Control IT access with Windows JEA PowerShell toolkit

Just Enough Administration restricts administrative access to the bare necessities for user tasks, giving organizations more control over security.

IT security professionals often talk about servers and applications in terms of an attack surface. Although a great deal of work often goes into hardening operating systems and applications to reduce that potential attack surface, it is possible for the IT staff to become the attack surface.

Many cyberattacks make use of malware to gain access to the system that is being attacked. Like any other piece of software, malware is limited by its current security context. For example, a piece of malware that someone with basic user rights accidentally runs will likely do far less damage than might occur if the user who launched the malware was an administrator.

Just enough permissions with JEA PowerShell toolkit

IT professionals have long accepted the idea that the removal of administrative rights improves security. However, stripping the entire IT staff of their administrative access is not a practical option. IT staff members must have the necessary permissions in order to do their jobs.

This is where Just Enough Administration comes into play. Just Enough Administration (JEA) is a PowerShell toolkit designed to help an organization improve its overall security by restricting administrative access.

JEA is a form of role-based access control. The idea is to grant IT staff members exactly the level of permissions they need to do their jobs -- nothing more, nothing less. Even so, JEA is different from traditional role-based access control, which is typically based around an elaborate set of permissions. In contrast, JEA is based around restricting the PowerShell cmdlets that a particular user is allowed to run and then preventing the user from connecting to the target server as an administrator.

Use Run As account instead of managing permissions

This raises the question of how a standard user can perform administrative tasks without using administrative permissions. The key to understanding how this works is to realize that the user never logs onto the server console directly. Instead, the user logs onto a standard workstation and then uses the JEA PowerShell toolkit to establish a remote session with the server that they are managing. The user logs in using their own limited credentials, but makes use of a Run As account to perform any actions requiring elevated permissions.

On the surface, the use of a Run As account might not seem any better than granting administrative permissions to the user's account. However, there is a very important distinction between the two accounts. A user account that has been granted administrative privileges is essentially a domain administrator. The Run As account used by JEA is local to the server being managed. The account does not have domain admin privileges, which means the user is never transmitting domain-level administrative credentials across the network.

The Just Enough Administration PowerShell toolkit doesn't just rely on a creative use of accounts to improve security. It also restricts the PowerShell cmdlets the user is allowed to run. This ensures that the user is able to run the cmdlets required to do their job, but no extra cmdlets.

Just Enough Administration involves creating a remote session to the server that is being managed. PowerShell remoting sessions can be restricted through the use of a session configuration file or through a script. The Just Enough Administration toolkit allows these restrictions to be configured through a simple text file that controls which PowerShell cmdlets the user will be authorized to run. The Just Enough Administration toolkit can also be set up to perform auditing. That way, if a user were to attempt an unauthorized action, the action would be blocked and logged for later review.
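As an added illustration (not code from the toolkit or from this article), the following sketch builds such a restricted endpoint with the JEA cmdlets built into Windows PowerShell 5.0 and later, rather than with the toolkit's own configuration file. The group CONTOSO\PrintOperators, the PrintMaintenance names and all paths are hypothetical; the example assumes an elevated session on a member server.

```powershell
# Added example. Run elevated on the managed server (Windows PowerShell 5.0+).
# All names and paths below are hypothetical placeholders.

# A role capability file is only discovered inside a module's RoleCapabilities folder.
$moduleRoot = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\PrintMaintenanceJEA'
New-Item -ItemType Directory -Path (Join-Path $moduleRoot 'RoleCapabilities') -Force | Out-Null
New-ModuleManifest -Path (Join-Path $moduleRoot 'PrintMaintenanceJEA.psd1')

# Role capability: the only cmdlets the connecting user will see.
# Restart-Service is further limited to a single service name.
$role = @{
    Path           = Join-Path $moduleRoot 'RoleCapabilities\PrintMaintenance.psrc'
    VisibleCmdlets = @(
        'Get-Service',
        @{ Name       = 'Restart-Service'
           Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler' } }
    )
}
New-PSRoleCapabilityFile @role

# Session configuration: who may connect, which role they get, what identity
# commands run under, and where the audit transcripts are written.
$transcripts = 'C:\ProgramData\JEA\Transcripts'
New-Item -ItemType Directory -Path $transcripts -Force | Out-Null
$session = @{
    Path                = 'C:\ProgramData\JEA\PrintMaintenance.pssc'
    SessionType         = 'RestrictedRemoteServer'   # NoLanguage mode, minimal default commands
    RunAsVirtualAccount = $true                      # temporary account local to this server
    TranscriptDirectory = $transcripts               # one transcript per session
    RoleDefinitions     = @{
        'CONTOSO\PrintOperators' = @{ RoleCapabilities = 'PrintMaintenance' }
    }
}
New-PSSessionConfigurationFile @session

# Refuse to register a file that does not validate.
if (-not (Test-PSSessionConfigurationFile -Path $session.Path)) {
    throw "Invalid session configuration: $($session.Path)"
}
Register-PSSessionConfiguration -Name 'PrintMaintenance' -Path $session.Path -Force

# From the operator's workstation, signed in with limited credentials:
#   Enter-PSSession -ComputerName <server> -ConfigurationName PrintMaintenance
#   Get-Command     # lists only the commands made visible above
```

Registering the configuration restarts the WinRM service, so existing remote sessions to the server are dropped. Commands outside the visible set fail inside the session, and the transcript directory records what each connected user ran.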

The Just Enough Administration toolkit can greatly improve security in organizations in which certain users are required to perform a very specific set of administrative tasks. The primary disadvantage to using this toolkit is that it is PowerShell-oriented. PowerShell is capable of being used as an administrative tool, but there will likely be a learning curve for the users who will be using it.
