JEA - Securing Endpoints

This topic contains 6 replies, has 4 voices, and was last updated by Liam Kemp 3 months, 3 weeks ago.

    #38833
    Rhys Gottwald
    Participant

    I want to start with JEA, I just cannot seem to find out how to allow, or disallow users from connecting to the Toolkit.

    Then as a side note, when they say that JEA will delete all existing endpoints, will that disable things like PSWA and remoting, or are these not seen as an endpoint.

    TIA

    #38859
    Don Jones
    Keymaster

    JEA won't delete the default endpoints. JEA _uses_ Remoting, so it's obviously not going to entirely disable Remoting. PSWA can use whatever endpoint you tell it to, and it defaults to the default endpoint.

    Depending on which version of JEA you're using, you specify an SDDL (Security Descriptor Definition Language) to specify who can connect.

    #38885
    Rhys Gottwald
    Participant

    Thank you Don, just a follow up on your reply,
    1. How do I set who can connect,
    2. From PSWA, is the default endpoint the "sys admin", full access endpoint?

    Thank you

    #38890
    Don Jones
    Keymaster

    There is no "sys admin" endpoint, no. If you run Get-PSSessionConfiguration on a computer, you should see a session configuration (endpoint) named "Microsoft.PowerShell," I think. That's the default endpoint. If you mean, "is this the default endpoint that's wide-open that sys admins usually use," then yes.

    "How do I set who can connect" is different in different versions of JEA. For one, you might consider using the JEA Toolkit Helper (https://blogs.technet.microsoft.com/privatecloud/2014/10/24/introducing-the-jea-toolkit-helper/), which GUIs this a bit. This will let you specify users and groups, and translate them to the necessary SDDL that JEA needs. If you aren't familiar with SDDL, you should use this.

    If you look at https://msdnshared.blob.core.windows.net/media/TNBlogsFS/prod.evol.blogs.technet.com/CommunityServer.Blogs.Components.WeblogFiles/00/00/00/85/24/metablogapi/image_1C8676B7.png, the "SecurityDescriptorSddl" property is how you control who can connect. As you can see, this is a lot more complex than just listing a user name or group name, which is why people like using the GUI helper.
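To see what Don describes in practice, here is an added example (not code from the thread or from the JEA project) that lists every session configuration on a host and decodes its SecurityDescriptorSddl into readable access-control entries, so you can audit who is currently allowed to connect to each endpoint. It assumes an elevated PowerShell 5.0+ session; the endpoint names are whatever Get-PSSessionConfiguration returns on your machine, and the function name Get-EndpointAccess is my own.

```powershell
# Added example: audit who may connect to each PowerShell endpoint by
# decoding the SecurityDescriptorSddl property. Run elevated on WMF 5+.
# Get-EndpointAccess is an illustrative name, not a built-in cmdlet.

function Get-EndpointAccess {
    [CmdletBinding()]
    param()

    foreach ($cfg in Get-PSSessionConfiguration) {
        $sddl = $cfg.SecurityDescriptorSddl
        if ([string]::IsNullOrEmpty($sddl)) {
            # No explicit descriptor: the endpoint falls back to the WinRM defaults.
            [pscustomobject]@{ Endpoint = $cfg.Name; Principal = '(no SDDL set)'; Type = ''; Mask = '' }
            continue
        }

        # Parse the SDDL with the .NET security descriptor class.
        # Arguments: isContainer = $false, isDS = $false, then the SDDL string.
        $sd = New-Object System.Security.AccessControl.CommonSecurityDescriptor($false, $false, $sddl)
        if (-not $sd.DiscretionaryAcl) { continue }

        foreach ($ace in $sd.DiscretionaryAcl) {
            $sid = $ace.SecurityIdentifier
            try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $name = $sid.Value }   # unresolvable SID (deleted account, foreign domain)

            # Mask bits WinRM uses: GA 0x10000000 = full control, GX 0x20000000 = Execute (Invoke),
            # GR 0x80000000 = read, GW 0x40000000 = write.
            [pscustomobject]@{
                Endpoint  = $cfg.Name
                Principal = $name
                Type      = $ace.AceType           # AccessAllowed / AccessDenied
                Mask      = ('0x{0:X8}' -f $ace.AccessMask)
            }
        }
    }
}

# Usage:
Get-EndpointAccess | Format-Table -AutoSize
```

Anything listed with a GA or GX mask on the default Microsoft.PowerShell endpoint is a principal that can open an unrestricted remoting session on that host, which is exactly the set you want to shrink when moving people onto a JEA endpoint.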

    #38908
    Ryan Puffer
    Participant

    Hi Rhys,

    Which version of PowerShell are you using? Don's suggestions apply to all versions of JEA, but if you're using the latest version (Windows 10, Windows Server 2016 TP4+, or an older system with Windows Management Framework 5.0 installed), specifying who has access to your JEA endpoint is much easier. We split the configuration into two distinct files: role capabilities (what someone can do if they are assigned this role) and session configurations (who has access to which roles). In the session configuration file, you can simply include your user->role mappings in the RoleDefinitions field:

    RoleDefinitions = @{ 'domain\group' = @{ RoleCapabilities = 'Role1', 'Role2' } }
    

    We handle the SDDL string creation from there when you run Register-PSSessionConfiguration. A detailed walkthrough that can help you get started with JEA is available at http://aka.ms/JEA.

    Let me know if you have any other questions or need more help with the SDDL/RoleDefinitions field. I'd be happy to assist.

    Ryan
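Ryan's post describes the two-file layout (role capabilities plus a session configuration with RoleDefinitions) and says the SDDL is generated at registration time. The following is an added example, not Ryan's or Microsoft's code, that builds both files, validates the configuration, registers the endpoint and then checks what a member of the mapped group would actually get. It assumes WMF 5.0+ run elevated; the module name ExampleJea, the group CONTOSO\DnsOperators, the user CONTOSO\alice and the transcript folder are placeholders to replace with your own values.

```powershell
# Added example: end-to-end JEA endpoint on WMF 5.0+ (run elevated).
# All names below are placeholders for your own environment.

$moduleName = 'ExampleJea'
$group      = 'CONTOSO\DnsOperators'   # placeholder group
$roleName   = 'DnsOperator'

# 1. Role capability (.psrc): what a holder of this role may do.
#    The file must sit in <module>\RoleCapabilities under a PSModulePath
#    location so RoleDefinitions can reference it by name.
$modulePath = Join-Path $env:ProgramFiles "WindowsPowerShell\Modules\$moduleName"
$rcPath     = Join-Path $modulePath 'RoleCapabilities'
New-Item -ItemType Directory -Path $rcPath -Force | Out-Null
New-ModuleManifest -Path (Join-Path $modulePath "$moduleName.psd1")

New-PSRoleCapabilityFile -Path (Join-Path $rcPath "$roleName.psrc") `
    -VisibleCmdlets 'Get-Service',
                    @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'Dns' } }

# 2. Session configuration (.pssc): who gets which role.
#    RoleDefinitions keys are 'domain\group'; values name the .psrc files.
$pssc = Join-Path $env:TEMP "$moduleName.pssc"
New-PSSessionConfigurationFile -Path $pssc `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory 'C:\JeaTranscripts' `
    -RoleDefinitions @{ $group = @{ RoleCapabilities = $roleName } }

# 3. Validate before registering; a malformed .pssc is a common cause of
#    endpoints that silently refuse connections.
if (-not (Test-PSSessionConfigurationFile -Path $pssc)) {
    throw "Session configuration file failed validation: $pssc"
}

# 4. Register. The SecurityDescriptorSddl is derived from RoleDefinitions,
#    so only members of $group will be able to connect. -Force restarts WinRM.
Register-PSSessionConfiguration -Name $moduleName -Path $pssc -Force | Out-Null

# 5. Verify: the commands a specific user would see in this endpoint, and
#    the permission summary that the generated SDDL produced.
Get-PSSessionCapability -ConfigurationName $moduleName -Username 'CONTOSO\alice' |
    Select-Object Name, CommandType
(Get-PSSessionConfiguration -Name $moduleName).Permission
```

The two checks at the end are the ones worth keeping in a change procedure: Get-PSSessionCapability shows the effective command surface for a user before anyone connects, and the Permission property confirms that only the groups named in RoleDefinitions were written into the endpoint's SDDL.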

    #38921
    Rhys Gottwald
    Participant

    Thank you for the feedback, I will play with this all a bit more during the week and come back to you. It is making sense now.

    Ryan I am on W2012R2 and WMF5

    #41591
    Liam Kemp
    Participant

    Hi Rhys,
    I'm also getting started with JEA – As Ryan said, the latest incarnation, which you have – is much easier than the prior ones. It's even easier if you watch Ryan's Play-by-Play on Pluralsight that was released only a week or so ago (If you aren't a Pluralsight customer – I'd really recommend signing up for the trial at the very least, just to watch this.)
    https://www.pluralsight.com/courses/play-by-play-just-enough-administration
    Liam

    • This reply was modified 3 months, 3 weeks ago by Liam Kemp.