![\"\"](\"http:\/\/brgeek.com.br\/wordpress\/wp-content\/uploads\/2021\/03\/1.png\")
<\/a><\/p>\n1) Enable Turn on Module Logging and select all modules by clicking on Show\u2026 and typing \\*<\/p>\n
2) Enable Turn on PowerShell Script Block Logging (you can also select Log script block invocation start\/stop events checkbox)<\/p>\n There\u2019s also one more setting that can be enabled \u2013 Turn on PowerShell Transcription \u2013 this setting when enabled will log all PS-based commands into the specified directory (please note that we can define a separate transcript folder for each endpoint \u2013 I\u2019ll show it a bit later).<\/p>\n In case this policy setting is enabled the complete list of the PowerShell GPO settings will look as follows:<\/p>\n Once the GPO is created, we can proceed to the first step in deploying JEA:<\/p>\n Step 1: Creating a new PowerShell module<\/p>\n (All the steps will be performed on my domain controller \u2013 DC. This is the server TO WHICH a user named User1 will be given access).<\/p>\n All JEA functionality \u201ccontains\u201d in the user-defined PowerShell modules and I prefer creating the new modules beforehand so I can place all needed files in the new module\u2019s folder later on. By default PS looks for its modules in C:\\Program Files\\WindowsPowerShell\\Modules folder so to create a new module I\u2019ll do the following:<\/p>\n a)Create a folder for the module: c)Create a new manifest file (.psm1 file) You will have now inside the folder you create 2 files named<\/p>\n Step 2: Creating role capabilities file (.psrc file) a)I create RoleCapabilitiesfolder in the Mymodule folder Now I can edit the MyModule.psrc with Notepad to permit only a few cmdlets\/external commands:<\/p>\n Step 3: Creating session configuration file (.pssc file) New-PSSessionConfigurationFile -SessionType RestrictedRemoteServer -Path .\\ MyModuleConfiguration.pssc<\/strong><\/p>\n Sessions configured with -SessionType RestrictedRemoteServer field will operate in the Restricted Language mode which allows by default only the following commands:<\/p>\n Like .psd1<\/strong> and .psm1 files, the .pssc<\/strong> files can be edited in Notepad \u2013 I\u2019ll configure the following sections:<\/p>\n TranscriptDirectory \u2013 this line enables logging of the commands run in the session (this is the endpoint-specific transcript directory as opposed to the default transcript directory defined in the PS GPO above) .<\/p>\n RunAsVirtualAccount \u2013 if set to true runs the session under virtual administrative account (member of either local Administrator\u2018s group).<\/p>\n Other options:<\/p>\n 1) if you don\u2019t want to run the new session under administrative account you can specify any group\/groups of which this virtual account should be the member of:<\/p>\n RunAsVirtualAccount = $true 2) for accessing network resourses from the new session you can use group managed service account: RoleDefinitions \u2013 defines who (in my test \u2013 Outfield\\Jeaoutfield) will have access to which endpoint (the name of the endpoint is the RoleCapabilities file name without extension).<\/p>\n SessionType is already set to RestrictedRemoteServer<\/p>\n Description \u2013 the optional field.<\/p>\n Before we proceed to registering JEA endpoint it would be pertinent to test the session configuration file using the Test-PSSessionConfigurationFile cmdlet:<\/p>\n Test-PSSessionConfigurationFile -Path \u201cMyModuleConfiguration.pssc\u201d (in my test below I called this file PsSessionConfiguration.pssc)<\/strong><\/p>\n Should this test reveal any errors you can edit the file once again in Notepad.<\/p>\n True means the file has the correct syntax.<\/p>\n The LAST STEP: Registering the ENDPOINT<\/p>\n The following command will register the new endpoint on the system:<\/p>\n Register-PSSessionConfiguration -Path MyModuleConfiguration.pssc -Name \u2018Endpoint1\u2019 -Force<\/strong><\/p>\n You can see the newly created endpoint by issuing this command:<\/p>\n Get-PSSessionConfiguration | Select-Object Name |fl<\/strong> (in my test I called the endpoint as below)<\/p>\n Now it\u2019s time to test the new endpoint: first of all, I\u2019d like to make sure the endpoint works as expected by connecting to the local host using Jeaoutfield domain credentials.<\/p>\n I) Connecting to the local host Enter-PSSession -ComputerName localhost -ConfigurationName Endpoint1 -Credential $UserCred<\/strong> (in my test I called the endpoint as below)<\/p>\n From now on, all cmdlets will be run under virtual administrative account.<\/p>\n Get-Process (It should succeed as it\u2019s defined in the RoleCapabilities file)<\/p>\n Get-Service (It should succeed as it\u2019s defined in the RoleCapabilities file)<\/p>\n Get-Childitem and Get-Date should NOT succeed because they are not listed in the RoleCapabilities file.<\/p>\n Get-Command will succeed as it\u2019s one of the base cmdlets allowed in the restricted language mode and it also shows all permitted commands on the session:<\/p>\n Issuing the Exit-PSSession command will end the remote session and its mandatory: the DC prefix will change to the previous PATH.<\/p>\n As you\u2019ve already seen, the EndpointOUTFIELD sessions have their transcript directory set to C:\\Scripts\\JEA\\Transcripts \u2013 let\u2019s parse the transcript of the session above (please note that logging occurs on the server where the user-defined PS module is installed):<\/p>\n<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\n
\nb)Create a new empty module (at least one file in the module folder must have the same name as the folder \u2013 in this case Mymodule) \u2013 in fact the module is just a .psm1file:
\nNew-Item -ItemType File -Path .\\Mymodule.psm1<\/strong><\/p>\n
\nNew-ModuleManifest -Path .\\Mymodule.psd1 -RootModule \u201cMymodule.psm1\u201d<\/strong><\/p>\n\n
\nAt least one .psrc file called role capabilities file must be created which defines what user or administrator can do in a JEA session. This file contains all cmdlets and external programs (it can contain providers and functions as well) which will be permitted to use in the JEA session. For this test I\u2019ll create the file which permits a user only to see the list of running process by means of Get-Process cmdlet, the list of services by means of Get-Service cmdlet. The .psrc file must be placed in the RoleCapabilities subfolder of the module\u2019s folder:<\/p>\n
\nb)and the role capabilities file in it
\nNew-PSRoleCapabilityFile -Path .\\RoleCapabilities\\MyModule.psrc<\/strong><\/p>\n<\/a><\/p>\n
\nTo define who will have access to the new endpoint and under which account the new ps session will run, the session configuration file must be created (I\u2019ll create it in the module\u2019s folder):<\/p>\n\n
\nRunAsVirtualAccountGroups = \u2018Network Configuration Operators\u2019<\/p>\n
\nGroupManagedServiceAccount = \u2018YOURDOMAIN\\serviceaccount\u2019<\/p>\n<\/a><\/p>\n<\/a><\/p>\n
\n$UserCred = Get-Credential<\/strong><\/p>\n<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\n