[EDIT 05/26/14]: Here is the best landing page by Jeffrey Snover concerning Just Enough Admin. Definitely take a look, as a whitepaper and Channel 9 Teched 2014 video about it are both posted there!
PowerShell Summit 2014 NA wrapped up last week, and it was awesome. MVPs, PowerShell Team members, PowerShell book authors, and Jeffrey Snover were among the lineup of speakers. This is going to be the first post collecting the speaker names and the resources I am able to find in relation to them. I originally attempted to record the sessions, but due to technical difficulties they were only partially recorded, with low quality. I wanted to create learning resources by editing my notes for public consumption, for those at the Summit who missed the sessions I attended, or for the community in general. Further resources will be posted on PowerShell.Org in the near future.
JEA (Just Enough Admin) is a PowerShell toolkit that can be set up and deployed by DSC in order to create manageable, constrained endpoints. Administrators are needed, but they are always part of your attack surface, are sometimes bad actors, and can make mistakes. JEA is meant to be a great way to address these issues.
So, wouldn’t it be great if:
- People didn’t have to have admin privileges to do their job?
- If a machine got cracked, it wouldn’t leak high value credentials?
- People could only do what they needed to do?
- All administrator actions were logged?
JEA helps incrementally reduce the exposure of Administrator privileges by:
- Reducing the number of people with administrator privileges
- Reducing the scope of administrator privileges
- Reducing what can be done when using those administrator privileges
JEA is based on the PowerShell security features currently used by online services, such as the remote administration of Exchange Online. The toolkit breaks down into three simple concepts:
- JeaToolkit: Well defined set of commands to support a set of activities (like Restart-Service)
- JeaEndPoint: Management connection point where authorized users are provided JeaToolkits, which run as a JeaEndPointAccount
- JeaEndPointAccount: Managed local account with administrative privileges
Using a JeaEndPointAccount greatly limits the scope of an account breach, because it is a managed local account rather than a domain account or Group Managed Service Account (gMSA): credentials stolen from one server cannot be reused against the rest of the domain. As Snover put it, restricting a potential breach to only the local server “puts the server in a blast container.”
An example of a JeaToolkit that may be provided by DSC for restricted SQL server maintenance:
As you can see, CommandSpecs is actually being defined by an inline CSV. You can instead use Get-Content SQLToolkit.csv as the definition, and manage the CSV in something like Excel:
A line-by-line breakdown of what this toolkit allows:
- Any Get cmdlet within the SQL module may run
- Get-Process and Get-Service may run with any parameters
- Stop-Process may run only with the Name parameter, and only with a value of calc or notepad
- Restart-Service may run only with the Name parameter, and only against a service whose name starts with SQL
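As an added example (not code from the post or from the xJea project), here is how those four rules could be expressed as a DSC configuration that builds the toolkit and publishes it on a constrained endpoint. It assumes the experimental xJea module's xJeaToolKit and xJeaEndPoint resources with the CommandSpecs CSV columns Module,Name,Parameter,ValidationType,ValidationValue, the SQLPS module name for "the SQL module", and a made-up domain group; confirm the property names against the resource schema with Get-DscResource before relying on them.

```powershell
# Added example: DSC configuration for the SQL maintenance JeaToolkit described above.
# Assumptions: xJea's xJeaToolKit / xJeaEndPoint resources and the CommandSpecs CSV
# columns Module,Name,Parameter,ValidationType,ValidationValue; 'SQLPS' is assumed to
# be the SQL module; 'CONTOSO\SQL Operators' is a constructed group name.
Configuration SqlMaintenanceJea
{
    Import-DscResource -ModuleName xJea

    # One CSV row per allowed command. Anything not listed is denied, so the
    # operator never sees Invoke-Expression or any other unlisted command.
    # An empty Parameter column means "any parameters"; a row that names a
    # parameter allows only that parameter, constrained by ValidationType.
    xJeaToolKit SqlToolkit
    {
        Name         = 'SQLToolkit'
        CommandSpecs = @"
Module,Name,Parameter,ValidationType,ValidationValue
SQLPS,Get-*,,,
,Get-Process,,,
,Get-Service,,,
,Stop-Process,Name,ValidateSet,calc;notepad
,Restart-Service,Name,ValidatePattern,^SQL
"@
        Ensure       = 'Present'
    }

    # The endpoint is the only thing operators connect to. Commands run as the
    # managed local JeaEndPointAccount, so the operator's own credentials never
    # need admin rights and are never cached on the server.
    xJeaEndPoint SqlMaintenance
    {
        Name      = 'SqlMaintenance'
        Toolkit   = 'SQLToolkit'
        Group     = 'CONTOSO\SQL Operators'   # constructed; who may connect
        Ensure    = 'Present'
        DependsOn = '[xJeaToolKit]SqlToolkit'
    }
}

# Compile the MOF for the local SQL host and apply it.
SqlMaintenanceJea -OutputPath C:\JeaConfig
Start-DscConfiguration -Path C:\JeaConfig -Wait -Verbose

# An operator then connects to the constrained endpoint rather than a full session,
# and Get-Command inside it lists only the toolkit's commands:
#   Enter-PSSession -ComputerName sql01 -ConfigurationName SqlMaintenance
```

A quick check after deployment is to run Restart-Service -Name Spooler from inside the session: it should be rejected by the ^SQL pattern, while Restart-Service -Name SQLSERVERAGENT is permitted.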
There are also ways to use startup scripts to bring further customization and restrictions, such as setting up logging, creating custom error messages to send to the user, and completely hiding dangerous commands such as Invoke-Expression. Snover made sure to say that allowing users to run that command, with malicious intent or little understanding of its capabilities, is “the path to hell.” Take a look at the constrained endpoint link at the bottom of this post for more information about startup scripts.
It was an excellent presentation overall, and I am really looking forward to seeing how that module works in practice! At the end of his presentation, Snover touched on some other cool things like configuring the MOTD (Message of The Day) for these constrained terminal sessions with DSC.
- Article referenced during Snover’s presentation when quoting, “Who better to target than the person that already has the ‘keys to the kingdom’?”
- Great Scripting Guy Blog Article on Constrained Endpoints
- Introducing PowerShell Desired State Configuration (DSC)
- PowerShell v4 and Other Cheat Sheets