Mark Minasi's Tech Forum
jadgate

New Friend (or an Old Friend who Built a New Account)
Posts: 32
Mark has been talking it up since they released it in early 2014.  For the uninitiated, it's a way to lock down PoSH environments with fairly granular access controls (or so I've been told).

Would be curious to see if anyone has implemented it with success (or failure) in their environment(s) and if they'd be willing to share some observations. I've seen enough security presentations at DEFCON over the last 2 years on PoSH exploit kits that I think it's going to become a major exploit vector. Unfortunately, I've been away from the keyboard tech stuff for several years now so I don't get to play with the new stuff as much as I used to.

Jim 


__________________
Jim Adgate
IT Security guy concerned about vendor IT security risk management and other such stuff.....
JeffHicks

New Friend (or an Old Friend who Built a New Account)
Posts: 35
The Jit/Jea approach is just a better way to set up and maintain constrained endpoints. We've been able to achieve the same results in PowerShell with regard to remoting for years, but it was complex. The Jea toolkit will make it easier to deploy these kinds of custom endpoints. But it will require a paradigm shift that I doubt many organizations will be ready for anytime soon.

From a security standpoint, a better new feature in v5 is better and more thorough logging capabilities.

__________________
Jeff Hicks Author ~ Trainer ~ Guru
Cloud and Datacenter Management MVP
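A concrete form of the "constrained endpoint" Jeff describes, added here as an example for the thread (not code from any poster or from Microsoft's own samples): one role capability file plus a session configuration registered as a JEA endpoint. The module name, the group CONTOSO\HelpDesk, the server name and the transcript path are assumed placeholders; it needs PowerShell 5.0 or later in an elevated prompt on the target server.

```powershell
# Added example: a minimal JEA endpoint that lets a help-desk role restart
# two named services and nothing else. Module name, group, server and
# transcript path are placeholders (assumptions, not from the thread).

$moduleName = 'HelpDeskJea'
$modulePath = Join-Path $env:ProgramFiles "WindowsPowerShell\Modules\$moduleName"
$rcPath     = Join-Path $modulePath 'RoleCapabilities'
New-Item -Path $rcPath -ItemType Directory -Force | Out-Null
# Role capabilities must live inside a module folder on the PSModulePath.
New-ModuleManifest -Path (Join-Path $modulePath "$moduleName.psd1") `
    -Description 'JEA role capabilities for the help desk'

# 1. Role capability: what a connected user may run. ValidateSet pins the
#    -Name parameter, so the role cannot restart arbitrary services.
New-PSRoleCapabilityFile -Path (Join-Path $rcPath 'ServiceRestart.psrc') `
    -Description 'Restart the print spooler or time service only' `
    -VisibleCmdlets @(
        'Get-Service',
        @{ Name = 'Restart-Service'
           Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler', 'W32Time' } }
    )

# 2. Session configuration: no free-form language (RestrictedRemoteServer),
#    a virtual account so the help-desk user never holds local admin rights,
#    and a transcript of every session, which covers the logging point above.
$psscPath = Join-Path $env:TEMP 'HelpDesk.pssc'
New-PSSessionConfigurationFile -Path $psscPath `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory 'C:\JeaTranscripts' `
    -RoleDefinitions @{ 'CONTOSO\HelpDesk' = @{ RoleCapabilities = 'ServiceRestart' } }

# Syntax check before registering; a bad .pssc would break the endpoint.
if (-not (Test-PSSessionConfigurationFile -Path $psscPath)) { throw 'Invalid .pssc' }

# 3. Register the endpoint (-Force restarts WinRM, so existing sessions drop).
Register-PSSessionConfiguration -Name 'HelpDesk' -Path $psscPath -Force | Out-Null

# A member of CONTOSO\HelpDesk then connects and sees only the allowed commands:
#   Enter-PSSession -ComputerName SRV01 -ConfigurationName HelpDesk
#   Get-Command                      # Get-Service, Restart-Service, session basics
#   Restart-Service -Name Spooler    # allowed
#   Restart-Service -Name BITS       # rejected by the ValidateSet
```

Each session's transcript lands in C:\JeaTranscripts under the connecting user's name, which is what gives you the "who did what, when and where" that later posts ask for.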
Mark Minasi

Humble Proprietor
Posts: 175
A seriously interesting toolkit that is more and more "baked in the box" as time goes on. Definitely worth following.
gpoguy

New Friend (or an Old Friend who Built a New Account)
Posts: 50
The concepts of JEA are good, and frankly, are really no different than proxy-based least-privileged solutions that have been available for Linux/Unix for years (e.g. PowerBroker). I think the piece that's still lacking, even with the v5 improvements, is the tooling to set it up. It still requires a fair bit of "long-haired activity" to configure and deploy across an environment. As Jeff says, many organizations may not think it worth the effort or will look to 3rd party products to do what amounts to least privilege delegation.
Darren

__________________
Darren Mar-Elia
MS-Group Policy MVP
Founder--SDM Software (https://sdmsoftware.com)
Need Group Policy Training? Check out my Group Policy Fundamentals course: http://pluralsight.com/courses/group-policy-fundamentals
Mark

Hacked Mark's Facebook Account
Posts: 273
While I can't disagree, Darren, I think the bigger blocker is the lack of GUI. Need that to deploy to junior admins. (And yes, I know, it's possible but requires a lot of new-object [System]::[YoMomma] coding.)
__________________
May I ask that everyone please populate the first name and last name in your user account profile.  Thanks!
noxigen

Still Checking the Forum Out
Posts: 2
For situations where you need to put a PowerShell script or any other command-line executable safely in the hands of a junior admin or help desk person, without a ton of setup and configuration, take a look at System Frontier. It's super easy to configure and has a very flexible RBAC model with granular permissions.

If you still have to support legacy operating systems, it all works the same - even back to Server 2003 / XP.

__________________
Jay Adams
System Frontier
 - RBAC for systems management and automation.
jsclmedave

Administrator
Posts: 499
HA! "long-haired activity" 3rd party products are great as long as EVERYONE uses the 3rd party product... Going outside of many (like Dell's AD Tool) will have the same results... not knowing who did what, when and where...

Spend the time to do it right and THEN if needed look outside for more granular control if deemed needed...

__________________
Tim Bolton @jsclmedave
Email: [string](0..20|%{[char][int](32+('527377347976847978324785847679797514357977').substring(($_*2),2))}) -replace ' '  

New to the forum? Please Read this
noxigen

Still Checking the Forum Out
Posts: 2
Well, that's the key whether using native tools, in-house tools or 3rd party products: standardization. Organizations have to identify processes and roles and put controls in place to ensure people can't circumvent the process.

Removing or limiting admin rights is always a culture change when the culture was never defined that way in the first place. You're right in that tools can't fix that.

__________________
Jay Adams
System Frontier
 - RBAC for systems management and automation.
jsclmedave

Administrator
Posts: 499
I am working on implementing it now. I am hoping that I can lead by example. I am also getting the logging set up as well.
__________________
Tim Bolton @jsclmedave
Email: [string](0..20|%{[char][int](32+('527377347976847978324785847679797514357977').substring(($_*2),2))}) -replace ' '  

New to the forum? Please Read this