Tag Archives: Privileged Identity Management

Just Enough Administration (JEA)

I was off from blogging for few months as I had to spend my free time on another task which will help all of you more. Stay tuned! More info will share soon. Anyway, I am back on blogging!

JEA was first introduced in 2014 and it was the first approach towards the privilege access management comes with windows server 2016. JEA allows to provides role based privileges instead of full administrative privileges.

Peter is working in 2nd line support. Every month he needs to run script against helpdesk system to create custom report which indicates monthly support tickets progress. In order to do that he log in to helpdesk server and run the script. This script needs to run as administrator of the server. there for he is member of administrator group. However, this is the only task he run on that server with such privileges. Administrator of a server has privileges to do almost anything on the server. if someone else got access to peter’s account, nothing will prevent from changing entire helpdesk system. Using JEA, we can assign just enough privileges for peter to run the scripts from helpdesk host instead of giving administrator privileges. Privileges assigned for peter is only valid for helpdesk server and he cannot run same script from another server.

There are few limitations with JEA,

  • This is fully worked with PowerShell. Not everyone uses PowerShell.
  •  Not supported with each and every management tasks. If you working with script which works with multiple hosts it will difficult to use JEA.
  • Not every third-party application support to work with JEA.

If above limitations stopping you, most suitable solution with be the privileged access management with windows server 2016. Privileged access management will be covered in later blog post.

There are two components in JEA,

PowerShell Session Configuration file

This allows to map users to the hosts. Using it we can map users, groups to specific management roles. It also allows to configure global settings such as virtual accounts and transcription policies. PowerShell Session Configuration file is system specific. There for, configuration settings can apply per-host basis.

Role Capability files

These configuration files specify what actions can perform by the users. It can be a running a script, running a service, running cmdlets or running a program. These tasks can group in to roles and share it with other users. 

Configuration

In this demo, I am using a system with windows server 2016 with latest updates.

In order to install JEA, we need to log in to the system as local administrator and open the PowerShell.

1. Then run command, Install-Module xJEA. It will ask few questions before it import some modules. Provide appropriate answers to install them.

jea1

2. Once its completed we can confirm it using Find-Module –Name xJEA

jea2

3. Once JEA module installed and next step is to prepare the environment. It can be done using a script which comes with JEA module. it is located at, C:\Program Files\WindowsPowerShell\Modules\xJea\0.2.16.6\Examples\SetupJEA.ps1

This script will,

·         Removes all existing endpoint configuration from the host

·         Configure the DSC Local Configuration Manager to apply changes, then checks every 30 minutes to make sure the configuration has not altered

·         Enables Debug mode

To run the file, navigate to folder C:\Program Files\WindowsPowerShell\Modules\xJea\0.2.16.6\Examples\ and run .\SetupJEA.ps1

jea3

That’s it! we done the installation and initial configuration. 

Testing!

JEA installation comes with 3 demo endpoint configurations which we can use as reference to create endpoint. These demo files are located in C:\Program Files\WindowsPowerShell\Modules\xJea\0.2.16.6\Examples

Demo1.ps1

cls

 

configuration Demo1

{

    Import-DscResource -module xjea

    xJeaToolKit Process

    {

        Name         = 'Process'

        CommandSpecs = @"

Name,Parameter,ValidateSet,ValidatePattern

Get-Process

Get-Service

Stop-Process,Name,calc;notepad

Restart-Service,Name,,^A

"@

    }

    xJeaEndPoint Demo1EP

    {

        Name                   = 'Demo1EP'

        Toolkit                = 'Process'

        SecurityDescriptorSddl = 'O:NSG:BAD:P(A;;GX;;;WD)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)'                                 

        DependsOn              = '[xJeaToolKit]Process'

    }

}

Demo1 -OutputPath C:\JeaDemo

 

Start-DscConfiguration -Path C:\JeaDemo -ComputerName localhost -Verbose -wait -debug -ErrorAction SilentlyContinue -ErrorVariable errors

if($errors | ? FullyQualifiedErrorId -ne 'HRESULT 0x803381fa')

{

    $errors | Write-Error     

}

 

start-sleep -Seconds 30 #Wait for WINRM to restart

 

$s = New-PSSession -cn . -ConfigurationName Demo1EP

Invoke-command $s {get-command} |out-string

Invoke-Command $s {get-command stop-process -Syntax}

# Enter-pssession $s

 

Remove-PSSession $s

#EOF

As per the above it only allowed to use following cmdlets.

