This topic contains 7 replies, has 2 voices, and was last updated by  Babun 2 weeks, 6 days ago.

  • #240999
     Babun 
    Participant
    • Topics: 3
    • Replies: 4
    Post count: 12
    Member Points: 149

    Hi,

    I've been testing JEA a bit and I'm very impressed with the tech, and the introduction on this MS page was pretty good:

    https://docs.microsoft.com/en-us/powershell/jea/overview

    Also I've been browsing here, but it's not much more extensive:

    https://github.com/PowerShell/PowerShell-Docs

    I can’t really find much information about detailed stuff though, I was wondering if someone has better in-depth resources.

    What I'm wondering most about is the implications of different VisibleProvider settings, and secondly a more specific issue: if I want to know the connecting user's profile paths or even the username, how would I do this in a JEA session that's running under a virtual account in NoLanguage mode?

    0
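One way to get the connecting user's identity into a virtual-account, NoLanguage JEA session is to expose it through a function defined in a role capability: the connected user cannot reference variables in NoLanguage mode, but a function exported by the role capability runs with full language inside the session and can read the `$PSSenderInfo` automatic variable (`ConnectedUser` is the caller, `RunAsUser` the virtual account). The following is an added example, not code from this thread or from Microsoft's JEA documentation; the module path, transcript directory, group name `CONTOSO\JeaUserInfoOperators` and the lookup of the caller's profile path through the `ProfileList` registry key are assumptions for illustration. It also restricts `VisibleProviders` to `FileSystem` and mounts the per-user `User:` drive, which is relevant to the user-created-files use case discussed later in the thread.

```powershell
# Added example, not code from the thread or from Microsoft's JEA docs.
# Builds a role capability whose exported function reads $PSSenderInfo inside
# the session, registers a virtual-account endpoint with VisibleProviders
# limited to FileSystem, and mounts a per-user drive. Run as an administrator
# on the JEA endpoint. Assumed: module path, transcript path, group name.

$ModuleRoot = 'C:\Program Files\WindowsPowerShell\Modules\JeaUserInfo'   # assumed path
New-Item -ItemType Directory -Path "$ModuleRoot\RoleCapabilities" -Force | Out-Null
New-ModuleManifest -Path "$ModuleRoot\JeaUserInfo.psd1" -ModuleVersion '1.0.0' `
    -Description 'JEA role capability module (added example)'

# Body of the function the connected user will be able to call. Functions from a
# role capability run in FullLanguage even though the caller is in NoLanguage.
$GetConnectedUserInfo = {
    # ConnectedUser is the caller's identity; RunAsUser is the virtual account
    # the session process actually runs as.
    $connected = $PSSenderInfo.ConnectedUser
    $sid = ([System.Security.Principal.NTAccount]$connected).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value

    # The caller's local profile path (if that account ever logged on to this
    # host) is recorded under ProfileList. A virtual-account session does not
    # load it, so $null here just means no profile exists on this machine.
    $profileKey  = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\$sid"
    $profilePath = (Get-ItemProperty -Path $profileKey -ErrorAction SilentlyContinue).ProfileImagePath

    [pscustomobject]@{
        ConnectedUser = $connected
        ConnectedSid  = $sid
        RunAsUser     = $PSSenderInfo.RunAsUser
        ProfilePath   = $profilePath
        # Root of the per-user drive mounted by MountUserDrive, if enabled
        UserDrive     = (Get-PSDrive -Name User -ErrorAction SilentlyContinue).Root
    }
}

$roleParams = @{
    Path                = "$ModuleRoot\RoleCapabilities\UserInfo.psrc"
    # Only the FileSystem provider is reachable; Registry, Environment,
    # Certificate and the others stay hidden from the connected user.
    VisibleProviders    = 'FileSystem'
    VisibleCmdlets      = 'Get-ChildItem', 'Get-Item', 'Copy-Item'
    FunctionDefinitions = @{ Name = 'Get-ConnectedUserInfo'; ScriptBlock = $GetConnectedUserInfo }
}
New-PSRoleCapabilityFile @roleParams

$sessionParams = @{
    Path                 = "$ModuleRoot\UserInfo.pssc"
    SessionType          = 'RestrictedRemoteServer'   # NoLanguage plus a minimal cmdlet set
    RunAsVirtualAccount  = $true
    TranscriptDirectory  = 'C:\JeaTranscripts'        # assumed; ACL it so sessions cannot edit transcripts
    MountUserDrive       = $true                      # per-user "User:" drive for files the caller brings along
    UserDriveMaximumSize = 50MB
    RoleDefinitions      = @{ 'CONTOSO\JeaUserInfoOperators' = @{ RoleCapabilities = 'UserInfo' } }  # assumed group
}
New-PSSessionConfigurationFile @sessionParams
Test-PSSessionConfigurationFile -Path "$ModuleRoot\UserInfo.pssc" | Out-Null
Register-PSSessionConfiguration -Name 'UserInfo' -Path "$ModuleRoot\UserInfo.pssc" -Force | Out-Null

# From a client, the connected user calls the exported function; no language
# features are needed on their side:
#   Invoke-Command -ComputerName jea-host -ConfigurationName UserInfo -ScriptBlock { Get-ConnectedUserInfo }
```

The function is the trust boundary here: it decides which facts about the caller leave the session, and because it is defined in the role capability the connected user cannot alter it. Files the caller needs to hand over can be copied to the `User:` drive with `Copy-Item -ToSession`, which sidesteps the profile-folder question entirely.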
  • #241001
     Babun 
    Participant
    • Topics: 3
    • Replies: 4
    Post count: 12
    Member Points: 149

    Also, I would be very curious to know if they've planned on porting JEA to Core, but I suppose that's too early to say yet, and especially whether it's the same for all platforms or not, since Core is still in beta afaik.

    0
  • #243718
     Michael Pietroforte 
    Keymaster
    • Topics: 136
    • Replies: 302
    Post count: 913
    Member Points: 5,674

    You are right, the documentation about JEA is a bit thin. We posted a little series about JEA, but I guess your questions are not answered there. They appear to be pretty specific to me. Beta 6 of PowerShell Core mentions fixes about JEA. So it seems Microsoft plans to port JEA to Core.

    0
    • #243766
       Babun 
      Participant
      • Topics: 3
      • Replies: 4
      Post count: 12
      Member Points: 149

      Thanks for the reply. Yes, I've read the series, but I think it doesn't significantly differ from the thin Microsoft documentation out there.

      I think the user profile use case probably hasn't been thought about; at least I can't see any variables in the JEA session being populated with information about the connecting user. You could achieve this e.g. by passing the username as a parameter to a JEA session (with sanity checks?), or you could match it from the transcripts (e.g. by transcript PID and envvar PID) or from Windows event logs, but these are all kinda sub-optimal.

      Another thing that bugs me a little is that I can't find that it logs the IP address of the connecting user, either in the event logs or in the transcript files.

      It seems to me it's a good tech, but still a bit rough around the edges; it could use documentation and maybe some polishing features. Sounds good that they have the idea of bringing it to Core though!

      0
  • #245175
     Babun 
    Participant
    • Topics: 3
    • Replies: 4
    Post count: 12
    Member Points: 149

    I can think of use cases where you want the elevated process to handle e.g. user-created files, and without modifying filesystem rights or providing a shared instead of a private folder, the only sane place to have the user place them is the profile folder. Also you might want to provide the elevated process with username information in other contexts (say I want to grant rights (to the filesystem, DCOM or anything?) to the connecting user, for instance).

    It's not as if it's a new problem per se that administrative processes run in a different user context, just something that I think should be a lot more easily solved in PS remoting as compared to some other remote management solutions, and also without compromising security; this would provide the system with a lot more flexibility.

    I guess many things can be logged and anything can be scripted, but logging the connecting IP address is just something I'd expect to be built in, since it's kind of basic stuff and all of this is supposed to be about added security.

    0
    • #245188
       Michael Pietroforte 
      Keymaster
      • Topics: 136
      • Replies: 302
      Post count: 913
      Member Points: 5,674

      It is hard to understand what you are trying to accomplish.

      I don't see a connection between the user profile and the user rights. If you want an admin to make filesystem changes, you make sure that the corresponding cmdlets are in the endpoint and that he has the rights to modify the corresponding folders. After the user logs in via Enter-PSSession, he is in his user profile folder, where he can create private files.

      By default, logon events are logged in the Security event log. You can also see PowerShell remoting logon events there.

      0
  • #245193
     Babun 
    Participant
    • Topics: 3
    • Replies: 4
    Post count: 12
    Member Points: 149

    I don't really have such a specific problem tbh, but I'm certain there are use cases for extending the user context to the JEA session for many purposes, as per the whole JEA philosophy.

    I checked the event logs and yes, you can see which users log in, but not from which IP address. The only place where I found this information (and yes, I needed to dig a while) was using the Get-WSManInstance cmdlet. It's not visible in e.g. Get-PSSession. In my opinion, having to dig so deeply for this information is kinda stupid.

    0
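The two observations above (the client IP only shows up in `Get-WSManInstance`, and transcripts can be tied to a session through the process ID) can be combined into one endpoint-side check. The following is an added example, not code from this thread: it enumerates the live WinRM shell instances, which carry `Owner`, `ClientIP` and `ProcessId`, and matches each to the JEA transcript whose header `Process ID:` line names the same host process. The transcript directory is an assumed path, and the assumption that the shell's `ProcessId` equals the process ID written into the transcript header (both refer to the session host process) is stated in the code.

```powershell
# Added example, not code from the thread. Run on the JEA endpoint with rights
# to enumerate WSMan shells and read the transcript directory.
function Get-JeaShellClientInfo {
    [CmdletBinding()]
    param(
        # Assumed path: the TranscriptDirectory of the JEA session configuration
        [string]$TranscriptDirectory = 'C:\JeaTranscripts'
    )

    # Every live remoting session is a WinRM shell instance. Owner is the
    # connecting user, ClientIP the remote address and ProcessId the host
    # process (wsmprovhost.exe) running the virtual-account session.
    $shells = @(Get-WSManInstance -ResourceURI 'shell' -Enumerate)

    # JEA transcripts start with a header block whose "Process ID:" line names
    # the session host process. Assumption: that number is the same ProcessId
    # WSMan reports for the shell. Build a PID -> newest transcript map.
    $transcriptByPid = @{}
    Get-ChildItem -Path $TranscriptDirectory -Filter 'PowerShell_transcript.*.txt' -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $match = Select-String -Path $_.FullName -Pattern '^Process ID:\s*(\d+)' | Select-Object -First 1
            if ($match) {
                $hostPid = [int]$match.Matches[0].Groups[1].Value
                # Process IDs get reused over time; keep the most recent file per PID
                if (-not $transcriptByPid.ContainsKey($hostPid) -or
                    $transcriptByPid[$hostPid].LastWriteTime -lt $_.LastWriteTime) {
                    $transcriptByPid[$hostPid] = $_
                }
            }
        }

    foreach ($shell in $shells) {
        $hostPid    = [int]$shell.ProcessId
        $transcript = $transcriptByPid[$hostPid]
        [pscustomobject]@{
            Owner      = $shell.Owner
            ClientIP   = $shell.ClientIP
            ShellId    = $shell.ShellId
            HostPid    = $hostPid
            State      = $shell.State
            Transcript = if ($transcript) { $transcript.FullName } else { $null }
        }
    }
}

# Usage on the endpoint:
#   Get-JeaShellClientInfo | Format-Table Owner, ClientIP, HostPid, Transcript -AutoSize
```

Because the shell list only covers sessions that are still open, a scheduled run of this function (or a forwarding of its output to the SIEM) is what turns the client address into a record that outlives the session; the transcript alone records the connected user and RunAs user but, as noted above, not the address.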

© 4sysops 2006 - 2017

Log in with your credentials

or    

Forgot your details?

Create Account