My Website

Main website: show.admoss.info

Wednesday, August 2, 2023

PowerShell JEA

Just Enough Admin (JEA)

High-privilege access to machines via PowerShell is a security risk. JEA exposes only the PowerShell commands and components needed to perform a task, and no more.

It accomplishes this through the combination of a role capability file and a session configuration file.

Role Capability

The role capability file determines WHAT can be done. It is created using the command:
New-PSRoleCapabilityFile -Path .\MyFirstJEARole.psrc

Session Configuration

The Session Configuration file determines WHO can perform the role. It is created using the command:
New-PSSessionConfigurationFile -SessionType RestrictedRemoteServer -Path .\MyJEAEndpoint.pssc
Once the session configuration file has been created and edited, it can be tested with:
Test-PSSessionConfigurationFile -Path .\MyJEAEndpoint.pssc
Finally, the configuration file can be registered using:
Register-PSSessionConfiguration -Path .\MyJEAEndpoint.pssc -Name 'JEAMaintenance' -Force
Once registered, a user with the specified role can access PowerShell on the JEA endpoint with:
$nonAdminCred = Get-Credential
Enter-PSSession -ComputerName localhost -ConfigurationName JEAMaintenance -Credential $nonAdminCred
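
The steps above, put together as one script. This is an added example, not part of the original post: the module name MyJEAModule, the group CONTOSO\JEA_Maintenance, the user CONTOSO\alice, the transcript path and the Spooler restriction are all assumptions chosen for illustration. It also shows where the role capability file has to live and how the session configuration ties a group to that role.

```powershell
# Added example; module, group, user and paths are assumed placeholder values.
# Run from an elevated Windows PowerShell session on the machine hosting the endpoint.

# Role capability files are only found by name when they sit in a
# RoleCapabilities folder inside a module on $env:PSModulePath.
$modulePath = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\MyJEAModule'
New-Item -ItemType Directory -Path (Join-Path $modulePath 'RoleCapabilities') -Force | Out-Null
New-ModuleManifest -Path (Join-Path $modulePath 'MyJEAModule.psd1')

# WHAT: read-only service queries, plus restart of one named service only.
$roleParams = @{
    Path           = Join-Path $modulePath 'RoleCapabilities\MyFirstJEARole.psrc'
    VisibleCmdlets = 'Get-Service',
        @{ Name = 'Restart-Service'
           Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler' } }
}
New-PSRoleCapabilityFile @roleParams

# WHO: members of one group get the role. Commands run as a temporary
# virtual account, so the connecting user needs no admin rights of their own.
$sessionParams = @{
    Path                = '.\MyJEAEndpoint.pssc'
    SessionType         = 'RestrictedRemoteServer'
    RunAsVirtualAccount = $true
    TranscriptDirectory = 'C:\ProgramData\JEA\Transcripts'
    RoleDefinitions     = @{
        'CONTOSO\JEA_Maintenance' = @{ RoleCapabilities = 'MyFirstJEARole' }
    }
}
New-Item -ItemType Directory -Path $sessionParams.TranscriptDirectory -Force | Out-Null
New-PSSessionConfigurationFile @sessionParams

# Refuse to register a file that does not validate.
if (-not (Test-PSSessionConfigurationFile -Path $sessionParams.Path)) {
    throw "Session configuration file failed validation: $($sessionParams.Path)"
}

# Registering restarts WinRM, which drops existing remote sessions.
Register-PSSessionConfiguration -Path $sessionParams.Path -Name 'JEAMaintenance' -Force

# Audit: list exactly which commands a given user would see on this endpoint.
Get-PSSessionCapability -ConfigurationName 'JEAMaintenance' -Username 'CONTOSO\alice' |
    Select-Object Name, CommandType
```

Review the Get-PSSessionCapability output before handing out access: any command listed there runs with the virtual account's privileges, so a single overly broad cmdlet or wildcard in the role file undoes the restriction.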
