End to End: Active Directory
Imagine the scope of your program has increased. You are now responsible for adding JEA to Domain Controllers so that help desk staff can perform Active Directory actions: unlocking accounts, resetting passwords, and similar tasks. You need to expose a completely new set of commands to a different group of people, and on top of that you have a number of existing Active Directory scripts to expose as well. This section walks through how to author a Session Configuration and Role Capability for this task.

Prerequisites

To follow this section step by step, you need to be operating on a domain controller. If you don't have access to a domain controller, don't worry: follow along by working against some other scenario or role with which you are familiar.

Steps to Making a New Role Capability and Session Configuration

Making a new role capability can seem daunting at first, but it can be broken into fairly simple steps:

1. Identify the tasks you need to enable
2. Restrict those tasks as necessary
3. Confirm they work with JEA
4. Put them in a Role Capability File
5. Register a Session Configuration that exposes that Role Capability

Step 1: Identify What Needs to Be Exposed

Before you make a new Role Capability or Session Configuration, you need to identify everything users will need to do through the JEA endpoint, as well as how to do each of those things through PowerShell. This involves a fair amount of requirements gathering and research, and how you go about it depends on your organization and goals. Requirements gathering and research deserve to be called out as a critical part of the real-world process; this may be the most difficult step in adopting JEA.
Find Resources

Here is a set of online resources that might have come up in your research on creating an Active Directory toolkit:

· Active Directory PowerShell Overview
· CMD to PowerShell Guide for Active Directory

Make a List

Here is a set of ten actions that you will be working from in the remainder of this section. Keep in mind this is simply an example; your organization's requirements may be different:
Step 2: Restrict Tasks as Necessary

Now that you have your list of actions, you need to think through the capabilities of each command. There are two important reasons to do this:

1. It is easy to give users more capabilities than you intend. For example, Set-ADUser is an incredibly powerful and flexible command. You may not want to expose everything it can do to help desk users.
2. Even worse, it is possible to expose commands that allow users to escape JEA's restrictions. If this happens, JEA ceases to function as a security boundary. Be careful when selecting commands: for example, Invoke-Expression allows users to run arbitrary, unrestricted code. For more discussion on this topic, see the Considerations When Restricting Commands section.

After reviewing each command, you decide to restrict the following:

1. Set-ADUser should only be allowed to run with the -Title parameter
2. Add-ADGroupMember and Remove-ADGroupMember should only work with certain groups
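The two restrictions above map directly onto the VisibleCmdlets syntax of a Role Capability file: a per-cmdlet Parameters list to allow only named parameters, and ValidateSet on a parameter to pin it to approved values. The following is an added example and not code from the original page or from Microsoft's JEA guide; the module name ADHelpDesk, the file name ADHelpDesk.psrc, the group names and the escape-command deny list are assumptions chosen for illustration. It also adds the pre-registration check a practitioner would want for the second risk described above: re-reading the generated file and flagging any exposed command that would let a user run unrestricted code.

```powershell
# Added example (not from the original page). Assumed names: module 'ADHelpDesk',
# role capability 'ADHelpDesk.psrc', groups 'HelpDesk-Managed-A' / 'HelpDesk-Managed-B'.
# Run on the machine that will host the JEA endpoint (a domain controller here).

$moduleRoot = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\ADHelpDesk'
$rcFolder   = Join-Path $moduleRoot 'RoleCapabilities'
$rcPath     = Join-Path $rcFolder 'ADHelpDesk.psrc'
New-Item -ItemType Directory -Path $rcFolder -Force | Out-Null

# Only these groups may be modified. JEA turns ValidateSet into a [ValidateSet()]
# attribute on the proxied -Identity parameter, so any other value is rejected
# before the real cmdlet ever runs.
$managedGroups = 'HelpDesk-Managed-A', 'HelpDesk-Managed-B'   # assumed names

$visibleCmdlets = @(
    # Restriction 1: Set-ADUser may only change -Title. -Identity is listed as well
    # because it is mandatory; a proxy exposing -Title alone could not be invoked.
    @{ Name = 'Set-ADUser'
       Parameters = @{ Name = 'Identity' }, @{ Name = 'Title' } }

    # Restriction 2: membership changes only against the approved groups.
    @{ Name = 'Add-ADGroupMember'
       Parameters = @{ Name = 'Identity'; ValidateSet = $managedGroups }, @{ Name = 'Members' } }
    @{ Name = 'Remove-ADGroupMember'
       Parameters = @{ Name = 'Identity'; ValidateSet = $managedGroups }, @{ Name = 'Members' } }
)

# The ActiveDirectory module must be imported in the session for the proxies to resolve.
New-PSRoleCapabilityFile -Path $rcPath -ModulesToImport 'ActiveDirectory' -VisibleCmdlets $visibleCmdlets

# Check before registering a Session Configuration: re-read the file and make sure
# nothing that escapes JEA's restrictions was exposed. The deny list is a starting
# point (assumed here), not an exhaustive one.
function Test-RoleCapabilityEscapes {
    param([Parameter(Mandatory)][string]$Path)

    $escapeCommands = 'Invoke-Expression', 'Invoke-Command', 'Start-Process',
                      'New-PSSession', 'Enter-PSSession', 'Add-Type', 'Import-Module'

    $data    = Import-PowerShellDataFile -Path $Path
    $entries = @($data.VisibleCmdlets) + @($data.VisibleFunctions) | Where-Object { $null -ne $_ }

    # Entries are either plain names or hashtables with a Name key (possibly wildcards).
    $exposed = foreach ($entry in $entries) {
        if ($entry -is [hashtable]) { $entry.Name } else { $entry }
    }

    foreach ($name in $exposed) {
        foreach ($bad in $escapeCommands) {
            # -like lets a wildcard entry such as '*' or 'Invoke-*' match and be flagged too.
            if ($bad -like $name) { [pscustomobject]@{ Exposed = $name; Matches = $bad } }
        }
    }
}

$findings = Test-RoleCapabilityEscapes -Path $rcPath
if ($findings) {
    $findings | Format-Table -AutoSize
    throw "Role capability exposes commands that can escape JEA; fix before registering."
}
```

Two caveats worth knowing when you use this pattern. ValidateSet matches the literal string the user supplies, so help desk users must pass the group exactly as listed; the distinguished name or SID of an approved group is rejected along with every unapproved group, which is the fail-closed behaviour you want but is also a frequent source of "it doesn't work" tickets. Second, -Members is left unconstrained here, so any principal can be added to the approved groups; if that is wider than intended, constrain it the same way or move the operation into a custom function that does its own checks.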
Page last modified: 2019-05-04