JEA

Setting up JEA

This link is helpful:

PowerShell: Implementing Just-Enough-Administration (JEA), Step-by-StepSID-500.COM

Create the session configuration file

New-PSSessionConfigurationFile -Path 'C:\Program Files\WindowsPowerShell\spooler_conf.pssc'

Edit the session configuration file

notepad 'C:\Program Files\WindowsPowerShell\spooler_conf.pssc'

It should look something like this

@{

# Version number of the schema used for this document
SchemaVersion = '2.0.0.0'

# ID used to uniquely identify this document
GUID = '8c1e7490-3f03-450e-b97b-c4554e879535'

# Author of this document
Author = 'fcastle'

# Description of the functionality provided by these settings
# Description = ''

# Session type defaults to apply for this session configuration. Can be 'RestrictedRemoteServer' (recommended), 'Empty', or 'Default'
SessionType = 'RestrictedRemoteServer'

# Directory to place session transcripts for this session configuration
TranscriptDirectory = 'C:\Transcripts\'

# Whether to run this session configuration as the machine's (virtual) administrator account
# RunAsVirtualAccount = $true

# Scripts to run when applied to a session
# ScriptsToProcess = 'C:\ConfigData\InitScript1.ps1', 'C:\ConfigData\InitScript2.ps1'

# User roles (security groups), and the role capabilities that should be applied to them when applied to a session
RoleDefinitions = @{ 'horus-dc\fcastle' = @{ VisibleCmdlets = 'Get-Process' } } 

}

Note that the sessiontype was altered to restricted and that the role definition includes the user and the visible cmdlet. I dont know if thats needed but it was in the example document generated.

Create the directory

New-Item -Path 'C:\Program Files\WindowsPowerShell\Modules\JEA\RoleCapabilities' -ItemType Directory

Create the capability file

New-PSRoleCapabilityFile -Path 'C:\Program Files\WindowsPowerShell\Modules\JEA\RoleCapabilities\spooler_admins.psrc'

Edit the capability file

notepad 'C:\Program Files\WindowsPowerShell\Modules\JEA\RoleCapabilities\spooler_admins.psrc'

Should look something like below

@{

# ID used to uniquely identify this document
GUID = 'a6e0b3a5-4106-4cf2-a951-a8337fcd4a92'

# Author of this document
Author = 'fcastle'

# Description of the functionality provided by these settings
# Description = ''

# Company associated with this document
CompanyName = 'Unknown'

# Copyright statement for this document
Copyright = '(c) 2020 fcastle. All rights reserved.'

# Modules to import when applied to a session
# ModulesToImport = 'MyCustomModule', @{ ModuleName = 'MyCustomModule'; ModuleVersion = '1.0.0.0'; GUID = '4d30d5f0-cb16-4898-812d-f20a6c596bdf' }

# Aliases to make visible when applied to a session
# VisibleAliases = 'Item1', 'Item2'

# Cmdlets to make visible when applied to a session
VisibleCmdlets = 'Get-Process'

}

Note that the visible cmdlets has been uncommented and we can put the cmds in there. If we want something like whoami or net, we will need to add it as an external command since its not a cmdlet.

Start winrm on the box if not done already

winrm quickconfig

 Register-PSSessionConfiguration -Name Spooler_Admins -Path 'C:\Program Files\WindowsPowerShell\spooler_conf.pssc'

Restart service

Restart-Service WinRM

Test

Enter-PSSession -ComputerName COMP1 -ConfigurationName Spooler_Admins

With the above, when you type command the only cmdlet you should see is get-process. The others are functions.

Breaking Out of JEA

As the JEA session runs with higher privs, if a breakout happens then you can perform fun actions.

Breakouts will depend on the cmdlets available and as there are a huge amount it wont all be covered anywhere.

When enter the JEA session you can enum whats available with the command cmdlet:

command

Some cmdlets to look out for

Set-PSSessionConfiguration
Start-Process
New-Service
Add-Computer

PreviousUn-Constrained Delegation NextPersistance

Last updated 5 years ago

Was this helpful?