Just Enough Administration: Delegation Done Right

Just Enough Administration: Delegation Done Right

In nearly all IT organizations, specialized users are granted access to systems to perform tasks pertinent to their job. Most times, the amount of access that this user has to be given will open up many tasks that they are not allowed or qualified to perform. When dealing with systems that are intentionally co-located, like Active Directory and DNS often are, this can open companies up to administrators as an attack surface.

Just Enough Administration (JEA), which is a feature of both the Windows Management Framework and PowerShell, aims to solve these challenges. JEA provides organizations with the ability to develop truly customized role-based access controls (RBAC). A group of tasks can be organized and granted to the appropriate individuals. Their role gives them exactly the tasks that they are allowed to perform and no more. Also, gone are the days of granting users the binary option of administrator access on servers.

JEA works by picking and choosing a group of PowerShell commands that make a role. This group of commands are then defined into the role capabilities section of a file called a PowerShell Session Configuration. These commands can even be granularly controlled. For example, you can make it so that a user can restart the spooler service and only the spooler service. Maybe that same user should be able to run the executable ipconfig.exe as well, but no others. This is all possible with JEA.

Limiting the access for users is undeniably powerful, but mistakes may still happen, even within the tasks specifically defined for users. JEA provides administrators with an over the shoulder view of what commands have taken place and by which user. This information is stored in a transcript file. These are files are able to be recalled at a later point by administrators to pin-point the exact command that caused the issue. Then they can further limit actions or just educate the users on the appropriate sequence of commands.

JEA will also be available on Windows Server 2012 R2 by installing the Windows Management Framework 5.0. This brings some one of the great features of Windows Server 2016 down to existing deployments and makes the barrier to entry very low.

Go out today and download the Windows Management Framework 5.0 and give it a try.

Want some help with diving into the 1520 out-of-the-box cmdlets that comes with Windows Server 2016? We can help your organization to start to develop custom roles in JEA. A call to us is your first step towards a more secure organization.

Windows Server 2016 Blog Series

Innovative Integration has been creating a whole series about Windows Server 2016 leading up to the September launch. To read other articles from this series, click here.

About Jeff Peters

Expert in many aspects of the Microsoft Product Line, including SharePoint, Active Directory, Server, Exchange and Office 365, SQL, Clustering, Operations Manager, Lync/Skype for Business, and Configuration Manager. Currently holds MCSE (since 2005) and MCITP. Experience with designing and implementing Windows server environments, corporate e-mail, and directory services. Experience with Operations Management and Configuration Management software. Exceptional expertise with portal design, custom development, CRM, XML datatypes, and Forms Services.

Leave a Reply

Innovative Integration can help you optimize your IT infrastructure. Request a Consultation