Great if you are playing a game of cards, particularly a high stakes poker game, not so great if you are trying to secure your corporate resources. “Man up, and defend yourselves!” said Ex NSA Director Michael Hayden. Difficult, when all our Administrators have a handful of ACEs!
Quick revision time: An Access Control Entry (ACE) is found in an Access Control List (ACL). Typically IT Pros refer to ACEs and ACLs, pluralising the acronyms rather than the words. The ACEs in an ACL determine what access rights a trustee has to a securable object. There are two types of ACLs: Discretionary Access Control List (DACLs) that contain Access-denied ACE and Access-allowed ACE, and System Access Control List (SACLs) that contain System-audit ACE. So DACLs grant or stop resource use, SACLs track who or what succeeded or failed that usage.
So how do we regulate what ACEs our Administrators hold? After all, they’re Admins; and by definition we totally trust our Admins, we have to! “Pardon Mr Snowden, you’re leaving?? But …” We do not, we can not trust our Administrators to hold all the top cards any longer. It’s not a personal issue, a lot of administration is automated; click a button on a web page and you can provision an entire Active Directory (AD) environment in Azure in a matter of minutes, literally. Organisations, corporations, governments, the local optometrist, all need a method of abstracting the necessary permissions – the ACEs – from the physical persona of the Administrator. For both the sake of the Admin, and his area of responsibility, let’s find a method of taking all the picture cards (including ACEs) away from Admins and only giving them Just Enough Administration rights to carry out their assigned tasks.
Without any more fanfare, let’s introduce JEA. Just Enough Administration (JEA) is a recent release of a Windows PowerShell Desired State Configuration (DSC) resource and configuration script that constrains administrative rights and permissions on both local and remote servers. In essence, any commands an Admin wishes to run on a server will run in a local administrative context, restricted to a subset of commands, and only for that session. Brilliant! I can now, through the use of the JEA Toolkit, chose what modules, what cmdlets, and even what parameters can be used for each Administrator, for each session, for each server! And, most importantly, through the SACLs, audit success and failures for every resource. As you can see, in the screenshots below, I can choose the modules, the security group, and then read the script to ensure I get the correct configuration.
This is just scratching the surface of what is available in JEA. For how to configure, manage, and create the JEA Endpoints used in constrained delegation, follow the links to download, read, and implement what will become the standard for administering your servers in the future.