Operations auditors need access to verify server logs, but they shouldnt be able
to make changes to settings or information on the server. When used as a way to
provide access to server logs, unrestricted administrative access opens the
opportunity for auditors to inadvertently make changes to business-critical
systems.
Helpdesk or front-line administrators are responsible for basic troubleshooting
tasks on a server, or server instance, but shouldnt have full administrative
access to the server itself.
A server operator who is expected to apply the latest security updates typically
requires total control over the application server, either directly or through a
tool. In addition, the operator may need to complete other tasks such as
starting or stopping services or restarting hardwarebefore and after applying
updates to system components. This full control could result in inappropriate
service shutdowns or restarts.
In an RBAC model, its hard to grant access to a service provider that is
Page 2|Just Enough Administration: Windows PowerShell security controls help protect enterprise
data
Users can perform only those tasks for which they are authorized as part of their
role by using Windows PowerShell constrained run spaces.
Users can perform required tasks without being given administrator rights on the
server.
The tasks that users are allowed to perform, and their server access, are defined
and managed from a central configuration server by using Windows PowerShell
Desired State Configuration (DSC).
Constant, detailed logging gives details about who has accessed the
environment and whats been changed.
Role Capability files. These files let you specify what actions users in a
particular role can perform. For instance, you can restrict them to using
certain cmdlets, functions, providers, and external programs. Role Capability
files are often generic for a particular role (such as DNS admin, tier 1
helpdesk, read-only inventory auditing). They are part of PowerShell modules,
and you can easily share them with others.
An example of JEA
Suppose you have users in your organization who are part of Tier 1 frontline support. These users
typically troubleshoot and perform routine tasks to help resolve issues. They can use many of
PowerShells diagnostic cmdlets to perform their troubleshooting, while having limited ability to add,
remove, or change objects.
To support such users, you can take advantage of the updated JEA Helper Tool, which helps you easily
create an endpoint definitionusing a graphical user interface (GUI). This tool guides you through
creating and deploying your own Session Configuration and Role Capability files. You can use any
cmdlets, and specify any roles, security groups, and individuals assigned to a particular role.
Benefits of JEA
Reduce the number of administrators in your environment. JEA enables
administration and management of computers without the need for privileged
credentials.
Easily create and configure your own endpoints. Set up your non-
administrators to perform specified commands, functions, scripts, and
executables as if they were administrators. With new role definitions, virtual
accounts, and other improvements, its now even easier to create and configure
endpoints, by using the JEA Toolkit Helper.
Limit what users can do, with control. Decide precisely what actions youll
let your users carry out; for instance, which cmdlets, functions, and external
commands they can run. JEA eliminates the need for elevated, privileged
administrator credentials that can be lost, stolen, or misused.
See what users are doing, with actionable logging and reporting. All
operations performed through the JEA endpoint can be recorded in the
Windows event log. These event logs show who accessed the environment
and when, and what changes were made.
Challenges
The primary challenge that Microsoft IT has faced while implementing JEA has been that many
administrators are still accustomed to using GUIs rather than the Windows PowerShell command-line
shell and scripting environment. Windows PowerShell uses common cmdlets to perform common
system administration tasks, such as managing the registry, services, processes, and event logs, and
using Windows Management Instrumentation (WMI). Beyond using JEA Windows PowerShell security
controls to help protect servers in the enterprise, Windows PowerShell proficiency is quickly becoming
a necessity in administering Windows-based systems. Although its a worthwhile time investment, this
learning curve has influenced how quickly JEA can be implemented across the production environment.
Get JEA
The current release of JEA is available on the following platforms:
Windows Server
Microsoft IT Showcase
microsoft.com/itshowcase
2016 Microsoft Corporation. All rights reserved. Microsoft and Windows are either registered trademarks or
trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies
and products mentioned herein may be the trademarks of their respective owners. This document is for
informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.