Testing

JEA comes with three demo endpoint configurations, which we can use as references to create the endpoint. These demo files are located at C:\Program Files\WindowsPowerShell\Modules\xJea\0.2.16.6\Examples. Demo1.ps1 includes the following:

cls
configuration Demo1
{
    Import-DscResource -module xjea

    # Toolkit: the commands (and parameter limits) the endpoint exposes
    xJeaToolKit Process
    {
        Name = 'Process'
        # CSV here-string: header row first, then one command per line.
        # The closing "@ must start at the beginning of its line.
        CommandSpecs = @"
Name,Parameter,ValidateSet,ValidatePattern
Get-Process
Get-Service
Stop-Process,Name,calc;notepad
Restart-Service,Name,,^A
"@
    }

    # Endpoint: the session configuration that publishes the toolkit
    xJeaEndPoint Demo1EP
    {
        Name = 'Demo1EP'
        Toolkit = 'Process'
        SecurityDescriptorSddl = 'O:NSG:BAD:P(A;;GX;;;WD)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)'
        DependsOn = '[xJeaToolKit]Process'
    }
}

# Compile the configuration into C:\JeaDemo
Demo1 -OutputPath C:\JeaDemo

# Apply the configuration and report every error except HRESULT 0x803381fa
Start-DscConfiguration -Path C:\JeaDemo -ComputerName localhost -Verbose -wait -debug -ErrorAction SilentlyContinue -ErrorVariable errors
if($errors | ? FullyQualifiedErrorId -ne 'HRESULT 0x803381fa')
{
    $errors | Write-Error
}

start-sleep -Seconds 30 #Wait for WINRM to restart

# Connect to the new endpoint and list what it exposes
$s = New-PSSession -cn . -ConfigurationName Demo1EP
Invoke-command $s {get-command} |out-string
Invoke-Command $s {get-command stop-process -Syntax}
# Enter-pssession $s
Remove-PSSession $s
#EOF

The preceding script is laid out so that it is easy for readers to follow. When you use it in PowerShell, make sure there are no extra line breaks.

As per the endpoint configuration, users are allowed to use only the following cmdlets:

  • Get-Process
  • Get-Service
  • Stop-Process,Name,calc;notepad
  • Restart-Service,Name,,^A

According to the preceding configuration, the Stop-Process cmdlet can only be used to stop the calculator and notepad processes. But it allows you to use the Restart-Service, Get-Process, and Get-Service cmdlets without limitation.

In order to deploy the endpoint, we can use .\Demo1.ps1:

Once it's successfully executed, we can verify the new PowerShell session configuration using this:

Get-PSSessionConfiguration

The following screenshot shows the output for the preceding command:

The next step is to connect to a new endpoint. This can be done using the following:

Enter-PSSession -ComputerName localhost -ConfigurationName demo1ep

In the preceding command, -ConfigurationName defines the endpoint name.

As soon as we run the command, the system connects to the endpoint and changes the path to C:\Users\JSA-Demo1EP\Documents:


This user is set up by JEA as part of the installation process. It is the PowerShell session account. This account is also a member of the local Administrators group:

The following figure confirms the members of the local Administrators security group:

Once the session is connected, we can test it with an allowed command first. According to the configuration, we are allowed to run the Get-Service command without any limits:

The user I logged in to this computer with is a local administrator. So, I have enough privileges to restart the computer using the Restart-Computer cmdlet. But when I use the command through the endpoint, it should not allow me to do so according to the endpoint configuration:

So, it is working as expected. Users are allowed to use only the commands permitted by the endpoint configuration. This configuration is not going to be valid for another computer unless the same endpoint configuration is used.
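The manual checks above (confirm the session configuration, connect, try an allowed and a disallowed command) can be repeated as one script. This is an added example, not part of the xJea demos; the function name Test-JeaEndpoint is hypothetical, and it assumes Demo1EP is already deployed on the local computer and that the script runs from an elevated prompt.

```powershell
# Added example: repeatable check of a deployed JEA endpoint (local computer only).
function Test-JeaEndpoint {
    param(
        [Parameter(Mandatory)][string]   $ConfigurationName,
        [Parameter(Mandatory)][string[]] $ExpectedCommand,  # what the toolkit should expose
        [Parameter(Mandatory)][string[]] $DeniedCommand     # what must stay unreachable
    )

    # 1. The endpoint is registered; Permission shows who may connect to it.
    $config = Get-PSSessionConfiguration -Name $ConfigurationName -ErrorAction Stop
    [pscustomobject]@{ Check = 'Registered'; Item = $config.Name; Result = $config.Permission }

    $session = New-PSSession -ComputerName localhost -ConfigurationName $ConfigurationName
    try {
        # 2. Names of everything visible inside the constrained session.
        $visible = Invoke-Command -Session $session -ScriptBlock { Get-Command } |
            Select-Object -ExpandProperty Name

        foreach ($name in $ExpectedCommand) {
            [pscustomobject]@{ Check = 'Exposed'; Item = $name; Result = ($visible -contains $name) }
        }
        foreach ($name in $DeniedCommand) {
            [pscustomobject]@{ Check = 'Hidden'; Item = $name; Result = ($visible -notcontains $name) }
        }

        # 3. Visible commands that were not listed as expected: review these by hand.
        foreach ($name in ($visible | Where-Object { $ExpectedCommand -notcontains $_ })) {
            [pscustomobject]@{ Check = 'Unlisted'; Item = $name; Result = 'review' }
        }
    }
    finally {
        # Always close the session, even if a check throws.
        Remove-PSSession -Session $session
    }
}

Test-JeaEndpoint -ConfigurationName Demo1EP `
    -ExpectedCommand Get-Process, Get-Service, Stop-Process, Restart-Service `
    -DeniedCommand Restart-Computer |
    Format-Table -AutoSize
```

A False in the Result column for an Exposed or Hidden row means the endpoint does not match the intended toolkit. The Unlisted rows also include the helper commands every constrained session provides, such as Get-Command itself.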

The Demo2.ps1 endpoint configuration is focused on the file server administrator:

cls
configuration Demo2
{
    Import-DscResource -module xjea

    # Toolkit: the commands the endpoint exposes
    xJeaToolKit SMBGet
    {
        Name = 'SMBGet'
        # CSV here-string; the closing "@ must start at the beginning of its line
        CommandSpecs = @"
Module,Name,Parameter,ValidateSet,ValidatePattern
SMBShare,get-*
"@
    }

    # Endpoint: the session configuration that publishes the toolkit
    xJeaEndPoint Demo2EP
    {
        Name = 'Demo2EP'
        Toolkit = 'SMBGet'
        SecurityDescriptorSddl = 'O:NSG:BAD:P(A;;GX;;;WD)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)'
        DependsOn = '[xJeaToolKit]SMBGet'
    }
}

# Compile the configuration into C:\JeaDemo
Demo2 -OutputPath C:\JeaDemo

# Apply the configuration and report every error except HRESULT 0x803381fa
Start-DscConfiguration -Path C:\JeaDemo -ComputerName localhost -Verbose `
    -wait -debug -ErrorAction SilentlyContinue -ErrorVariable errors
if($errors | ? FullyQualifiedErrorId -ne 'HRESULT 0x803381fa')
{
    $errors | Write-Error
}

start-sleep -Seconds 30 #Wait for WINRM to restart

# Connect to the new endpoint and list what it exposes
$s = New-PSSession -cn . -ConfigurationName Demo2EP
Invoke-command $s {get-command} |out-string
# Enter-pssession $s

Remove-PSSession $s
#EOF

The preceding script is laid out so that it is easy for readers to follow. When you use it in PowerShell, make sure there are no extra line breaks.

As per the preceding script, the system will allow you to use the following cmdlets without restriction:

  • SMBShare
  • get-*

The following screenshot shows the output for the Get-PSSessionConfiguration command:

We can connect to the second endpoint using the following:

Enter-PSSession -ComputerName localhost -ConfigurationName demo2ep

Once connected, Get-Command lists all the available commands in the endpoint:

As expected, it allows you to run only the allowed cmdlets. In this test, we have used the Get-SMBShare cmdlet, which is allowed, and Restart-Computer, which isn't allowed:


Demo3.ps1 provides the endpoint to manage and navigate through the filesystem:

cls
configuration Demo3
{
    Import-DscResource -module xjea

    # Toolkit: filesystem navigation and management commands
    xJeaToolKit FileSystem
    {
        Name = 'FileSystem'
        # CSV here-string: the Module column is left empty, so each row starts
        # with a comma. The closing "@ must start at the beginning of its line.
        CommandSpecs = @"
Module,name,Parameter,ValidateSet,ValidatePattern
,Get-ChildItem
,Get-Item
,Copy-Item
,Move-Item
,Rename-Item
,Remove-Item
,Copy-ItemProperty
,Clear-ItemProperty
,Move-ItemProperty
,New-ItemProperty
,Remove-ItemProperty
,Rename-ItemProperty
,Set-ItemProperty
,Get-Location
,Pop-Location
,Push-Location
,Set-Location
,Convert-Path
,Join-Path
,Resolve-Path
,Split-Path
,Test-Path
,Get-PSDrive
,New-PSDrive
,out-file
"@
        Ensure = 'Present'
    }

    # Endpoint: the session configuration that publishes the toolkit
    xJeaEndPoint Demo3EP
    {
        Name = 'Demo3EP'
        ToolKit = 'FileSystem'
        Ensure = 'Present'
        DependsOn = '[xJeaToolKit]FileSystem'
    }
}

# Compile the configuration into C:\JeaDemo
Demo3 -OutputPath C:\JeaDemo

# Apply the configuration and report every error except HRESULT 0x803381fa
Start-DscConfiguration -Path C:\JeaDemo -ComputerName localhost -Verbose `
    -wait -debug -ErrorAction SilentlyContinue -ErrorVariable errors
if($errors | ? FullyQualifiedErrorId -ne 'HRESULT 0x803381fa')
{
    $errors | Write-Error
}

start-sleep -Seconds 30 #Wait for WINRM to restart
# This endpoint allows you to navigate the filesystem but not see
# the CONTENTS of any of the files

$s = New-PSSession -cn . -ConfigurationName Demo3EP
Invoke-command $s {dir 'C:\Program Files\Jea\Activity\ActivityLog.csv'}
Invoke-Command $s {get-content `
    'C:\Program Files\Jea\Activity\ActivityLog.csv'}
# Enter-pssession $s

Remove-PSSession $s
#EOF

The preceding script is laid out so that it is easy for readers to follow. When you use it in PowerShell, make sure there are no extra line breaks.

This endpoint configuration allows you to use the following cmdlets:

  • Get-ChildItem
  • Get-Item
  • Copy-Item
  • Move-Item
  • Rename-Item
  • Remove-Item
  • Copy-ItemProperty
  • Clear-ItemProperty
  • Move-ItemProperty
  • New-ItemProperty
  • Remove-ItemProperty
  • Rename-ItemProperty
  • Set-ItemProperty
  • Get-Location
  • Pop-Location
  • Push-Location
  • Set-Location
  • Convert-Path
  • Join-Path
  • Resolve-Path
  • Split-Path
  • Test-Path
  • Get-PSDrive
  • New-PSDrive
  • out-file

This explains how we can use JEA endpoints to limit the use of privileges to specific tasks. These demo scripts can be used to build your own configuration. There are lots of examples available on GitHub. You can access the JEA GitHub page at https://github.com/PowerShell/JEA.
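When building your own configuration from these demos, it helps to review what each CommandSpecs row restricts before deploying it. The following is an added example, not xJea code; the function name Get-CommandSpecSummary is hypothetical, and the way it reads a row (described in its comments) is an assumed, simplified model of the CSV columns shown in the demos.

```powershell
# Added example, not xJea code. Assumed reading of a CommandSpecs row:
#   no Parameter            -> the command is exposed with all of its parameters
#   Parameter only          -> only that parameter is exposed, with any value
#   ValidateSet / Pattern   -> values for that parameter are limited
#                              (ValidateSet entries are separated by ';')
function Get-CommandSpecSummary {
    param([Parameter(Mandatory)][string] $CommandSpecs)

    # Split into lines and drop blanks so stray line breaks do not become rows.
    $rows = $CommandSpecs -split '\r?\n' | Where-Object { $_.Trim() } | ConvertFrom-Csv

    foreach ($row in $rows) {
        $restriction = if (-not $row.Parameter) {
            'None: all parameters exposed'
        } elseif ($row.ValidateSet) {
            'Values in set: ' + (($row.ValidateSet -split ';') -join ', ')
        } elseif ($row.ValidatePattern) {
            'Values matching regex: ' + $row.ValidatePattern
        } else {
            'Parameter exposed, any value'
        }

        [pscustomobject]@{
            Module      = $row.Module               # empty when the header has no Module column
            Command     = $row.Name
            Parameter   = $row.Parameter
            Restriction = $restriction
            Wildcard    = $row.Name -match '[*?]'   # a wildcard name exposes a whole family of commands
        }
    }
}

# Demo1's CommandSpecs value, copied from the configuration on this page.
$demo1 = @"
Name,Parameter,ValidateSet,ValidatePattern
Get-Process
Get-Service
Stop-Process,Name,calc;notepad
Restart-Service,Name,,^A
"@

Get-CommandSpecSummary -CommandSpecs $demo1 | Format-Table -AutoSize
```

Rows reported with no restriction or with Wildcard set to True are the ones to look at first when deciding whether a toolkit grants more than the task needs.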
