Do you follow the security practice of operating as a standard user and elevating privileges only when necessary? Didn't think so. Learn how System Frontier from Noxigen makes it easier to delegate administration with PowerShell through a web interface.

Timothy Warner

Timothy Warner is a Microsoft Cloud and Datacenter Management Most Valuable Professional (MVP) who is based in Nashville, TN. Check out his Azure and Windows Server video training at Pluralsight, and feel free to reach out to Tim via Twitter.

Here's the situation: you've developed a number of PowerShell scripts that automate many common customer support tasks. At the moment, the help desk calls you every time they need one of those scripts run. You're getting very tired of this, but aren't willing to make help desk personnel domain administrators. What to do?

Of course I'm teeing you up for a solution: in this case, Noxigen's System Frontier privilege management solution.

As I see it, here are System Frontier's chief selling points:

  • "Cloud cadence" updates with the security benefits of in-house software
  • Less expensive than alternative solutions such as Avecto Defendpoint
  • Less complex to use than, say, Windows PowerShell Just Enough Administration (JEA)

How System Frontier works ^

Jay Adams, the developer of System Frontier, made a nice Visio drawing that explains System Frontier's high-level architecture. As is my practice, I've annotated the drawing and will explain each component to you.

System Frontier high level architecture

  • A: You define users (help desk technicians, junior admins, and so forth) in the System Frontier directory and assign them a particular security role. The security role scopes which administrative actions they can undertake in SF.
  • B: System Frontier is a traditional three-tier ASP.NET web application; the delegated admins log into System Frontier to use their assigned tools.
  • C: The management server stores the administrative credentials that proxy the delegated admins' tool use; it is also where you define the specific "tools" that those admins may run.
  • D: Ultimately, the delegated admin performs administrative tasks on managed servers without knowing any administrative credentials – "it just works," and all actions are audited.

Installation and configuration notes ^

Noxigen makes System Frontier available as a free 30-day trial. The product explicitly supports Windows Server 2008 R2 SP1 and Windows Server 2012 R2 as the management server, but I had no trouble installing on a Windows Server 2016 member server.

Note that you'll need to have a SQL Server instance available on your network, as well as a member server set up with the Web Server role. The installation consists of three separate executables:

  • Database: Creates the System Frontier configuration and auditing database on your SQL Server
  • Management Service: Deploys the System Frontier service; this is the "heart" of the solution
  • Web Application: Installs the System Frontier ASP.NET web application

Next, browse to http://localhost:8080 on the web server and log into System Frontier using your current administrative credentials. That account becomes the default "superuser" in System Frontier. Don't worry – System Frontier is a role-based access control (RBAC) solution, and you'll define your administrators and users in a later step. Because this console brokers administrative credentials on behalf of its users, bind the site to HTTPS in IIS before anyone reaches it from another machine.

The following image shows an annotated version of the System Frontier web console:

The System Frontier web administration console

  • A: Add your physical and/or virtual managed servers and workstations
  • B: Define administrative tasks that will run with delegated permissions
  • C: View auditing and compliance reports
  • D: Define users, roles, credentials, and Active Directory domain configuration
  • E: Lock the console
  • F: Perform a global search for any SF asset

Deploying a PowerShell script securely ^

The first thing you'll need to do is connect System Frontier to Active Directory so that it can resolve the users and groups you delegate to. Accomplish this by navigating to Settings > Domain Configuration in the web console and supplying an LDAP connection string for your domain.

Next, you'll want to have a look at the built-in roles and permissions to see if you need to make any changes. As you can see in the following screenshot, System Frontier includes many built-in roles that are scoped to common administrative tasks.

System Frontier uses the RBAC security model

You can create new roles or modify existing ones; clicking a role shows you the specific actions allowed by the role. For example, take a look at the following screenshot, which shows the permissions list for the built-in Help Desk role. Pay particular attention to the RunCustomTool permissions.

RBAC involves granular access permissions

The RunCustomTool permission is required in order for our delegated admins to run PowerShell scripts. In my lab environment, I added an Active Directory user named Pat (accomplished by navigating to Settings > Users in the web console) and assigned the user to the Help Desk role.

I have a "toy" PowerShell script that will give us the flavor of how System Frontier "least privilege" access works. Consider the following code:

Navigate to Tools > Create Tool to create an entry for your PowerShell script. Creating a tool involves the following items:

  • Name
  • Description
  • Category (Misc or Troubleshooting are the "out of box" choices)
  • Executable: This is a bit confusing because a PowerShell script isn't an executable, but this is where you browse to locate your .ps1 file

You are then brought to the Custom Tool (Edit) screen, shown in the following screenshot, where you can inject function arguments.

Adding arguments to our stored script file

As you can see, there are several common variables that can fetch WMI data for you to help with your function. In my example, I took advantage of System Frontier's {$TargetHostname} automatic variable, and also provided a static text value.

The final step is to associate the custom tool with one or more roles. After I added the tool to the Help Desk role, I was ready to test!
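To make the procedure above concrete, here is an added example of the kind of script you would register as a custom tool. It is not the article's own "toy" script and not Noxigen's code. It assumes that System Frontier passes the tool's configured arguments to the script's param block in order ({$TargetHostname} first, then the static text value, used here as a service name), that the script runs under the stored administrative credential, and that WinRM is enabled on the managed server. Because that credential is an administrator on the target, the script deliberately limits what the delegated user can do to restarting services on a short allow-list.

```powershell
<#
  Restart-AllowedService.ps1
  Added example for this article; not the "toy" script it mentions and not Noxigen's code.
  Assumptions: System Frontier passes the tool arguments to this param block in order,
  {$TargetHostname} first and the static text value (a service name) second, and runs the
  script under the stored administrative credential. The script is therefore the security
  boundary, so it accepts only two validated inputs and does one narrowly scoped job.
#>
[CmdletBinding()]
param(
    [Parameter(Mandatory = $true, Position = 0)]
    [ValidatePattern('^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$')]   # a bare hostname or FQDN, nothing else
    [string]$TargetHostname,

    [Parameter(Mandatory = $true, Position = 1)]
    [string]$ServiceName
)

$ErrorActionPreference = 'Stop'

# Constructed allow-list: the only services the help desk may restart through this tool.
$AllowedServices = @('Spooler', 'W32Time', 'BITS')

# Exact (case-insensitive) match against the allow-list; refuse anything else before
# touching the target, so a creative argument value cannot widen the tool's reach.
if ($AllowedServices -notcontains $ServiceName) {
    throw "Service '$ServiceName' is not permitted by this tool. Allowed: $($AllowedServices -join ', ')"
}

# All work happens on the target over WinRM. The delegated user's own identity never
# reaches the target; the proxied credential supplied by System Frontier is what runs this.
$result = Invoke-Command -ComputerName $TargetHostname -ArgumentList $ServiceName -ScriptBlock {
    param([string]$Name)

    $svc    = Get-Service -Name $Name
    $before = $svc.Status

    # -Force also restarts dependent services rather than failing on them.
    Restart-Service -Name $Name -Force

    # Bounded wait for a real Running state; throws a TimeoutException instead of
    # silently reporting success if the service never comes back.
    $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(30))

    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Service  = $Name
        Before   = [string]$before
        After    = [string](Get-Service -Name $Name).Status
        RanAs    = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    }
}

# One summary line on the output stream (assumed to be what System Frontier shows the
# user and keeps with the job), recording the before/after state and the proxied account.
"[$(Get-Date -Format o)] Restarted $($result.Service) on $($result.Computer): " +
    "$($result.Before) -> $($result.After) (executed as $($result.RanAs))"
```

Register the .ps1 as the tool's Executable, set the first argument to {$TargetHostname} and the second to a static value such as Spooler. If you would rather let the help desk choose the service, the allow-list still caps what they can pick. The example targets Windows PowerShell 5.1, which is what the management server in the article runs; on PowerShell 7 the same Invoke-Command call works, whereas the older Get-Service -ComputerName form does not.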

Testing delegated administration ^

When Pat logs into the System Frontier console, he sees only a subset of the options available to a full administrator. Pat navigates to the server on which he needs to run the script, and clicks the Tools tab as shown in the following screenshot:

The user sees only those tools to which he or she has access

As you can see, Pat can run administrative tasks within a "security bubble" in which administrative credentials are never known to the end user. Keep in mind that the script itself runs under the stored administrative credential, so it is the real security boundary: it should accept only the parameters it needs, validate them, and do one narrowly scoped job, because anything the script can do, every role the tool is assigned to can do.

An administrator can navigate to Reports > Compliance to generate reports showing which users have which permissions, or to Reports > Audit History for insight as to all actions taken within the System Frontier system.

Wrap-up ^

System Frontier Starter Edition is free, but is limited to 3 delegated users, 5 custom tools, and 5 nodes. The Pro Edition ($24 yearly per node) gives higher limits and priority email support. The Enterprise Edition ($36 yearly per node) has unlimited resource limits and priority email and phone support.

The IT security principle of least privilege is immensely important, and I'm grateful for tools like System Frontier that make privileged account management easier to implement.

1 Comment
  1. Neill Tinlin 3 months ago

    Nice review.

    I believe I was Jay's first customer with the earliest versions of System Frontier at a previous organisation. While I don't use the product where I am now, unfortunately, I found Jay to be excellent in supporting the product and constantly updating it to take on board the comments from myself and other users.

    If memory serves I mentioned a very minor issue to him at 17:00 UK time one evening and he had a new build ready for me when I came in at 09:00 the next day.

    The tool saved a lot of out-of-hours call-outs because we could delegate permissions to start/restart services on some rather ropey old apps to a 3rd party monitoring service.
    We couldn't find anything else to do the job at the time and I don't think there are still many easy/cheap alternatives currently.

© 4sysops 2006 - 2017