Getting started with Just Enough Administration (JEA) by Jason Helmick

Captions
This morning, so real quick, I got a lot of stuff to talk about, so I just want to make sure you're in the right place. So notice the title says Getting Started. Here's the deal: this is part one of two. There are two parts; there's part two this afternoon being done by a guy named James. Did... are you still... did you, James? Nope, okay, James Petty. Let me explain. I'm gonna go through the very, very basics lightning fast, show you how this works, why it works the way that it does, and give you some code that you can use and play with wherever you want, but it's the basics, boys and girls. James is gonna take you to his real-world implementation that he does at the office of JEA. I'll talk about Microsoft and, you know, Azure Stack does it all that, but he's gonna go hardcore advanced. Does that make sense? Okay, so if you're not interested in the basics of JEA because you already know it or something, go somewhere else, but it could be fun. So here we go, everybody pull out your phone, don't take all day, take a picture of that dream home. Now guys, that will go live tomorrow afternoon after my last session. There will be code, there will be slides, there will be happiness and joy. Yes, good, the one up here. If you want more details on this, there is about a four-hour video series I did on JEA. It will get you from zero to hero, up to being able to implement it, and there's a lot of unique things in that series because it's based upon what Microsoft dogfoods and they've been successful at, and things that they haven't, so it's kind of a nifty thing. Yeah, we good? Yeah. If you haven't seen one of my presentations before, I never use slides past this point. Oops. Now, I know you're kind of like, oh no, he's gonna have lots of these. These are good slides, and then I'll show you some code. Yeah, okay, so hang on, let's muscle up and it'll all be good, at least that's the theory. So you guys know remoting, right? Yeah, so you know the basics of remoting. If you went to Richard's session, well, you know much more than the basics, but here's the idea.

I'm gonna get to the requirements in a second, but you guys know what remoting is. You want to get out there to do something, so you're... oops, come on, slide... you're gonna connect to an endpoint. You guys know that there's commands; you can see the endpoints, you're gonna see them here. Normally when you use remoting it just does pass-through authentication, or you use different creds, but you connect to the endpoint and you have full control over the entire machine. Yes? Well, that sucks. Do you ever make mistakes? You know how Snover says that he's deeply flawed? That's why PowerShell is the way that it is. He's a lot smarter than me, so I am, like, seriously deeply flawed, because if I'm not screwing up I'm not doing much at all. So here's the thing: the idea is that we can decide what you're allowed to do. Now, how many former Exchange people do I have? Okay, now, well, I was gonna say how many of you haven't learned that you're former... I was want to... so now, when Exchange 2010 came out, they came on, they talked about RBAC and all this kind of stuff, this really cool way to set permissions, and if you muscled up to figure out how to actually do that through PowerShell, congrats, because you're one of the five people that could actually pull it off. Then in 2013 they made it a little bit easier. Thanks to all of the hard work that the Exchange team did, we now have JEA. This was originally written by Jeffrey Snover to help with a problem; it was distributed using DSC. That is not the case anymore. You can do this anywhere, anytime, and it's easy to deploy whether you use DSC or not. But the concept is this: when you connect to that remoting endpoint, I can decide not only what cmdlets you're allowed to run, I can decide what parameters on those cmdlets you're allowed to use, and I can decide what you're allowed to type in as a value. That's how granular we can get. Now you might be saying, oh Jesus, this could take me till the next millennium to figure this crap out. It's not as hard as you might think it is. It is an iterative process, though, and that's what we're going to talk about.

So some of the requirements: look, guys, these haven't changed. You can run JEA as long as you're running a modern operating system, within reason. If you're running 2003, you already know you're screwed; it's not gonna work on that. But other than that, in general it works with all the stuff now, so you can implement this immediately if you wanted to. So here's how this works. Again, I'm gonna give you the same picture. There's a couple of things that you're gonna need to make JEA work. If you google JEA, I'm gonna warn you right now, be careful: you might be looking at information for the first version of it, which is completely different. So you want to look at this one, and that's all I'm going to show you. I'm not even going to show you what the first version looked like, because it doesn't matter. Now, you're gonna need two things. You're gonna need two configuration files on that machine. I'm gonna explain in detail what those puppies are, well, kind of detail. One of them is going to be called a session configuration. Don't panic, I'll show it to you, but what that does is you define who is allowed to use the endpoint. And with that, well, okay, Bob, you're allowed to use the endpoint. With that you also specify the second file you need, which is... now guys, I say this wrong constantly, I don't know why. It's the role capability file. I might say compatibility file because my brain can't function. I'm wrong when I say that; you yell it out and correct me. It's capability, okay? Now the reason I'm telling you that it's capabilities is because, wait a minute, that's what that file now defines: what cmdlets, what functions, what capabilities are you allowed to have, down to the granular level of parameters and arguments. So how many files do we have? What does the session config do? Who. And what does the role capability file do? What. I'm so glad you guys can read, that's awesome.

All right, so I want to talk about virtual accounts. Some of you may already know about these. Originally when I was doing this in the video, this was brand new, this whole new JEA thing was brand new, and so a lot of people didn't know about this, and you may not. But here's what's happening: we never let you, with intent, and you've probably heard this this week, be an admin in the previous definition of an admin. The previous definition of an admin is the godlike creature that has all power. What's wrong with that? Hmm, what's wrong with giving you all power? Do any of you make mistakes? There's one. The other thing is, I know you guys aren't, but have you ever experienced an admin that was a thief, that was looking at things like payroll and things like that? Well, this is why, these are some of the reasons why you can't be allowed to do that. But that doesn't mean we're hosing you. We're gonna give you options, but we need to be careful about how we do this to maintain the highest level of security we can. Here's one of the things: when you use PowerShell remoting and you're not using JEA, you connect to it and you're elevated as admin, yay, you have all powers over that box. We don't want that. When you connect, you're gonna connect as... and I don't know how to really get this into your brain in other ways, but you're gonna be nothing more than a user. I know, I know, you just wanna... yeah, that was before lunch, I was probably not cool. Anyways, yeah, you know how you... anymore at my office we have a user account, just a regular user, that we do our regular stuff with, and then if we need, we sign in as this godlike creature. Yeah, it's the godlike creature account that you didn't sign out of that's screwing us over with the malware, and your buddy sitting next to you that's going, hey, I wonder if this guy makes more than me. Now, when you connect you're connecting as just a regular user. What does a regular user have the ability to do? Pretty much crap. That's the way we like it. But you need to do stuff. You need to be elevated while you're there, so we're gonna elevate you with a virtual account.

Here's the best thing. I'm not gonna have time to actually show you the account and how it looks, but let me bring the little sign up: regular user, you'll connect, you'll get elevated as a virtual account. This account has a unique name that dies when that session dies. People all the time say, you know, one of the things that impacts it is, you know, you're signed in as admin, you can get malware that's gonna use that information to keep you signed in, do mean things. Guys, the account dies, so if you got malware, guess what? The malware no longer can do you. You need this. Yeah, if you were at Lee Holmes's talk... if you're thinking, I should say, you were at Lee Holmes's talk, and you can still think, so, but you got to think about this: we have a solution that works, and it's not a project. That's the hardest part. It's not a project. It's not, well, we're gonna do this JEA thing and then next month we're gonna move on to something, SQL. No, this is an iterative process that you must constantly... this becomes part of your daily, weekly thought processes, because that's what it's going to take. However, the value you're getting from this... How much do you know about Azure Stack? You heard Jeffrey, right, on the first day, talking about, you know, it takes two keys to become God. You have one of them, we have the other. We're symbiotic. Here's the deal: when you do become God, we sometimes call that break the glass, we're gonna track everything you do. We're gonna log it. We're gonna put it in a transcript. I mean everything, everything you type, all the values you get, and by God, put a little workflow in that if somebody breaks the glass, those transcripts immediately go to auditors, whoever, managers, whatever, so that everybody's aware that something has occurred and what exactly happened. You don't have that admin sitting there at three o'clock in the morning trying to figure out what they were doing in there at that time. So this is really, really, really kind of cool, and I got to really start moving along if I want to show you some code.

So let's try this. Nope, that's not the code I want to show you. Don't forget, this presentation went downhill really fast. So this isn't just one file that you can play with; I put everything in there. My idea in this file is you don't have to pre-set up anything. I've got the code in there that'll do everything that I'm showing you, right? So if you just want to play with it on a VM or something, you can. Now, so here's what I'm gonna do. First of all, I want to show you something. So I'm gonna go down here and I'm gonna create some folders. I'm gonna create a folder called Test. Look at these two cmdlets. What do you think the role capability cmdlet does? It creates the role capability file. What do you think the session configuration file cmdlet does? Now remember, I told you you need two things, you need these two files. How do you make them? You run those cmdlets. Now, good news, better news, awesome news: these are good cmdlets. These cmdlets have parameters for everything you're gonna need, like what functions, what modules should this person be allowed to use, what cmdlets, what parameters, what arguments. That's good. You got a crap-ton of parameters to do that for you, so you can make beautiful long wrapping lines and then you can put all those backticks in there so you can make it try to look pretty. What's gonna happen the first time you touch it to make a change? You're gonna forget these backticks that you can't see, and those long lines are really unreadable. Let me show you another way. This is better. It's not best, but it's better. So let me first of all... I'm gonna run these. I'm gonna create the folder, I'm gonna run these. I think I forgot how to get to a function key on this all of a sudden, so let me do this. Where's my... oh crap, I just have to find my function keys at the moment. How did I forget those? Is anybody using VS Code and using a graphical way to do this? Okay, well, this will be fun if somebody sees it. Wow. And by the way, what a perfect demonstration of why graphicals are opinion... yes, oh yeah, thank you. [Music] Oh, I lost my highlights. You know what, there's a reason I put a break statement at the very beginning of the script. Think that through. So let me highlight it again. Is that going to happen to me all the time? For Summit I had a much, much better way of doing this, but now I can't figure it out. Shut up. Anyways, so go back to this. So here's the deal, I'm gonna launch these little guys, I think, and now I really have to hustle if I'm gonna do it this way. Come on, Code, bring them up. I don't think it did it. Right-clicking at the moment is also very difficult. Stop laughing at me. Now, there's something on the screen I need you to see while I'm screwing around trying to get this puppy to run. I want you to notice the extensions on these files. That is something that, and they were on the graphic, you need to pay attention to. Now, oops, that's not helping me. Where's PowerShell? Let's do it the old-fashioned way. Yeah, we're gonna do it this way. Oops, I put it at Test, I think. Yeah, oops. Please tell me you ran. Okay, so this is getting any more entertaining. Let me just do this, because I got a lot of code here to try to get through. Oops, I just think maybe I found my... or at least a way. You're still not doing it. Yeah, you're right, you're right, you're right. Let me do this. It doesn't look like it's actually running anything. Do this. That ran, didn't it? I think so. All right, so I'm gonna give you the code, you can run through it, but I'm gonna show you this code because I need you to see this. The only thing you're gonna see me running is... is it going? Okay, so now here's the deal. When you run these, the files that get created are very detailed. If you open them up, they're all commented out, but they have examples of what to do.

So here's the deal: you can use the parameters to do all of this, or you can directly edit the file. Anybody have a problem with that? Yeah, besides me. Dudes, it's gonna be really hard to not screw up everything every time you touch this file. It's confusing, it's complicated, the syntax is picky. If you knew something else, you could use the commands and it would automatically build these files for you and it would be easy to maintain. You know, have you ever heard about something called splatting? I don't splat often, but when I do, it's JEA. So yeah, I know it was a crappy joke, but hey. So here's the deal: I also in here have users that I use in this example that it just creates, so AD cmdlets are just creating some users down here. Here's some more directories. Let me explain what you're seeing. Here's what we're gonna do. If you're googling and you see a thing about a JEA resource kit being done through DSC, that's the old one. The new one, JEA, is part of your modules. You guys know what modules are, right? So what this does is we're gonna put a folder right off of your modules, so when you make a module, like in Program Files, you know, WindowsPowerShell\Modules, you just make that folder and then you make another folder underneath. Take a look up here, you'll see it's a... oh, you can't see, but you guys know how to make a module. I don't have to really sit here and show you, but look, I'm creating a module in here called JEA Print Operators. That's a module. Here's the best part: notice that extra folder there called RoleCapabilities. That's where that role capabilities file is going to go. I have a question for you. The role capabilities file goes with the module. If you want to deploy this to ten machines, take a guess, what do you think you need to do? Xcopy, yep. You're not done yet. Now put some juice into it. If you got a pipeline or you got products, you can use DSC for this. What's really cool is if you have a pull server and you put the modules on the pull server, when the boxes need it, they get it. It's not just your modules, it's Microsoft modules, it's everybody's modules. That means JEA is with everything. You can attach it to everything, including your own stuff. I wrote 50 functions, but that guy over there, he's pretty smart, I'll let him have 40 of them. But that guy, oh, he scares me when he gets a cup of coffee, he gets three. You have complete control over your stuff. Is that cool?

Okay, so you make a module, you add in an extra folder, and let me show you a little trick. I know this looks a little bit confusing, but take a look here. Notice I am splatting. I've got a variable there, and I want you to take a look at some of the things I have in it. Let's take a look. Well, there's author, company name, what modules do you want to import. Well, in this print operators endpoint, what do I want them to have? Well, let's see, what does a print operator need? Who here has been or is a print operator? You all have been print operators, stop. Now, what's the most common task as a print operator when something goes wrong? What's the first thing you do? Okay, the spooler service. Not the workstation service, more on the spooler service. This prevents mistakes, because I am going to make sure that, and I'll bring it up here so you can see it, I am going to make sure that things like Restart-Service... I don't want them to have all of the parameters. They're a print operator; they need to specify the Name parameter. And hey, how many of you have written advanced functions in PowerShell? ValidateSet. They're allowed to type the word spooler. You know, if they type a different word, I swear it, it's hilarious: I'm gonna see if I can restart or crash this service or this server or something, I'm not typing spooler, I'm gonna type in bits. Okay, that was supposed to be funny, because it doesn't do anything to you. That's why you see it in every frickin' book we write and stuff like that, because it can't hurt you. Anyways, so he types in bits, gets a big pretty error message. If you do advanced functions and you do things like ValidateSet, you get a pretty error message. It says, hey, the only thing you're allowed to type is spooler. I've locked them down.

So here's what I really need you to think about: the technology is now easy to do, and the reason that I splat is I can maintain this. I can run this 50 times a day, making small changes rapidly to get the role perfect. Am I gonna make the role perfect? Nope. The people using the role are going to help make me perfect with it, and it's gonna take time. They're gonna say, you know what, I'm a print operator, you let me restart the spooler service, but occasionally I need to get some IP address information. Can you let me see some IP information? Well, certainly I can let you have some IP info. Where do I have it here? Oh, ooh, I'm gonna let you use NetTCPIP, but do you see what I'm doing? I only let them have Get, because I don't want them to be able to change anything. So I'm defining this role: what should my print operators be able to do? I'm gonna start with the basics, I'm gonna get this role out to them, they're gonna connect and use it, and then they're gonna say, you know what, almost every other day I need this too. Okay, from the print module. Okay, I'll do that. In other words, we'll work together to make the right role. But here's the thing: you, as the user that's going to manage the printers, you don't make the decision. You make a request. We decide whether that's the right thing for you. If it's not, it's not. Now, we do this for your roles. I want you to think about this, just like something like Azure Stack, which does this amazingly well. At some point you're gonna need that: oh crap, it's 2 o'clock in the morning, I just signed in and I'm a print operator and I can restart the spooler, but there's so much crap going wrong, I need to restart some servers and make some changes and I can't do it. Hey, if there's a fire, what do you do? Well, that's cool, I like that. As you're running out the door, call the fire department. You know what would be really nice? How about telling your friends there might be a fire and you need to leave? So yeah, break the glass, hit the button, at least be courteous, and then you can run like hell. Um, don't get in my way. [Laughter] So yeah, break the glass. You can have an endpoint that gives you the godlike thing, but, as I mentioned, it's gonna get logged, we're gonna track everything you do, add a little workflow, so you can break the glass if it's an emergency and solve the problem, but everybody's gonna know about it.

Now with Azure Stack, Jeffrey's sitting right here, with Azure Stack, I just love that it takes two... I don't know, I meant to ask this early on: who are my security guys, the guys that put "no" in innovation? I want you to think about something, you, your security people. So Jeffrey said, you know, DevOps has really two things: doing small things rapidly, and what was number two? Yeah, don't be a... to the people you work with. I just said that, I can't believe I just said, don't be a jerk to the people you work with. Here's the thing: the devs, IT guys, we've been fighting and arguing, and we blame security guys. Think about security guys for a minute. Why don't you like security guys, and why don't security guys like you? Because you run up to them going, I'm gonna install this thing that's gonna let me manage everything in the world, it's gonna be awesome. What's a security guy gonna say? Let me explain to you how PowerShell remoting works, so let me show you how the security and the protocol works. As a matter of fact, here's an entire write-up that PowerShell.org created as a free ebook to help you get the information that you need, so that you can realize that this ain't a thing. Security guy looks at it, realizes we let SSH in, we might as well let this in. In other words, you start talking to each other using each other's languages and realizing what problems you're trying to solve. The security guy needs to have security updates on now, zero day, I don't have time to wait for you, and you're fighting: no, we got a maintenance window in a month or two, we'll figure it out. Now work together, and if you're DevOps, then it's like, we'll put that in now. But see, you start working with each other and helping each other with this stuff.

Anyways, you define the roles, you have a break-glass option. There is something else you have to do: you got to create that session configuration. I've got an example here of splatting it, and actually James is going to talk more about that particular file, so I'm gonna leave it to him. And the next thing you need to do, and I give you the code for it, is these endpoints don't just magically happen. You have to register the endpoint. Now, it's not in there now, but when this repo goes live, I have a cool piece of code. It's also, if you go watch the video series, you can download it. It's what I was using and still do when I do deployments that are non-DSC deployments of JEA. I had this great little thing that runs at each machine to do the registrations. Now, when you do a registration you're running a cmdlet, but there's something: you're messing with remoting, so WinRM's got to do a restart. The service does, and it does it automatically for you. It'll give you a message saying it needs a restart. Sometimes it doesn't. So here's the thing: it can be frustrating if you don't realize the service never started, because it's never gonna work, but you'll sit there for days troubleshooting it because you're too stupid to look up to see if the service is... come on, that's funny. That's like, yeah, I was... an entire array, I was doing an update, or not an update, an upgrade, I'm doing kind of like a migrate, the entire array stopped working suddenly. I came back from it, you know, and it's done, your array's gone, and I was doing all kinds of stuff, I don't know, and I couldn't figure out... this was a long time ago, it was NetWare, and I couldn't figure that crap out. Call up, now, and you know when you get those people, you know, they don't know who you are or what you know, so they got to start with the things like, is it plugged in, is it turned on, and eventually... well, I don't like that. So they come up and they say, well, is it plugged in, you know, is it turned on? I'd go, don't, give me to a real engineer. And, oh, let me call you right back. That's how it works. So yeah, turn that bad boy on.

Now, once it's registered, in the code that I give you in here, you can modify it any way you want. What I'd like to do is register the endpoint and make sure that I restart the service. That way I don't have to deal with any weirdness. And now you can test it, and here's the thing I want you to see. Now, I wrote this because I'm already signed in as an administrator, but usually you'd be signed in as a user. You just do Enter-PSSession, the box you want to hit, and the name of the configuration that we gave it, in this case PrintOperators. Boom, that's it, you'll get in. Now, what happens to a regular user normally if they tried to do Enter-PSSession, go to a remote machine? Access denied. Well, now when they try to hit that endpoint, that endpoint has that configuration file that says who is allowed. Oh, are you in... oh, you're in. And then you can do it like for Active Directory groups, individual usernames, however you want to do it. Oh, you're in, and I like to create groups for JEA operators that are JEA_whatever, you know, they do. And oh, you're in that group, therefore you are allowed to use remoting, and we'll connect you to that endpoint and we'll read that capability file, and that's what you're allowed to do. So as a user, which you will be, and make no doubt about it, this is going to be your life someday, maybe not today, but it will be. You will connect and you will get in and you will only get what you're allowed to have, period. And it's this easy. If you splat it, you can edit and get another one out, because you run this and it just makes those files. And here's the best part: if you've registered the endpoint once and you're just making changes to the capability file, you'll have to re-register it. So you can sit there and do that over, over, over. It's not working, now it's working, okay, great, keep going, keep going, let's do it better, make more, make more. So, oh, don't wig out on me. All right, now that you took me into my presentation, boo, how do I get back into it? There we go, thank you. And you jump slides.

So a couple of things real quick, and then, because I'm running out of time here, first of all, see James this afternoon if you're doing anything with JEA, because he's gonna go through all this. I just want to give you some centralized deployment. I've already talked about this. This is basically a copy deploy. However, if you are doing configuration management, you are, right? Don't, it's okay, you don't have to lie to me. But anyways, if you're doing configuration management, it doesn't matter what product you're using. DSC is a platform; it works with Puppet and Chef, and you guys know this, or you can do it yourself with DSC, and you can do the deployments that way, which is the way I usually do them, because I'm doing the pipeline stuff. So this is actually kind of cool that you can do it with DSC. It's all great, you can copy it out, it's very easy. Now, a couple of things, and you guys know this, Microsoft sees, you know, a lot of benefits to not letting you know. One of the best stories I heard... you guys saw Jeffrey was talking about Azure Stack, and he brought up the diagram of the architecture of Azure Stack. What's the best part about that diagram? You don't care, because you ain't allowed to touch it anyways, ever. So why do you care what the internals are? Doesn't matter, you can't touch it. Think about this: Microsoft gave you the finest security tools in the world. I have a question for you. Are you aware of... now, do not answer this question. Are you aware of any user that has elevated privileges or more permissions to shares than they're supposed to have? Who's the security problem, the user or you? We gave you the best tools. I say we as if I did it; I knew crap. Microsoft gave us the best security tools. What we didn't do was what we were told to do. So guess what we can do now? All of those 30 years of crappy security, oh, I'm gonna have to pull all that out? No, screw it, go to JEA. We're gonna lock that thing down, and end the problem, period. You got to be excited about that. I know you feel like, well, don't take power away. We're not taking power away; we're controlling when you use your powers, so that you only use your powers for good, and if you don't, we're gonna know it and then do bad things to you. So yeah, kinda sorta.

You can already guess what some of the challenges are. Hey, print operator, you manage printers through a JEA endpoint. What? You print operate... most print operators today are gonna say okay. First of all, I expect little, but why'd you say, yeah, let me show you how to do this? They don't know PowerShell. Here's the thing, guys, we are well past 11 years now of PowerShell being out. I am up to here hearing that. I am done with hearing that excuse: well, I haven't had a chance over the last 11 years to get off my lazy ass. Well, you know what, you need to help them, because they don't understand why. I hear from guys all the time going, I was gonna get in that PowerShell thing, I just don't really need it. They don't know why. It's not that they're stupid; nobody's explaining it to them. You have that ability. You can get them on board and get them learning, but your JEA implementation's gonna suck unless you got some people that know PowerShell. That's gonna make it easier. Or you've got some graphical utilities that use PowerShell remoting, because guess what, those utilities are gonna then be restrained, or constrained, by JEA. So there's a lot of work that goes into this, but when you are successful with this, every day that you're making a role a little bit better, you're reducing the attack surface for your company. It's an iterative process, but I need you to understand it isn't: you get all the benefits at the end, five years from now. You get the benefits from the very first thing you're doing. You're improving your corporate security. That's a pretty good story to tell the leadership team. What do you guys do today? Tightened up security. Oh, good, thanks, appreciate that. What'd you guys do today? Well, we had to rebuild a server. Can't you guys do that crap faster? Get a pipeline, get [unclear]. Now you can do things like get a pipeline so you can react to things faster, and you can spend more time on JEA and your security and really pay off for the company that way. You guys have known, if you'd listened to somebody like Lee Holmes, it looks pretty bleak, because it's pretty freakin' bleak. Did you guys watch the Zuckerberg yesterday? Yeah, he was really prepped well, wasn't he? Because I didn't think, you know, he could put two English words together without, you know, being confused, because he's so smart the language doesn't even really need to be used. But yeah, he's saying, look guys, we're doing our best and we're getting creamed, we need help. So it's tough out there. Well, here's your help.

So now a couple of concepts, and it's going to be really quick. We have something called just in time. Those of you that work with Azure, you can do this. Those of you that have Active Directory can do this. The concept to just in time is this: I give you the ability to use JEA as a print operator, but the only time, think about this, the only time I want you to have the privilege of using remoting as a print operator is when we have a problem. If we don't have a problem, you don't need it. You shouldn't be messing with it, because if you're messing with it you might cause a problem. So just in time, think of it like this way. Let's say you had a ticketing system, or the ticket comes in: printer XYZ is not printing. All right, I'll take that ticket. Boom, now you have been given the privilege, and it's going to end on a scheduled time. So let's just say, ah, the printer's not printing, boom, you got 15 minutes to figure that sucker out before we pull it. Well, thank God we're starting the spooler service quick, but you get the idea. So just in time. They did JIT JEA, so JEA just in time, just enough administration. Isn't that kind of a cool thing? People are doing this now. This is not just like some time in the future; today, now, companies are doing this. Some companies really want to do this; they're just a little bit slower at it. So I also have a slide that I'm giving you where I just mention the technologies for JEA.

So I'm going to open up for questions as I start running out of here. But here's the thing: this was to get you started so that you can hit that real-world one with James Petty this afternoon, where he'll go through and show you how he does it at his company and how he's been doing it, so you get some real good experience there. Yes, sir? If you have them go through remoting to the local machine? Yeah, you have to connect through an endpoint. So I do this all the time, because this actually irritates me, where what I'll be doing is I'm just playing with some VM lab machines to test out some code or something, and I'll go to myself and I'll be restricted. Damn it, I forgot that I had this. So yeah, you can do that, as long as it goes through the endpoint. Um, guys, again, this is where the stuff's gonna be. I'm gonna start strolling out there, I'll be out there if you want to talk about it, that kind of thing. Yes, sir, go ahead. Oh, we got time for that part? Will this not apply... the configuration file, will it apply to the new SSH? I didn't hear the last part. We're talking about PowerShell remoting; who knows what may or may not happen in the future. So do you kind of get the idea here? Don't be afraid of this, this is for all our benefit. So thank you very much, have a wonderful day. [Applause]
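The two files and the registration step the talk walks through, as an added PowerShell example. This is not the speaker's demo code or the repo he mentions; it is written here to show the splatted role capability (Restart-Service limited to -Name spooler, Get-only commands from PrintManagement and NetTCPIP), the session configuration with a virtual account and transcripts, and the WinRM check he warns about. The module name JEA_PrintOperators, the group CONTOSO\JEA_PrintOperators, the author/company strings, the transcript folder and the server name PRINT01 are all assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example (not the speaker's demo code). Builds the two JEA files the talk
# describes by splatting, then registers the endpoint. ASSUMPTIONS: module name,
# AD group, author/company strings, transcript folder, and the server name PRINT01.

$ModuleName = 'JEA_PrintOperators'                                       # assumed
$ModuleRoot = Join-Path $env:ProgramFiles "WindowsPowerShell\Modules\$ModuleName"
$RoleDir    = Join-Path $ModuleRoot 'RoleCapabilities'                   # JEA scans this folder for .psrc files

New-Item -Path $RoleDir -ItemType Directory -Force | Out-Null
New-ModuleManifest -Path (Join-Path $ModuleRoot "$ModuleName.psd1") `
                   -Description 'Role capabilities for JEA print operators'

# --- 1. Role capability (.psrc): WHAT the role may do -------------------------
$roleParams = @{
    Path             = Join-Path $RoleDir 'PrintOperators.psrc'
    Author           = 'Security Engineering'                            # assumed
    CompanyName      = 'Contoso'                                         # assumed
    Description      = 'Restart the spooler; read-only printer and IP information'
    ModulesToImport  = 'PrintManagement', 'NetTCPIP'
    # Restart-Service is exposed with exactly one parameter and one legal value.
    # Inside the session, "Restart-Service -Name bits" fails parameter validation.
    VisibleCmdlets   = @(
        @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'spooler' } }
        'Get-Service'
    )
    # PrintManagement and NetTCPIP commands are CDXML-generated and surface as
    # functions, so they are listed here. Only Get-*: the role can look, not change.
    VisibleFunctions = 'Get-Printer', 'Get-PrintJob', 'Get-NetIPAddress', 'Get-NetIPConfiguration'
}
New-PSRoleCapabilityFile @roleParams

# --- 2. Session configuration (.pssc): WHO may connect, and as what -----------
$sessionParams = @{
    Path                = Join-Path $ModuleRoot 'PrintOperators.pssc'
    SessionType         = 'RestrictedRemoteServer'   # NoLanguage mode; only the visible commands exist
    RunAsVirtualAccount = $true                      # caller stays a user; the session runs as a per-session virtual admin
    TranscriptDirectory = 'C:\ProgramData\JEATranscripts'   # assumed; every command in every session is recorded
    RoleDefinitions     = @{
        'CONTOSO\JEA_PrintOperators' = @{ RoleCapabilities = 'PrintOperators' }  # assumed group -> .psrc base name
    }
}
New-PSSessionConfigurationFile @sessionParams
if (-not (Test-PSSessionConfigurationFile -Path $sessionParams.Path)) {
    throw "Session configuration file failed validation: $($sessionParams.Path)"
}

# --- 3. Register the endpoint and confirm WinRM really came back --------------
Register-PSSessionConfiguration -Name 'PrintOperators' -Path $sessionParams.Path -Force
Restart-Service -Name WinRM
if ((Get-Service -Name WinRM).Status -ne 'Running') {
    throw 'WinRM is not running; the endpoint cannot answer until it is'
}
Get-PSSessionConfiguration -Name 'PrintOperators' | Select-Object Name, Permission

# Edits to the .psrc are picked up by the next new session without re-registering;
# edits to the .pssc require Unregister-PSSessionConfiguration and Register again.

# --- 4. From a workstation, as a member of the assumed group ------------------
# Enter-PSSession -ComputerName PRINT01 -ConfigurationName PrintOperators
# [PRINT01]: PS> Get-Command                     # the five Get-* commands, Restart-Service, and the JEA defaults
# [PRINT01]: PS> Restart-Service -Name spooler   # allowed
# [PRINT01]: PS> Restart-Service -Name bits      # rejected: not in the ValidateSet
```

Because the hashtables are plain data, iterating on the role is a matter of editing a line and re-running New-PSRoleCapabilityFile; the check on WinRM after registration is there because, as the talk notes, a registration that did not get its service restart looks exactly like a broken endpoint.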
Info
Channel: PowerShell.org
Views: 5,322
Keywords: powershell, windows powershell, techsession, powershell summit
Id: zftC6eDzRJY
Length: 41min 20sec (2480 seconds)
Published: Wed May 02 2018