Tag Archives: Security

Just Enough Administration (JEA)

I was away from blogging for a few months as I had to spend my free time on another task which will help all of you more. Stay tuned! More info will be shared soon. Anyway, I am back to blogging!

JEA was first introduced in 2014 and was the first approach towards privileged access management; it comes with Windows Server 2016. JEA allows you to provide role-based privileges instead of full administrative privileges.

Peter works in 2nd line support. Every month he needs to run a script against the helpdesk system to create a custom report which indicates the monthly support ticket progress. To do that he logs in to the helpdesk server and runs the script. This script needs to run as an administrator of the server, therefore he is a member of the Administrators group. However, this is the only task he runs on that server with such privileges. An administrator of a server has privileges to do almost anything on the server. If someone else got access to Peter’s account, nothing would prevent them from changing the entire helpdesk system. Using JEA, we can assign just enough privileges for Peter to run the script on the helpdesk host instead of giving him administrator privileges. The privileges assigned to Peter are only valid for the helpdesk server; he cannot run the same script from another server.

There are a few limitations with JEA:

  • It works only with PowerShell, and not everyone uses PowerShell.
  • It is not supported for each and every management task. If you are working with a script that works across multiple hosts, it will be difficult to use JEA.
  • Not every third-party application supports working with JEA.

If the above limitations stop you, the most suitable solution would be Privileged Access Management with Windows Server 2016. Privileged Access Management will be covered in a later blog post.

There are two components in JEA:

PowerShell Session Configuration file

This maps users to the hosts. Using it we can map users and groups to specific management roles. It also allows us to configure global settings such as virtual accounts and transcription policies. A PowerShell Session Configuration file is system specific; therefore, configuration settings are applied on a per-host basis.

Role Capability files

These configuration files specify what actions the users can perform. It can be running a script, running a service, running cmdlets or running a program. These tasks can be grouped into roles and shared with other users.
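As an added example (not code from the post or from the xJea project), the two components above expressed with the JEA cmdlets built into Windows Server 2016 / PowerShell 5.x instead of the xJea DSC resources the post uses. It builds the same "Process" toolkit the post demonstrates: Stop-Process restricted to calc and notepad, Restart-Service restricted to its Name parameter, and Get-Process / Get-Service unrestricted. The module name JeaDemo, the role name HelpdeskOperators and the group CONTOSO\Helpdesk are assumptions.

```powershell
# Added example: role capability file + session configuration file with the built-in
# JEA cmdlets (PowerShell 5.x). JeaDemo, HelpdeskOperators and CONTOSO\Helpdesk are assumed names.
$modulePath = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\JeaDemo'
$rcPath     = Join-Path $modulePath 'RoleCapabilities'
New-Item -Path $rcPath -ItemType Directory -Force | Out-Null

# An (empty) module manifest so the role capability file below is discoverable by name
New-ModuleManifest -Path (Join-Path $modulePath 'JeaDemo.psd1')

# Role capability file: WHAT the role may run. Same allow-list as the post's Process toolkit.
New-PSRoleCapabilityFile -Path (Join-Path $rcPath 'HelpdeskOperators.psrc') -VisibleCmdlets @(
    'Get-Process',
    'Get-Service',
    @{ Name = 'Stop-Process';    Parameters = @{ Name = 'Name'; ValidateSet = 'calc', 'notepad' } },
    @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name' } }
)

# Session configuration file: WHO gets which role on this host, plus the global settings
# (virtual account, transcription) the post mentions.
$pscc = Join-Path $env:TEMP 'Demo1EP.pssc'
New-PSSessionConfigurationFile -Path $pscc `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory 'C:\JeaTranscripts' `
    -RoleDefinitions @{ 'CONTOSO\Helpdesk' = @{ RoleCapabilities = 'HelpdeskOperators' } }

# Validate the file before registering; a malformed .pssc is the most common JEA setup error
if (-not (Test-PSSessionConfigurationFile -Path $pscc)) { throw "Invalid session configuration file: $pscc" }

# Register the endpoint (this restarts WinRM). Connect later with:
#   Enter-PSSession -ComputerName localhost -ConfigurationName Demo1EP
Register-PSSessionConfiguration -Name 'Demo1EP' -Path $pscc -Force
```

The transcript directory should be on a volume the connecting users cannot write to; with -RunAsVirtualAccount the commands run as a temporary local administrator account, so the only thing standing between a helpdesk user and full admin is the allow-list in the .psrc file.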


In this demo, I am using a system with Windows Server 2016 with the latest updates.

In order to install JEA, we need to log in to the system as local administrator and open PowerShell.

1. Then run the command Install-Module xJEA. It will ask a few questions before it imports some modules. Provide the appropriate answers to install them.

2. Once it is completed, we can confirm it using Find-Module –Name xJEA

3. Once the JEA module is installed, the next step is to prepare the environment. It can be done using a script which comes with the JEA module. It is located at C:\Program Files\WindowsPowerShell\Modules\xJea\\Examples\SetupJEA.ps1

This script will:

  • Remove all existing endpoint configurations from the host
  • Configure the DSC Local Configuration Manager to apply changes, then check every 30 minutes to make sure the configuration has not been altered
  • Enable Debug mode

To run the file, navigate to the folder C:\Program Files\WindowsPowerShell\Modules\xJea\\Examples\ and run .\SetupJEA.ps1

That’s it! We are done with the installation and initial configuration.

The JEA installation comes with 3 demo endpoint configurations which we can use as a reference to create an endpoint. These demo files are located in C:\Program Files\WindowsPowerShell\Modules\xJea\\Examples




configuration Demo1
{
    Import-DscResource -module xjea

    xJeaToolKit Process
    {
        Name         = 'Process'
        # CommandSpecs is a CSV allow-list: the first row is the xJea column header,
        # the following rows are the cmdlets (and permitted parameter values) listed below
        CommandSpecs = @"
Name,Parameter,ValidateSet,ValidatePattern
Get-Process
Get-Service
Stop-Process,Name,calc;notepad
Restart-Service,Name
"@
    }

    xJeaEndPoint Demo1EP
    {
        Name                   = 'Demo1EP'
        Toolkit                = 'Process'
        SecurityDescriptorSddl = 'O:NSG:BAD:P(A;;GX;;;WD)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)'
        DependsOn              = '[xJeaToolKit]Process'
    }
}

# Compile the configuration to a MOF file
Demo1 -OutputPath C:\JeaDemo

# Apply it locally; 0x803381fa is the expected error when WinRM restarts during the apply
Start-DscConfiguration -Path C:\JeaDemo -ComputerName localhost -Verbose -Wait -Debug -ErrorAction SilentlyContinue -ErrorVariable errors
if ($errors | ? FullyQualifiedErrorId -ne 'HRESULT 0x803381fa')
{
    $errors | Write-Error
}

Start-Sleep -Seconds 30 # Wait for WinRM to restart

# Connect to the new endpoint and show what it exposes
$s = New-PSSession -cn . -ConfigurationName Demo1EP
Invoke-Command $s { Get-Command } | Out-String
Invoke-Command $s { Get-Command Stop-Process -Syntax }
# Enter-PSSession $s

Remove-PSSession $s


As per the above, it only allows the following cmdlets to be used.

  • Default JEA configuration
  • Get-Process
  • Get-Service
  • Stop-Process,Name,calc;notepad
  • Restart-Service,Name

According to the above, the Stop-Process cmdlet can only be used to stop the calculator and notepad processes. But it allows the Restart-Service, Get-Process and Get-Service cmdlets.

In order to run the demo config, navigate to C:\Program Files\WindowsPowerShell\Modules\xJea\\Examples and run .\Demo1.ps1

Once it has successfully executed, we can verify the new PowerShell session configuration using,

In order to test, we now need to connect to the new endpoint. It can be done using

Enter-PSSession –ComputerName localhost –ConfigurationName demo1ep

In the above, –ConfigurationName defines the endpoint name.

As soon as I run the command, it connects to the endpoint and changes the path to C:\Users\JSA-Demo1EP\Documents

In the backend, JEA commands execute using a JEA local administrator account. End users do not need to know these login details, and its password is reset automatically on a daily basis. This user is set up by JEA as part of the installation process.

Once the session is connected, we can test it with an allowed command first. According to the configuration we are allowed to run the Get-Service command without any limits.

The user I logged in to this computer with is a local administrator, so I have enough privileges to restart the computer using the Restart-Computer cmdlet. But now I am connected to the endpoint, and according to the endpoint config it should not allow me to do so.

Voila! It is working as expected. There are a lot of Channel 9 videos and articles out there which discuss JEA capabilities. I encourage you to go through them and get a better understanding of this great tool. Also, through GitHub you can find a lot of sample endpoint configurations.
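The verification the post does interactively (an allowed Get-Service, then a denied Restart-Computer), as an added script that is not part of the post. It assumes the Demo1EP endpoint from the post is registered on the local machine; nothing else is assumed.

```powershell
# Added example: scripted check that the Demo1EP endpoint exposes only the toolkit cmdlets.
# Assumes the post's Demo1EP endpoint is registered locally.
function Test-JeaEndpoint {
    param([string]$ConfigurationName = 'Demo1EP')

    # The endpoint must exist; Permission shows which SDDL/groups may connect
    $cfg = Get-PSSessionConfiguration -Name $ConfigurationName -ErrorAction Stop
    Write-Host "Endpoint $($cfg.Name) permission: $($cfg.Permission)"

    $s = New-PSSession -ComputerName localhost -ConfigurationName $ConfigurationName
    try {
        # 1. What the caller can see inside the endpoint (client-side Select-Object keeps the
        #    remote side to the single Get-Command the post also uses)
        $visible = Invoke-Command -Session $s { Get-Command } | Select-Object -ExpandProperty Name
        Write-Host "Visible commands: $($visible -join ', ')"

        # 2. Allowed command: Get-Service is in the toolkit without restrictions
        $svc = Invoke-Command -Session $s { Get-Service -Name WinRM }
        Write-Host "Get-Service worked: WinRM is $($svc.Status)"

        # 3. Stop-Process syntax shows the parameter/value restriction from the CommandSpecs
        Invoke-Command -Session $s { Get-Command Stop-Process -Syntax }

        # 4. Not in the toolkit: the endpoint must reject it even though the caller is a local admin
        $blocked = $false
        try {
            Invoke-Command -Session $s { Restart-Computer -WhatIf } -ErrorAction Stop
        } catch {
            $blocked = $true
            Write-Host "Restart-Computer blocked as expected: $($_.Exception.Message)"
        }
        if (-not $blocked) { Write-Warning 'Restart-Computer was allowed; the endpoint is NOT restricted as intended' }
        return $blocked
    } finally {
        Remove-PSSession $s
    }
}

Test-JeaEndpoint -ConfigurationName 'Demo1EP'
```

Run this after every change to the toolkit: the return value is $true only when the out-of-toolkit command is rejected, which is the property you actually care about when you hand the endpoint to helpdesk staff.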

Hope this post was helpful, and if you have any questions contact me on rebeladm@live.com

Restricted Admin Mode for Remote Desktop Connections

“Security” is always a concern in any computer infrastructure. Most of the time, providing the “technology” is not enough to maintain security in an infrastructure. It depends on the way users and admins apply these tools and practices in their infrastructure.

Now a “hacking” question! If someone wants to hack your infrastructure, where do they start? Which account privileges can do the most damage? Yes, it must be the domain admin account (well, some may not agree; I will be discussing privileged access management in future posts in detail). But most admins like to keep those secure. If someone is trying to log in to those accounts you may notice quickly. But will you apply the same security to your sales computers? Or the receptionist’s? In a lot of infrastructures I have seen people use the company ID as the user name and, most of the time, the same as the password, as they like to keep it simple. So isn’t it easier to get into your infrastructure through those than through a “server”? So if an attacker fills that PC with junk, deletes apps etc., the user will call up the admin to help. Most of the time support engineers have domain admin privileges for “easy support”. When they RDP to the PC to help the user, the attacker in the background can harvest the credentials of the admin user, because when you connect via RDP the credentials of the admin user are transmitted to the PC. The above example is just one way; it can apply to your servers, cloud VMs etc. as well.

So the question is, what is the secure way then?

Yes, Microsoft saw this issue and introduced Restricted Admin mode for RDP connections. This applies to Windows Server 2012 R2 and newer. The supported desktop OS versions are Windows 8.1 and newer.

What is it?

When this mode is enabled, the RDP client will not send plain-text or any other re-usable form of credentials to the remote PC or server.

Also, you will not be able to use any other network resources from that PC or server through a Restricted Admin mode connection without authenticating again.

For example, daisy-chaining RDP connections or network drive access.
It will also affect applications, especially if you use single sign-on.

Enable Restricted Admin mode in target computer

Before we use Restricted Admin mode against a server or PC we need to enable it on the target. To do that we need to add a registry entry.
To do that,

1)    Log in to the server or PC as administrator
2)    Start > Run > regedit

3)    Browse to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
4)    Add the registry value DisableRestrictedAdmin Type: REG_DWORD Value: 0

5)    You do not need to reboot to apply the changes

This can also be published via a group policy setting.


If the above is not done, when you connect to the server with Restricted Admin Mode you will get the following error

Once the changes are made, you can connect to the target using one of the following methods,



In my testing I am using a member server in the domain and I am logging in with a domain admin account.
Now whoami /groups shows I am a domain admin and enterprise admin.

Now I am trying to connect to another server, DCP01, using Server Manager

Then it gives an access denied error even though I am a domain admin.

So yes, with restricted mode you can’t connect to other network resources as it is not passing the credentials.
You can enable Restricted Admin Mode for computers using a GPO. When you use the RDP client from those PCs it will then use Restricted Admin mode by default.

To do that, in the GPO go to Computer Configuration > Policies > Administrative Templates > System > Credentials Delegation
Then set “Restrict delegation of credentials to remote servers” to Enabled
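Both sides of the setup above, as an added PowerShell example that is not part of the post: the target-side DisableRestrictedAdmin value from step 4 written and read back, and the client-side policy. The assumption (labelled in the code) is that the "Restrict delegation of credentials to remote servers" policy the post sets through the GPO is stored under HKLM\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation as RestrictedRemoteAdministration; TARGET-SERVER is a placeholder host name.

```powershell
# Added example: enable Restricted Admin mode on the target and verify it, then set the
# client-side policy. Run elevated. TARGET-SERVER is a placeholder.

# --- Target side (steps 3-5 of the post, done with PowerShell instead of regedit) ---
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
New-ItemProperty -Path $lsa -Name DisableRestrictedAdmin -PropertyType DWord -Value 0 -Force | Out-Null

function Test-RestrictedAdminEnabled {
    # A missing value or any value other than 0 means Restricted Admin connections are rejected
    $v = Get-ItemProperty -Path $lsa -Name DisableRestrictedAdmin -ErrorAction SilentlyContinue
    return ($null -ne $v -and $v.DisableRestrictedAdmin -eq 0)
}
if (-not (Test-RestrictedAdminEnabled)) { throw 'DisableRestrictedAdmin is not 0; /restrictedAdmin connections will fail' }
Write-Host 'Target accepts Restricted Admin mode connections (no reboot needed)'

# --- Client side: same setting as the GPO "Restrict delegation of credentials to remote servers" ---
# ASSUMPTION: the policy is backed by this registry location/value name.
$cd = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
New-Item -Path $cd -Force | Out-Null
New-ItemProperty -Path $cd -Name RestrictedRemoteAdministration -PropertyType DWord -Value 1 -Force | Out-Null

# Explicit Restricted Admin connection from a client without the policy (mstsc switch)
mstsc.exe /restrictedAdmin /v:TARGET-SERVER
```

Keep the client-side policy on the machines admins RDP from (jump hosts, admin workstations): once it is set, the RDP client refuses to fall back to sending reusable credentials, which is exactly the failure the post's "Server Manager access denied" test demonstrates.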


Hope this article helps you understand Restricted Admin mode for RDP and the way to use it.

If you have any questions feel free to contact me on rebeladm@live.com

Step-by-Step guide to configure MFA (multi-factor authentication) for azure users

MFA, I am sure, is not a new concept today for IT administrators. It is an additional layer of security to confirm the user identity. It can be in the form of PIN verification, a phone call, smart cards, biometrics etc.

This feature is mainly used when an infrastructure extends its services to the “internet face”. There are a lot of MFA service providers in the market. You can use it either as an on-premises service or as a cloud based service.

When it comes to Azure, the same security concerns apply. If you have integrated it with on-premises Active Directory, security is of even more concern as it extends the security boundaries of the infrastructure.

In this article I will demonstrate how “easily” you can enable multi-factor authentication for an Azure user.

In my demo I have a Windows Server 2016 TP4 on-premises AD configured to sync with Azure AD. I am going to enable MFA for an Azure user account which is synced from the on-premises AD.

1)    Log in to your Azure portal
2)    Then browse > Active Directory

3)    Load your AD directory and go to Users

4)    For my demo I am using the user account “user1”; this user account is synced from the local Active Directory
5)    Select the user account and click on “manage multi-factor authentication”

6)    Then it will load a new page to manage MFA. As you can see, currently MFA is disabled for “user1”

7)    To enable it, click on the tick box next to “user1” and click on the option “enable” in the right hand panel

8)    Then it will open a pop up window with help options. Click on “enable multi-factor auth”

9)    Now it’s enabled. Let’s try to log in to the Azure portal as the user to see.

10)    Then it says MFA is enabled and needs to be set up. Click on “setup now” to proceed



11)    Then the next page gives the option to select the authentication method.
12)    There are 3 ways to authenticate:

Authentication phone – This will send an SMS, or can also be set up to call back to the given number. Please note that if you use this option SMS and call charges will be added.

Office Phone – This option is to request contact using the office phone specified by the admin

Mobile App – With this option you can install a mobile application (Azure Authenticator) on your phone, and it can be set to send a notification via the app when you try to log in, or to use a verification code

13)    Once you have selected the option and its settings, click on Set up

14)    In my demo I used the mobile app option. Once the setup is completed (you need to follow different options to set it up based on your selection), let’s check the login page again

15)     Now it’s asking for the PIN verification before login.

As we can see, MFA is now enabled for the selected Azure AD user.
In a future post I will explain how we can change the settings for MFA.
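The same per-user enablement done from a script instead of the portal, as an added example that is not part of the post. It uses the MSOnline (Azure AD v1) module's StrongAuthenticationRequirements property; assumptions are that MSOnline is installed and that user1@contoso.onmicrosoft.com stands in for the post's synced "user1".

```powershell
# Added example: enable per-user Azure MFA with the MSOnline module.
# Assumes MSOnline is installed; the UPN below is a placeholder for the post's "user1".
Import-Module MSOnline
Connect-MsolService          # prompts for a global administrator sign-in

$upn = 'user1@contoso.onmicrosoft.com'

function Get-UserMfaState {
    param([string]$UserPrincipalName)
    # No requirement object => MFA disabled; otherwise State is Enabled (must register a
    # method at next sign-in, as in step 10 of the post) or Enforced.
    $req = (Get-MsolUser -UserPrincipalName $UserPrincipalName).StrongAuthenticationRequirements
    if (-not $req -or $req.Count -eq 0) { return 'Disabled' }
    return [string]$req[0].State
}

Write-Host "Before: $(Get-UserMfaState $upn)"

# Build the requirement exactly as the portal's "enable" button does: all relying parties, state Enabled
$req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$req.RelyingParty = '*'
$req.State        = 'Enabled'
Set-MsolUser -UserPrincipalName $upn -StrongAuthenticationRequirements @($req)

Write-Host "After: $(Get-UserMfaState $upn)"   # expected: Enabled

# Listing every synced user that still has no MFA requirement is the check worth scheduling
Get-MsolUser -All | Where-Object { (Get-UserMfaState $_.UserPrincipalName) -eq 'Disabled' } |
    Select-Object UserPrincipalName, LastDirSyncTime
```

Passing an empty array (@()) to -StrongAuthenticationRequirements turns MFA off again, so treat that parameter like any other privileged change and keep it out of general-purpose automation.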

If you have any questions feel free to contact me on rebeladm@live.com

Step-by-Step guide to audit active directory changes using “Directory Service Changes” auditing

As an administrator/engineer it is important to audit object access on the infrastructure to identify security issues, problems etc. It also helps to troubleshoot these issues.

In Windows, folder or file access can be audited using the audit object access policy. In the same way, the audit directory service access policy allows auditing of access attempts to objects in Active Directory. This is enabled by default and configured to audit “Success Events”. But there are a few disadvantages to this:

1)    Difficulty in finding the attribute changes
2)    Impossible to know the old value of an attribute

To overcome this issue, Windows Server 2008 added an auditing category called “Directory Service Changes”. With this we can simply identify the old and new attribute values.

It is not enabled by default and needs to be activated manually.

1)    Log in to the domain controller as Domain admin or Enterprise admin.
2)    Load a PowerShell console with admin rights.
3)    Type auditpol /set /subcategory:"directory service changes" /success:enable and press Enter.

4)    In order to test the auditing, I already have usera and userb added to the Domain Admins group. I am going to remove usera from the group and check the auditing.
5)    To check the log entries go to Event Viewer > Windows Logs > Security
6)    As per below we can see the detailed description, including:

  • What type of change
  • At what time it was triggered
  • Attribute
  • What is the new value
  • Which group it is

As we can see, it gives a great deal of information which can be used in troubleshooting and auditing.
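The procedure above (enable the subcategory, make a group change, read the result) as an added script that is not part of the post. Instead of Event Viewer it reads the "Directory Service Changes" events back with Get-WinEvent; the event ID used, 5136 (a directory service object was modified), and its OperationType codes are the documented ones for this subcategory, not something the post states. The account usera and the Domain Admins change are the post's own test; run it on a DC with the ActiveDirectory module.

```powershell
# Added example: enable Directory Service Changes auditing, verify it, reproduce the post's
# group change, and parse the resulting 5136 events. Requires domain admin rights on a DC.
Import-Module ActiveDirectory

auditpol /set /subcategory:"Directory Service Changes" /success:enable | Out-Null

# Read the effective setting back as CSV rather than trusting the "successfully executed" message
$state = auditpol /get /subcategory:"Directory Service Changes" /r | Where-Object { $_ } | ConvertFrom-Csv
if ($state.'Inclusion Setting' -notmatch 'Success') {
    throw "Directory Service Changes success auditing is not enabled (got '$($state.'Inclusion Setting')')"
}

# The post's test: remove usera (assumed to exist) from Domain Admins
Remove-ADGroupMember -Identity 'Domain Admins' -Members 'usera' -Confirm:$false

function Get-DirectoryChangeEvents {
    param([int]$Minutes = 10)
    # 5136 = object modified. OperationType %%14674 = Value Added, %%14675 = Value Deleted.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136; StartTime = (Get-Date).AddMinutes(-$Minutes) } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Operation = switch ($d.OperationType) { '%%14674' { 'Value Added' } '%%14675' { 'Value Deleted' } default { $d.OperationType } }
                Object    = $d.ObjectDN
                Attribute = $d.AttributeLDAPDisplayName
                Value     = $d.AttributeValue
                By        = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            }
        }
}

# Membership changes show up as Value Deleted / Value Added on the group's "member" attribute
Get-DirectoryChangeEvents | Where-Object Attribute -eq 'member' | Format-Table -AutoSize
```

Two things to check if the query comes back empty: the change must have been made on the DC you are querying (the Security log is not replicated), and the object's SACL must carry matching audit entries; the default domain SACL covers group membership changes, but objects with a customised SACL may not be audited even with the subcategory enabled.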

If you have any questions about the post feel free to contact me on rebeladm@live.com

Configuring Trusts – Part 1

Trusts can simply be defined as a bond between multiple domains or multiple forests. They control how or what is allowed between domains and forests.

Let’s assume we have a company called Contoso Inc. running with the domain contoso.com. The company recently merged with another company called XYZ Inc. running with the domain xyz.com. Management wants to allow their resources to be used by both companies’ users. For example, a user in contoso.com will be required to access a share on an xyz.com file server. The company wants to do it with minimum impact or changes. This is where “trusts” come into the picture. Using trusts we can control who will be trusted, how it will be done and what sort of access users have on resources.

Before we move on to the configuration it is important to understand the concepts of trusts.

Trusting Domain – This is the domain that contains the resources to which access needs to be allowed. For example, my domain contoso.com has a file share called “Sales”. I need to allow sales users from XYZ.com to access it. Here contoso.com acts as the trusting domain.

Trusted Domain – This holds the accounts to which you wish to grant access. For example, taking the same example as above, the XYZ.com domain holds the user accounts which will be allowed to access resources on contoso.com. So XYZ.com acts as the trusted domain.

Transitivity – Trust transitivity allows the trust to be extended to the child domain level. For example, with a trust I may need to allow users in child domains of xyz.com to also have access to contoso.com domain resources. I can do that with trust transitivity.

We can categorize trusts based on the direction they apply in.

Two-Way Trust – This is also known as a bidirectional trust. This is the trust most used among organizations. Here both sides of the trust work as trusting and trusted domains.

One-way Incoming Trust – Here the trust is created in the trusted domain, and the trusted domain can access resources in the trusting domain only.

One-way Outgoing Trust – Here users in the remote, specified domain can be authenticated in the initiating domain.

If you have any questions about the post feel free to contact me on rebeladm@live.com
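To see these terms on a real environment, the following added example (not part of the post) lists the trusts of the domain you are logged on to and translates each trust's Direction into the trusting/trusted vocabulary defined above. It assumes only the ActiveDirectory module; the wording in the Meaning column is mine.

```powershell
# Added example: map Get-ADTrust output to the trusting/trusted/transitive terms above.
# Requires the ActiveDirectory module (RSAT or a DC).
Import-Module ActiveDirectory
$local = (Get-ADDomain).DNSRoot

function Get-TrustSummary {
    Get-ADTrust -Filter * | ForEach-Object {
        $partner = $_.Name
        $meaning = switch ("$($_.Direction)") {
            # Outbound: this domain trusts the partner, so partner accounts authenticate here
            'Outbound'      { "$local is the TRUSTING domain; $partner accounts can access $local resources" }
            # Inbound: the partner trusts this domain, so our accounts authenticate there
            'Inbound'       { "$local is the TRUSTED domain; $local accounts can access $partner resources" }
            'BiDirectional' { "two-way: $local and $partner are each both trusting and trusted" }
            default         { "direction $($_.Direction)" }
        }
        [pscustomobject]@{
            Partner          = $partner
            Direction        = $_.Direction
            IntraForest      = $_.IntraForest       # parent/child or tree-root trusts are always transitive
            ForestTransitive = $_.ForestTransitive  # external trusts are not; forest trusts usually are
            TrustType        = $_.TrustType
            Meaning          = $meaning
        }
    }
}

Get-TrustSummary | Format-Table -AutoSize -Wrap
```

Review the output from the trusting side: every Outbound or BiDirectional entry is a domain whose accounts can be authenticated against your resources, which is the list you want to keep deliberately short.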

How to configure VPN ? Part 1

This article is part 1 of a series explaining the setup of a VPN in a Windows Server environment. This demo is done using Windows 2008 R2, but the theory will be the same for Windows 2012.

In this set of articles I will be doing the following:

1. Configure inbound and outbound VPN connections
2. Configure remote access policies to control the access of various groups via RRAS
3. Configure a RADIUS server to log all accounting
4. Monitor remote access

To do the setup, the following is needed:
•    A server with Windows 2008 / R2 which is connected to the company domain
•    Two NICs configured for local network access and public access
•    IP address allocation
•    An authentication provider (Network Policy Server, RADIUS)
•    DHCP relay agent
•    A user account with domain administrator privileges.

In this setup I will be using Network Policy Server as the authentication provider. Before starting the setup it is important to know what it is used for. According to Microsoft (http://technet.microsoft.com/en-us/library/cc732912.aspx):
Network Policy Server (NPS) allows you to create and enforce organization-wide network access policies for client health, connection request authentication, and connection request authorization. In addition, you can use NPS as a Remote Authentication Dial-In User Service (RADIUS) proxy to forward connection requests to a server running NPS or other RADIUS servers that you configure in remote RADIUS server groups.

NPS allows you to centrally configure and manage network access authentication, authorization, and client health policies with the following three features:

•    RADIUS server . NPS performs centralized authentication, authorization, and accounting for wireless, authenticating switch, remote access dial-up and virtual private network (VPN) connections. When you use NPS as a RADIUS server, you configure network access servers, such as wireless access points and VPN servers, as RADIUS clients in NPS. You also configure network policies that NPS uses to authorize connection requests, and you can configure RADIUS accounting so that NPS logs accounting information to log files on the local hard disk or in a Microsoft SQL Server database.

•    RADIUS proxy . When you use NPS as a RADIUS proxy, you can configure connection request policies that tell the NPS server which connection requests to forward to other RADIUS servers and to which RADIUS servers you want to forward connection requests. You can also configure NPS to forward accounting data to be logged by one or more computers in a remote RADIUS server group.

•    Network Access Protection (NAP) policy server . When you configure NPS as a NAP policy server, NPS evaluates statements of health (SoH) sent by NAP-capable client computers that want to connect to the network. NPS also acts as a RADIUS server when configured with NAP, performing authentication and authorization for connection requests. You can configure NAP policies and settings in NPS, including system health validators (SHVs), health policy, and remediation server groups that allow client computers to update their configuration to become compliant with your organization's network policy.

We can configure NPS with any combination of the preceding features. For example, you can configure one NPS server to act as a NAP policy server using one or more enforcement methods, while also configuring the same NPS server as a RADIUS server for dial-up connections and as a RADIUS proxy to forward some connection requests to members of a remote RADIUS server group for authentication and authorization in another domain.

Let’s move on to the configuration as the next step.
For the setup I log in to a server which is connected to the company network. It is running Windows 2008 Standard edition.
Before we start, the selected server in the domain needs 2 NIC interfaces. One will serve the LAN and the other NIC will have a public IP address.

For the server I have already added 2 NICs and configured the IP addresses as follows,
For the LAN interface
IP address :
Subnet :
Default Gateway : none
DNS servers : none

As we know, on the same machine we cannot deal with different default gateways. Therefore we do not need to put a gateway here.

For the public interface
IP address :
Subnet :
Default Gateway :
DNS servers : ( public DNS from ISP )

The public IP info used here is just for demo purposes and these are not real public IPs from an ISP. In a real setup you need to fill in that info with the details provided by the ISP.

On the server I have renamed the 2 interfaces according to their IPs as “private” and “public” for easy identification.


Install Network Policy and Access Service role

1.    To start Server Manager: Start > Administrative Tools > Server Manager

2.    In the Server Manager window right click on “Roles” and click on “Add Roles”

3.    Then the Add Roles wizard will appear. Click Next to continue.

4.    On the Select Server Roles page, select “Network Policy and Access Services” and click Next.

5.    On the “Network Policy and Access Services” introduction page, click Next.

6.    On the Select Role Services page, select the “Network Policy Server” and “Routing and Remote Access Services” check boxes and click Next.

7.    On the confirmation page click “Next” to continue.

8.    On the installation results page, verify that “Installation succeeded” appears in the details pane, then click Close to complete.


Configure VPN Server

1.    To start the “Routing and Remote Access” MMC, click on Start > Administrative Tools > Routing and Remote Access.

2.    In the MMC, right click on the server name and from the options click on “Configure and Enable Routing and Remote Access”

3.    Click Next on the welcome page to continue. On the Configuration page, leave the default “Remote access (dial-up or VPN)” selected and click Next.

4.    On the Remote Access page, select the “VPN” check box and click Next.

5.    On the VPN Connection page, select the “Public” interface and then click Next.

6.    On the IP Address Assignment page, select “From a specified range of addresses” and then click Next.

7.    On the Address Range Assignment page, click New; in the “Start IP address” box, type the value of , in the “Number of addresses” box type the value of 75 and click OK, then click Next to continue.

8.    On the Managing Multiple Remote Access Servers page, leave the default selection “No, use Routing and Remote Access to authenticate connection requests” and click Next, and then Finish.

9.    In the Routing and Remote Access dialog box, click OK.

10.    In the next dialog box about the DHCP relay agent click OK too.
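The role installation and the "Configure VPN Server" wizard above as one added PowerShell script that is not part of the post. It targets Windows Server 2012 (the post says the theory is the same; the RemoteAccess cmdlets did not exist on 2008 R2). The interface names private/public follow the post; the address pool 10.10.10.1-10.10.10.75 is constructed, since the post does not give its start address, and the Install-RemoteAccess -IPAddressRange parameter is used on the assumption that it takes a start and end address.

```powershell
# Added example: install NPS + RRAS and configure a VPN-only server with a static pool,
# Windows-authenticated (matching wizard steps 3-8). Windows Server 2012+, run elevated.
# The 10.10.10.x pool is constructed sample data; "private"/"public" are the post's NIC names.

# Pre-flight: the two-NIC layout the post describes (no gateway on the LAN side, one on the public side)
function Test-VpnInterfaces {
    $priv = Get-NetIPConfiguration -InterfaceAlias 'private' -ErrorAction Stop
    $pub  = Get-NetIPConfiguration -InterfaceAlias 'public'  -ErrorAction Stop
    $ok = $true
    if ($priv.IPv4DefaultGateway) { Write-Warning "'private' has a default gateway; only one gateway per host"; $ok = $false }
    if (-not $pub.IPv4DefaultGateway) { Write-Warning "'public' has no default gateway; remote clients cannot reach it"; $ok = $false }
    return $ok
}
if (-not (Test-VpnInterfaces)) { throw 'Fix the interface configuration before installing RRAS' }

# Steps 1-8 of "Install Network Policy and Access Service role"
Install-WindowsFeature -Name NPAS, RemoteAccess, DirectAccess-VPN -IncludeManagementTools

# Steps 1-10 of "Configure VPN Server": VPN only, 75 addresses from a specified range,
# local RRAS (Windows) authentication rather than a separate RADIUS server.
# ASSUMPTION: -IPAddressRange takes the pool's first and last address.
Install-RemoteAccess -VpnType Vpn -IPAddressRange 10.10.10.1, 10.10.10.75 -PassThru

# Verify what was configured
Get-RemoteAccess
Get-VpnServerConfiguration
Get-NetIPAddress -InterfaceAlias 'public' -AddressFamily IPv4
```

The pre-flight check catches the mistake the post warns about in its "default gateway: none" note: a gateway on the private NIC silently breaks return routing for VPN clients, and it is far cheaper to fail the script than to debug that after clients connect.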