AUTHOR'S NOTE: THERE IS A KNOWN ISSUE WITH THE CREDENTIALS PROVIDED NOT BEING USED. TO BE SAFE, DON'T FORGET YOUR LOCAL ADMIN PASSWORD.
```powershell
# DSC pushes over WinRM, so trust this machine's own name as a client target
Set-Item WSMan:\localhost\Client\TrustedHosts -Value $env:COMPUTERNAME -Force

# This "MetaConfiguration" sets the DSC engine to reboot automatically if required
[DscLocalConfigurationManager()]
Configuration MetaConfiguration
{
    Node $env:COMPUTERNAME
    {
        Settings
        {
            RebootNodeIfNeeded = $true
        }
    }
}

MetaConfiguration
# Apply the MetaConfiguration
Set-DscLocalConfigurationManager .\MetaConfiguration

# Configure a domain controller of a new "Contoso" domain
Configuration DomainController
{
    param (
        $node,
        $cred
    )
    Import-DscResource -ModuleName xActiveDirectory

    Node $node
    {
        WindowsFeature ADDS
        {
            Ensure = 'Present'
            Name   = 'AD-Domain-Services'
        }

        xADDomain Contoso
        {
            DomainName                    = 'contoso.com'
            DomainAdministratorCredential = $cred
            SafemodeAdministratorPassword = $cred
            DependsOn                     = '[WindowsFeature]ADDS'
        }

        # Marker file written only after the domain resource has converged
        File temp
        {
            DestinationPath = 'C:\temp.txt'
            Contents        = 'Domain has been created'
            DependsOn       = '[xADDomain]Contoso'
        }
    }
}

$ConfigData = @{
    AllNodes = @(
        @{
            NodeName                    = $env:COMPUTERNAME
            PSDscAllowPlainTextPassword = $true
        }
    )
}

# Enter your desired password for the domain administrator
# (note: with PSDscAllowPlainTextPassword the password is stored in clear text in the compiled MOF)
DomainController -cred (Get-Credential -Message "Enter desired credential for domain administrator") -node $env:COMPUTERNAME -ConfigurationData $ConfigData

# Apply the configuration to create the domain controller
Start-DscConfiguration -Path .\DomainController -ComputerName $env:COMPUTERNAME -Wait -Force -Verbose
```
Your machine will restart a few times. You will know the process is complete once you see a file called "C:\temp.txt" containing "Domain has been created." Because PSDscAllowPlainTextPassword is set, the compiled MOF in the .\DomainController folder contains the domain administrator password in clear text; delete that folder once the configuration has applied, and use certificate-encrypted credentials for anything beyond a lab.

How to Install xActiveDirectory

If your machine has an active internet connection, run the following command in an Administrator PowerShell window:

Install-Module xActiveDirectory -Force

If you do not have an internet connection, install xActiveDirectory on another machine and then copy the xActiveDirectory folder to "C:\Program Files\WindowsPowerShell\Modules" on your TP3 machine. To confirm the installation, run the following command:

Get-Module xActiveDirectory -ListAvailable
Set up Users and Groups

If you created a domain from scratch (as per the Creating a Domain Controller section), you can use this section to create a few non-administrator groups and users.

```powershell
# Make groups
$NonAdminOperatorGroup = New-ADGroup -Name "JEA_NonAdmin_Operator" -GroupScope DomainLocal -PassThru
$NonAdminHelpDeskGroup = New-ADGroup -Name "JEA_NonAdmin_HelpDesk" -GroupScope DomainLocal -PassThru
$TestGroup             = New-ADGroup -Name "Test_Group" -GroupScope DomainLocal -PassThru

# Make users (lab password only; New-ADUser creates accounts disabled, so enable them afterwards)
$OperatorUser = New-ADUser -Name "OperatorUser" -AccountPassword (ConvertTo-SecureString "pa`$`$w0rd" -AsPlainText -Force) -PassThru
Enable-ADAccount -Identity $OperatorUser
$HelpDeskUser = New-ADUser -Name "HelpDeskUser" -AccountPassword (ConvertTo-SecureString "pa`$`$w0rd" -AsPlainText -Force) -PassThru
Enable-ADAccount -Identity $HelpDeskUser

# Add users to groups
Add-ADGroupMember -Identity $NonAdminOperatorGroup -Members $OperatorUser
Add-ADGroupMember -Identity $NonAdminHelpDeskGroup -Members $HelpDeskUser

# A second, empty test group
New-ADGroup TestGroup -GroupScope DomainLocal
```
On Blacklisting

After playing around with JEA, many customers ask about blacklisting commands. This is an understandable request, but it is not going to happen anytime soon. There are three primary reasons for this.

1. We designed JEA to limit operators to only the actions they need to do. A blacklist is the opposite: it exposes everything except what you remembered to deny.

2. PowerShell command authors did not design PowerShell commands with JEA in mind. On a fresh install of Windows Server 2016 TP3, there are about 1520 commands immediately available. The threat models for these commands did not include the possibility that a user would be running them as a more privileged account. For example, certain commands allow for code injection by design (e.g. Add-Type and Invoke-Command in the core PowerShell module). JEA can warn you when you expose the specific commands we know about, but we have not re-assessed every other command in Windows against the new threat model. You must understand the capabilities of the commands you are exposing through JEA.

3. Furthermore, even if JEA blocked all commands with code-injection vulnerabilities, there is no guarantee that a malicious user could not carry out a blacklisted action with another related command. Unless you understand all of the commands that you are exposing, it is impossible for you to guarantee that a certain action is not possible. The burden is on you to understand what commands you are exposing, whether through a whitelist or a blacklist. The number of commands a blacklist would expose is unmanageable, so JEA does not allow blacklists.
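The whitelist model this section argues for, shown as an added example that is not code from the JEA guide: a role capability that exposes only Get-Service and a parameter-constrained Restart-Service, mapped to the JEA_NonAdmin_Operator group created in the Users and Groups section, and a check from the operator's side that nothing else is reachable. The module name JEA_Demo, the two service names, the transcript directory and the CONTOSO NetBIOS name for the contoso.com domain are assumptions. Add-Type and Invoke-Command are not blocked anywhere here; they are simply not listed, which is the whole point of the allowlist.

```powershell
# Added example (not from the JEA guide). Assumptions: module name JEA_Demo, service names
# Spooler/W32Time, transcript path C:\JEATranscripts, NetBIOS domain name CONTOSO.
$moduleName = 'JEA_Demo'
$modulePath = Join-Path $env:ProgramFiles "WindowsPowerShell\Modules\$moduleName"
$rcPath     = Join-Path $modulePath 'RoleCapabilities'
New-Item -ItemType Directory -Path $rcPath -Force | Out-Null

# Role capability files are only discovered inside a module's RoleCapabilities folder,
# so the module needs at least a manifest.
New-ModuleManifest -Path (Join-Path $modulePath "$moduleName.psd1") -Description 'JEA role capabilities (added example)'

# Role capability: what an operator MAY do. Anything not named is not visible.
# The parameter constraint matters: an unconstrained -Name would let the operator restart
# any service on the box while running under the privileged virtual account.
New-PSRoleCapabilityFile -Path (Join-Path $rcPath 'Operator.psrc') `
    -Description 'Read service state; restart a fixed set of services' `
    -VisibleCmdlets @(
        'Get-Service',
        @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = @('Spooler', 'W32Time') } }
    )

# Session configuration: who gets which role, running as a transient virtual administrator
# account, with every session transcribed for audit.
$psccPath = Join-Path $env:ProgramData "$moduleName.pssc"
New-PSSessionConfigurationFile -Path $psccPath `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory 'C:\JEATranscripts' `
    -RoleDefinitions @{ 'CONTOSO\JEA_NonAdmin_Operator' = @{ RoleCapabilities = 'Operator' } }

Test-PSSessionConfigurationFile -Path $psccPath   # $true when the file is well-formed
Register-PSSessionConfiguration -Name $moduleName -Path $psccPath -Force | Out-Null

# Check from the operator's side (OperatorUser from the Users and Groups section).
# Get-Command should return only the allowlisted cmdlets plus the handful JEA always
# provides (Get-Command, Get-Help, Select-Object, Exit-PSSession, ...), and the
# Restart-Service call should fail: 'wuauserv' is outside the ValidateSet.
$cred = Get-Credential -UserName 'CONTOSO\OperatorUser' -Message 'Operator account'
$s = New-PSSession -ComputerName $env:COMPUTERNAME -ConfigurationName $moduleName -Credential $cred
Invoke-Command -Session $s { Get-Command | Select-Object -ExpandProperty Name }
Invoke-Command -Session $s { Restart-Service -Name 'wuauserv' } -ErrorAction Continue
Remove-PSSession $s
```

Run this on the domain controller as a domain administrator. The transcript directory should be an ACL-protected location that the connecting operators cannot write to, otherwise the audit trail can be tampered with by the people it is meant to record.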
Page last modified: 2019-05-04