Error using JEA on a disconnected, not domain-joined, standalone Windows 10.

Background: Medical equipment standalone computer running Windows 10, not connected to the internet. Three users, “Admin”, “Operator” and “Logger”. The “Operator” and “Logger” run as standard users. The “Admin” is an Administrator and is used just for equipment maintenance. The “Operator” needs to execute several specific commands that require administrator privileges. From obvious security principles we don’t want to give this user administrative privileges. Looks like the perfect scenario for Just Enough Administration (JEA).

What was done: I followed all the instructions in the documentation at https://docs.microsoft.com/en-us/powershell/jea/overview and verified the process using several YouTube videos.

The Problem:

When I try to connect to the special configuration session from the “Operator” (standard user included in the security descriptor of the special session), I get a timeout error after about 20 seconds (could not create shell).

Connecting to the same session from “Admin” (which is an administrator) works as expected and gives access only to the limited set of commands. I interpret this as a hint that the configuration is valid.

Trying to connect to the session from the “Logger” user (standard user not in the security descriptor of the session) is rejected immediately with a “no access” error. I interpret this as a hint that the problem is not in the security descriptor.

After enabling the diagnostic logs, I can see that the user “Operator” was authorized by the security checks and failed on the creation of the shell.

Any help on how to solve the issue or further research it is greatly appreciated.

Gad J. Meir.