A simple example of Windows PowerShell Just Enough Administration (JEA)!
Dear Microsoft and PowerShell Friends,
Using PowerShell to establish a remote connection and then manage, for example, a domain controller or any other server that is a member of the domain, is really fun. But what about security? When I as a domain administrator establish a remote connection, I have a huge number of cmdlets at my disposal.
#We start a "normal" remote connection and check how many cmdlets are available
Enter-PSSession -ComputerName dc01
(Get-Command).count
Maybe you (the administrator) do not always want to establish the remote connection to a specific server yourself to carry out a recurring task, but would rather delegate that step to another person, in a way that prevents this person from working with too many cmdlets. That's where PowerShell Just Enough Administration (JEA) comes in. With this technique you can, for example, give a specific Active Directory group exactly the cmdlets it needs to do the required work on the desired server. JEA is best suited for tasks that are clearly defined; it is not suitable for troubleshooting or research. The best place to start is in Active Directory:
1. Create a security group with the name Helpdesk in AD.
2. Add a user (or users) to the group
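The two Active Directory steps above, done in PowerShell instead of the GUI. This is an added example, not part of the original post; it assumes the ActiveDirectory module (RSAT) is installed, and uses the user name james.west that appears later in the post.

```powershell
# Added example: create the Helpdesk security group and add a member.
# Requires the ActiveDirectory module (RSAT or a domain controller).
Import-Module ActiveDirectory

# 1. Global security group named Helpdesk (this name is referenced later in the .pssc file)
New-ADGroup -Name 'Helpdesk' -GroupScope Global -GroupCategory Security `
    -Description 'JEA role: restricted service checks on dc01'

# 2. Add the delegate. james.west is the sample account used later in the post.
Add-ADGroupMember -Identity 'Helpdesk' -Members 'james.west'

# Verify the membership before you rely on it in a session configuration
Get-ADGroupMember -Identity 'Helpdesk' | Select-Object SamAccountName
```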
After that we switch to the PowerShell ISE (on the server where you want to make the cmdlets available) or the editor you trust (maybe VS Code ;-). Lines starting with # are comments.
#We navigate to the following path
Set-Location 'C:\Program Files\WindowsPowerShell\Modules'
#Create a new directory
New-Item -ItemType Directory Helpdesk
#Navigate to the directory
Set-Location Helpdesk
#Create a new directory
New-Item -ItemType Directory RoleCapabilities
#Navigate to the directory
Set-Location RoleCapabilities
#Creates a file that defines a set of capabilities to be exposed through a session configuration
New-PSRoleCapabilityFile -Path .\Helpdesk.psrc
#Now we edit this file
ISE .\Helpdesk.psrc
In this file you can specify, among other things, which cmdlets, functions and external commands may be used. In this example I provide "Get-Service" and "whoami". In a practical example, you would provide all the commands/cmdlets needed for the specific task, as the case may be.
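What the edited Helpdesk.psrc looks like for this example. This is an added illustration of the role capability file, not the author's exact copy; New-PSRoleCapabilityFile also writes keys such as GUID and Author, which you keep unchanged. Note that external programs must be listed by full path, otherwise JEA does not expose them.

```powershell
# Helpdesk.psrc - role capability file (added example of the edited file)
@{
    # Cmdlets the role may run. A plain string exposes the cmdlet with all parameters;
    # a hashtable form (Name/Parameters/ValidateSet) would restrict individual parameters.
    VisibleCmdlets = 'Get-Service'

    # External executables must be given as full paths in a JEA role
    VisibleExternalCommands = 'C:\Windows\System32\whoami.exe'
}
```

Everything not listed here stays invisible in the session; that is the point of the restricted endpoint.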
#Creates a file that defines a session configuration
New-PSSessionConfigurationFile .\Helpdesk.pssc
#Now we edit this file
ISE .\Helpdesk.pssc
In this file you can specify, among other things, the session type, whether the session runs under a virtual administrator account, and which AD group is mapped to which role.
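What the edited Helpdesk.pssc looks like for this example. This is an added illustration of the session configuration file, not the author's exact copy. The domain name grid is taken from the connection command later in the post; the GUID value is a placeholder (keep the one New-PSSessionConfigurationFile generated), and the transcript directory is an assumption added so that every JEA session leaves an audit trail.

```powershell
# Helpdesk.pssc - session configuration file (added example of the edited file)
@{
    SchemaVersion = '2.0.0.0'
    GUID          = '00000000-0000-0000-0000-000000000000'   # placeholder: keep the generated GUID

    # RestrictedRemoteServer exposes only the role's commands plus a minimal default set
    # (Get-Command, Get-Help, Select-Object, Measure-Object, Exit-PSSession, ...)
    SessionType = 'RestrictedRemoteServer'

    # Run as a temporary virtual account with local admin rights on this server;
    # the connecting user's own token is never used for the work
    RunAsVirtualAccount = $true

    # Map the AD group from step 1 to the Helpdesk.psrc role capability
    RoleDefinitions = @{
        'grid\Helpdesk' = @{ RoleCapabilities = 'Helpdesk' }
    }

    # Assumed addition: record a transcript of every session for later review
    TranscriptDirectory = 'C:\JEATranscripts'
}
```

The RoleCapabilities value is the file name of Helpdesk.psrc without its extension; JEA finds it because the Helpdesk module folder sits in a PSModulePath location.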
#Let us check the settings
Test-PSSessionConfigurationFile .\Helpdesk.pssc
#Creates and registers a new session configuration
Register-PSSessionConfiguration -Name Helpdesk -Path .\Helpdesk.pssc
#We need to restart the WinRM Service
Restart-Service WinRM
#Gets the registered session configurations on the computer
Get-PSSessionConfiguration
Now switch to the system from which you want to establish a remote session.
#We establish a connection
Enter-PSSession -ComputerName dc01 -ConfigurationName Helpdesk -Credential grid\james.west
#And check the number of cmdlets and the account created for the connection
(Get-Command).count
whoami
We now have exactly the cmdlet and the command we specified. We also see that the session was established with a virtual account. This means that these credentials exist only for the duration of the session and are not saved after it ends.
#Close the Session
Exit-PSSession
Back to the server.
#(Optional) Deletes registered session configurations from the computer
Unregister-PSSessionConfiguration -Name Helpdesk
Clearly, that was not super spectacular or fancy. But I still wanted to share my experience with you. Thank you for taking the time to read this article.
Kind regards, Tom Wechsler
P.S. All scripts (#PowerShell, Azure CLI, #Terraform, #ARM) that I use can be found on GitHub! https://github.com/tomwechsler