I recently came across an interesting feature of Windows PowerShell JEA (Just Enough Administration) which by default makes use of Windows virtual accounts to run the remote end point in admin context. I also understand these virtual accounts are created ephemeral for that session and get destroyed when the session ends. This also by default has the local admin rights on the machine for that session while the user running the session is a standard user who can carry out privileged operations using that virtual admin account.
This got me into thinking - we have a few apps in our organisation which sadly need local admin rights to run. We are reluctantly granting admin rights for the users of those apps. So I was wondering if there is a way through PowerShell we can create this Virtual account for the duration of however long that application runs? What I am thinking is some sort of wrapper PowerShell which is targeted by the application shortcut which would internally first spin up this virtual account to run that app as? I am assuming we need to configure some sort of one-off constrained custom app-specific JEA endpoint during the installation of the application. Then again, if the app requires the launching user's context to access back-end database etc. I am not sure how that would be taken into account.
I was just wondering if you have any clever thoughts? Thanks, Steve
Related
We have a PowerShell script to pull Power BI activity data (using Get-PowerBIActivityEvent), and I have been trying to automate it so that it can pull this data daily using an unattended account. The problem is the script must necessarily use the Connect-PowerBIServiceAccount cmdlet, which requires a credential. I don't want to have the passwords hard-coded anywhere (obviously) and ideally don't want to be passing it into the script as a plaintext parameter in case of memory leaks.
I've tried using SSIS as a scheduling mechanism since it allows for encrypted parameters in script tasks, but can't call the PS script with a SecureString parameter since the System.Management.Automation namespace isn't in the GAC (a commandline call wouldn't be possible).
I don't believe task scheduler would offer the functionality needed.
Does anyone know of any elegant ways to connect to the power BI service using encrypted credentials?
In the docs of Connect-PowerBIServiceAccount there are 2 options for unattended sign-in:
Using -Credential, where you pass AAD client ID as username and application secret key as password
Using -CertificateThumbprint and -ApplicationId
For both options you need to configure service pricipal and add proper permissions. I'm not going into details how to configure that, but most probably you'd need (at least) the following application permissions:
I'm not really sure what functionalities you need in the script, but in my experience, majority of the cases can be covered by scheduled task, so the explanation below will apply to that solution.
How you can secure the credentials?
There are variuos possible solutions, depending on your preferences. I'd consider certificate-based authentication as more secure (certificate is available only to current user/all users of the machine).
What's important in certificate-based authentication - make sure that the certificate is available for the account running the script (in many cases it's service account, not your user account).
How can I secure more?
If you want, you can store application ID as secure string (I don't have SSIS to test, so I'm not sure if there's any workaround to make it working in there) or use Export-CliXml. They use Windows Data Protection API (DPAPI), so the file can be decrypted only by the account which was used to encrypt.
To add one more level of security (I'm not even mentioning setting correct access rights to the files as it's obvious) you might put the file in the folder encrypted (you might already have a solution for disk encryption, so use it if you wish).
There are probably some solutions to secure the keys even better, but these ones should do the job. I'm using other Microsoft 365 modules with similar approach (Outlook, SharePoint PnP) and it works quite well.
NOTE: If you need to use user account, instead of service principal, make sure that you have MultiFactor Authentication disabled on that account for that specific application.
The relevant documentation to this (https://learn.microsoft.com/en-us/power-bi/developer/embedded/embed-service-principal) states that admin APIs (i.e. those served via Get-PowerBiActivityEvent) do not currently support service principals. This means it's not currently possible to use a registered app to run these cmdlets unattended.
There is a feature request open to provide this at the moment: https://ideas.powerbi.com/forums/265200-power-bi-ideas/suggestions/39641572-need-service-principle-support-for-admin-api
I'm current using this sample as my test bed.
IdentityServer3.Samples/source/MembershipReboot/
I've assigned the correct permissions and read several other posts about this problem but I still get access denied.
My IIS app is running under applicationpoolidentity.
I suggest you to use IIS Local instead of Express to have more control with security. I hope you will get success with this following steps:
Install the certificate in the Personal directory of the Current User. (Help)
Assign a dedicated application pool to the IdSrv3 virtual application or website. (Help)
Assign your user as the identity of the dedicated application pool. (Help)
The user that run IIS must have the read rights on the certificates store where you put it. ApplicationPoolIdentity does not have this rights.
We currently have a FileMaker Server instanace running, it already has PHP web publishing running.
I'm just wondering is it as simple as ticking enable XML web publishing for it to be up and running or have I got to restart the server??
Thanks
You need to enable it in the server deployment, then you need at least 1 user account in the file with the extended privilege to grant access via php/xml/iwp etc. You will need a user account in EACH file you want to have access to with the appropriate extended privilege.
Then comes the fun of actually working with the FMXML or FMPHP engine hehe.
Scenario:
I have a console application that needs to access a network share with read/write permissions.
There is no problems when run it manually.
The problem:
When I add this application as a job in my quartz.net server, it cannot access the share. I do not have access to change permissions on the network share, so basically I need my quartz job or if necessary my quartz server to run jobs as me (or as a user that has the proper permissions).
Any ideas in how to accomplish this?
Thanks
You need to change the user that the service is ran with (so this actually isn't a Quartz.NET issue). Open service properties in services and change the user from SYSTEM or NETWORK SERVICE to some named user account that has proper rights to the network share.
You can also use impersonation to change the user you're running as on the fly.
I have been maintaining an installation for a while but I am not really an expert. now I've been asked to come up with a solution for this:
Our software is always sold together with a computer as it has to be run in a very controlled environment. The installer needs administrative privileges to be executed. So far we had two different users, one with administrative rights and other one without. Our custumer service login as Administrator, install the software and restart the machine so that the user can access as a normal user.
Now we want the user to be able to install the software themselves but we don't want them to have access as an administrator because they can modify things it shouldn't be modified.
So, is there any way to programmatically raise the user privileges during the installation and afterwards lower them back? The installer is made using InstallShield but we use vbscript to check some pre-requisites.
Check out CPAU. It allows you to create an encrypted command that will run the installation as administrator.
EDIT: This is a more comprehensive list of like tools.
If you are looking for a toolkit to do this kind of thing, well, Microsofts MSI technology has this built in: Administrator access is required to install the initial MSI file, additional patches (MSPs I think) are digitally signed by the original MSI and are thus deemed safe - users can install them without requiring administrator elevation.
You can do the same thing: As part of your administrative install, install a service. The service can create a named pipe - that you explicitly give user ACLs to - or even just a socket or monitor a drop off folder that allows the user level code to communicate with the service code (running with SYSTEM or configured access). The service can then use its SERVICE or configured account level permissions to either impersonate an administrator, or do other tasks on the behalf of the user without EVER giving the user any kind of elevated permission - even temporarily.