Adding and Using JEA in Your Windows Environment

Using JEA in Your Windows Environment:

When a User Group Has Unnecessary Admin Rights

Imagine this scenario: You are a systems engineer. You are tasked with managing user and group access controls. Your company’s two-person NOC team has admin rights to perform triage work. Eventually, you discover that your company is compromised and has been for an unknown length of time.

Forensic analysis identifies that one of the NOC admin accounts was used to create a rogue domain admin account. The attackers have admin rights over the domain and have been running rampant.

As a security consultant, I’ve seen many examples where the main breach happens because a user group has unnecessary administrative rights. In searching for a solution, my research brought me to Microsoft’s answer, Just Enough Administration (JEA).

Microsoft created JEA to adapt the principle of least privilege (POLP) to an administrator. This tool allows you to give a user specific administrative functions on a case-by-case scenario, while keeping this user in the parameters of that confined scenario.

JEA vs. Admin Accounts

Often admin groups are created for users who only need a limited set of admin functionality – yet their group membership has handed them the full keys to the digital kingdom. While this is the easiest and fastest way to get these employees the access required to do their jobs, this practice makes those users targets for phishing, social engineering and other internal or external attacks.

A popular example of the value of JEA is Edward Snowden. Snowden was given full administrative access to systems containing US government information – but he seemingly did not need that level of access to effectively perform his job duties. His case highlights the importance of the principle of least privilege. His admin role reportedly gave him full access to classified data.

How many companies have user groups with admin level credentials, with full access to documents, files, and more – which they do not need to be able to access in order to perform their job? JEA solves this problem: it enables you to give just enough access for a user to perform his/her duties without opening all doors unnecessarily.

Understanding JEA (Just-Enough-Administration)

But how does it work? JEA uses a session created by an administrator that can be accessed by any user or any user you specify.

The user simply logs into a running JEA session and they have the means to run commands directly permitted for anyone who accesses the session. JEA utilizes PowerShell which is provided as a Desired State Configuration (DSC) resource that configures devices with JEA endpoints (toolkits).

Each endpoint is a toolkit of well-defined cmdlets, functions, and parameters that connecting users can run. For example, you might configure a toolkit for SQL Server administrators that provides access to PowerShell cmdlets and functions required to manage SQL Server, another for IIS. Using JEA in Your Windows Environment.

References