[Autogenerated] Next, let's turn our attention to Just Enough Administration. Now, we have JEA, of course, in the library, so I'm not going to reinvent the wheel by going over it step by step; you can also check the exercise files, because I have an excellent tutorial that I actually based this demo on, as a matter of fact. But here's the high-level view: we're on a system called VM3A and we want to create a custom session configuration that will allow our support people to run just a certain command. We're going to really restrict it. In fact, it's kind of a hello-world example: create a JEA endpoint that allows you to work with the Spooler service, because, let's face it, the Print Spooler is a pretty safe service to play around with. Generally, when you're learning PowerShell, you work a lot with the Spooler service. So we can see in Active Directory Users and Computers that I've created an organizational unit called JEA, in which I have created a global group called Spooler Admins. And in Spooler Admins, I have my Stacy Harmon support user.
So the idea is we're going to create a constrained endpoint on this server that would allow her to make a PowerShell remoting session happen where she can restart the Spooler service, and she can also run whoami, but that's it. So we can demonstrate it now. If we were to do a standard connection, if we connected to the default session configuration, number one, she wouldn't be allowed to do that anyway, but our administrators can continue to do standard PowerShell remoting against the standard session configurations. So what I've done to set up this server, let me show you; I've already got it running just to save time. Let me go to the PowerShell module path on this system, and that's C:\Program Files\WindowsPowerShell\Modules. I've created a folder called Spooler_Admins, and in there I've created a session configuration file called Spooler_camp, and you need to have a subfolder called RoleCapabilities, as you see here, and in there I've got my role capability file, Spooler_Admins. So that's the way the scaffold looks. Let me open up VS Code and let me show you what I've got going on here. You can create a new session configuration and a new capability file with PowerShell commands.
We don't need to worry about all of those steps again; if you're interested, check the exercise files, but what is important is for you to understand the high-level view. So first, let's look in RoleCapabilities and look at the role capability script, which has the extension .psrc; that stands for PowerShell Role Capability. Now, we've got some metadata, and notice that when you create a new role capability file with the New-PSRoleCapabilityFile cmdlet, it's heavily documented with comments. It's pretty cool. And the entire document, as you can see on line 1, is a hash table, a key-value set, and the main things I want you to see here are, let me come down to line 25, VisibleCmdlets. This is again going to be a hash table, an array of commands that will be available in that JEA session, and at this point, the way I've set it up, there's literally just one command available, besides a handful of defaults that come along for the ride when you create a new session configuration. But the only non-default cmdlet I'm saying is going to be Restart-Service, and you can even cut down the parameters that a non-administrator or sub-administrator can use when they're connected to your JEA endpoint. In this case we're just doing the Name parameter, and Spooler is the only valid Name value in this case. So it's a pretty constrained service. If you look up above, you can work with aliases, imported modules, functions, all that kind of stuff. The other thing, for our exam purposes, that I want you to see is on line 32, VisibleExternalCommands. So these would be your .exes that you're allowing, and notice that I'm allowing only whoami.exe. So that's really what we want to see in the Spooler Admins role capability file: it's defining what specifically is allowed to happen in the session. Now, the session configuration file has an extension .pssc, for PowerShell Session Configuration, and here I want to draw your attention first of all to line 16. The recommended option here is RestrictedRemoteServer, which gives you just a handful of commands, like I said, the default ones, but you can choose Empty and start from scratch; you can play around with that. It depends on that counterbalance: the higher your security posture, the lower the net usability tends to be. So I've got RestrictedRemoteServer.
Oh, something I forgot to mention is that whenever a user connects to a JEA endpoint, their entire session is recorded in a transcript folder. So you want to make sure this folder exists on the machine. I do have a C:\Transcripts folder that I created. Something else that you should know about, that I didn't mention in the lecture portion, is that you can configure your JEA sessions to run with a virtual account. Now, this is so cool. This means that as long as the session is active, there's an account that's placed in the local Administrators group for a workgroup computer, or Domain Admins if it's a domain controller, that exists only for the duration of that session. So it's an ephemeral account. Now, you can use a group managed service account instead, but that virtual account is some really clever engineering. Now lastly, on line 28, RoleDefinitions. This is important because it maps your Active Directory or local groups to role capabilities. In my case I have one group, Spooler Admins, and one role capability, Spooler_Admins.
So the only people who will be able to connect to this endpoint are members of that group, of which there's just the one, and they will be subject to the role capabilities that we've specified in the Spooler Admins role capability. Nice. So let me come back to my test file, and I'm going to want to register this session configuration on this machine. And as you see on line 6, Register-PSSessionConfiguration: you give it a name and then the path to the session configuration file. Let me right-click this and run the selection. Now there's a warning that you have to restart the WinRM service, so I have that on line 9, just as a convenience. Now, it looks like mine bombed out because I already have a Spooler Admins session configuration created on this machine, but we might as well go ahead and test. Now, I'm signed in as my regular user, my tim user. If I do whoami... let me clear the screen, and I'm going to test by providing, on lines 12 and 13, my Enter-PSSession syntax. The VM is actually vm3a.timw.info. I'm specifying the configuration name Spooler Admins, and my credential is going to be my Stacy user. So let me right-click and choose...
Run Selection. For some reason that line terminator kind of messed me up. Let me get rid of that line terminator and let me do this as a single-line command. There we go. So let me provide Stacy's password here. I'm having some issues here in my Visual Studio Code PowerShell Integrated Console, so I flipped over to just another console session, and I was able to connect in as Stacy just fine, as you can see here. So what I want to do is do a Get-Command, and we can see just that handful of commands that are allowed: Clear-Host, Exit-PSSession, Get-Command itself, Get-Help, Measure-Object. So there's really not much that somebody can do when they connect to a JEA endpoint other than any commands that you authorize. So Stacy should be able to do a Restart-Service of Spooler just fine; however, Get-Service is not allowed, so it's not even available in the session, as you can see here. Remember that we're also allowing use of the whoami external command, so let me try whoami. But if we try to do a ping, let's say, the command isn't recognized. This is a heavily constrained JEA endpoint. So to finish, let me do an Exit-PSSession, and we're done.
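The endpoint walked through above, scripted end to end as an added example (this is not the course's exercise files or the presenter's own script). The domain NetBIOS name TIMW, the group name Spooler_Admins and the endpoint name SpoolerAdmins are assumptions; the role capability file must live under a RoleCapabilities folder of a module on $env:PSModulePath for JEA to find it by name.

```powershell
# Added example, not from the course. Assumed: domain TIMW, AD group Spooler_Admins,
# endpoint name SpoolerAdmins. Run in an elevated PowerShell on the target server.
$moduleRoot = 'C:\Program Files\WindowsPowerShell\Modules\Spooler_Admins'
$rcDir      = Join-Path $moduleRoot 'RoleCapabilities'   # JEA resolves .psrc files by name from here
New-Item -ItemType Directory -Path $rcDir, 'C:\Transcripts' -Force | Out-Null

# Role capability (.psrc): what a connected support user may do.
# Restart-Service is exposed with only the -Name parameter, and only the value 'Spooler';
# whoami.exe is the single external command. Get-Service, ping, etc. are simply absent.
New-PSRoleCapabilityFile -Path (Join-Path $rcDir 'Spooler_Admins.psrc') `
    -VisibleCmdlets @{
        Name       = 'Restart-Service'
        Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler' }
    } `
    -VisibleExternalCommands 'whoami.exe'

# Session configuration (.pssc): who may connect and how the session runs.
#   RestrictedRemoteServer -> only the default handful of cmdlets plus the role's additions
#   RunAsVirtualAccount    -> ephemeral local-admin (or Domain Admins on a DC) account that
#                             exists only for the lifetime of the session
#   TranscriptDirectory    -> every session is recorded here; the folder must exist
#   RoleDefinitions        -> maps the AD group to the role capability file above
$psscPath = Join-Path $moduleRoot 'Spooler_Admins.pssc'
New-PSSessionConfigurationFile -Path $psscPath `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory 'C:\Transcripts' `
    -RoleDefinitions @{ 'TIMW\Spooler_Admins' = @{ RoleCapabilities = 'Spooler_Admins' } }

# Validate the .pssc before registering; a malformed file fails registration later anyway.
if (-not (Test-PSSessionConfigurationFile -Path $psscPath)) {
    throw "Session configuration file failed validation: $psscPath"
}

# Register the endpoint and restart WinRM, as the transcript does, so it becomes available.
Register-PSSessionConfiguration -Name 'SpoolerAdmins' -Path $psscPath -Force | Out-Null
Restart-Service WinRM

# From a client, as the support user. Inside the session, Get-Command lists only the
# defaults plus Restart-Service and whoami.exe; Get-Service is not available at all.
# Enter-PSSession -ComputerName vm3a.timw.info -ConfigurationName SpoolerAdmins -Credential (Get-Credential)
```

Members of other groups are refused at connect time, and administrators keep using the default Microsoft.PowerShell session configuration unaffected.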