Introducing the updated JEA Helper Tool

Hello Readers!

Just Enough Administration (JEA) is one of the very exciting security features coming with Windows Management Framework (WMF) 5.0, and that you can also find in Windows Server 2016 Technical Preview 4 (TP4).

For those of you not familiar with JEA’s features and benefits, you can have a look at the experience guide available here.

With earlier previews, we had made available the JEA Toolkit Helper, as a way to help start the experience of creating and testing the JEA “toolkits” – which defined what users can do in JEA sessions.

Today, we’re publishing a newer version of this tool, now called the “JEA Helper Tool 2.0”. The new name reflects the fact that JEA no longer deals with “toolkits”, but with “role capabilities” and “session configurations”, which are now built on top of the underlying PowerShell infrastructure.  The updated version number reflects how JEA has evolved in recent previews. In other words, you should not try to use the previous “JEA Toolkit Helper 1.0” with a recent version of JEA, as it does not understand the news concepts recently introduced.

image

To be fair, starting with JEA today and working with its new concepts should be easier now, and many of you may not even need to use the tool to get started – and that’s a good thing! That being said, there are still a few situations where the tool can help people new to JEA start their journey:

  • Discovering cmdlets and modules, to build a role capability through a graphical user interface. Role capabilities syntax tend to become more complex as you add parameters and validations for those parameters. The tool gives you a syntax to use – that you can copy/paste into your own role capabilities, or just leverage as a learning point
  • Getting visibility into how role capabilities map to sessions configurations on the design machine
  • Helping generate the “Security Descriptor Definition Language” (SDDL) syntax when you want to use Two-Factor Authentication
  • Understanding the different cmdlets offered in WMF to work with JEA (create role capabilities, register configuration sessions, etc) – the tool is written in PowerShell, so you can look at the script underneath, to understand how it creates, maps, tests, registers, unregisters sessions on the local machine

The tool also implements several best practices from the experience guide, as detailed in the last part of this blog post

We hope you find this tool useful, and look forward to the feedback. Happy holidays!


Download Location and Requirements

You can get the tool from this location

BC-DLButtonDark

Per the experience guide, JEA requires either:

  • an instance of Windows Server 2016 TP4 instance running
  • an instance of Windows Server 2012 or 2012 R2 with WMF 5.0 RTM

Features

The JEA Helper Tool 2.0 includes the following features:

List, edit and create for role capabilities on the local machine

This tab provides a simple and basic way to display/edit an existing Role Capability, or create/edit a new one. This provides access to other sections of a Role Capability (not just “VisibleCmdlets” and “VisibleFunctions”).

image

Design the “VisibleCmdlets” and “VisibleFunctions” sections

This includes graphically picking the cmdlets and modules, generating the list from the current PowerShell audit log, and/or adding Service Management Automation (SMA) Runbooks (this last piece of optional, and requires a SMA endpoint to be configured the scripts parameters)

image

image

You can then copy/paste in your own Role Capabilities (when editing them in the first tab for example)

Visualize, register, unregister mapping of Role Capabilities to Session Configurations

image

Features like “Resultant Set” are also available for a specific selected row (remember that the tool also uses the script window to display status and outputs)

image

You can also test the Session Configuration for a specific user (you will be prompted for credentials)

image

image

The tool will warn you if it cannot execute one of these tasks, for example if you’re trying to test a Session Configuration invoking Active Directory cmdlets and the Active Directory PowerShell module is not present locally.

As you can see in the bottom part of the screenshot, it is also possible to create new session configurations manually, or copying from an existing one

SDDL output generation

This tab helps to generate the “Security Descriptor Definition Language” (SDDL) format you can use to secure the JEA sessions. In particular, this may be interesting when you want to leverage two-factor authentication, which requires a custom SDDL.

clip_image001


Best practices included in the tool

The tool tries to help with a few pitfalls and best practices from the experience guide, including:

  • Syntax for parameters, ValidateSet and ValidatePattern in Role Capabilities (output window in the second tab)
  • Grouping rows together for a single cmdlet
  • Removing ValidateSet if ValidatePattern is also used
  • Assigning commands to the appropriate “VisibleCmdlets” or “VisibleFunctions” section, depending on their command type. It also warns when it cannot determine the actual command type (if you are adding commands from a module not present locally, for example)