Powershell JEA - WMI Queries

Copper Contributor

Hi, 

I'm looking at using PowerShell JEA to run some WMI queries aimed at monitoring servers. Is this possible? An example of the query is below. 

 

The objective is to prevent the service account used by the monitoring application from having local administrator access.

 

SELECT Name,VolumeName,FileSystem from Win32_LogicalDisk WHERE DriveType='3'
SELECT Name from Win32_PerfRawData_PerfDisk_LogicalDisk
SELECT Name from Win32_PerfRawData_PerfDisk_PhysicalDisk
1 Reply

Hi @b-rad86,

 

Yes, you can use PowerShell Just Enough Administration (JEA) to run WMI queries for monitoring servers while restricting the service account's privileges. JEA allows you to create a constrained endpoint where specific commands and actions are permitted.

Here’s a step-by-step guide to set this up:

Step-by-Step Guide to Use PowerShell JEA for WMI Queries

1. Create a JEA Role Capability File

  • Create a directory for the JEA configuration:

New-Item -Path 'C:\Program Files\WindowsPowerShell\Modules\JEAModule' -ItemType Directory
# Role capability files are only discovered inside a valid PowerShell module on $env:PSModulePath,
# so give the folder a module manifest.
New-ModuleManifest -Path 'C:\Program Files\WindowsPowerShell\Modules\JEAModule\JEAModule.psd1'

  • Create the role capability file:

New-Item -Path 'C:\Program Files\WindowsPowerShell\Modules\JEAModule\RoleCapabilities' -ItemType Directory
New-PSRoleCapabilityFile -Path 'C:\Program Files\WindowsPowerShell\Modules\JEAModule\RoleCapabilities\MonitorWMI.psrc'

  • Edit the role capability file to allow only the specific WMI queries:

# Overwrites the skeleton written by New-PSRoleCapabilityFile. Single-quoted here-string, so
# nothing inside is expanded before it reaches the file.
Set-Content -Path 'C:\Program Files\WindowsPowerShell\Modules\JEAModule\RoleCapabilities\MonitorWMI.psrc' -Value @'
@{
    GUID = 'a4a5bce7-8baf-4d6d-b9e0-35f27f9b0d38'
    Author = 'Your Name'
    Description = 'Role capability for monitoring WMI queries'
    # Get-WmiObject is deliberately NOT listed under VisibleCmdlets: exposing it with the Query
    # parameter would let the caller run any WQL query as the RunAs virtual account (a local
    # Administrator). Functions defined here can still call it, because role-capability functions
    # may use cmdlets that are not visible to the connecting user. The queries are fixed strings,
    # so nothing the caller supplies reaches WQL.
    # FunctionDefinitions is an array of hashtables with Name and ScriptBlock keys; a here-string
    # of function text is not a valid value.
    FunctionDefinitions = @(
        @{
            Name = 'Get-WmiLogicalDisk'
            ScriptBlock = { Get-WmiObject -Query "SELECT Name,VolumeName,FileSystem from Win32_LogicalDisk WHERE DriveType='3'" }
        },
        @{
            Name = 'Get-WmiPerfRawLogicalDisk'
            ScriptBlock = { Get-WmiObject -Query "SELECT Name from Win32_PerfRawData_PerfDisk_LogicalDisk" }
        },
        @{
            Name = 'Get-WmiPerfRawPhysicalDisk'
            ScriptBlock = { Get-WmiObject -Query "SELECT Name from Win32_PerfRawData_PerfDisk_PhysicalDisk" }
        }
    )
    VisibleFunctions = 'Get-WmiLogicalDisk', 'Get-WmiPerfRawLogicalDisk', 'Get-WmiPerfRawPhysicalDisk'
}
'@

2. Create a JEA Session Configuration File

  • Create the session configuration file:

New-PSSessionConfigurationFile -Path 'C:\Program Files\WindowsPowerShell\Modules\JEAModule\JEAMonitoring.pssc' -SessionType RestrictedRemoteServer

  • Edit the session configuration file:

# Single-quoted here-string: an expandable @"..."@ would turn $true into the bare word True
# and the resulting .pssc would fail to load.
Set-Content -Path 'C:\Program Files\WindowsPowerShell\Modules\JEAModule\JEAMonitoring.pssc' -Value @'
@{
    SchemaVersion = '2.0.0.0'
    GUID = 'd5c6a69a-6f78-4d7c-a89f-35e123456789'
    Author = 'Your Name'
    SessionType = 'RestrictedRemoteServer'
    # Every command run through the endpoint is recorded here.
    TranscriptDirectory = 'C:\ProgramData\JEAConfiguration\Transcripts'
    # Maps the connecting user (or, better, a group it belongs to) to the role capability name,
    # i.e. the .psrc file name without its extension.
    RoleDefinitions = @{
        'CONTOSO\ServiceAccount' = @{ RoleCapabilities = 'MonitorWMI' }
    }
    # The queries run as a temporary local Administrator virtual account; the service account
    # itself is never granted admin rights.
    RunAsVirtualAccount = $true
}
'@

3. Register the JEA Endpoint

  • Register the configuration:

# Run from an elevated prompt; -Force suppresses the prompt and restarts the WinRM service.
Register-PSSessionConfiguration -Name JEAMonitoring -Path 'C:\Program Files\WindowsPowerShell\Modules\JEAModule\JEAMonitoring.pssc' -Force

4. Connecting to the JEA Endpoint

  • Connect using the JEA configuration:

Enter-PSSession -ComputerName <TargetServer> -ConfigurationName JEAMonitoring -Credential <ServiceAccount>

5. Run Your WMI Queries

  • Once connected to the JEA session, you can run the functions defined in your role capability file:

Get-WmiLogicalDisk
Get-WmiPerfRawLogicalDisk
Get-WmiPerfRawPhysicalDisk

Conclusion

By setting up a JEA endpoint, you can allow a service account to run specific WMI queries without granting it full administrative access. This approach ensures that you maintain security while providing the necessary functionality for server monitoring.

 

If you have any further questions or need additional assistance, feel free to ask.

 

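An added example, not part of the question or the answer above, showing a tighter version of the same endpoint together with the checks a practitioner would run before handing it to a monitoring tool. The role capability exposes no cmdlets at all and freezes the three WQL queries inside functions (the one caller-controlled value is bounded with ValidateSet), the session configuration is generated directly from parameters instead of being overwritten with a here-string, and the endpoint is then verified with Test-PSSessionConfigurationFile, Get-PSSessionCapability, one call that should succeed and one that should be rejected. The module name MonitorWMI, endpoint name JEAMonitoring, group CONTOSO\MonitoringUsers, account CONTOSO\svc-monitor and host SERVER01 are placeholders chosen for this example; the transcript path is the one used in the answer. It uses Get-CimInstance rather than Get-WmiObject because it runs the same WQL and exists in both Windows PowerShell 5.1 and PowerShell 7.

```powershell
# Added example (not from the original post): hardened JEA endpoint for the three disk queries,
# plus verification. Placeholder names: module MonitorWMI, endpoint JEAMonitoring,
# role holders CONTOSO\MonitoringUsers, test account CONTOSO\svc-monitor, target SERVER01.

# ---- Part 1: on the target server, in an elevated Windows PowerShell 5.1 prompt ----
$moduleRoot  = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\MonitorWMI'
$roleDir     = Join-Path $moduleRoot 'RoleCapabilities'
$psrcPath    = Join-Path $roleDir 'MonitorWMI.psrc'
$psscPath    = Join-Path $moduleRoot 'JEAMonitoring.pssc'
$transcripts = 'C:\ProgramData\JEAConfiguration\Transcripts'

New-Item -Path $roleDir, $transcripts -ItemType Directory -Force | Out-Null
# Role capabilities are only discovered inside a valid module on $env:PSModulePath.
New-ModuleManifest -Path (Join-Path $moduleRoot 'MonitorWMI.psd1')

# No VisibleCmdlets: exposing Get-CimInstance/Get-WmiObject with -Query would let the caller run
# arbitrary WQL as the RunAs virtual account (a local Administrator). Each query is frozen in a
# function; role-capability functions can call cmdlets the caller cannot. Fully qualified names
# bypass the restricted Select-Object proxy that JEA installs in the session.
$functions = @(
    @{
        Name        = 'Get-MonLogicalDisk'
        ScriptBlock = {
            param(
                # 3 = local fixed disk, as in the original query. ValidateSet bounds the only
                # caller-controlled value, so interpolating it cannot change the query shape.
                [ValidateSet('2', '3', '4', '5')]
                [string]$DriveType = '3'
            )
            CimCmdlets\Get-CimInstance -Query "SELECT Name,VolumeName,FileSystem FROM Win32_LogicalDisk WHERE DriveType='$DriveType'" |
                Microsoft.PowerShell.Utility\Select-Object -Property Name, VolumeName, FileSystem
        }
    },
    @{
        Name        = 'Get-MonPerfRawLogicalDisk'
        ScriptBlock = {
            CimCmdlets\Get-CimInstance -Query 'SELECT Name FROM Win32_PerfRawData_PerfDisk_LogicalDisk' |
                Microsoft.PowerShell.Utility\Select-Object -Property Name
        }
    },
    @{
        Name        = 'Get-MonPerfRawPhysicalDisk'
        ScriptBlock = {
            CimCmdlets\Get-CimInstance -Query 'SELECT Name FROM Win32_PerfRawData_PerfDisk_PhysicalDisk' |
                Microsoft.PowerShell.Utility\Select-Object -Property Name
        }
    }
)
New-PSRoleCapabilityFile -Path $psrcPath -Description 'Read-only disk inventory for monitoring' `
    -FunctionDefinitions $functions

# Grant the role to a group rather than one account, so rotating the monitoring account never
# requires touching the endpoint. Transcripts record every call made through it.
New-PSSessionConfigurationFile -Path $psscPath -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount -TranscriptDirectory $transcripts `
    -RoleDefinitions @{ 'CONTOSO\MonitoringUsers' = @{ RoleCapabilities = 'MonitorWMI' } }

# Refuse to register a file that does not validate; -Force restarts WinRM without prompting.
if (-not (Test-PSSessionConfigurationFile -Path $psscPath)) {
    throw "Session configuration failed validation: $psscPath"
}
Register-PSSessionConfiguration -Name JEAMonitoring -Path $psscPath -Force | Out-Null

# Audit what a member of the group can run without logging in as that account. Expect the three
# Get-Mon* functions plus JEA's built-ins (Get-Command, Get-Help, Select-Object, ...), nothing else.
Get-PSSessionCapability -ConfigurationName JEAMonitoring -Username 'CONTOSO\svc-monitor' |
    Microsoft.PowerShell.Utility\Select-Object -Property Name, CommandType

# ---- Part 2: from the monitoring host, as the monitoring account ----
$cred = Get-Credential -UserName 'CONTOSO\svc-monitor' -Message 'Monitoring account'

# A collector should use Invoke-Command rather than an interactive Enter-PSSession: one round
# trip, and the results come back as deserialized objects ready to store.
Invoke-Command -ComputerName SERVER01 -ConfigurationName JEAMonitoring -Credential $cred `
    -ScriptBlock { Get-MonLogicalDisk -DriveType 3 }

# Negative check: a cmdlet outside the role must be unrecognized inside the endpoint, even
# though the functions above use it internally. If this call succeeds, the role is too broad.
try {
    Invoke-Command -ComputerName SERVER01 -ConfigurationName JEAMonitoring -Credential $cred `
        -ErrorAction Stop -ScriptBlock { Get-CimInstance -Query 'SELECT * FROM Win32_Process' }
    Write-Warning 'Endpoint exposed Get-CimInstance directly; tighten the role capability.'
} catch {
    Write-Output "Rejected as expected: $($_.Exception.Message)"
}
```

The two Invoke-Command calls are the acceptance test for the endpoint: the first proves the monitoring account gets its data without being a local administrator anywhere, the second proves that the RunAs virtual account's privileges are reachable only through the three fixed functions. Keep both in whatever script you use to roll the endpoint out, and re-run them whenever the role capability changes.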