Just Enough Administration, also known as JEA, is a new feature in Windows Server 2016 that I like to think of as a lower-level version of the famous Linux sudo, built around what Microsoft calls “least privilege.”
What is JEA?
Using PowerShell scripts, JEA is a role-based security feature that reduces the number of high-level administrators in your environment by delegating only the absolutely relevant tasks to lower-level administrators who need certain privileges to get their job done.
For example, imagine you have to fix a poisoned DNS cache. You could log in as administrator via PowerShell to access the DNS permissions, but there’s an inherent risk in being administrator just for that one task of fixing your DNS cache.
After all, the binary nature of administration on Windows Server has, to date, meant that everything is pretty black and white: either you’re an administrator or you’re not.
There’s no in between.
Kind of a stupid idea up until this point, if you ask me. An administrator can certainly fix the DNS cache he was told to repair, but he could also install malware or key logging software, or wreak havoc on a large network. No one wants to assume that risk, and the trusted admins maintaining their Windows Server 2016 infrastructures probably didn’t like being bombarded with a gazillion phone calls about minor changes that someone else should be able to take care of (you know, if they had enough permissions but not too many).
This is why Microsoft’s team introduced JEA, the low-level security feature that gives those lower-level administrators “just enough administration” without going overboard and giving them the permissions to ransack the whole thing.
Why not use RBAC?
Yes, you’re probably wondering why they haven’t used role-based access control (RBAC). In case you’re not familiar with RBAC, this also grants restricted access to authorized users. However, RBAC in its current form is limited; while it allows you to delegate access to specific users to perform some admin commands in AD, these tools are specific to the application for which they were written. That means this role-based security cannot be used for DNS, IIS, or Hyper-V — not to mention some applications out in the wild don’t support RBAC at all.
PowerShell remoting with JEA
This is where JEA shines: in the PowerShell department. It’s a generic role-based access control solution pre-installed on Windows Server 2016 that uses PowerShell and adds that expected RBAC functionality to anything that can be managed through PowerShell.
It’s through PowerShell that users connect to the server via a JEA endpoint created by a trusted admin. Trusted admins still exist and manage the whole process, but they give you only the limited access you need, so that you can take care of what you need to take care of and nothing more.
You’ll connect with $NonAdminCred, a non-admin credential: you’re getting some heightened access without the full administrative credentials that usually go along with it. Your commands run under a one-time virtual account that is locally permissioned as an administrator on the machine. Using JEA, you get to run commands with elevated permissions without actually signing in with those full permissions, as the system required previously. You’re getting just enough permissions to get your job done, nothing more.
That’s something I can wrap my head around.
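To make the DNS cache scenario concrete, here is an added example (not code from the original article or from Microsoft) of a trusted admin building a JEA endpoint and an operator using it with $NonAdminCred. The module name DnsJEA, the role DnsCacheOperator, the endpoint DnsMaintenance, the group CONTOSO\DnsOperators, the user CONTOSO\alice and the server dns01 are all assumed names.

```powershell
# Added example; run the first part on the DNS server as a trusted admin.
# Assumed names: DnsJEA, DnsCacheOperator, DnsMaintenance, CONTOSO\DnsOperators, dns01.
$module = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\DnsJEA'
$roles  = Join-Path $module 'RoleCapabilities'
$logs   = 'C:\ProgramData\DnsJEA\Transcripts'
New-Item -ItemType Directory -Path $roles, $logs -Force | Out-Null

# Role capability files are only discovered inside a valid module on PSModulePath.
New-ModuleManifest -Path (Join-Path $module 'DnsJEA.psd1')

# The role: the only commands the operator will see in the session.
# DnsServer commands are CDXML functions (check with Get-Command), so they are
# listed under VisibleFunctions and the module is imported into the session.
New-PSRoleCapabilityFile -Path (Join-Path $roles 'DnsCacheOperator.psrc') `
    -ModulesToImport 'DnsServer' `
    -VisibleFunctions 'Clear-DnsServerCache', 'Show-DnsServerCache'

# The endpoint: locked-down session, temporary virtual account, full transcript.
$pssc = Join-Path $module 'DnsMaintenance.pssc'
New-PSSessionConfigurationFile -Path $pssc `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory $logs `
    -RoleDefinitions @{ 'CONTOSO\DnsOperators' = @{ RoleCapabilities = 'DnsCacheOperator' } }

if (-not (Test-PSSessionConfigurationFile -Path $pssc)) { throw 'Invalid session configuration' }
Register-PSSessionConfiguration -Name 'DnsMaintenance' -Path $pssc -Force

# Review what a given member actually gets before handing the endpoint over.
Get-PSSessionCapability -ConfigurationName 'DnsMaintenance' -Username 'CONTOSO\alice'

# --- On the operator's workstation, with a non-admin account ---
$NonAdminCred = Get-Credential
Invoke-Command -ComputerName 'dns01' -ConfigurationName 'DnsMaintenance' `
    -Credential $NonAdminCred -ScriptBlock { Clear-DnsServerCache -Force }
```

On a domain controller the virtual account is a member of Domain Admins rather than local Administrators, so the visible command list is the real boundary: keep it short and review the transcripts.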