Just Enough Administration (JEA) Configuration

What is Just Enough Administration (JEA)?

Just Enough Administration (JEA) is a security technology that enables delegated administration for anything managed by PowerShell. JEA uses PowerShell's Remoting and Constrained Endpoints to reduce risk by limiting what users can do.

Benefits of JEA

• Reduces the number of administrators in your environment
• Limits the scope of administrative powers
• Helps achieve compliance by providing audit logs of administrative actions
• Improves security by reducing attack surface

JEA Configuration Steps

1. 1. Enable PowerShell Remoting

   Run the following command in an elevated PowerShell prompt:

   Enable-PSRemoting -Force

2. 2. Create a JEA Role Capability File

   Create a new PowerShell script file with a .psrc extension, for example:

   New-PSRoleCapabilityFile -Path "C:\JEA\ADUserManagement.psrc"

   Edit the file to define allowed cmdlets, functions, and parameters.

3. 3. Create a JEA Session Configuration File

   Create a PowerShell session configuration file:

   New-PSSessionConfigurationFile -Path "C:\JEA\ADUserManagement.pssc"

   Edit the file to specify role definitions and session settings.

4. 4. Register the JEA Configuration

   Register the session configuration:

   Register-PSSessionConfiguration -Path "C:\JEA\ADUserManagement.pssc" -Name "ADUserManagement" -Force

5. 5. Grant Users Access to the JEA Endpoint

   Use Set-PSSessionConfiguration to grant users or groups access:

   Set-PSSessionConfiguration -Name "ADUserManagement" -ShowSecurityDescriptorUI

Example: JEA for Active Directory User Management

Here's a basic example of a role capability file for AD user management:

@{
  VisibleCmdlets = @(
    'Get-ADUser',
    @{ Name = 'Set-ADUser'; Parameters = @{ Name = 'GivenName'; ValidateSet = @('*') } },
    @{ Name = 'Set-ADUser'; Parameters = @{ Name = 'Surname'; ValidateSet = @('*') } },
    'Unlock-ADAccount'
  )
  VisibleFunctions = 'Get-ADUserStatus'
}
  

This configuration allows users to view AD users, change first and last names, and unlock accounts.

Best Practices for JEA

• Use separate JEA endpoints for different administrative tasks
• Implement strict auditing and logging for JEA sessions
• Regularly review and update JEA configurations
• Use parameter validation to further restrict allowed actions
• Combine JEA with Privileged Identity Management (PIM) for enhanced security

Troubleshooting JEA

• Use Get-PSSessionConfiguration to verify registered configurations
• Check event logs for PowerShell related events
• Use Test-PSSessionConfigurationFile to validate configuration files
• Enable PowerShell script block logging for detailed auditing