What is JEA (Just Enough Administration)?
The acronym JEA stands for Just Enough Administration. It is a security feature of Microsoft Windows for role-based administration and assignment of rights of the functions and elements usable by PowerShell. The rights can be fine-tuned regardless of whether a user belongs to a particular user group. Restriction to individual cmdlets or parameters is possible.
The JEA module is part of the Windows PowerShell DSC Resource Kit and is available from PowerShell version 5.0. Just Enough Administration can be used from the operating system versions Windows Server 2016 and Windows 10. Older Windows Server or client systems are also partially supported.
Motivation for Just Enough Administration
The motivation for Just Enough Administration is that administrative user accounts used to manage servers or computers pose a security risk under certain circumstances. If an attacker obtains the credentials for an administrative account, they can attack other user accounts or entire server environments. Administrative accounts often contain a large number of rights that span entire domains.
The problem arises that rights for certain administrative activities cannot be assigned individually, but only in a block with other rights. If only a few different roles are available as administrator or user, users often receive more rights than are actually necessary to perform their activities.
Just Enough Administration solves this problem by assigning users specific rights to specific PowerShell functions on a role-by-role basis, without requiring them to be members of a specific user account group. The rights are valid during a PowerShell session and allow specific PowerShell commands to be executed.
JEA can be configured to allow even non-administrators to execute commands that require administrator privileges. On the other hand, it is possible to grant minimal rights for certain tasks to users with administrator rights. In this way, it is possible to control exactly which actions can be performed on a computer by a user.
The functional concept of Just Enough Administration
Just Enough Administration allows role-based assignment of rights for all system functions that can be managed via PowerShell. Depending on the user, certain cmdlets, parameters, or objects may be used. Just Enough Administration requires the setup of two components, JEA Toolkit Configuration and JEA Endpoint Configuration. JEA Toolkit Configuration allows you to create specific sets of tasks, commands, and functions for specific users. Users connect to PowerShell through a JEA Endpoint.
One or more JEA toolkits are assigned to the endpoint via the JEA Endpoint Configuration. When a user is connected to PowerShell via Endpoint, they are given access to the familiar PowerShell environment. However, in the background of the session, Just Enough Administration controls which functions and commands may be used. In addition to controlling permissions to PowerShell functions, other security measures are implemented in Just Enough Administration. Among other things, JEA takes care of logging all JEA PowerShell sessions.
The capabilities and benefits of Just Enough Administration
Just Enough Administration provides the following capabilities and benefits:
- Fine-grained assignment of rights for system administration.
- Independence of rights assignment from a user’s membership in a particular group
- Restriction of rights to individual cmdlets or parameters
- Central administration of rights
- Reduction of users with administrator rights
- Logging of all actions of a user during a PowerShell session