Just Enough Administration (JEA)

Just Enough Administration (JEA) is a security technology that enables delegated administration for anything managed by PowerShell. With JEA, you can:

  • Reduce the number of administrators on your machines using virtual accounts or group-managed service accounts to perform privileged actions on behalf of regular users.

  • Limit what users can do by specifying which cmdlets, functions, and external commands they can run.

  • Better understand what your users are doing with transcripts and logs that show you exactly which commands a user executed during their session.
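The three bullets above map onto three settings of a JEA session configuration: a role capability file (the cmdlet allow-list), RunAsVirtualAccount (privileged actions without giving the user admin rights) and TranscriptDirectory (a record of every command). The following script, added here as an illustration and not taken from the original page or from Microsoft's documentation, builds and registers such an endpoint. The module name 'JEAExample', the endpoint name 'ITAccess', the group 'DOMAIN\HelpDesk' and the transcript path are assumptions; it must be run elevated on the host that will expose the endpoint.

```powershell
# Added example (not from the original page). Registers a JEA endpoint that lets members
# of an assumed 'DOMAIN\HelpDesk' group run a handful of service cmdlets under a virtual
# account, with every session transcribed. All names below are assumptions.
$ModuleName    = 'JEAExample'
$EndpointName  = 'ITAccess'
$HelpDeskGroup = 'DOMAIN\HelpDesk'                      # assumed group allowed to connect
$Transcripts   = 'C:\ProgramData\JEATranscripts'        # assumed transcript location

# JEA discovers role capability (.psrc) files in the RoleCapabilities folder of any module
# on $env:PSModulePath, so the file needs a (minimal) module around it.
$ModuleRoot = Join-Path $env:ProgramFiles "WindowsPowerShell\Modules\$ModuleName"
$RoleCapDir = Join-Path $ModuleRoot 'RoleCapabilities'
New-Item -ItemType Directory -Path $RoleCapDir  -Force | Out-Null
New-Item -ItemType Directory -Path $Transcripts -Force | Out-Null
New-ModuleManifest -Path (Join-Path $ModuleRoot "$ModuleName.psd1")

# Role capability: the allow-list of what a connected user may run.
# Restart-Service is additionally pinned to a fixed set of service names, so the
# delegated user cannot restart arbitrary services.
$roleCap = @{
    Path           = Join-Path $RoleCapDir 'HelpDesk.psrc'
    VisibleCmdlets = @(
        'Get-Service',
        @{ Name = 'Restart-Service'
           Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler', 'W32Time' } }
    )
}
New-PSRoleCapabilityFile @roleCap

# Session configuration: ties the group to the role, runs as a virtual account and transcribes.
$sessionConfig = @{
    Path                = Join-Path $env:TEMP "$EndpointName.pssc"
    SessionType         = 'RestrictedRemoteServer'   # no interactive language, only allow-listed commands
    RunAsVirtualAccount = $true                       # privileged work done by a transient local admin account
    TranscriptDirectory = $Transcripts                # every command in every session is recorded here
    RoleDefinitions     = @{ $HelpDeskGroup = @{ RoleCapabilities = 'HelpDesk' } }
}
New-PSSessionConfigurationFile @sessionConfig

# Validate before registering; Register-PSSessionConfiguration restarts WinRM.
if (-not (Test-PSSessionConfigurationFile -Path $sessionConfig.Path)) {
    throw "Session configuration file failed validation"
}
Register-PSSessionConfiguration -Name $EndpointName -Path $sessionConfig.Path -Force

# Confirm what a member of the group would actually see on the new endpoint
# ('DOMAIN\helpdesk.user' is an assumed account name).
Get-PSSessionCapability -ConfigurationName $EndpointName -Username 'DOMAIN\helpdesk.user' |
    Select-Object Name, CommandType
```

Because the session type is RestrictedRemoteServer, a connected user gets only the listed cmdlets plus the minimal set JEA always exposes (such as Exit-PSSession and Get-Command), and the ValidateSet on Restart-Service is enforced server-side.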

Viewing PSSession configuration

Get-PSSessionConfiguration

Get the capabilities (visible commands) a given user has in a PSSession configuration

Get-PSSessionCapability -ConfigurationName <Name> -Username <domain\user>
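An audit built on the two cmdlets above, added here as an example that is not part of the original page: for one account of interest, walk every registered endpoint, report who is granted access to it, whether the account can connect, and which commands it would be able to run there. The account name 'DOMAIN\vanessa' is an assumption, and an error from Get-PSSessionCapability is treated as "no capability information for this user on this endpoint".

```powershell
# Added example (not from the original page). Reports, per endpoint, the access list and
# what one account could run. The account name passed at the bottom is an assumption.
function Get-EndpointAccessReport {
    param(
        [Parameter(Mandatory)][string]$Username   # format: 'DOMAIN\user'
    )
    foreach ($cfg in Get-PSSessionConfiguration) {
        $caps = $null
        try {
            # Evaluates the endpoint's role definitions / ACL for this user and returns
            # the CommandInfo objects that would be visible to them.
            $caps = Get-PSSessionCapability -ConfigurationName $cfg.Name -Username $Username -ErrorAction Stop
        } catch {
            # Assumption: an error means the user has no role on this endpoint; report it as such.
            $caps = $null
        }
        $visible = if ($caps) {
            ($caps | Where-Object CommandType -ne 'Alias' | Select-Object -ExpandProperty Name | Sort-Object -Unique) -join ', '
        } else { '' }

        [pscustomobject]@{
            Endpoint            = $cfg.Name
            RunAsUser           = $cfg.RunAsUser
            RunAsVirtualAccount = $cfg.RunAsVirtualAccount
            Permission          = $cfg.Permission          # the decoded ACL as shown by Get-PSSessionConfiguration
            CanConnect          = ($null -ne $caps)
            VisibleCommands     = $visible
        }
    }
}

# Usage (assumed account name):
Get-EndpointAccessReport -Username 'DOMAIN\vanessa' | Format-List
```

Endpoints where a low-privilege account shows CanConnect as true together with a wide VisibleCommands list, or a RunAsUser / RunAsVirtualAccount setting that escalates privilege, are the ones to review first.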

Abusing capabilities

Set-PSSessionConfiguration

The Set-PSSessionConfiguration cmdlet changes the properties of the session configurations on the local computer.

With Set-PSSessionConfiguration you can add permissions to a PSSession configuration, i.e. grant an additional identity the right to connect to that endpoint.

# The identity to add permissions for
$Identity = "domain\vanessa"

# The configuration name to change permissions on (the default endpoint is 'microsoft.powershell')
$sessionConfigurationName = 'ITAccess'

# Get the current security descriptor (SDDL string) of the target endpoint
$sddl = (Get-PSSessionConfiguration -Name $sessionConfigurationName).SecurityDescriptorSddl

# Build the new Access Control Entry object.
# -1610612736 is 0xA0000000 = GenericRead | GenericExecute; Get-PSSessionConfiguration
# displays such an entry as "<identity> AccessAllowed" and it is enough to connect.
$rights = -1610612736
$IdentitySID = (New-Object -TypeName System.Security.Principal.NTAccount -ArgumentList $Identity).Translate(
	[System.Security.Principal.SecurityIdentifier])

$newAce = New-Object -TypeName System.Security.AccessControl.CommonAce -ArgumentList @(
	[System.Security.AccessControl.AceFlags]::None,
	[System.Security.AccessControl.AceQualifier]::AccessAllowed,
	$rights, $IdentitySID, $false, $null
)

# Parse the SDDL into a RawSecurityDescriptor and append the ACE if it is not already present
$rawSD = New-Object -TypeName System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $sddl
if ($rawSD.DiscretionaryAcl.GetEnumerator() -notcontains $newAce) {
	$rawSD.DiscretionaryAcl.InsertAce($rawSD.DiscretionaryAcl.Count, $newAce)
}
$newSDDL = $rawSD.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)

# Set the PSSessionConfiguration permissions (prompts for confirmation and restarts WinRM unless -Force is given)
Set-PSSessionConfiguration -Name $sessionConfigurationName -SecurityDescriptorSddl $newSDDL

# Verify the permission was added
(Get-PSSessionConfiguration -Name $sessionConfigurationName).Permission -split ', '
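The change above leaves a durable trace: an extra access-allowed ACE in the endpoint's SDDL. The following script, added here as an example and not part of the original page, decodes the DACL of every registered endpoint into (principal, ACE type, access mask) rows and flags allow entries for principals outside an expected set, which is how a defender catches this kind of addition on a scheduled check. The expected-principal list is an assumption that matches the default 'microsoft.powershell' descriptor; extend it with the groups your own endpoints are meant to grant.

```powershell
# Added example (not from the original page). Decodes each endpoint's DACL and flags
# access-allowed entries for principals outside an expected list. The default list below
# is an assumption matching the stock microsoft.powershell endpoint; adjust per host.
$ExpectedPrincipals = @(
    'BUILTIN\Administrators',
    'BUILTIN\Remote Management Users',
    'NT AUTHORITY\INTERACTIVE'
)

function Get-EndpointDaclReport {
    param(
        [string[]]$Expected = $ExpectedPrincipals
    )
    foreach ($cfg in Get-PSSessionConfiguration) {
        # Same parsing step the modification script uses, in reverse: SDDL -> ACE objects
        $sd = New-Object -TypeName System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $cfg.SecurityDescriptorSddl
        foreach ($ace in $sd.DiscretionaryAcl) {
            # Custom ACEs carry no SID; skip them rather than fail the whole report
            if (-not ($ace -is [System.Security.AccessControl.KnownAce])) { continue }
            $sid = $ace.SecurityIdentifier
            $principal = try {
                $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch {
                $sid.Value   # unresolvable (deleted account, foreign domain): keep the raw SID
            }
            [pscustomobject]@{
                Endpoint   = $cfg.Name
                Principal  = $principal
                AceType    = $ace.AceType
                AccessMask = ('0x{0:X8}' -f $ace.AccessMask)   # 0x10000000 = GenericAll, 0xA0000000 = Read|Execute
                Unexpected = ($ace.AceType -eq [System.Security.AccessControl.AceType]::AccessAllowed) -and
                             ($Expected -notcontains $principal)
            }
        }
    }
}

# Usage: show only the entries that should not be there
Get-EndpointDaclReport | Where-Object Unexpected | Format-Table -AutoSize
```

Running the report with no filter gives a baseline per host; diffing two runs, or alerting on any row with Unexpected set, surfaces a newly granted identity even when it was added outside Set-PSSessionConfiguration (for example directly through the WSMan provider).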
