do so.

jea10

Voila! It is working as expected. there are lot of channel9 videos, articles out there which discuss about JEA capabilities. I encourage you to go through them and get more understanding on this great tool. Also through the GitHub you can find lot of sample endpoint configurations.

Hope this post was helpful and if you have any question contact me on rebeladm@live.com

Share and Enjoy:
  • Print
  • Digg
  • del.icio.us
  • Facebook
  • Google Bookmarks
  • LinkedIn
  • Live
  • RSS
  • StumbleUpon
  • Twitter

Leave a Reply

Your email address will not be published. Required fields are marked *

*