قالب وردپرس درنا توس
Home / Tips and Tricks / Delegating PowerShell Scripts with Just Enough Administration (JEA) – CloudSavvy IT

Delegating PowerShell Scripts with Just Enough Administration (JEA) – CloudSavvy IT



  Powershell Logo

Have you ever wanted to delegate a task, but found that the necessary permissions can be too risky to hand out? Or do you want to lock things like creating groups in AD to enforce group naming conventions?

JEA can help you with that and much more. In this article, we will discuss how to delegate your already created scripts with PowerShell 5.1

.

What is JEA?

JEA is a PowerShell solution from Microsoft that can limit users (and administrators) to only be able to perform specific tasks in a specific PowerShell session, even if they need local administrator on the said resource. Moreover, you can be very specific. Only the commands you specify can be executed, you can only enable specific parameter values ​​and parameter values ​​corresponding to a specific pattern.

For example, you can enable Service Desk to restart only a specific service with Restart Service or only add groups to AD according to a specific naming convention. You can do all this without giving them explicit permission on a server or in AD. It is a tool that can save you a lot of time and protect your environment. Let's start by wrapping our script into a function.

Step 1: Create a function from your script

The first step if you have not already done so is to create a function from your script. This is quite simple, assuming you have already set your parameters . Below I packed my simple script "New-FolderAndShare" into a function:

  Function New-FolderAndShare {
[cmdletbinding()]
param (
# Name of the share
[parameter(Mandatory)]
        [ValidatePattern("^(Project d{5}|Team (Finance|HR|IT|Multi) [a-z ]  +) $ ")]
[string] $ ShareName,

# Directory of the new shared folder locally
[parameter(Mandatory)]
        [ValidatePattern("^(D|E|F):\Shares\$")]
        [string]  $ Path,

# Who has full access
[parameter(Mandatory)]
        [ValidateSet("^CONTOSO\")]
        [string]  $ FullAccess

)

$ FullPath = Join-Path $ Path $ ShareName
New entry -ItemType Directory -Path $ FullPath
New-SmbShare -Path $ FullPath -Name $ ShareName -FullAccess $ FullAccess

} 

You validate the parameters with ValidatePattern in the function, but if this was part of a module, you could do that in the RoleCapabilities file with VisibleFunctions .

Making the script a function gives us more control over what parameters are allowed in JEA and makes it easier to export.

Step 2: Create RoleCapabilities

The RoleCapabilities file decides what a specific role (defined in the next step) is allowed to do. This includes the commands they are allowed to execute, which parameters they can use and which modules to import.

Although RoleCapabilities can be created manually, we recommend that you use the New-PSRoleCapabilityFile command built into PowerShell. 5.1. It is also in this file that you load into the function we created in the previous step.

The following script creates a file named FileShareCreator.psrc and adds the New-FolderAndShare function (to be loaded in the current session):

  # RUN THIS IN THE SERVER WHICH WILL BE THE JEA END POINT

$ RoleCapabilitiesParam = @ {
# Define a function that will be available in the cmdlet
FunctionDefinitions = @ {
Name = & # 39; New-FolderAndShare & # 39;
# Import the code of the function
ScriptBlock = [ScriptBlock] :: Create (
(Get-Command New-FolderAndShare). Definition
)
}

# Modules used in the function must be explicitly imported
ModulesToImport = @ (
"SmbShare",
& # 39; Microsoft.PowerShell.Management & # 39;
)
Path = ".  FileShareCreator.psrc"
}

New-PSRoleCapabilityFile @RoleCapabilitiesParam 

Use Get-Command to get the function in the FunctionDefinitions parameter. You can also add the raw script with parameters.

You also specify how you can use the function in parameter VisibleCmdlet . You do this by specifying the name of the function and its parameters along with a regular expression.

Allows you to have extremely detailed control over what a user can and cannot do. But there is one caveat in doing this work: you need to add the psrc file to a module.

Step 3: Create a module for the RoleCapability file

It's time to create a module where you can use your role capabilities in. JEA finds the RoleCapabilities by the name of the psrc files without their extension, so avoid duplicates if you are going to create more role options later.

