

Using JEA as a Non-Administrator



STEP 1: To show JEA in action, you will need to use PowerShell remoting as though you were a non-administrator user. Run the following command in a new PowerShell window:   

 

$NonAdminCred = Get-Credential

Enter the credentials for your non-administrator account when prompted. If you followed the Set Up Users and Groups section, they are:

· Username = “OperatorUser”

· Password = “pa$$w0rd”

 

This creates and saves a PSCredential object for an unprivileged user that was created in the prerequisites section. 

 

STEP 2: Run the following command in your PowerShell window:

 

Enter-PSSession -ComputerName . -ConfigurationName JEA_Demo -Credential $NonAdminCred

 

You have now entered an interactive remote PowerShell session against the local machine. By using the “Credential” parameter, you have connected as though you were NonAdminUser. The change in the prompt indicates that you are operating against a remote session. 

STEP 3: Run the following in your remote command prompt:

Get-Command

 

This shows the commands that are available to the operator connecting to this JEA endpoint. As you can tell, this is a very limited subset of the commands available in a normal PowerShell window (over 1520 commands on my machine).

STEP 4: Run the following command in the remote session:

Get-UserInfo

 

This custom command shows the “ConnectedUser” as well as the “RunAsUser.” The connected user is the account that connected to the remote session (e.g. your account). The connected user does not need to have administrator privileges. The “Run As” account is the account actually performing the privileged actions. By connecting as one user, and running as a privileged user, we allow non-privileged users to perform specific administrative tasks without giving them administrative rights.

STEP 5: Run the following command in the remote session:

Restart-Service -Name Spooler -Verbose

 

Restart-Service is one of the commands listed in the above configuration. Normally, this command requires administrator privileges to run.

STEP 6: Try to run a PowerShell command that was not listed in STEP 3, such as:

Restart-Computer

 

JEA restricts which commands can be run as a privileged user. The operator is restricted to only those commands listed in STEP 3.

STEP 7: Run the following command in the remote session:

Exit-PSSession

 

This disconnects you from the remote PowerShell session.
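The checks from STEP 3 through STEP 6 can also be run non-interactively. The following is an added example, not part of the original guide: it assumes the JEA_Demo endpoint on the local machine, the $NonAdminCred credential from STEP 1, and that Get-UserInfo returns an object with ConnectedUser and RunAsUser properties; the function name Test-JeaEndpointSurface is hypothetical.

```powershell
# Added example: compare what JEA_Demo exposes with what the walkthrough describes.
# It only inspects command visibility; it never invokes Restart-Computer.
function Test-JeaEndpointSurface {
    param(
        [Parameter(Mandatory)] [pscredential] $Credential,
        [string]   $ComputerName      = '.',
        [string]   $ConfigurationName = 'JEA_Demo',
        # Commands the operator is expected to see (STEP 4 and STEP 5).
        [string[]] $MustBeVisible     = @('Get-UserInfo', 'Restart-Service'),
        # Commands that must stay hidden from the operator (STEP 6).
        [string[]] $MustBeHidden      = @('Restart-Computer')
    )

    $session = New-PSSession -ComputerName $ComputerName `
        -ConfigurationName $ConfigurationName -Credential $Credential -ErrorAction Stop
    try {
        # Inside the session, Get-Command lists only what the endpoint makes visible (STEP 3).
        $visible = Invoke-Command -Session $session -ScriptBlock { Get-Command } |
            Select-Object -ExpandProperty Name

        # Who connected versus which account the commands run as (STEP 4).
        $who = Invoke-Command -Session $session -ScriptBlock { Get-UserInfo }

        [pscustomobject]@{
            VisibleCount  = @($visible).Count
            Missing       = @($MustBeVisible | Where-Object { $_ -notin $visible })
            Unexpected    = @($MustBeHidden  | Where-Object { $_ -in $visible })
            ConnectedUser = $who.ConnectedUser   # property names are an assumption
            RunAsUser     = $who.RunAsUser
            Visible       = $visible
        }
    }
    finally {
        # Always tear the session down so the temporary RunAs account goes away.
        Remove-PSSession -Session $session
    }
}

# Reuse the credential from STEP 1, or prompt for it if this runs in a fresh window.
if (-not $NonAdminCred) { $NonAdminCred = Get-Credential }

$result = Test-JeaEndpointSurface -Credential $NonAdminCred
$result | Format-List VisibleCount, Missing, Unexpected, ConnectedUser, RunAsUser
if ($result.Missing -or $result.Unexpected) {
    Write-Warning 'JEA_Demo exposes a different command set than the walkthrough describes.'
}
```

An empty Missing and an empty Unexpected list match the behaviour described in the steps above; anything in Unexpected means the endpoint exposes more than the operator role should have.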

Key Concepts

PowerShell Remoting: PowerShell remoting allows you to run PowerShell commands against remote machines. You can operate against one or many computers, and use either temporary or persistent connections. In this demo, you remoted into your local machine with an interactive session. JEA restricts the functionality available through PowerShell remoting. For more information about PowerShell remoting, run the following command:

Get-Help about_Remote

 

“RunAs” User: When using JEA, a non-administrator “runs as” a privileged “Virtual Account.” The Virtual Account only lasts the duration of the remote session. That is to say, it is created when a user connects to the endpoint, and destroyed when the user ends the session. By default, the Virtual Account is a member of the local administrators group. On a domain controller, it is also a member of Domain Administrators.  

“Connected” User: The non-administrator user who runs as the “RunAs” user through PowerShell remoting.

Remake the Demo Endpoint

In this section, you will learn how to generate an exact replica of the demo endpoint you used in the above section. This will introduce core concepts that are necessary to understand JEA, including PowerShell Session Configurations. 





Last modified: 2019-05-04

