Step 5: Register a New Session Configuration
Next, you will create a new session configuration file that exposes your new role capability to members of the JEA_NonAdmin_HelpDesk group.
STEP 1: Create and open a new blank Session Configuration File in PowerShell ISE.
New-PSSessionConfigurationFile -Path "$env:ProgramData\JEAConfiguration\HelpDeskDemo.pssc"
ISE "$env:ProgramData\JEAConfiguration\HelpDeskDemo.pssc"
STEP 2: Modify the following fields to the following values. If you are working in your own environment, replace the JEA_NonAdmin_HelpDesk group with your own non-administrator user or group:
STEP 3: Save and register the Session Configuration.
Register-PSSessionConfiguration -Name ADHelpDesk -Path "$env:ProgramData\JEAConfiguration\HelpDeskDemo.pssc"
Test It Out!
STEP 1: Get your non-administrator user credentials.
$HelpDeskCred = Get-Credential
· Username = "HelpDeskUser"
· Password = "pa$$w0rd"
STEP 2: Remote into the machine as you did before.
Enter-PSSession -ComputerName . -ConfigurationName ADHelpDesk -Credential $HelpDeskCred
STEP 3: Use Set-ADUser to reset a user's title.
Set-ADUser -Identity OperatorUser -Title Engineer
STEP 4: Verify that the title has changed.
Get-ADUser -Identity OperatorUser -Property Title
STEP 5: Use Add-ADGroupMember to add a user to the TestGroup. Note: make sure you’ve created the TestGroup beforehand.
Add-ADGroupMember TestGroup -Member OperatorUser -Verbose
STEP 6: Exit the session:
Exit-PSSession
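The steps above assume a role capability that already exists and do not show the contents of the session configuration file. The following is an added example, not code from the original guide, that builds both ends of the chain and then runs the same test as a non-administrator. It assumes a module named JEADemoModule, a role capability named ADHelpDesk, that JEA_NonAdmin_HelpDesk is a group in the current domain ($env:USERDOMAIN), and that the ActiveDirectory module is installed; none of those names are stated on this page.

```powershell
# Added example (not from the original guide): role capability + session
# configuration + non-admin test, end to end.
# Assumptions not stated on the page: module name 'JEADemoModule', role capability
# name 'ADHelpDesk', JEA_NonAdmin_HelpDesk and HelpDeskUser live in $env:USERDOMAIN,
# and the ActiveDirectory module is installed on the target.

$ModuleName  = 'JEADemoModule'
$ModulePath  = Join-Path $env:ProgramFiles "WindowsPowerShell\Modules\$ModuleName"
$RoleCapPath = Join-Path $ModulePath 'RoleCapabilities'
New-Item -ItemType Directory -Path $RoleCapPath -Force | Out-Null
# JEA only discovers role capabilities inside a module that has a manifest.
New-ModuleManifest -Path (Join-Path $ModulePath "$ModuleName.psd1")

# Role capability: expose exactly the cmdlets the test steps use, and constrain
# their arguments. Once a cmdlet lists Parameters, only those parameters may be
# used, so Set-ADUser here can change nothing but -Title.
$UserNamePattern = '^[A-Za-z0-9._-]{1,20}$'   # sAMAccountName shape; rejects DNs, wildcards, LDAP filters
New-PSRoleCapabilityFile -Path (Join-Path $RoleCapPath 'ADHelpDesk.psrc') `
    -ModulesToImport 'ActiveDirectory' `
    -VisibleCmdlets @(
        @{ Name = 'Get-ADUser'; Parameters = @(
            @{ Name = 'Identity'; ValidatePattern = $UserNamePattern },
            @{ Name = 'Properties' }) },
        @{ Name = 'Set-ADUser'; Parameters = @(
            @{ Name = 'Identity'; ValidatePattern = $UserNamePattern },
            @{ Name = 'Title' }) },
        # ValidateSet pins -Identity to the groups the help desk may manage, so
        # this role cannot be used to add anyone to a privileged group.
        @{ Name = 'Add-ADGroupMember'; Parameters = @(
            @{ Name = 'Identity'; ValidateSet = 'TestGroup' },
            @{ Name = 'Members' }) }
    )

# Session configuration: map the group to the role and run as a virtual account.
$ConfigDir = Join-Path $env:ProgramData 'JEAConfiguration'
New-Item -ItemType Directory -Path $ConfigDir -Force | Out-Null
$PsscPath  = Join-Path $ConfigDir 'HelpDeskDemo.pssc'
$ConfigParams = @{
    Path                = $PsscPath
    SessionType         = 'RestrictedRemoteServer'  # NoLanguage mode; only proxied commands are visible
    RunAsVirtualAccount = $true                     # commands execute as a temporary privileged virtual account
    TranscriptDirectory = 'C:\JEATranscripts'       # every session is transcribed here for audit
    RoleDefinitions     = @{ "$env:USERDOMAIN\JEA_NonAdmin_HelpDesk" = @{ RoleCapabilities = 'ADHelpDesk' } }
}
New-PSSessionConfigurationFile @ConfigParams
if (-not (Test-PSSessionConfigurationFile -Path $PsscPath)) { throw "Invalid .pssc: $PsscPath" }
Register-PSSessionConfiguration -Name ADHelpDesk -Path $PsscPath -Force | Out-Null

# Test as the non-administrator: list what the role actually exposes, run the
# two allowed changes, then confirm the ValidateSet blocks an unlisted group.
$HelpDeskCred = Get-Credential -UserName "$env:USERDOMAIN\HelpDeskUser" -Message 'Help desk user'
$Session = New-PSSession -ComputerName . -ConfigurationName ADHelpDesk -Credential $HelpDeskCred
Invoke-Command -Session $Session { Get-Command | Select-Object -ExpandProperty Name }
Invoke-Command -Session $Session { Set-ADUser -Identity OperatorUser -Title Engineer }
Invoke-Command -Session $Session { Add-ADGroupMember -Identity TestGroup -Members OperatorUser }
try {
    Invoke-Command -Session $Session -ErrorAction Stop { Add-ADGroupMember -Identity 'Domain Admins' -Members OperatorUser }
} catch {
    "Blocked as expected: $($_.Exception.Message)"
}
Remove-PSSession $Session
```

The Get-Command call is the quickest sanity check of a JEA endpoint: it returns only the proxied commands plus the handful of built-ins (Get-Command, Get-Help, Select-Object, Measure-Object, Out-Default, Exit-PSSession and a few others) that a RestrictedRemoteServer session always provides. If anything else appears, the role capability is exposing more than intended.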
Key Concepts
NoLanguage Mode: When PowerShell is in "NoLanguage" mode, users may only run commands; they cannot use any language elements (variables, expressions, script blocks, member access). For more information, run Get-Help about_Language_Modes.
RunAsVirtualAccountGroups: You can use this element to set the permissions of the "RunAs" Virtual Account. The token created for the Virtual Account will appear to
PowerShell Functions: PowerShell functions are bits of PowerShell code that you can call by name. For more information, run Get-Help about_Functions.
ValidateSet/ValidatePattern: When exposing a command, you can restrict the valid arguments for specific parameters. A ValidateSet is an explicit list of the values a parameter may take. A ValidatePattern is a regular expression that the arguments for that parameter must match. Apply one of them to any exposed parameter that names a target object: in the test above, a ValidateSet on the -Identity parameter of Add-ADGroupMember that lists only TestGroup keeps the help desk role from being used to add members to a privileged group.
Multi-machine Deployment and Maintenance
At this point, you have deployed JEA to a local system several times. Because your production environment probably consists of more than one machine, it's important to walk through the critical steps in the deployment process.
High Level Steps:
1. Copy your modules (with role capabilities) to each node.
2. Copy your session configuration files to each node.
3. Run Register-PSSessionConfiguration with your session configuration.
4. Keep a copy of your session configuration and toolkits in a secure location. As you make modifications, it's good to have a "single source of truth."
Example Script
Here's an example script for deployment. To use it in your environment, you'll have to substitute the names and paths of real file shares and modules.
# First, copy the session configuration and modules (containing role capability files) onto a file share you have access to.
Copy-Item -Path 'C:\Demo\Demo.pssc' -Destination '\\FileShare\JEA\Demo.pssc'
Copy-Item -Path 'C:\Program Files\WindowsPowerShell\Modules\SomeModule\' -Recurse -Destination '\\FileShare\JEA\SomeModule'
# Second, author a setup script (C:\JEA\Deploy.ps1) to run on each individual node.
# Contents of C:\JEA\Deploy.ps1
New-Item -ItemType Directory -Path 'C:\JEADeploy'
Copy-Item -Path '\\FileShare\JEA\Demo.pssc' -Destination 'C:\JEADeploy\'
Copy-Item -Path '\\FileShare\JEA\SomeModule' -Recurse -Destination 'C:\Program Files\WindowsPowerShell\Modules'
# Remember, role capability files are found in modules. The module path under Program Files is writable only by administrators, which is what you want: a JEA user who can edit a role capability file can grant themselves any command.
# Unregister any previous copy of the configuration so the new one replaces it cleanly.
if (Get-PSSessionConfiguration -Name JEADemo -ErrorAction SilentlyContinue) {
    Unregister-PSSessionConfiguration -Name JEADemo -ErrorAction Stop
}
Register-PSSessionConfiguration -Name JEADemo -Path 'C:\JEADeploy\Demo.pssc' -SecurityDescriptorSddl 'SDDL From Single Machine Deployment Here'
Restart-Service 'WinRM'
Remove-Item -Path 'C:\JEADeploy' -Recurse   # Don't forget to clean up!
# Third, invoke the script on all of the target machines.
# Note: this requires PowerShell Remoting to be enabled on each machine. Enabling PowerShell Remoting is a requirement for using JEA as well.
Invoke-Command -ComputerName 'Node1', 'Node2', 'Node3', 'NodeN' -FilePath 'C:\JEA\Deploy.ps1'
# Finally, delete the session configuration and role capability files from the file share.
Remove-Item -Path '\\FileShare\JEA\Demo.pssc'
Remove-Item -Path '\\FileShare\JEA\SomeModule' -Recurse
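The deployment script above registers the endpoint but never checks the result, and step 4 of the high-level list asks you to keep a single source of truth. The following is an added example, not code from the original guide, that closes that loop: it validates the master .pssc, then asks every node for the configuration it actually registered and compares it to the master. The master path and node names are illustrative, and the comparison assumes that Register-PSSessionConfiguration copies the .pssc byte-for-byte into $PSHOME\SessionConfig, the path Get-PSSessionConfiguration reports as ConfigFilePath for file-backed configurations.

```powershell
# Added example (not from the original guide): post-deployment verification of
# the JEADemo endpoint across nodes, against the master copy on the file share.
# Assumptions not stated on the page: master path, node names, and that the
# registered copy at ConfigFilePath is byte-identical to the file passed to
# Register-PSSessionConfiguration.

$Master     = '\\FileShare\JEA\Demo.pssc'
$Nodes      = 'Node1', 'Node2', 'Node3'
$ConfigName = 'JEADemo'

# Never compare against a master that would not register in the first place.
if (-not (Test-PSSessionConfigurationFile -Path $Master)) {
    throw "Master $Master is not a valid session configuration file"
}
$MasterHash = (Get-FileHash -Path $Master -Algorithm SHA256).Hash

# Ask each node what it registered. Hash the registered copy rather than the
# deployment folder, because Deploy.ps1 deletes C:\JEADeploy when it finishes.
$Report = Invoke-Command -ComputerName $Nodes -ArgumentList $ConfigName -ScriptBlock {
    param($Name)
    $cfg = Get-PSSessionConfiguration -Name $Name -ErrorAction SilentlyContinue
    $out = [ordered]@{
        Node       = $env:COMPUTERNAME
        Registered = [bool]$cfg
        Hash       = $null
        Sddl       = $null
    }
    if ($cfg) {
        $out.Hash = (Get-FileHash -Path $cfg.ConfigFilePath -Algorithm SHA256).Hash
        $out.Sddl = $cfg.SecurityDescriptorSddl   # who may connect; compare with the SDDL you intended
    }
    [pscustomobject]$out
}

# Classify each node relative to the master.
foreach ($r in $Report) {
    $state = if (-not $r.Registered)          { 'MISSING' }   # Deploy.ps1 never ran, or Register failed
             elseif ($r.Hash -ne $MasterHash) { 'DRIFT' }     # endpoint changed outside the master copy
             else                              { 'OK' }
    $r | Add-Member -NotePropertyName State -NotePropertyValue $state
}
$Report | Format-Table Node, State, Registered, Sddl -AutoSize

# Fail loudly so the check can gate an automated roll-out.
if ($Report.State -contains 'MISSING' -or $Report.State -contains 'DRIFT') {
    throw 'One or more nodes do not match the master session configuration'
}
```

Run this immediately after the Invoke-Command that executes Deploy.ps1, and again on a schedule: a DRIFT result means someone re-registered or edited the endpoint on that node directly, and the fix recommended in the next section is to redeploy from the master rather than to patch the node.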
Modifying Capabilities
When dealing with many machines, it's important that modifications are rolled out in a consistent manner. Once DSC resources for JEA are available, they will help ensure your environment stays in sync. Until that time, we highly recommend you keep a master copy of your session configurations and redeploy each time you make a modification.
Removing Capabilities
To remove JEA from your systems, use the following command on each machine:
Unregister-PSSessionConfiguration -Name JEADemo
Reporting on JEA
Because JEA allows non-privileged users to run in a privileged context, logging and auditing are extremely important. In this section, we'll run through the tools you can use to help you with logging and reporting.
Reporting on JEA Actions