The following script is a modified version of what you find in the official JEA documentation. It creates a new module in the module folder, creates the necessary files and folders and copies the psrc file you created in step 2 into it:

  # RUN THIS IN THE SERVER THAT WILL ARE THE JEA END POINT

# Create a folder for the module
$ modulePath = Join-Path $ env: ProgramFiles "WindowsPowerShell  Modules  FileShareJEA"
New entry -ItemType Directory -Path $ modulePath

# Create an empty script module and module manifest.
# At least one file in the module folder must have the same name as the folder itself.
New-Item -ItemType File -Path (Join-Path $ modulePath "FileShareJEA.psm1")
New-ModuleManifest -Path (Join-Path $ modulePath "FileShareJEA.psd1") -RootModule "FileShareJEA.psm1"

# Create the RoleCapabilities folder and copy it to the PSRC file
$ rcFolder = Join-Path $ modulePath "RoleCapabilities"
New Item -ItemType Directory $ rcFolder
Copy-Item -Path.  FileShareCreator.psrc -Destination $ rcFolder 

You have now created a roll function and a function to use in JEA. What we need to do now is create a PowerShell session configuration to map AD groups to the roles you just created.

Step 4: Define Roles

In this step, you will create a PowerShell session configuration file that defines which roles will be assigned which Capacities (from the .. psrc file we created in Step 2 .)

You will also create the AD group and the transcript directory here.

  # Create a folder to store logs
New Item -ItemType Directory -Path & # 39; C:  ProgramData  JEAConfiguration  Transcripts & # 39; -Force

# Create an AD group (you may need to do this on a different server)
New-ADGroup -Path "OU = Groups, DC = contoso, DC = com" -Name & # 39; JEA_FILESHARE_CREATOR & # 39; -GroupScope DomainLocal

# TURN THIS IN THE SERVER WHICH WILL BE THE JEA END

# Define parameters for New-PSSessionConfigurationFile
$ PSSessionConfigurationParams = @ {
# Run as a temporary account
RunAsVirtualAccount = $ True

# That is a local administrator
RunAsVirtualAccountGroups = @ (
"administrators"
)

# Path where to store log files of what connected users are doing
TranscriptDirectory = & # 39; C:  ProgramData  JEAConfiguration  Transcripts & # 39;

# Assign an active directory group to the opportunity we created
RoleDefinitions = @ {
& # 39; CONTOSO  JEA_FILESHARE_CREATOR & # 39; = @ {
RoleCapabilities = & # 39; FileShareCreator & # 39;
}
}

# Path of the PSSC file
Path = ".  SessionConfiguration.pssc"

}
# Create the PSSC file
New-PSSessionConfigurationFile @PSSessionConfigurationParams 

Step 5: Create a PowerShell session

In this step, read the SessionConfiguration.pssc file you created in the previous step. This allows members of JEA_FILESHARE_CREATOR to connect to the server via PowerShell:

  PS51> Register-PSSessionConfiguration -Path.  SessionConfiguration.pssc -Name & # 39; JEAFileShare & # 39; -Force

PSPath: Microsoft.WSMan.Management  WSMan :: localhost  Plugin  JEAFileShare
PSParentPath: Microsoft.WSMan.Management  WSMan :: localhost  Plugin
PSChildName: JEAFileShare
PSDrive: WSMan
PSProvider: Microsoft.WSMan.Management  WSMan
PSIsContainer: true
Keys: {Name = JEAFileShare}
Name: JEAFileShare
TypeNameOfElement: Container
Type: Container 

You are done! Add a user to JEA_FILESHARE_CREATOR that cannot access the server through normal means and try it as that user by typing:

  PS51> Enter-PSSession -ComputerName fs02.contoso.com -ConfigurationName JEAFileShare
PS51> New-FolderAndShare -ShareName "Project 12345" -Path D:  Share  

You can now run the command as a temporary local administrator that is locked and is only enabled to run a few standard commands (visible with Get-Command during a session) and the function New-FolderAndShare added in the Role Capabilities file.

To see the temporarily created account, add VisibleExternalCommands @ (& # 39; c: windows system32 whoami.exe & # 39;) to your RoleCapabilities parameters in step 2 You can run whoami and see the local administrator name:

  PS51> whoami
winrm virtual users  winrm va_1_contoso_joe_helpdesk 

Summary

Using JEA can be a great and easy way to delegate tasks and secure your environment. This includes not only your own scripts, but also built-in modules and installed modules. Even though JEA can be of great added value, be careful! You can be a great risk to your environment if you delegate the wrong commands or provide the wrong parameters to unexpected individuals.

Would you like to know more?


Source link