  • Default JEA configuration
  • Get-Process
  • Get-Service
  • Stop-Process,Name,calc;notepad
  • Restart-Service,Name

According to above Stop-Process cmdlet only can use to stop calculator and notepad process. But it allows to use Restart-Service, Get-Process, Get-Service cmdlets.

In order to run the demo config, navigate to C:\Program Files\WindowsPowerShell\Modules\xJea\0.2.16.6\Examples and run .\Demo1.ps1

jea4

Once its successfully execute, we can verify the new PowerShell session configuration using,

Get-PSSessionConfiguration

jea5

In order to test, now we need to connect to new endpoint. It can be done using

Enter-PSSession –ComputerName localhost –ConfigurationName demo1ep

In above –ConfigurationName defines the endpoint name.

As soon as I run the command, its connect to the endpoint and change the path to C:\Users\JSA-Demo1EP\Documents

jea6

in the backend JEA commands execute using JEA local administrator account. This login details no need to know by end users and its password been reset on daily basis automatically. This user is setup as part of the installation process by JEA.

jea7

jea8

Once session is connected, we can test it with an allowed command first. According to configuration we allowed to run Get-Service command without any limits.

jea9

The use I logged in to this computer is a local administrator. So, I have enough privileges to restart the computer using Restart-Computer cmdlet. But now I am connected to endpoint. According to endpoint config it should not allow me to do so.

jea10

Voila! It is working as expected. there are lot of channel9 videos, articles out there which discuss about JEA capabilities. I encourage you to go through them and get more understanding on this great tool. Also through the GitHub you can find lot of sample endpoint configurations.

Hope this post was helpful and if you have any question contact me on rebeladm@live.com

STEP-BY-STEP GUIDE TO AZURE AD PRIVILEGED IDENTITY MANAGEMENT – PART 2

In my previous post on this series I have explain about azure AD privileged identity management including its features and how to get it enabled. If you not read it yet you can find it using this link.

in this post I am going to show you more of its features and capabilities. 

How to manage privileged roles?

The main point of the identity management is that administrators will have the required privileges when they needed. In part 1 of the post billing administrators and service administrator roles were eligible for the Identity management. So it will remove its permanent permissions which is assigned to role. 

So if you still need to make one of the account permanent administrator let’s see how we can do it. 

Log in to the azure portal as global administrator (it should be associated with relevant AD instance)

Open the azure identity management from portal

idm2-1

Then click on managed privileged roles

idm2-2

In next page it will list down the summary of the roles. Let’s assume we need to make one of the billing administrators “permanent”. To do that click on billing administrators

idm2-3

It will list down the users which is eligible for the role and click on the account you need to make permanent. 

idm2-4

Then click on more in next page and click on option make perm

idm2-5

Once completed its shows as permanent

idm2-6

Same way we can add an administrator to the roles. To do it go to roles, if you need to add new role it can do too. Click on roles on the manage privileges roles page

idm2-10roles

Then click on add

idm2-11roles

Then from roles click on the role you going to add

idm2-12roles

Then under the select users, select the user using search and click on done

idm2-13roles

 

How to activate roles?

Now we have the roles but how we can use them with time bound activation (Just in time administration

Go to the role page again like in previous page. In my demo I am going to use service administrator role

Then click on settings

idm2-7

In next window we can see that option to define the time. Also we can enable notifications so email notification will send to admin in event of role activation. Also option to request ticket or incident number. This is important to justify the privileged access. Also can use the multifactor authentication in activation to make sure the request is legitimate. 

idm2-8

idm2-9

Once you satisfied with settings, click on save to apply. 

