JEA: Register a new restricted endpoint with one JEA role. The endpoint runs with a virtual account. The assigned groups and users are local ones. No domain membership is required.
function Get-Test
{
    <#
    .SYNOPSIS
    Sample command exposed through the JEA role; returns the current date and time.
    .NOTES
    New-TestRole copies this function's script block into the role capability file
    (FunctionDefinitions), so the endpoint runs this body rather than the module's copy.
    #>
    return (Get-Date)
}
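function New-TestRole
{
    <#
    .SYNOPSIS
    Writes the 'TestRole' role capability file (.psrc) into the RoleCapabilities folder of the
    module named by $moduleName, where JEA looks it up by file name.
    .NOTES
    Reads the caller-scope variable $moduleName; it is validated first, because an empty value
    would otherwise silently produce a path under ...\Modules\\RoleCapabilities.
    The file is written directly to its final location instead of to C:\ followed by a
    Move-Item, which leaves no stray file in the drive root and does not fail on a second run
    when the destination already exists.
    The role exposes only Get-Command/Get-Help/Get-FormatData, the FileSystem provider and the
    Get-Test function; nothing else from Microsoft.PowerShell.Management is made visible.
    #>
    if ([string]::IsNullOrWhiteSpace($moduleName))
    {
        throw 'The script-scope variable $moduleName must be set before calling New-TestRole.'
    }

    # The RoleCapabilities folder is where JEA discovers .psrc files; the file name ('TestRole')
    # is the value referenced from RoleDefinitions.
    $rcFolder = Join-Path -Path "$($env:ProgramFiles)\WindowsPowerShell\Modules\$moduleName" -ChildPath 'RoleCapabilities'
    if (-not (Test-Path -Path $rcFolder))
    {
        New-Item -ItemType Directory -Path $rcFolder | Out-Null
    }

    $psrcPath = Join-Path -Path $rcFolder -ChildPath 'TestRole.psrc'
    New-PSRoleCapabilityFile -Path $psrcPath `
        -ModulesToImport Microsoft.PowerShell.Management `
        -VisibleProviders FileSystem `
        -VisibleCmdlets Get-Command, Get-Help, Get-FormatData `
        -FunctionDefinitions @{ Name = 'Get-Test'; ScriptBlock = (Get-Command Get-Test).ScriptBlock }
}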
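function Register-CustomPSSessionConfiguration
{
    <#
    .SYNOPSIS
    Creates and registers a JEA session configuration (RestrictedRemoteServer, NoLanguage),
    grants the given principals access to the endpoint, and scaffolds the module folder that
    will hold the role capabilities.
    .PARAMETER RunAsUser
    Account the endpoint runs as (parameter set 'Account'). Mutually exclusive with -UseVirtualAccount.
    .PARAMETER RunAsUserPassword
    Plain-text password for RunAsUser. It is converted to a SecureString here, but as a [string]
    parameter it can show up in command-line arguments, transcripts and history; prefer the
    'VirtualAccount' set, or pass a PSCredential if the interface can be changed.
    .PARAMETER UseVirtualAccount
    Run the endpoint as a virtual account (parameter set 'VirtualAccount'); sets RunAsVirtualAccount in the .pssc.
    .PARAMETER AllowedPrincipals
    Users or groups granted access to the endpoint through its security descriptor. Each entry
    receives GENERIC_ALL on the endpoint object; which commands a connecting user can run is
    still governed by RoleDefinitions. Keep this list as narrow as possible.
    .PARAMETER EndpointName
    Name of the session configuration; also used for the .pssc file name and the transcript sub-folder.
    .PARAMETER RoleDefinitions
    Hashtable mapping principals to role capabilities, passed unchanged to New-PSSessionConfigurationFile.
    .NOTES
    Reads the caller-scope variable $moduleName for the module folder; it is validated first,
    because an empty value would silently create files such as ...\Modules\\.psm1.
    Writes below C:\ and $env:ProgramFiles, so it needs an elevated session.
    Register-PSSessionConfiguration -Force suppresses the confirmation prompt; registering a
    configuration typically restarts the WinRM service. The generated C:\<EndpointName>.pssc
    file is left in place after registration.
    #>
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ParameterSetName = 'Account')]
        [string]$RunAsUser,

        [Parameter(Mandatory, ParameterSetName = 'Account')]
        [string]$RunAsUserPassword,

        [Parameter(Mandatory, ParameterSetName = 'VirtualAccount')]
        [switch]$UseVirtualAccount,

        [string[]]$AllowedPrincipals,

        [Parameter(Mandatory)]
        [string]$EndpointName,

        [Parameter(Mandatory)]
        [hashtable]$RoleDefinitions
    )

    if ([string]::IsNullOrWhiteSpace($moduleName))
    {
        throw 'The script-scope variable $moduleName must be set before calling Register-CustomPSSessionConfiguration.'
    }

    # Root folder for session transcripts; each endpoint gets its own sub-folder below it.
    $transcriptRoot = 'C:\PowerShellTranscripts'
    if (-not (Test-Path -Path $transcriptRoot))
    {
        New-Item -ItemType Directory -Path $transcriptRoot | Out-Null
    }

    $psscPath = "C:\$EndpointName.pssc"
    $fileParam = @{
        Path                = $psscPath
        SessionType         = 'RestrictedRemoteServer'   # only the JEA default commands plus what the roles expose
        LanguageMode        = 'NoLanguage'               # clients cannot send script blocks or expressions
        ExecutionPolicy     = 'Unrestricted'
        TranscriptDirectory = Join-Path -Path $transcriptRoot -ChildPath $EndpointName
        RoleDefinitions     = $RoleDefinitions
    }
    if ($PSCmdlet.ParameterSetName -eq 'VirtualAccount')
    {
        $fileParam.Add('RunAsVirtualAccount', $true)
    }
    New-PSSessionConfigurationFile @fileParam

    $registerParam = @{
        Name  = $EndpointName
        Path  = $psscPath
        Force = $true   # replace an existing configuration of the same name without prompting
    }
    if ($PSCmdlet.ParameterSetName -eq 'Account')
    {
        $securePassword = $RunAsUserPassword | ConvertTo-SecureString -AsPlainText -Force
        $registerParam.Add('RunAsCredential', (New-Object pscredential($RunAsUser, $securePassword)))
    }
    Register-PSSessionConfiguration @registerParam

    # Append one Allow ACE per principal to the endpoint's DACL and write the SDDL back.
    $pssc = Get-PSSessionConfiguration -Name $EndpointName
    $psscSd = New-Object System.Security.AccessControl.CommonSecurityDescriptor($false, $false, $pssc.SecurityDescriptorSddl)
    # 0x10000000 = GENERIC_ALL: full access to the endpoint object itself; command scope is
    # still restricted by the role definitions in the .pssc.
    $genericAll = 268435456
    foreach ($allowedPrincipal in $AllowedPrincipals)
    {
        $sid = (New-Object System.Security.Principal.NTAccount($allowedPrincipal)).Translate([System.Security.Principal.SecurityIdentifier])
        $psscSd.DiscretionaryAcl.AddAccess('Allow', $sid, $genericAll, 'None', 'None')
    }
    Set-PSSessionConfiguration -Name $EndpointName -SecurityDescriptorSddl $psscSd.GetSddlForm('All') -Force

    # Module folder that holds the RoleCapabilities sub-folder (populated separately, e.g. by New-TestRole).
    $modulePath = "$($env:ProgramFiles)\WindowsPowerShell\Modules\$moduleName"
    if (-not (Test-Path -Path $modulePath))
    {
        New-Item -ItemType Directory -Path $modulePath | Out-Null
    }

    # Empty script module plus manifest: at least one file in the folder must carry the folder's name
    # for the module (and thus its role capabilities) to be discoverable.
    $psm1Path = Join-Path -Path $modulePath -ChildPath "$moduleName.psm1"
    if (-not (Test-Path -Path $psm1Path))
    {
        New-Item -ItemType File -Path $psm1Path | Out-Null
    }
    $psd1Path = Join-Path -Path $modulePath -ChildPath "$moduleName.psd1"
    if (-not (Test-Path -Path $psd1Path))
    {
        New-ModuleManifest -Path $psd1Path -RootModule "$moduleName.psm1"
    }
}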
# --- Demo setup: a local group, two local users and a JEA endpoint 'Support' with one role ---
# $moduleName is read by Register-CustomPSSessionConfiguration and New-TestRole through
# PowerShell's dynamic scoping, so it must be assigned before either function is called.
$moduleName = 'Support'

# Credential for the demo users only; a hard-coded password belongs in a lab, nowhere else.
$password = ConvertTo-SecureString -String 'Somepass1' -AsPlainText -Force

$group = New-LocalGroup -Name Support
# Test1 joins the Support group and therefore maps to the 'Support' role below;
# Test2 is created but not added to the group (presumably to contrast a user without a role).
New-LocalUser -Name Test1 -Password $password | Add-LocalGroupMember -Group $group
$user = New-LocalUser -Name Test2 -Password $password

# Everyone may connect to the endpoint; only members of the Support group are mapped to a role.
# Passing the Support group as -AllowedPrincipals instead would limit who can connect at all.
Register-CustomPSSessionConfiguration -EndpointName Support `
    -UseVirtualAccount `
    -AllowedPrincipals Everyone `
    -RoleDefinitions @{ 'Support' = @{ RoleCapabilities = 'TestRole' } }

# The role capability file goes into the module folder the registration step just created.
New-TestRole

# Manual check of the endpoint:
#$cred = New-Object pscredential('.\Test1', $password)
#Enter-PSSession -ComputerName localhost -ConfigurationName Support -Credential $cred