JEA (Just Enough Administration) for DNS Server

Just Enough Administration (JEA) is a security technology that lets us delegate only the administration rights needed to complete specific tasks, for anything that can be managed through PowerShell.

By implementing JEA we can accomplish the following goals:

  • Reduce the number of full administrators on a server
  • Limit what delegated users can do
  • Gain a better understanding of what administrators are doing

In this post I'll show how to implement JEA for a DNS server.

First we have to log in to the DNS server (using PowerShell or RDP). For this demo I used PowerShell remoting. Enter the login credentials if prompted.

# Using PowerShell Direct (from the Hyper-V host)
Enter-PSSession -VMName col-dc1

# Using PowerShell Remoting
Enter-PSSession -ComputerName col-dc1

Change to the PowerShell module folder and create a folder for the DNS module. For this I created a folder called DNSOps and changed into it, so the files created in the next steps land inside the module.

cd 'C:\Program Files\WindowsPowerShell\Modules'
mkdir DNSOps
cd .\DNSOps

Next, create a module manifest file. In this file we can provide general information about the module, such as a description and the minimum PowerShell version required.

New-ModuleManifest .\DNSOps.psd1

Next we have to create a role capability file, which describes what someone can do in a JEA session. A role capability is a PowerShell data file with the .psrc extension that lists all the cmdlets, functions, providers, and external programs that should be made available to connecting users.

For clarity I create a new folder called RoleCapabilities (the folder name JEA searches for role capability files inside a module) and create the file there.

mkdir RoleCapabilities
New-PSRoleCapabilityFile -Path .\RoleCapabilities\DNSOps.psrc

In the role capability file I added the following. Much more granular settings are possible in this file; I only added a few here, so refer to the docs for more.

# Cmdlets to make visible when applied to a session
# VisibleCmdlets = 'Invoke-Cmdlet1', @{ Name = 'Invoke-Cmdlet2'; Parameters = @{ Name = 'Parameter1'; ValidateSet = 'Item1', 'Item2' }, @{ Name = 'Parameter2'; ValidatePattern = 'L*' } }
VisibleCmdlets = @{Name= 'Restart-Service'; Parameters = @{ Name='Name' ; Validateset = 'DNS'}}

# Functions to make visible when applied to a session
# VisibleFunctions = 'Invoke-Function1', @{ Name = 'Invoke-Function2'; Parameters = @{ Name = 'Parameter1'; ValidateSet = 'Item1', 'Item2' }, @{ Name = 'Parameter2'; ValidatePattern = 'L*' } }
VisibleFunctions = 'Add-DnsServerResourceRecord','Clear-DnsServerCache','Get-DnsServerResourceRecord','Remove-DnsServerResourceRecord'

# External commands (scripts and applications) to make visible when applied to a session
# VisibleExternalCommands = 'Item1', 'Item2'
VisibleExternalCommands = 'C:\Windows\System32\whoami.exe'

VisibleCmdlets – Here we define which cmdlets are available when the session starts. In this example I only allow restarting the DNS service: if the administrator tries to restart any other service, the command is denied.

VisibleFunctions – Here we define which functions are allowed in the session. The DnsServer module's commands are implemented as PowerShell functions rather than compiled cmdlets, so the DNS commands I allow go in this list.

VisibleExternalCommands – Here we define any external (non-PowerShell) commands that are allowed; for this I allowed the whoami command.

Next we need to create a session configuration file. Session configurations determine who can use the JEA endpoint and which role(s) they will have access to. They also define global settings that apply to users of any role in the JEA session.

New-PSSessionConfigurationFile .\DNSOps.pssc

In the session configuration file I added the following. Refer to the docs for more info.

# Whether to run this session configuration as the machine's (virtual) administrator account
RunAsVirtualAccount = $true

# User roles (security groups), and the role capabilities that should be applied to them when applied to a session
# RoleDefinitions = @{ 'CONTOSO\SqlAdmins' = @{ RoleCapabilities = 'SqlAdministration' }; 'CONTOSO\ServerMonitors' = @{ VisibleCmdlets = 'Get-Process' } }
RoleDefinitions = @{'AD\DNSops' = @{RoleCapabilities = 'DNSOps'}}

Above I enable the use of a virtual account instead of the connecting user's domain account, and assign the role capabilities defined earlier to the domain group named DNSops.

There is one more thing we need to do before testing: we need to register this session configuration, so let's do that first.

Register-PSSessionConfiguration -Name DNSOps -Path .\DNSOps.pssc

After the command completes, the new session configuration appears in the list of registered session configurations.
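The steps above, collected into one script that builds the same DNSOps module end to end (this is an added example, not the original post's code). It assumes the module name DNSOps, the AD group AD\DNSops and the allow-list from the post; the transcript folder C:\JEATranscripts and the description strings are my own choices. It also validates the .pssc before registering it and records a transcript of every operator session, which is what gives the "know what administrators are doing" goal some teeth.

```powershell
# Added example: builds the DNSOps JEA module end to end on the DNS server.
# Assumes the module name DNSOps and the AD group AD\DNSops from the post;
# C:\JEATranscripts is an assumed transcript location.
$moduleName  = 'DNSOps'
$moduleRoot  = Join-Path $env:ProgramFiles "WindowsPowerShell\Modules\$moduleName"
$rcFolder    = Join-Path $moduleRoot 'RoleCapabilities'   # JEA only looks in this folder name
$transcripts = 'C:\JEATranscripts'

New-Item -ItemType Directory -Path $rcFolder, $transcripts -Force | Out-Null

# Module manifest: the module exists only to carry the role capability file.
New-ModuleManifest -Path (Join-Path $moduleRoot "$moduleName.psd1") `
    -Description 'JEA role capabilities for DNS operators'

# Role capability: the same allow-list as in the post, written via parameters.
# Restart-Service is only usable with -Name DNS; the DnsServer commands are
# functions (CDXML), which is why they belong under VisibleFunctions.
$rcParams = @{
    Path                    = Join-Path $rcFolder "$moduleName.psrc"
    Description             = 'Day-to-day DNS record and cache management'
    VisibleCmdlets          = @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'DNS' } }
    VisibleFunctions        = 'Add-DnsServerResourceRecord', 'Clear-DnsServerCache',
                              'Get-DnsServerResourceRecord', 'Remove-DnsServerResourceRecord'
    VisibleExternalCommands = 'C:\Windows\System32\whoami.exe'
}
New-PSRoleCapabilityFile @rcParams

# Session configuration: virtual account, restricted session type, role mapping,
# and a transcript folder so every command a DNS operator runs is recorded.
$scParams = @{
    Path                = Join-Path $moduleRoot "$moduleName.pssc"
    SessionType         = 'RestrictedRemoteServer'
    RunAsVirtualAccount = $true
    TranscriptDirectory = $transcripts
    RoleDefinitions     = @{ 'AD\DNSops' = @{ RoleCapabilities = $moduleName } }
}
New-PSSessionConfigurationFile @scParams

# Validate the .pssc before registering; a bad file fails here instead of at connect time.
if (-not (Test-PSSessionConfigurationFile -Path $scParams.Path)) {
    throw "Session configuration file $($scParams.Path) is invalid"
}

# Registering restarts the WinRM service, so run this locally or over PowerShell
# Direct rather than from an ordinary remoting session that would be dropped.
Register-PSSessionConfiguration -Name $moduleName -Path $scParams.Path -Force | Out-Null

# Confirm the endpoint exists and who is permitted to connect to it.
Get-PSSessionConfiguration -Name $moduleName | Select-Object Name, Permission
```

Run it in an elevated PowerShell on the DNS server. The transcript folder should be readable only by the people who review it, since the virtual account writes there on behalf of every operator.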

Now I'll log in to the DNS server as james, who is a member of the DNSOps AD group.

Enter-PSSession -ComputerName col-dc1 -ConfigurationName DNSOps -Credential ad\james

When I log in to the server and check the current user, we can see that we are logged in as the virtual account.

Now let's verify which commands are allowed in this session. As you can see below, when I enter Get-Command I can only see the few commands allowed by the role capability settings.
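The same three checks (identity, visible commands, and the Restart-Service restriction) as a script an operator or auditor can run from a workstation, added here as an example rather than taken from the post. It assumes the DNSOps endpoint on col-dc1 and the user ad\james from the post; the list of JEA's built-in helper commands is the default set a RestrictedRemoteServer session exposes.

```powershell
# Added example: checks the DNSOps endpoint from an operator workstation.
# Assumes the endpoint DNSOps on col-dc1 and the user ad\james from the post.
$cred    = Get-Credential -UserName 'ad\james' -Message 'DNS operator account'
$session = New-PSSession -ComputerName col-dc1 -ConfigurationName DNSOps -Credential $cred

# 1. Identity inside the session: a WinRM virtual account, not james's own account.
$whoami = Invoke-Command -Session $session { whoami.exe }
"Running as: $whoami"   # expected to start with 'winrm virtual users\'

# 2. Command surface: only the allow-listed commands plus JEA's built-in helpers.
$visible  = Invoke-Command -Session $session { Get-Command | Select-Object -ExpandProperty Name }
$expected = 'Restart-Service', 'Add-DnsServerResourceRecord', 'Clear-DnsServerCache',
            'Get-DnsServerResourceRecord', 'Remove-DnsServerResourceRecord'
$builtIn  = 'Clear-Host', 'Exit-PSSession', 'Get-Command', 'Get-FormatData',
            'Get-Help', 'Measure-Object', 'Out-Default', 'Select-Object'

$missing    = $expected | Where-Object { $_ -notin $visible }
$unexpected = $visible  | Where-Object { $_ -notin $expected -and $_ -notin $builtIn }
if ($missing)    { Write-Warning "Not exposed by the role: $($missing -join ', ')" }
if ($unexpected) { Write-Warning "Exposed but not in the allow-list: $($unexpected -join ', ')" }

# 3. Parameter validation: the ValidateSet must refuse any service other than DNS.
#    (Restarting DNS itself is not attempted here, as it would interrupt name resolution.)
try {
    Invoke-Command -Session $session { Restart-Service -Name Spooler } -ErrorAction Stop
    Write-Warning 'Restart-Service accepted a service other than DNS; check the ValidateSet'
} catch {
    "Denied as intended: $($_.Exception.Message)"
}

Remove-PSSession $session
```

Any warning from this script means the endpoint exposes more, or less, than the role capability file intended, so it is worth running again after every change to the .psrc or .pssc files.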