JEA - Securing Endpoints

I want to start with JEA, I just cannot seem to find out how to allow, or disallow users from connecting to the Toolkit.

Then as a side note, when they say that JEA will delete all existing endpoints, will that disable things like PSWA and remoting, or are these not seen as an endpoint.

TIA

JEA won’t delete the default endpoints. JEA uses Remoting, so it’s obviously not going to entirely disable Remoting. PSWA can use whatever endpoint you tell it to, and it defaults to the default endpoint.

Depending on which version of JEA you’re using, you specify an SDDL (Security Descriptor Definition Language) to specify who can connect.

Thank you Don, just a follow up on your reply,

  1. How do I set who can connect,
  2. From PSWA, is the default endpoint the “sys admin”, full access endpoint?

Thank you

There is no “sys admin” endpoint, no. If you run Get-PSSessionConfiguration on a computer, you should see a session configuration (endpoint) named “Microsoft.PowerShell,” I think. That’s the default endpoint. If you mean, “is this the default endpoint that’s wide-open that sys admins usually use,” then yes.

“How do I set who can connect” is different in different versions of JEA. For one, you might consider using the JEA Toolkit Helper (https://blogs.technet.microsoft.com/privatecloud/2014/10/24/introducing-the-jea-toolkit-helper/), which GUIs this a bit. This will let you specify users and groups, and translate them to the necessary SDDL that JEA needs. If you aren’t familiar with SDDL, you should use this.

If you look at https://msdnshared.blob.core.windows.net/media/TNBlogsFS/prod.evol.blogs.technet.com/CommunityServer.Blogs.Components.WeblogFiles/00/00/00/85/24/metablogapi/image_1C8676B7.png, the “SecurityDescriptorSddl” property is how you control who can connect. As you can see, this is a lot more complex than just listing a user name or group name, which is why people like using the GUI helper.

Hi Rhys,

Which version of PowerShell are you using? Don’s suggestions apply to all versions of JEA, but if you’re using the latest version (Windows 10, Windows Server 2016 TP4+, or an older system with Windows Management Framework 5.0 installed), specifying who has access to your JEA endpoint is much easier. We split the configuration into two distinct files: role capabilities (what someone can do if they are assigned this role) and session configurations (who has access to which roles). In the session configuration file, you can simply include your user->role mappings in the RoleDefinitions field:

RoleDefinitions = @{ 'domain\group' = @{ RoleCapabilities = 'Role1', 'Role2' } }

We handle the SDDL string creation from there when you run Register-PSSessionConfiguration. A detailed walkthrough that can help you get started with JEA is available at http://aka.ms/JEA.

Let me know if you have any other questions or need more help with the SDDL/RoleDefinitions field. I’d be happy to assist.

Ryan
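Ryan’s RoleDefinitions line carried through to a complete WMF 5.0 endpoint, registered and then checked for who may connect. This is an added example, not code from the thread; the module name, role name, group name and endpoint name are placeholders.

```powershell
# Added example (not from the thread): build a least-privilege JEA endpoint on WMF 5.0
# and then verify who is allowed to connect to it.
# Placeholders: module 'JeaDemo', role 'DnsOperator', group 'CONTOSO\JEA-DnsOperators',
# endpoint name 'JeaDemo'. Run from an elevated PowerShell session.

$moduleRoot = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\JeaDemo'
$rcFolder   = Join-Path $moduleRoot 'RoleCapabilities'   # JEA only finds .psrc files here
New-Item -Path $rcFolder -ItemType Directory -Force | Out-Null
New-ModuleManifest -Path (Join-Path $moduleRoot 'JeaDemo.psd1')

# 1. Role capability: WHAT a role may do. Only the listed cmdlets are visible,
#    and Restart-Service is further limited to the DNS service via ValidateSet.
New-PSRoleCapabilityFile -Path (Join-Path $rcFolder 'DnsOperator.psrc') `
    -VisibleCmdlets @(
        @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'DNS' } },
        'Get-Service'
    )

# 2. Session configuration: WHO gets which role. This is the RoleDefinitions
#    hashtable from the thread; the SDDL is generated at registration time.
$psscPath = Join-Path $env:TEMP 'JeaDemo.pssc'
New-PSSessionConfigurationFile -Path $psscPath `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory 'C:\JeaTranscripts' `
    -RoleDefinitions @{
        'CONTOSO\JEA-DnsOperators' = @{ RoleCapabilities = 'DnsOperator' }
    }

# Validate the file before registering it.
if (-not (Test-PSSessionConfigurationFile -Path $psscPath)) { throw 'Invalid .pssc file' }

# 3. Register the endpoint (this restarts the WinRM service).
Register-PSSessionConfiguration -Name JeaDemo -Path $psscPath -Force | Out-Null

# 4. Verify: the Permission property shows who can connect, and the default
#    'microsoft.powershell' endpoint is still listed next to the new one.
Get-PSSessionConfiguration | Select-Object Name, Permission

# A member of the group connecting to this endpoint sees only the whitelisted commands:
# Invoke-Command -ComputerName localhost -ConfigurationName JeaDemo -ScriptBlock { Get-Command }
```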

Thank you for the feedback, I will play with this all a bit more during the week and come back to you. It is making sense now.

Ryan I am on W2012R2 and WMF5

Hi Rhys,
I’m also getting started with JEA - As Ryan said, the latest incarnation, which you have - is much easier than the prior ones. It’s even easier if you watch Ryan’s Play-by-Play on Pluralsight that was released only a week or so ago (If you aren’t a Pluralsight customer - I’d really recommend signing up for the trial at the very least, just to watch this.)

Liam