Then for the testing I logged in as the security administrator to the azure portal. 

idm2-14

Then go to the privileged identity management page

Click on the service administrator 

idm2-15

Then click on the activate button, to activate the role

idm2-16

According to the settings its asking for ticket number for activation. Once put the information click on ok

idm2-17

Perfect, now its saying when it expires and it also shows the that roles been activated

idm2-18

Now I change the login and logged back as global administrator.

Then if go to privileged management page and click on audit history you can see all the events. 

idm2-19

idm2-20

Hope this series add knowledge about azure AD privileged identity management and if you have any questions feel free to contact me on rebeladm@live.com

Step-by-Step Guide to Azure AD Privileged Identity Management – Part 1

Privileged Identity Management is boarder topic to discuss with. First thing first do not think it as another feature or product from Microsoft. The way I see it as a lot of methodologies, technologies came together and making a new process. I am saying it because with this concept we need to rethink about how current identities been managed in infrastructure. Administrators, users need to change the way they think about the permissions. 

In any infrastructure we have different type of administrators. It can be domain administrators, local administrators, service administrators. If its hybrid setup it may have cloud administrators too. The question is do you have fully control over these accounts and its permissions? do you aware of their activities using these permissions? how do you know it’s not been compromised already? If I say solution is to revoke these administrator privileges yes it will work but problem is how much additional work to restore this permission when needed? and also how practical it is? it’s also have a social impact too, if you walk down to your users and say that I’m going to revoke your admin privileges what will be their response? 

Privileged access management is not a new topic it’s been in industry for long but problem is still not lot considering about it. Microsoft step up and introduce new products, concepts to bring it forward again as this is definitely needed in current infrastructures to address modern threats towards identities. The good thing about this new tools and technologies, its more automated and the user accounts will have the required permissions whenever they needed. In your infrastructure this can achieve using Microsoft identity manager 2016 but need lot more work with new concepts which I will explain in future posts. Microsoft introduce same concept to the azure cloud as well. In this post we going to look in to this new feature. 

Using azure privileged identity management, we can manage, control and monitor the permissions to the azure resources such as azure AD, office 365, intune and SaaS applications. Identity management will help to do following,

Identify the current azure AD administrators your azure subscriptions have

Just-in-Time administration – This is something I really like. Now you can assign administration permissions on demand for period of time. For example, user A can be office 365 administrator for 11am to 12pm. Once the time limit reach system will revoke the administrator privileges automatically

Reports to view the privileged accounts access history and changes in administrator assignments

Alerts when access to privileged role

Azure AD privileged identity management can manage following organizational roles,

Global Administrator – Has access to all administrative features. The person who signs up for the Azure account becomes a global administrator. Only global administrators can assign other administrator roles. There can be more than one global administrator at your company.

Billing Administrator – Makes purchases, manages subscriptions, manages support tickets, and monitors service health.

Service Administrator – Manages service requests and monitors service health.

User Administrator – Resets passwords, monitors service health, and manages user accounts, user groups, and service requests. Some limitations apply to the permissions of a user management administrator. For example, they cannot delete a global administrator or create other administrators. Also, they cannot reset passwords for billing, global, and service administrators.

Password Administrator – Resets passwords, manages service requests, and monitors service health. Password administrators can reset passwords only for users and other password administrators.

Let’s see how to enable azure AD privileged identity management,
Before start make sure you got global administrator privileges to the azure AD directory that you going to enable this feature.
 
1) Log in to the azure portal as global administrator
2) Go to New > Security + Identity > Azure AD privileged identity management 
 
aim1
 
3) Then click on create to start the process
 
aim2
 
4) In first step it will identify the privileged roles exist in current directory. In my demo I have 3 roles. In same page you can view what are these accounts by clicking on each role. After review click on next
 
aim3
 
5) In next window its list which accounts eligible for activate the roles. Select the account you want and click on next
 
aim4
 
6) In next window can review the changes. As per my selection only one account will remain as permanent admin. To complete click on OK
 
aim5
 
7) Once it’s done, you can load the console from the dashboard. 
 
aim6
 
In part 2 of the post I will explain what we can do with it in details. 
If you got any questions feel free to contact me on rebeladm@live.com
 
Reference :  https://azure.microsoft.com/en-us/documentation/articles/active-directory-privileged-identity-management-configure/