

Apply the PowerShell Session Configuration



To create a Session Configuration from a Session Configuration file, you need to register the file. This requires a few pieces of information:

1. The path to the Session Configuration File.

2. The name of your registered Session Configuration. This is the argument users provide to the “ConfigurationName” parameter when they connect to your endpoint.

3. [Optional] A custom SDDL that defines access conditions for this Session Configuration. This is only required for scenarios like two factor authentication. Otherwise, PowerShell uses the “RoleDefinitions” field to determine access. See this section in the appendix for more information.

To register the Session Configuration on your local machine, run the following command:

Register-PSSessionConfiguration -Name JEADemo2 -Path "$env:ProgramData\JEAConfiguration\JEADemo2.pssc"

 

Congratulations! You have set up your first JEA endpoint.
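As an added check that is not part of the original lab, the following script validates the .pssc with Test-PSSessionConfigurationFile before registering it (a misspelled key is cheaper to catch here than after a WinRM restart), removes any stale JEADemo2 registration so the script can be re-run, and then inspects what was registered. The file path and endpoint name are the lab's; the property names listed for Format-List are assumed to mirror the .pssc keys.

```powershell
# Added example: validate the session configuration file, (re)register it, and confirm the result.
$pssc = Join-Path $env:ProgramData 'JEAConfiguration\JEADemo2.pssc'

# Test-PSSessionConfigurationFile returns $false when the file does not parse or a key/value is invalid.
if (-not (Test-PSSessionConfigurationFile -Path $pssc)) {
    throw "Session configuration file '$pssc' is not valid; fix it before registering."
}

# Register-PSSessionConfiguration refuses to overwrite an existing name, so drop a stale copy first.
if (Get-PSSessionConfiguration -Name JEADemo2 -ErrorAction SilentlyContinue) {
    Unregister-PSSessionConfiguration -Name JEADemo2 -Force
}

# Registration restarts WinRM; -Force suppresses the confirmation prompt.
Register-PSSessionConfiguration -Name JEADemo2 -Path $pssc -Force | Out-Null

# The registered endpoint exposes the .pssc settings as properties (assumed to mirror the .pssc keys).
# Permission is the effective access list derived from the SDDL / RoleDefinitions.
Get-PSSessionConfiguration -Name JEADemo2 |
    Format-List Name, SessionType, RunAsVirtualAccount, RoleDefinitions, Permission
```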

Test Out Your Endpoint

Re-run the steps listed in the “Using JEA” section against your endpoint to confirm that your endpoint is operating as intended.

To ensure you are operating against your new endpoint, run the following command instead of STEP 2:

Enter-PSSession -ComputerName . -ConfigurationName JEADemo2 -Credential $NonAdminCred

Key Concepts

PowerShell Session Configuration: Sometimes referred to as PowerShell Endpoint, the figurative “place” where users connect and get access to PowerShell functionality. You can list the registered Session Configurations on your system by running Get-PSSessionConfiguration. When configured in a specific way, a PowerShell Session Configuration can be called a JEA Endpoint.

 

PowerShell Session Configuration File (.pssc): A file that, when registered, defines settings for a PowerShell Session Configuration. It contains specifications for user roles that can connect to the endpoint, the “run as” Virtual Account, and more.   

Role Definitions: The field in a Session Configuration File that defines the Role Capabilities granted to connecting users. It defines who can do what as a privileged account. This is the core of JEA’s RBAC capabilities.

SessionType: A field in a Session Configuration File that represents default settings for a Session Configuration. For JEA Endpoints, this must be set to RestrictedRemoteServer.

Security Descriptor Definition Language (SDDL): The SDDL defines who has access to an Endpoint, and is set when an Endpoint is registered. By default, access to an endpoint is limited to the groups listed in Role Definitions.

PowerShell Transcript: A file containing an “over-the-shoulder” view of a PowerShell session. You can set PowerShell to generate transcripts for JEA sessions using the TranscriptDirectory field. For more information on transcripting, check out this blog post.

Role Capabilities

Overview

In the above section, you learned that the RoleDefinitions field defines which groups have access to which Role Capabilities. You may have wondered, “What are Role Capabilities?” This section answers that question.

Introducing PowerShell Role Capabilities

PowerShell Role Capabilities define “what” a user can do at a JEA endpoint. They detail a whitelist of things like visible commands, visible applications, and more. Role Capabilities are defined by files with a “.psrc” extension.

Role Capability Contents

We will start by examining and modifying the demo Role Capability file you used before. Imagine you have deployed your Session Configuration across your environment, but you have gotten feedback that you need to change the capabilities exposed to users. Operators need the ability to restart machines, and they also want to be able to get information about network settings. In addition, the security team has told you that allowing users to run “Restart-Service” without any restrictions is not acceptable. You need to restrict the services that operators can restart.

STEP 1: Using PowerShell ISE running as an Administrator, open the following file:

"C:\Program Files\WindowsPowerShell\Modules\Demo_Module\RoleCapabilities\Maintenance.psrc"

STEP 2: You need to change the following fields to implement the changes you want to make:

Line 25, old value:

    VisibleCmdlets = 'Restart-Service'

Line 25, new value:

    VisibleCmdlets = 'Restart-Computer',
                     @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler' } },
                     'NetTCPIP\Get-*'

Line 32, old value:

    # VisibleExternalCommands = 'Item1', 'Item2'

Line 32, new value:

    VisibleExternalCommands = 'C:\Windows\system32\ipconfig.exe'

 

This contains a few interesting examples:

1. You have restricted Restart-Service. Operators will only be able to use Restart-Service with the -Name parameter, and they will only be allowed to provide “Spooler” as an argument to that parameter. If you wanted to, you could also restrict the arguments with a regular expression using “ValidatePattern”.

2. You have exposed all commands with the “Get” verb from the NetTCPIP module. Because “Get” commands typically don’t change system state, this is a relatively safe action. That being said, we strongly encourage examining every command you expose through JEA.

3. You have exposed an executable (ipconfig) using VisibleExternalCommands. You can also expose scripts with this field.

STEP 3: Save the file.

STEP 4: Re-run the steps listed in the “Using JEA” section against your endpoint to confirm that your endpoint is operating as intended.

Because you only modified the Role Capability file, you do not need to re-register the Session Configuration. This is an important point to make; PowerShell will find your updated Role Capability when a user connects.

To ensure you are operating against your new endpoint, run the following command instead of STEP 2:

Enter-PSSession -ComputerName . -ConfigurationName JEADemo2 -Credential $NonAdminCred

STEP 5: Confirm that you can restart the computer by running Restart-Computer with the -WhatIf parameter (unless you actually want to restart the computer).

Restart-Computer -WhatIf

 

STEP 6: Confirm that you can run “ipconfig” 

ipconfig

 

STEP 7: Confirm that Restart-Service only works for the Spooler service.

Restart-Service Spooler #this should work

Restart-Service WSearch #this should fail

 

STEP 8: Exit the session as before.

 

Exit-PSSession
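The checks in steps 5 through 7, and the three restrictions explained above the steps, can be run automatically from the administrator's console so that the whitelist is re-verified after every edit to Maintenance.psrc. This is an added example and not part of the lab; it assumes the JEADemo2 endpoint, the $NonAdminCred credential from the “Using JEA” section, and the role as modified in step 2. Like step 7, it really restarts the Spooler service.

```powershell
# Added example: exercise the Maintenance role's whitelist through a JEA session and
# report whether each command is allowed or denied as the role intends.
$session = New-PSSession -ComputerName . -ConfigurationName JEADemo2 -Credential $NonAdminCred

# Each check is a single command: JEA sessions run in NoLanguage mode, so only command
# invocations can be sent, not script logic. 'Allowed' is what the whitelist should produce.
$checks = @(
    @{ Name = 'Restart-Computer is visible';        Script = { Restart-Computer -WhatIf };            Allowed = $true  }
    @{ Name = 'ipconfig.exe is visible';            Script = { ipconfig /all };                       Allowed = $true  }
    @{ Name = 'NetTCPIP Get-* is visible';          Script = { Get-NetIPAddress };                    Allowed = $true  }
    @{ Name = 'Restart-Service Spooler is allowed'; Script = { Restart-Service -Name Spooler };       Allowed = $true  }
    @{ Name = 'Restart-Service WSearch is blocked'; Script = { Restart-Service -Name WSearch };       Allowed = $false }
    @{ Name = 'Restart-Service -Force is blocked';  Script = { Restart-Service -Name Spooler -Force }; Allowed = $false }
    @{ Name = 'Stop-Service is hidden';             Script = { Stop-Service -Name Spooler };          Allowed = $false }
)

$failures = 0
foreach ($check in $checks) {
    try {
        # Hidden commands and ValidateSet violations come back as errors; -ErrorAction Stop makes them catchable.
        $null = Invoke-Command -Session $session -ScriptBlock $check.Script -ErrorAction Stop
        $allowed = $true
    } catch {
        $allowed = $false
    }
    if ($allowed -eq $check.Allowed) { $status = 'PASS' } else { $status = 'FAIL'; $failures++ }
    '{0} {1}' -f $status, $check.Name
}

Remove-PSSession $session
"$failures check(s) did not match the whitelist."
```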

 

Role Capability Creation

In the next section, you will create a Session Configuration for AD Help Desk users. To prepare, we will create a blank Role Capability file to fill in for that section. To make this work, you will create a new module that will contain the role capability. In order for PowerShell to detect Role Capabilities automatically, you must put them in a “RoleCapabilities” folder in this module.

PowerShell Modules are essentially packages of PowerShell functionality. They can contain PowerShell functions, cmdlets, DSC Resources, Role Capabilities, and more. 

STEP 1: Create a “Contoso_AD_Module” folder in the modules directory.

New-Item -Path "C:\Program Files\WindowsPowerShell\Modules\Contoso_AD_Module" -ItemType Directory

 

STEP 2: Create a blank module manifest. This module manifest will contain metadata about the module you are creating.

New-ModuleManifest -Path "C:\Program Files\WindowsPowerShell\Modules\Contoso_AD_Module\Contoso_AD_Module.psd1" -RootModule Contoso_AD_Module.psm1

 

STEP 3: Create a blank script module. You’ll use this file for custom functions in the next section.

New-Item -Path "C:\Program Files\WindowsPowerShell\Modules\Contoso_AD_Module\Contoso_AD_Module.psm1" -ItemType File

 

STEP 4: Create a RoleCapabilities folder in the Contoso_AD_Module folder. PowerShell can only automatically discover Role Capabilities that are located in a “RoleCapabilities” folder within a module.

New-Item -Path "C:\Program Files\WindowsPowerShell\Modules\Contoso_AD_Module\RoleCapabilities" -ItemType Directory

 

STEP 5: Create a blank Role Capability in your RoleCapabilities folder. Running this command without any additional parameters just creates a blank template.

New-PSRoleCapabilityFile -Path "C:\Program Files\WindowsPowerShell\Modules\Contoso_AD_Module\RoleCapabilities\ADHelpDesk.psrc"

 

 

Congratulations, you have created a blank Role Capability File. It will be used in the next section.
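To confirm that the file just created is actually discoverable, the following added function (not part of the lab) mimics JEA's lookup: it walks every directory on $env:PSModulePath and looks for RoleCapabilities\<Name>.psrc under each module folder. It also flags duplicate names, because RoleDefinitions references a role capability by name alone. The function name is hypothetical, and it only inspects top-level module folders (versioned subfolders are ignored), which is a simplification.

```powershell
# Added example: resolve a role capability name the way JEA does, by file name under a module's
# RoleCapabilities folder on $env:PSModulePath (top-level module folders only; simplified).
function Find-RoleCapabilityFile {
    param([Parameter(Mandatory)][string]$Name)

    $roots = $env:PSModulePath -split ';' | Where-Object { $_ -and (Test-Path -LiteralPath $_) }
    $hits = foreach ($root in $roots) {
        foreach ($module in Get-ChildItem -LiteralPath $root -Directory -ErrorAction SilentlyContinue) {
            $candidate = Join-Path $module.FullName "RoleCapabilities\$Name.psrc"
            if (Test-Path -LiteralPath $candidate) { $candidate }
        }
    }
    $hits = @($hits)

    switch ($hits.Count) {
        0       { Write-Warning "No module on PSModulePath contains RoleCapabilities\$Name.psrc; JEA will not find it." }
        1       { Write-Verbose "Found $($hits[0])" }
        default { Write-Warning "'$Name' exists in $($hits.Count) modules and RoleDefinitions cannot tell them apart: $($hits -join '; ')" }
    }
    return $hits
}

# The file created in STEP 5 should be the single hit.
Find-RoleCapabilityFile -Name ADHelpDesk

# A module folder that is not on PSModulePath is never searched, so check that first when a
# role capability "does not exist" at connection time.
($env:PSModulePath -split ';') -contains 'C:\Program Files\WindowsPowerShell\Modules'
```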

Key Concepts

Role Capability (.psrc): A file that defines “what” a user can do at a JEA endpoint. It details a whitelist of things like visible commands, visible applications, and more. In order for PowerShell to detect Role Capabilities automatically, you must put them in a “RoleCapabilities” folder in a valid PowerShell module.

PowerShell Module: A package of PowerShell functionality. It can contain PowerShell functions, cmdlets, DSC Resources, Role Capabilities, and more. In order to be automatically loaded, PowerShell Modules must be located on $env:PSModulePath.

