JEA
This link is helpful:
Create the session configuration file
New-PSSessionConfigurationFile -Path 'C:\Program Files\WindowsPowerShell\spooler_conf.pssc'
Edit the session configuration file
notepad 'C:\Program Files\WindowsPowerShell\spooler_conf.pssc'
It should look something like this
@{
# Version number of the schema used for this document
SchemaVersion = '2.0.0.0'
# ID used to uniquely identify this document
GUID = '8c1e7490-3f03-450e-b97b-c4554e879535'
# Author of this document
Author = 'fcastle'
# Description of the functionality provided by these settings
# Description = ''
# Session type defaults to apply for this session configuration. Can be 'RestrictedRemoteServer' (recommended), 'Empty', or 'Default'
SessionType = 'RestrictedRemoteServer'
# Directory to place session transcripts for this session configuration
TranscriptDirectory = 'C:\Transcripts\'
# Whether to run this session configuration as the machine's (virtual) administrator account
# RunAsVirtualAccount = $true
# Scripts to run when applied to a session
# ScriptsToProcess = 'C:\ConfigData\InitScript1.ps1', 'C:\ConfigData\InitScript2.ps1'
# User roles (security groups), and the role capabilities that should be applied to them when applied to a session
RoleDefinitions = @{ 'horus-dc\fcastle' = @{ VisibleCmdlets = 'Get-Process' } }
}
Note that the SessionType was altered to 'RestrictedRemoteServer' and that the role definition includes the user and the visible cmdlet. I don't know if that's needed, but it was in the example document generated.
Create the directory
New-Item -Path 'C:\Program Files\WindowsPowerShell\Modules\JEA\RoleCapabilities' -ItemType Directory
Create the capability file
New-PSRoleCapabilityFile -Path 'C:\Program Files\WindowsPowerShell\Modules\JEA\RoleCapabilities\spooler_admins.psrc'
Edit the capability file
notepad 'C:\Program Files\WindowsPowerShell\Modules\JEA\RoleCapabilities\spooler_admins.psrc'
Should look something like below
@{
# ID used to uniquely identify this document
GUID = 'a6e0b3a5-4106-4cf2-a951-a8337fcd4a92'
# Author of this document
Author = 'fcastle'
# Description of the functionality provided by these settings
# Description = ''
# Company associated with this document
CompanyName = 'Unknown'
# Copyright statement for this document
Copyright = '(c) 2020 fcastle. All rights reserved.'
# Modules to import when applied to a session
# ModulesToImport = 'MyCustomModule', @{ ModuleName = 'MyCustomModule'; ModuleVersion = '1.0.0.0'; GUID = '4d30d5f0-cb16-4898-812d-f20a6c596bdf' }
# Aliases to make visible when applied to a session
# VisibleAliases = 'Item1', 'Item2'
# Cmdlets to make visible when applied to a session
VisibleCmdlets = 'Get-Process'
}
Note that VisibleCmdlets has been uncommented, and we can put the cmdlets in there. If we want something like whoami or net, we will need to add it as an external command (VisibleExternalCommands), since it's not a cmdlet.
Start WinRM on the box if not done already
winrm quickconfig
Register the JEA
Register-PSSessionConfiguration -Name Spooler_Admins -Path 'C:\Program Files\WindowsPowerShell\spooler_conf.pssc'
Restart service
Restart-Service WinRM
Test
Enter-PSSession -ComputerName COMP1 -ConfigurationName Spooler_Admins
With the above, when you type command, the only cmdlet you should see is Get-Process. The others are functions.
As the JEA session runs with higher privs, if a breakout happens then you can perform fun actions.
Breakouts will depend on the cmdlets available, and as there are a huge amount, it won't all be covered anywhere.
When you enter the JEA session, you can enumerate what's available with the command cmdlet:
command
Some cmdlets to look out for
Set-PSSessionConfiguration
Start-Process
New-Service
Add-Computer
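For review from the admin side, the following added example (not part of the original notes) parses a role capability file and reports any VisibleCmdlets entry, including wildcard entries, that exposes one of the cmdlets listed above. The function name Test-JeaRoleCapability and the sample .psrc content are constructed for illustration.

```powershell
# Cmdlets the notes above list as ones to look out for in a JEA role
$Risky = 'Set-PSSessionConfiguration', 'Start-Process', 'New-Service', 'Add-Computer'

# Hypothetical helper: report VisibleCmdlets entries that expose a risky cmdlet
function Test-JeaRoleCapability {
    param([Parameter(Mandatory)][string]$Path)

    $data = Import-PowerShellDataFile -Path $Path
    foreach ($entry in @($data.VisibleCmdlets)) {
        # An entry is either a plain name or @{ Name = '...'; Parameters = ... }
        $name = if ($entry -is [hashtable]) { $entry.Name } else { [string]$entry }
        if (-not $name) { continue }

        # Drop a 'Module\' qualifier, then treat the entry as a wildcard pattern
        $pattern = ($name -split '\\')[-1]
        $hits = @($Risky | Where-Object { $_ -like $pattern })
        if ($hits.Count -eq 0) { continue }

        [pscustomobject]@{
            File        = Split-Path $Path -Leaf
            Entry       = $name
            Exposes     = $hits -join ', '
            # True only when the entry restricts which parameters may be used
            Constrained = ($entry -is [hashtable]) -and $entry.ContainsKey('Parameters')
        }
    }
}

# Constructed sample role capability file (not taken from the page)
$sample = Join-Path ([IO.Path]::GetTempPath()) 'sample_role.psrc'
@'
@{
    GUID = '00000000-0000-0000-0000-000000000000'
    VisibleCmdlets = 'Get-Process',
                     'Start-*',
                     @{ Name = 'New-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler' } }
}
'@ | Set-Content -Path $sample

# Get-Process is not reported; 'Start-*' and the New-Service entry are
Test-JeaRoleCapability -Path $sample | Format-Table -AutoSize
Remove-Item -Path $sample
```

To check real roles, pipe the .psrc files under a module's RoleCapabilities directory into the function. Cmdlets granted inline in a .pssc RoleDefinitions entry, as in the session configuration above, are not covered by a .psrc scan and need the same review.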