Problem scenario
You want to let a non-administrator user perform a subset of Windows administrator-level functions. Specifically, you want to give a user with limited privileges the ability to check the local software firewall rules so they can validate that the rules are configured appropriately. The account should otherwise remain limited. You want to adhere to the recommended practice of least privilege and use JEA (Just Enough Administration) to grant the extra capability. What do you do to give a user a narrow set of privileges without making them a Windows server administrator?
Solution
Prerequisites
This assumes you have a local user with limited privileges including the ability to log in remotely. If you do not know how to create a local user with limited privileges see this posting. If you do not know how to give the user access to log in remotely see this posting.
Procedures
Steps 1 through 3 are optional. Doing them will help you see what JEA does.
1. Start a PowerShell session as this user (for example from another server in the same workgroup or domain, or from the same server while you are logged in as an administrator). Run a command like this, replacing "coolhn" with the server name and "jane" with the local username:
$pss = New-PSSession -ConfigurationName Microsoft.PowerShell -ConnectionUri http://coolhn:5985/wsman -Credential jane
2. Run this command: Enter-PSSession $pss
3. Try a command to prove that the access is limited: Show-NetFirewallRule
# You should see "access is denied". If the command succeeds instead, the user is not limited and you may not need JEA for this account.
4. Now set up JEA. Open a PowerShell Window as an Administrator. Run these commands (remember you can replace "sample" with a word of your choice as long as you are consistent):
cd c:\
mkdir tempb
mkdir .\tempb\transcript
cd tempb
New-PSRoleCapabilityFile -Path c:\tempb\sample.psrc
5. Edit the file created above (c:\tempb\sample.psrc). Underneath the commented-out "# VisibleCmdlets" line, add this single line:
VisibleCmdlets = 'Show-NetFirewallRule', 'Get-EventLog', 'Write-EventLog'
# Back up the original file under a different name before saving your changes.
6. Make sure the edited file is still called sample.psrc. Notepad sometimes appends a .txt extension when saving; if it did, rename the file from PowerShell, for example:
mv samplenew.psrc.txt sample.psrc
# Note: JEA only loads a role capability file from a RoleCapabilities folder inside a module on $env:PSModulePath. The session configuration in step 8.c declares the same VisibleCmdlets inline, so this file documents the role but is not loaded by the endpoint as configured here.
7. Run this command: New-PSSessionConfigurationFile -Path c:\tempb\sample.pssc -Full
8.a. Open c:\tempb\sample.pssc (the file created above) and make the following changes.
8.b. Insert this line underneath the commented-out "# TranscriptDirectory" line. This is where JEA writes an over-the-shoulder transcript of everything run in the session, so it should be a directory the user cannot modify:
TranscriptDirectory = 'C:\tempb\transcript\'
8.c. Insert a line like this underneath the commented-out "# RoleDefinitions" line, changing "coolhn" to the hostname of your server and "jane" to the desired username:
RoleDefinitions = @{'coolhn\jane' = @{ VisibleCmdlets = 'Show-NetFirewallRule', 'Get-EventLog', 'Write-EventLog' }}
8.d. Uncomment "RunAsVirtualAccount = $true" by removing the "#" and the leading space before the letter "R". The user's commands then run as a temporary local administrator account that exists only for the life of the session; the user never holds those rights directly, which is why the list of visible cmdlets must stay short.
8.e. Set "SessionType" to RestrictedRemoteServer so the session exposes only the cmdlets in the role definition plus a handful of basics such as Get-Command and Exit-PSSession. It should look like this:
SessionType = 'RestrictedRemoteServer'
8.f. Save the file and back up the original under a different name, so that only one file is left to carry the original name.
8.g. Make sure the edited file is called sample.pssc. Notepad sometimes appends a .txt extension when saving; if it did, rename the file from PowerShell, for example:
mv samplenew.pssc.txt sample.pssc
8.h. Run this command to register the endpoint (Test-PSSessionConfigurationFile will validate the .pssc first and return True if it is well formed):
Register-PSSessionConfiguration -Name sample -Path 'C:\tempb\sample.pssc'
8.i. Run this command: Restart-Service WinRM
8.j. Run this command, replacing "coolhn" with the hostname of your server and "jane" with the limited user:
Enter-PSSession -ComputerName coolhn -ConfigurationName sample -Credential jane
# Enter the password of the "jane" user.
8.k. If you are connecting from the PowerShell ISE, ignore the pop-up "Failed to refresh. 'The term 'Get-Module' is not recognized...". It comes from the ISE's Commands add-on, which refreshes its list by running Get-Module, and that cmdlet is not visible inside the restricted session. Just click "OK".
8.l. Use this command as a test and compare the result with step 3: Show-NetFirewallRule
# The rules are now displayed. Running Get-Command inside the session shows that nothing beyond the list from step 8.c is available, and the transcript of the session appears in C:\tempb\transcript.
You are done.
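The whole procedure (steps 4 through 8) as one script, added here as an example and not taken from the original post. It goes beyond the post in two ways: the role capability file is placed in a module's RoleCapabilities folder, which is where JEA actually looks for it, and the cmdlet list is tightened (Get-EventLog limited to two logs and two parameters, Write-EventLog left out). It also adds the checks a practitioner wants around registration: Test-PSSessionConfigurationFile before, Get-PSSessionCapability after, and a connection test proving that a cmdlet outside the role is refused. The module name 'SampleJea' and role name 'FirewallReader' are assumptions; 'sample', 'jane' and C:\tempb\transcript follow the post. Run it in an elevated PowerShell 5.1 or later window on the target server.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the original post. Builds the JEA endpoint from steps 4-8 in
# one pass. Assumed names (not in the post): module 'SampleJea', role 'FirewallReader'.
# 'sample', 'jane' and C:\tempb\transcript follow the post.

$EndpointName  = 'sample'
$ModuleName    = 'SampleJea'
$RoleName      = 'FirewallReader'
$Principal     = "$env:COMPUTERNAME\jane"      # the limited local user from the prerequisites
$TranscriptDir = 'C:\tempb\transcript'
$PsscPath      = "C:\tempb\$EndpointName.pssc"

# --- Role capability: what the user may run inside the endpoint ---------------------------
# JEA only discovers .psrc files inside a module's RoleCapabilities folder, so create a
# minimal module under the all-users module path instead of leaving the file in C:\tempb.
$ModulePath = Join-Path "$env:ProgramFiles\WindowsPowerShell\Modules" $ModuleName
$RoleDir    = Join-Path $ModulePath 'RoleCapabilities'
New-Item -ItemType Directory -Path $RoleDir, $TranscriptDir -Force | Out-Null
New-ModuleManifest -Path (Join-Path $ModulePath "$ModuleName.psd1") `
    -Description 'Role capabilities for the firewall-reader JEA endpoint'

# Tighter than the post's plain list: Get-EventLog may only read two logs and only take
# -LogName/-Newest, and Write-EventLog is left out because the virtual account is a local
# administrator and could otherwise write arbitrary entries to any log.
$VisibleCmdlets = @(
    'Show-NetFirewallRule'
    'Get-NetFirewallRule'
    @{ Name       = 'Get-EventLog'
       Parameters = @{ Name = 'LogName'; ValidateSet = 'Application', 'System' },
                    @{ Name = 'Newest' } }
)
New-PSRoleCapabilityFile -Path (Join-Path $RoleDir "$RoleName.psrc") `
    -ModulesToImport 'NetSecurity' `
    -VisibleCmdlets $VisibleCmdlets

# --- Session configuration: who gets the role, and how the session is locked down ---------
New-PSSessionConfigurationFile -Path $PsscPath `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory $TranscriptDir `
    -RoleDefinitions @{ $Principal = @{ RoleCapabilities = $RoleName } }

# Validate before registering; a malformed file registers an endpoint nobody can connect to.
if (-not (Test-PSSessionConfigurationFile -Path $PsscPath)) {
    throw "Session configuration file $PsscPath failed validation"
}

# -Force answers the confirmation prompt and restarts WinRM (the post's step 8.i).
Register-PSSessionConfiguration -Name $EndpointName -Path $PsscPath -Force | Out-Null

# --- Verification -------------------------------------------------------------------------
# What the user would see, resolved from the role definitions without logging in as them.
Get-PSSessionCapability -ConfigurationName $EndpointName -Username $Principal |
    Select-Object -Property Name, CommandType

# Real connection test (prompts for the user's password): an allowed cmdlet works,
# a cmdlet outside the role is not even recognised.
$Cred   = Get-Credential -UserName $Principal -Message "Password for $Principal"
$Remote = @{ ComputerName = $env:COMPUTERNAME; ConfigurationName = $EndpointName; Credential = $Cred }

Invoke-Command @Remote -ScriptBlock {
    Get-NetFirewallRule | Select-Object -First 3 -Property DisplayName, Enabled, Action
}
try {
    Invoke-Command @Remote -ScriptBlock { Get-Process } -ErrorAction Stop
    Write-Warning 'Get-Process ran inside the endpoint: it is less restricted than intended'
} catch {
    "Blocked as expected: $($_.Exception.Message)"
}

# Over-the-shoulder transcript written by TranscriptDirectory for the sessions above.
Get-ChildItem -Path $TranscriptDir -File | Sort-Object LastWriteTime |
    Select-Object -Last 1 -ExpandProperty FullName
```

Registering the endpoint restarts WinRM, so any session opened in steps 1 through 3 is dropped. To undo everything, run Unregister-PSSessionConfiguration -Name sample and delete the SampleJea module folder; the transcripts in C:\tempb\transcript are the audit record of what the user actually ran and are worth keeping.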