Website under construction

Download 13,37 Mb.

Pdf ko'rish

bet	104/131
Sana	27.03.2022
Hajmi	13,37 Mb.
	#512480

1 ... 100 101 102 103 104 105 106 107 ... 131

Bog'liq
9780735697744 Introducing Windows Server 2016 pdf

More info For more information about PAM, go to
https://technet.microsoft.com/library/
dn903243.aspx
.
Now, let’s take a quick look at JEA. This is part of the Windows Management Framework 5.0 package
and has been supported since Windows Server 2008 R2. Using JEA, you can assign specific privileges
(just enough of them) to a user account that are needed to perform a given required function. This
means that you don’t need to assign a user to an administrator account and then remember to
remove that person later. JEA gives us the role-based access control (RBAC) that modern enterprises
require to achieve more secure environments.
To implement JEA on a system, you first need a Windows PowerShell Session Configuration file. Use
the New-PSSessionConfigurationFile cmdlet to create the .pssc file you need to control access by
running the following syntax:
New-PSSessionConfigurationFile -Path "$env:Programdata\\.pssc"
The following is a sample of the default configuration file this command generates:
@{
# Version number of the schema used "for this document
SchemaVersion = '2.0.0.0'
# ID used to uniquely identify this document
GUID = '1da190ce-fc94-4f8b-98e0-7d70fd9154b1'
# Author of this document
Author = 'john'
# Description of the functionality provided by these settings
# Description = ''
# Session type defaults to apply for this session configuration. Can be 'RestrictedRemoteServer'
(recommended), 'Empty', or 'Default'
SessionType = 'Default'
# Directory to place session transcripts for this session configuration
# TranscriptDirectory = 'C:\Transcripts\'
# Whether to run this session configuration as the machine's (virtual) administrator account
# RunAsVirtualAccount = $true
# Groups associated with machine's (virtual) administrator account
# RunAsVirtualAccountGroups = 'Remote Desktop Users', 'Remote Management Users'
# Scripts to run when applied to a session
# ScriptsToProcess = 'C:\ConfigData\InitScript1.ps1', 'C:\ConfigData\InitScript2.ps1'
# User roles (security groups), and the role capabilities that should be applied to them when applied to a
session
# RoleDefinitions = @{ 'CONTOSO\SqlAdmins' = @{ RoleCapabilities = 'SqlAdministration' };
'CONTOSO\ServerMonitors' = @{ VisibleCmdlets = 'Get-Process' } }
}

118
CHAPTER 4 | Security and identity
The core areas of interest to change are the
SessionType
, which is set to
Default
. For JEA to
work, you need to configure this as
RestrictedRemoteServer
. Next, you need to uncomment
# RunAsVirtualAccount = $True
, which ensures that the session will have “virtual” administrator
privileges. Finally, you need to modify the
Roledefintions
section and uncomment it to reflect your
environment.
After you generate and set up the configuration file, you need to register it by using the Register-
PSSessionConfiguration cmdlet.
Register-PSSessionConfiguration -Name -Path "$env:Programdata\\.pssc"
You can test this by connecting to the machine as you would a normal Windows PowerShell remote
session.
Enter-PSSession -ComputerName -ConfigurationName -Credential $cred
You can create another file called a Role Capability file with the extension .psrc. You can use this file to
define what commands and applications are visible to the specific roles you define. You use the New-
PSRoleCapabilityFile cmdlet to create a blank template.
This file contains sections in which you can define which modules to import and which functions and
cmdlets are exposed.
# ModulesToImport = 'MyCustomModule',
@{ ModuleName = 'MyCustomModule2'; ModuleVersion = '1.0.0.0';
GUID = '4d30d5f0-cb16-4898-812d-f20a6c596bdf'
}
# VisibleFunctions = 'Invoke-Function1',
@{ Name = 'Invoke-Function2';
Parameters = @{ Name = 'Parameter1';
ValidateSet = 'Item1', 'Item2' },
@{ Name = 'Parameter2'; ValidatePattern = 'L*' } }
# VisibleCmdlets = 'Invoke-Cmdlet1',
@{ Name = 'Invoke-Cmdlet2'; Parameters = @{ Name = 'Parameter1'; ValidateSet = 'Item1', 'Item2' },
@{ Name = 'Parameter2'; ValidatePattern = 'L*' } }

Download 13,37 Mb.

Do'stlaringiz bilan baham:

1 ... 100 101 102 103 104 105 106 107 ... 131