Skip to content

Latest commit

 

History

History
 
 

jea

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
README.md
README.md
 
 
TOC.MD
TOC.MD
 
 
common-role-capability-pitfalls.md
common-role-capability-pitfalls.md
 
 
considerations-when-limiting-commands.md
considerations-when-limiting-commands.md
 
 
creating-a-domain-controller.md
creating-a-domain-controller.md
 
 
docfx.json
docfx.json
 
 
end-to-end---active-directory.md
end-to-end---active-directory.md
 
 
introduction.md
introduction.md
 
 
key-concepts-used-throughout-this-guide.md
key-concepts-used-throughout-this-guide.md
 
 
multi-machine-deployment-and-maintenance.md
multi-machine-deployment-and-maintenance.md
 
 
on-blacklisting.md
on-blacklisting.md
 
 
prerequisites.md
prerequisites.md
 
 
remake-the-demo-endpoint.md
remake-the-demo-endpoint.md
 
 
reporting-on-jea.md
reporting-on-jea.md
 
 
role-capabilities.md
role-capabilities.md
 
 
using-jea.md
using-jea.md
 
 

README.md

description manager ms.topic author ms.prod keywords ms.date title ms.technology
dongill
article
jpjofre
powershell
powershell,cmdlet,jea
2016-06-22
README
powershell

Just Enough Administration

Just Enough Administration (JEA) is a security technology that enables delegated administration for anything that can be managed with PowerShell. With JEA, you can:

  • Reduce the number of administrators on your machines by leveraging virtual accounts that perform privileged actions on behalf of regular users.
  • Limit what users can do by specifying which cmdlets, functions, and external commands they can run.
  • Better understand what your users are doing with "over the shoulder" transcriptions that show you exactly what commands a user executed during a session.

Why is this important?
Consider the common scenario where your DNS servers are co-located with your Active Directory Domain Controllers. Your DNS administrators need to have local administrator privileges to fix issues with the DNS server, but in order to do so you have to make them members of the highly privileged "Domain Admins" security group. This approach effectively gives DNS Administrators control over your whole domain and access to all resources on that machine.

With JEA in place, you can configure a role for your DNS administrators that gives them access to all the commands they need to get their job done, but nothing more. This means you can provide the appropriate access to repair a poisoned DNS cache without unintentionally giving them rights to Active Directory, or to browse the file system, or run potentially dangerous scripts. Better yet, when the JEA session is configured to use one-time privileged virtual accounts, your DNS administrators can connect to the server using unprivileged credentials and still be able to run privileged commands.

Availability

JEA is being developed in parallel to Windows Server 2016, and is available on older versions of Windows through Windows Management Framework updates. The current release of JEA is available on the following platforms:

Windows Server

Windows Client

* Support for virtual accounts in JEA sessions is currently not available on Windows Server 2008 R2 or Windows 7.

Explore the experience guide

Ready to learn how to author, deploy, and use your own JEA endpoint?

This guide gets you started quickly with a pre-built JEA endpoint to get an idea of what the end-user experience is like, then walks you through recreating an endpoint from scratch to help demonstrate concepts like session configurations and Role Capabilities.

  1. Introduction
    Briefly review why you should care about JEA

  2. Prerequisites
    Explains how to set up your environment

  3. Using JEA
    Helps you start by understanding the operator experience of using JEA

  4. Remake the Demo
    Create a JEA Session Configuration from scratch

  5. Role Capabilities
    Learn about how to customize JEA capabilities with Role Capability Files

  6. End to End - Active Directory
    Make a whole new endpoint for managing Active Directory

  7. Multi-machine Deployment and Maintenance
    Discover how deployment and authoring changes with scale

  8. Reporting on JEA
    Discover how to audit and report on all JEA actions and infrastructure

  9. Appendixes

Start authoring your own JEA endpoints

It's easy to author a JEA endpoint -- all you need is a JEA-enabled system and a text editor (like PowerShell ISE). One helpful tip to get started is to create skeleton files using New-PSRoleCapabilityFile -Path <path> and New-PSSessionCapabilityFile -Path <Path> without any other arguments. These skeleton files contain all of the applicable configuration fields along with helpful comments to explain what each field can be used for.

To make authoring JEA endpoints even easier, check out the JEA Toolkit Helper which provides a GUI with which you can author Session Configuration and Role Capability files. It even supports generating Role Capabilities based on PowerShell logs to start you off with the commands your users regularly run to get their jobs done.