JEA

Setting up JEA

This link is helpful: PowerShell: Implementing Just-Enough-Administration (JEA), Step-by-Step (SID-500.COM)
Create the session configuration file
New-PSSessionConfigurationFile -Path 'C:\Program Files\WindowsPowerShell\spooler_conf.pssc'
Edit the session configuration file
notepad 'C:\Program Files\WindowsPowerShell\spooler_conf.pssc'
It should look something like this:
@{

# Version number of the schema used for this document
SchemaVersion = '2.0.0.0'

# ID used to uniquely identify this document
GUID = '8c1e7490-3f03-450e-b97b-c4554e879535'

# Author of this document
Author = 'fcastle'

# Description of the functionality provided by these settings
# Description = ''

# Session type defaults to apply for this session configuration. Can be 'RestrictedRemoteServer' (recommended), 'Empty', or 'Default'
SessionType = 'RestrictedRemoteServer'

# Directory to place session transcripts for this session configuration
TranscriptDirectory = 'C:\Transcripts\'

# Whether to run this session configuration as the machine's (virtual) administrator account
RunAsVirtualAccount = $true

# Scripts to run when applied to a session
# ScriptsToProcess = 'C:\ConfigData\InitScript1.ps1', 'C:\ConfigData\InitScript2.ps1'

# User roles (security groups), and the role capabilities that should be applied to them when applied to a session
RoleDefinitions = @{ 'horus-dc\fcastle' = @{ RoleCapabilities = 'spooler_admins' } }

}
Three things differ from the generated template. SessionType is set to RestrictedRemoteServer, which puts the session in NoLanguage mode and hides everything except a handful of built-in functions. RunAsVirtualAccount is uncommented so that the role's commands run as a temporary local administrator instead of as the connecting user; without it there are no "higher privs" to break out to in the second section. RoleDefinitions maps the principal (a single user here, normally a security group) to the role capability by name: 'spooler_admins' is resolved to spooler_admins.psrc inside a RoleCapabilities folder under any module path, which is exactly the file created in the next steps. The generated template also shows the inline form @{ VisibleCmdlets = 'Get-Process' }; that works, but then the .psrc file is never consulted, so use it only for a role that has no capability file.
Create the directory for the role capability file. The RoleCapabilities folder under a module directory is mandatory, because role capabilities are located by name, not by path:
New-Item -Path 'C:\Program Files\WindowsPowerShell\Modules\JEA\RoleCapabilities' -ItemType Directory
Create the capability file
New-PSRoleCapabilityFile -Path 'C:\Program Files\WindowsPowerShell\Modules\JEA\RoleCapabilities\spooler_admins.psrc'
Edit the capability file
notepad 'C:\Program Files\WindowsPowerShell\Modules\JEA\RoleCapabilities\spooler_admins.psrc'
It should look something like this:
@{

# ID used to uniquely identify this document
GUID = 'a6e0b3a5-4106-4cf2-a951-a8337fcd4a92'

# Author of this document
Author = 'fcastle'

# Description of the functionality provided by these settings
# Description = ''

# Company associated with this document
CompanyName = 'Unknown'

# Copyright statement for this document
Copyright = '(c) 2020 fcastle. All rights reserved.'

# Modules to import when applied to a session
# ModulesToImport = 'MyCustomModule', @{ ModuleName = 'MyCustomModule'; ModuleVersion = '1.0.0.0'; GUID = '4d30d5f0-cb16-4898-812d-f20a6c596bdf' }

# Aliases to make visible when applied to a session
# VisibleAliases = 'Item1', 'Item2'

# Cmdlets to make visible when applied to a session
VisibleCmdlets = 'Get-Process'

}
Note that VisibleCmdlets has been uncommented; that is where the allowed cmdlets go (only Get-Process here). whoami and net are executables, not cmdlets, so they have to be exposed through VisibleExternalCommands with their full path, for example VisibleExternalCommands = 'C:\Windows\System32\whoami.exe'. Every command added here widens what the role can do, so keep the list to exactly what the role needs.
Enable WinRM on the box if it is not already running (Enable-PSRemoting does the same job):
winrm quickconfig
Register the JEA endpoint (the session configuration):
Register-PSSessionConfiguration -Name Spooler_Admins -Path 'C:\Program Files\WindowsPowerShell\spooler_conf.pssc'
Restart WinRM (Register-PSSessionConfiguration already does this after prompting; an explicit restart is harmless):
Restart-Service WinRM
Test from a client (COMP1 is the JEA host):
Enter-PSSession -ComputerName COMP1 -ConfigurationName Spooler_Admins
Inside the session, run Get-Command to see what is available. With the above configuration the only cmdlet it lists is Get-Process; everything else is a function, namely the fixed set that RestrictedRemoteServer always exposes (Clear-Host, Exit-PSSession, Get-Command, Get-FormatData, Get-Help, Measure-Object, Out-Default, Select-Object). Aliases are not exposed in the session, so short forms like gcm do not work there.
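The whole setup above as a single script, added here as an example and not taken from the page or the linked article. It builds the same Spooler_Admins endpoint but with the capability file actually wired in and the endpoint running as a virtual account, exposes a second cmdlet locked to one service and one executable, validates the configuration before registering it, and finishes with the check a practitioner wants: a preview of exactly what the mapped user will see. Assumptions: it runs in an elevated PowerShell on the JEA host (COMP1 on the page), and 'horus-dc\fcastle' is the mapped principal as on the page (a security group would be used in practice).

```powershell
# Added example, not the page's own code: build the Spooler_Admins endpoint end to end,
# with the role capability file actually wired in and the endpoint running as a
# virtual account. Run in an elevated PowerShell on the JEA host (COMP1 on the page).
# Assumption: 'horus-dc\fcastle' is the principal mapped to the role, as on the page.

$moduleDir   = 'C:\Program Files\WindowsPowerShell\Modules\JEA'
$rcDir       = Join-Path $moduleDir 'RoleCapabilities'
$psrc        = Join-Path $rcDir 'spooler_admins.psrc'
$pssc        = 'C:\Program Files\WindowsPowerShell\spooler_conf.pssc'
$transcripts = 'C:\Transcripts'

New-Item -Path $rcDir, $transcripts -ItemType Directory -Force | Out-Null

# Role capability. A .psrc is discovered by file name under <module>\RoleCapabilities,
# so the session configuration refers to it as 'spooler_admins' (no extension).
# Restart-Service is exposed with a single parameter that must equal 'Spooler';
# any other parameter or service name is rejected by the JEA proxy function.
$visibleCmdlets = @(
    'Get-Process'
    @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler' } }
)
New-PSRoleCapabilityFile -Path $psrc `
    -VisibleCmdlets $visibleCmdlets `
    -VisibleExternalCommands 'C:\Windows\System32\whoami.exe'   # executables need the full path

# Session configuration: RestrictedRemoteServer (NoLanguage), transcripts on, and
# RunAsVirtualAccount so the role's commands run as a temporary local administrator.
$roles = @{ 'horus-dc\fcastle' = @{ RoleCapabilities = 'spooler_admins' } }
New-PSSessionConfigurationFile -Path $pssc `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory $transcripts `
    -RoleDefinitions $roles

# Fail early on a malformed file instead of registering a broken endpoint.
if (-not (Test-PSSessionConfigurationFile -Path $pssc)) {
    throw "Session configuration file failed validation: $pssc"
}

# -Force skips the WinRM restart prompt; the endpoint is live once this returns.
Register-PSSessionConfiguration -Name Spooler_Admins -Path $pssc -Force | Out-Null

# Check: preview exactly what the mapped user gets, without connecting as them.
Get-PSSessionCapability -ConfigurationName Spooler_Admins -Username 'horus-dc\fcastle' |
    Select-Object Name, CommandType, ModuleName |
    Sort-Object CommandType, Name
```

In the resulting session, Restart-Service -Name Spooler succeeds while Restart-Service -Name WinRM (or any extra parameter such as -Force) is refused, and whoami reports a WinRM Virtual Users\WinRM VA_... identity rather than fcastle, which is the quickest confirmation that RunAsVirtualAccount took effect. Get-PSSessionCapability is also the tool to rerun after every edit to a role, since it shows the effective command set per user without anyone having to log in.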

Breaking Out of JEA

Because the JEA session runs with higher privileges (with RunAsVirtualAccount the virtual account is a local administrator), a breakout from the constrained command set means running arbitrary code as that account.
Breakouts depend on which cmdlets the role exposes, and with which parameters, so no single list covers them; the commands below are the usual starting points.
Once in the JEA session, enumerate what is available with Get-Command:
Get-Command
Some cmdlets to look out for:
Set-PSSessionConfiguration (rewrites the endpoint itself, including its session type and role definitions)
Start-Process (launches any executable as the session's account)
New-Service (registers a binary that the Service Control Manager then runs as SYSTEM)
Add-Computer (changes the machine's domain or workgroup membership)
More generally, anything that takes a script block, a file path or an arbitrary command line, or that writes files or registry values, deserves a second look. A cmdlet exposed without a Parameters restriction, or a wildcard in VisibleCmdlets, usually leaks far more than the role author intended.
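The enumeration step above, done from the client side as an added example (not code from the page): it connects to the endpoint, pulls the visible command list with the one cmdlet every restricted session allows, separates the built-in functions from what the role opened on purpose, and flags the watch-listed commands. Assumptions: host COMP1 and endpoint Spooler_Admins from the page, and that the caller is mapped to a role (otherwise the connection is refused); the watch list is an opinionated starting set, not an exhaustive one.

```powershell
# Added example, not the page's own code: from the client, enumerate what a JEA endpoint
# exposes and flag the commands that tend to turn a constrained session into full control
# of the host. Assumptions: host COMP1 and endpoint Spooler_Admins (from the page), and the
# caller is mapped to some role; the watch list is a starting set, not a complete one.
$ComputerName      = 'COMP1'
$ConfigurationName = 'Spooler_Admins'

# Functions every RestrictedRemoteServer session exposes; anything else was opened on purpose.
$defaultFunctions = 'Clear-Host', 'Exit-PSSession', 'Get-Command', 'Get-FormatData',
                    'Get-Help', 'Measure-Object', 'Out-Default', 'Select-Object'

# Commands that matter when the endpoint runs as a virtual account (local admin): they start
# arbitrary code, persist it, rewrite the endpoint, or change identity or group membership.
$watchList = @(
    'Set-PSSessionConfiguration', 'Register-PSSessionConfiguration', 'Unregister-PSSessionConfiguration'
    'Start-Process', 'Invoke-Expression', 'Invoke-Command', 'Start-Job', 'Invoke-WmiMethod', 'Invoke-CimMethod'
    'New-Service', 'Set-Service', 'Register-ScheduledTask', 'Add-Computer'
    'Copy-Item', 'Move-Item', 'Set-Content', 'Add-Content', 'Set-ItemProperty', 'New-ItemProperty'
    'Add-LocalGroupMember', 'Add-ADGroupMember', 'Set-ExecutionPolicy'
)

$session = New-PSSession -ComputerName $ComputerName -ConfigurationName $ConfigurationName
try {
    # JEA sessions are NoLanguage: only plain command invocations are accepted remotely,
    # so keep the script block to a single cmdlet and do all filtering on the client.
    $visible = Invoke-Command -Session $session -ScriptBlock { Get-Command }
}
finally {
    Remove-PSSession $session
}

$custom = $visible | Where-Object { $_.Name -notin $defaultFunctions }

"Endpoint $ConfigurationName on $ComputerName exposes $($visible.Count) commands, $($custom.Count) beyond the defaults:"
$custom | Select-Object Name, CommandType, ModuleName | Sort-Object CommandType, Name | Format-Table -AutoSize

# Executables from VisibleExternalCommands show up as Application; each one is a binary worth reading.
$apps = $custom | Where-Object { "$($_.CommandType)" -eq 'Application' }
if ($apps) { "External commands: $($apps.Name -join ', ')" }

$hits = $custom | Where-Object { $_.Name -in $watchList }
if ($hits) {
    "Review these first: $($hits.Name -join ', ')"
} else {
    'No watch-listed commands visible; next, check which parameters each exposed cmdlet still accepts.'
}

# A role capability with a wildcard (e.g. VisibleCmdlets = 'Get-*') shows up as a long list.
if ($custom.Count -gt 50) { "Warning: $($custom.Count) custom commands, likely a wildcard in VisibleCmdlets" }
```

Against the page's own configuration the script reports a single custom command, Get-Process, and nothing from the watch list; the interesting cases are endpoints where the count jumps or where something like Start-Process or New-Service appears next to a virtual account. The same enumeration, minus the connection, is what a defender gets from Get-PSSessionCapability on the host.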