Forum Discussion

b-rad86
Copper Contributor
Jun 20, 2024

Powershell JEA - WMI Queries

Hi, 

I'm looking at using PowerShell JEA to run some WMI queries aimed at monitoring servers. Is this possible? An example of the query is below.

The objective is to prevent the service account used by the monitoring application from having local administrator access.

```sql
SELECT Name,VolumeName,FileSystem from Win32_LogicalDisk WHERE DriveType='3'
SELECT Name from Win32_PerfRawData_PerfDisk_LogicalDisk
SELECT Name from Win32_PerfRawData_PerfDisk_PhysicalDisk
```
    DTB
    Iron Contributor

    Hi b-rad86,

    Yes, you can use PowerShell Just Enough Administration (JEA) to run WMI queries for monitoring servers while restricting the service account's privileges. JEA allows you to create a constrained endpoint where specific commands and actions are permitted.

    Here's a step-by-step guide to set this up:

    Step-by-Step Guide to Use PowerShell JEA for WMI Queries

    1. Create a JEA Role Capability File

    • Create a Directory for JEA Configuration:

    ```powershell
    New-Item -Path 'C:\Program Files\WindowsPowerShell\Modules\JEAModule' -ItemType Directory
    ```

    • Create the Role Capability File:

    ```powershell
    New-Item -Path 'C:\Program Files\WindowsPowerShell\Modules\JEAModule\RoleCapabilities' -ItemType Directory
    New-PSRoleCapabilityFile -Path 'C:\Program Files\WindowsPowerShell\Modules\JEAModule\RoleCapabilities\MonitorWMI.psrc'
    ```

    • Edit the Role Capability File to Allow Specific WMI Queries:

    ```powershell
    # Single-quoted here-string: nothing inside is expanded, so the file receives the
    # hashtable exactly as written. FunctionDefinitions must be an array of hashtables
    # with a Name and a ScriptBlock, not a string of function source.
    Set-Content -Path 'C:\Program Files\WindowsPowerShell\Modules\JEAModule\RoleCapabilities\MonitorWMI.psrc' -Value @'
    @{
        GUID = 'a4a5bce7-8baf-4d6d-b9e0-35f27f9b0d38'
        Author = 'Your Name'
        Description = 'Role capability for monitoring WMI queries'
        # Exposes Get-WmiObject with only its -Query parameter. Note that -Query is not
        # constrained, so the account can run any read-only WQL query, not just the three below.
        VisibleCmdlets = @{
            Name = 'Get-WmiObject'
            Parameters = @{ Name = 'Query' }
        }
        FunctionDefinitions = @(
            @{
                Name = 'Get-WmiLogicalDisk'
                ScriptBlock = {
                    Get-WmiObject -Query "SELECT Name,VolumeName,FileSystem from Win32_LogicalDisk WHERE DriveType='3'"
                }
            },
            @{
                Name = 'Get-WmiPerfRawLogicalDisk'
                ScriptBlock = { Get-WmiObject -Query "SELECT Name from Win32_PerfRawData_PerfDisk_LogicalDisk" }
            },
            @{
                Name = 'Get-WmiPerfRawPhysicalDisk'
                ScriptBlock = { Get-WmiObject -Query "SELECT Name from Win32_PerfRawData_PerfDisk_PhysicalDisk" }
            }
        )
        VisibleFunctions = 'Get-WmiLogicalDisk', 'Get-WmiPerfRawLogicalDisk', 'Get-WmiPerfRawPhysicalDisk'
    }
    '@
    ```

    2. Create a JEA Session Configuration File

    • Create the Session Configuration File:

    ```powershell
    New-PSSessionConfigurationFile -Path 'C:\Program Files\WindowsPowerShell\Modules\JEAModule\JEAMonitoring.pssc' -SessionType RestrictedRemoteServer
    ```

    • Edit the Session Configuration File:

    ```powershell
    # Single-quoted here-string so that $true is written literally; in a double-quoted
    # here-string it would be expanded to the bareword True and the file would not parse.
    Set-Content -Path 'C:\Program Files\WindowsPowerShell\Modules\JEAModule\JEAMonitoring.pssc' -Value @'
    @{
        SchemaVersion = '2.0.0.0'
        GUID = 'd5c6a69a-6f78-4d7c-a89f-35e123456789'
        Author = 'Your Name'
        SessionType = 'RestrictedRemoteServer'
        TranscriptDirectory = 'C:\ProgramData\JEAConfiguration\Transcripts'
        RoleDefinitions = @{
            'CONTOSO\ServiceAccount' = @{ RoleCapabilities = 'MonitorWMI' }
        }
        RunAsVirtualAccount = $true
    }
    '@
    ```

    3. Register the JEA Endpoint

    • Register the Configuration:

    ```powershell
    Register-PSSessionConfiguration -Name JEAMonitoring -Path 'C:\Program Files\WindowsPowerShell\Modules\JEAModule\JEAMonitoring.pssc' -Force
    ```

    4. Connecting to the JEA Endpoint

    • Connect Using the JEA Configuration:

    ```powershell
    Enter-PSSession -ComputerName <TargetServer> -ConfigurationName JEAMonitoring -Credential <ServiceAccount>
    ```

    5. Run Your WMI Queries

    • Once connected to the JEA session, you can run the functions defined in your role capability file:

    ```powershell
    Get-WmiLogicalDisk
    Get-WmiPerfRawLogicalDisk
    Get-WmiPerfRawPhysicalDisk
    ```

    Conclusion

    By setting up a JEA endpoint, you can allow a service account to run specific WMI queries without granting it full administrative access. This approach ensures that you maintain security while providing the necessary functionality for server monitoring.

     

    If you have any further questions or need additional assistance, feel free to ask.

     

    Please click Mark as Best Response & Like if my post helped you to solve your issue.

    This will help others to find the correct solution easily. It also closes the item.

    If the post was useful in other ways, please consider giving it Like.
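The same five steps as one runnable script, added here as an example and not taken from the thread or from Microsoft's documentation. It builds the role capability and session configuration with the cmdlet parameters rather than hand-written here-strings (which removes the quoting pitfalls), uses Get-CimInstance instead of the deprecated Get-WmiObject, pins the visible cmdlet to the three classes the monitor needs with a ValidateSet, validates the .pssc before registering it, and then checks from the client that only the allowed commands are exposed. The module name JEAModule, role name MonitorWMI, endpoint name JEAMonitoring and principal CONTOSO\ServiceAccount are carried over from the answer above; the server name srv01 and the function names Get-MonitoredLogicalDisk and Get-MonitoredDiskCounter are assumptions for illustration.

```powershell
# Added example (not from the original post). Run elevated on the target server;
# the verification section at the end runs from the monitoring host.
$ModulePath = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\JEAModule'   # assumed path
$RolePath   = Join-Path $ModulePath 'RoleCapabilities\MonitorWMI.psrc'
$SessionCfg = Join-Path $ModulePath 'JEAMonitoring.pssc'
$Principal  = 'CONTOSO\ServiceAccount'                                             # assumed principal

# JEA resolves role capability names by searching <PSModulePath>\<Module>\RoleCapabilities\*.psrc,
# so the .psrc must sit under a module folder; the manifest makes JEAModule a proper module.
New-Item -ItemType Directory -Path (Split-Path $RolePath) -Force | Out-Null
New-ModuleManifest -Path (Join-Path $ModulePath 'JEAModule.psd1') -Description 'JEA role capabilities for disk monitoring'

# The only CIM classes the monitoring account needs to read.
$AllowedClasses = 'Win32_LogicalDisk', 'Win32_PerfRawData_PerfDisk_LogicalDisk', 'Win32_PerfRawData_PerfDisk_PhysicalDisk'

New-PSRoleCapabilityFile -Path $RolePath `
    -Description 'Read-only disk inventory and perf counters for monitoring' `
    -VisibleCmdlets @{
        # Get-CimInstance is exposed, but -ClassName is restricted to the three classes above,
        # so a direct call cannot enumerate users, processes or other classes. -Filter is a
        # WQL WHERE clause and only narrows a read of an already-allowed class.
        Name       = 'Get-CimInstance'
        Parameters = @{ Name = 'ClassName'; ValidateSet = $AllowedClasses },
                     @{ Name = 'Filter' },
                     @{ Name = 'Property' }
    } `
    -FunctionDefinitions @(
        @{
            Name        = 'Get-MonitoredLogicalDisk'          # assumed function name
            # DriveType 3 = local fixed disk. Module-qualified names avoid command shadowing
            # inside the session.
            ScriptBlock = {
                CimCmdlets\Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DriveType = 3" |
                    Microsoft.PowerShell.Utility\Select-Object -Property Name, VolumeName, FileSystem
            }
        },
        @{
            Name        = 'Get-MonitoredDiskCounter'          # assumed function name
            ScriptBlock = {
                param(
                    [ValidateSet('LogicalDisk', 'PhysicalDisk')]
                    [string]$Scope = 'LogicalDisk'
                )
                CimCmdlets\Get-CimInstance -ClassName "Win32_PerfRawData_PerfDisk_$Scope" |
                    Microsoft.PowerShell.Utility\Select-Object -Property Name
            }
        }
    ) `
    -VisibleFunctions 'Get-MonitoredLogicalDisk', 'Get-MonitoredDiskCounter'

New-PSSessionConfigurationFile -Path $SessionCfg `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory 'C:\ProgramData\JEAConfiguration\Transcripts' `
    -RoleDefinitions @{ $Principal = @{ RoleCapabilities = 'MonitorWMI' } }

# Catch schema and syntax problems before touching WinRM.
if (-not (Test-PSSessionConfigurationFile -Path $SessionCfg)) {
    throw "Invalid session configuration file: $SessionCfg"
}

# Requires an elevated session and restarts the WinRM service.
Register-PSSessionConfiguration -Name 'JEAMonitoring' -Path $SessionCfg -Force | Out-Null

# --- Verification from the monitoring host (srv01 is an assumed server name) ---
$cred    = Get-Credential -UserName $Principal -Message 'Monitoring service account'
$session = New-PSSession -ComputerName 'srv01' -ConfigurationName 'JEAMonitoring' -Credential $cred

Invoke-Command -Session $session -ScriptBlock { Get-MonitoredLogicalDisk }
Invoke-Command -Session $session -ScriptBlock { Get-MonitoredDiskCounter -Scope PhysicalDisk }

# Only the role's functions, the constrained Get-CimInstance and the RestrictedRemoteServer
# basics (Get-Command, Select-Object, Measure-Object, ...) should be listed here.
Invoke-Command -Session $session -ScriptBlock { Get-Command } | Select-Object -ExpandProperty Name

# Anything outside the role must be refused by the endpoint, not merely fail.
try {
    Invoke-Command -Session $session -ScriptBlock { Get-Process } -ErrorAction Stop
    Write-Warning 'Get-Process should not be callable from this endpoint'
} catch {
    "Endpoint rejected Get-Process as expected: $($_.Exception.Message)"
}
Remove-PSSession $session
```

Two points of the design are worth keeping in mind. RunAsVirtualAccount means the wrapper functions run as a temporary local administrator on the target, while the monitoring principal itself holds no admin rights anywhere, which is exactly the separation the question asks for; the transcript directory gives you a per-session record of what that principal actually ran. Keeping Get-CimInstance visible at all is a choice: the two functions are enough for the monitor, and the ValidateSet on -ClassName is what stops the account from turning a read-only query cmdlet into a general enumeration tool.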

      b-rad86
      Copper Contributor

      Thanks DTB, I was able to execute all the lines of script until the "Register-PSSessionConfiguration" line. I get the following error:


        sdtslmn
        Brass Contributor
        The Register-PSSessionConfiguration command requires administrative privileges. Make sure you are running the PowerShell session as an administrator.
