Just Enough Administration (JEA) โ Theory & Configuration
๐ What is JEA?
JEA (Just Enough Administration) is a PowerShell security feature that allows you to delegate administrative tasks without giving full admin rights. It enables role-based access control over PowerShell endpoints.
This is useful in enterprise environments where admins want to give limited, specific permissions to junior staff, services, or red teamers without compromising the entire system.
๐ฏ Objective in Pentesting
As an attacker or red teamer, if you find a system using JEA endpoints, you may be able to:
-
Abuse misconfigured role capabilities
-
Escalate privileges if the roles grant access to sensitive commands or files
-
Maintain access using available allowed commands
๐งช Example
https://github.com/sashathomas/evil-jea/tree/main
evil-jea connect adfs_svc 'S3cur!ty' 192.168.20.15This command uses the evil-jea tool to connect to a remote JEA-enabled PowerShell session on a Windows machine (192.168.20.15) using credentials for the adfs_svc service account.
โ๏ธ JEA Configuration Requires Two Files
To set up a JEA session configuration on a target system, the administrator must define two key files:
1. ๐งพ PSSC File โ PowerShell Session Configuration (.pssc)
This is the Session Configuration File.
๐ Purpose:
-
Defines who can connect
-
Specifies what role capabilities are available
-
Configures the language mode, transcript settings, etc.
๐ Example Breakdown:
@{
SessionType = 'RestrictedRemoteServer'
RunAsVirtualAccount = $true
TranscriptDirectory = 'C:\JEA\Transcripts'
RoleDefinitions = @{
'CORP\user1' = @{ RoleCapabilities = @('UserManagement') }
'CORP\admin1' = @{ RoleCapabilities = @('FullAdmin') }
}
}Key Fields:
-
SessionType: UsuallyRestrictedRemoteServer(limits what users can do) -
RunAsVirtualAccount: Runs the session in a temporary local admin context -
RoleDefinitions: Maps users/groups to PSRC roles (defined below)
2. ๐ PSRC File โ PowerShell Role Capability (.psrc)
This is the Role Capability File.
๐ Purpose:
- Defines what actions/commands are allowed for that role
๐ Example Breakdown:
@{
VisibleCmdlets = 'Get-Service', 'Restart-Service'
VisibleFunctions = 'Restart-WebApp'
VisibleExternalCommands = 'C:\Tools\Run-AppPoolReset.exe'
ScriptsToProcess = @('C:\Scripts\Init.ps1')
}Key Fields:
-
VisibleCmdlets: Whitelisted PowerShell cmdlets -
VisibleFunctions: Whitelisted functions -
VisibleExternalCommands: Whitelisted executables/scripts -
ScriptsToProcess: Scripts that load with the session
This determines what a user mapped to this role (in the PSSC) can do.
๐ Security Perspective (Blue Team)
A well-configured JEA endpoint is a great security boundary. However, red teamers or attackers can:
-
Abuse over-permissive role capabilities
-
Escalate if
VisibleExternalCommandspoint to vulnerable scripts -
Escape the sandbox if
VisibleCmdletsallow file or process manipulation
๐ง Summary Table
| File Type | Extension | Defines | Purpose |
|---|---|---|---|
| Session Configuration | .pssc | Who + What Roles | Maps users/groups to role capabilities |
| Role Capability | .psrc | What Commands | Defines what cmdlets/functions/scripts are allowed |
โ Final Notes for Your Workflow
If you find JEA configured on a target:
-
Check the PSSC to find what users are mapped to which roles
-
Analyze the PSRC to see what commands or scripts are exposed
-
Use
evil-jeaorEnter-PSSessionto connect and explore your limitations -
Try using allowed commands to pivot, dump credentials, or escape
whoami
$env:USERNAME
$env:USERDOMAIN
Get-Command
Get-Command -CommandType Cmdlet
Get-Command -CommandType ExternalScript