Windows Unprivileged - Windows Features
Administrator rights are required to install Windows Features.
Right? No.
Turns out an unprivileged user can be given permissions to install or remove any Windows role or feature they want, and it won’t lead to worse problems than giving that same user administrator rights instead.
Note that absolutely none of this is authoritative or directly based on relevant documentation. It’s mostly what I found and figured out and guessed and (in some cases) made up. Some of it may be wrong or dangerous or lead to disaster or confusion. I am not taking responsibility here for anything, not even spelling or good taste. Read and act on it at your own peril!
This is where Just-Enough-Admin can help.
Just-Enough-Admin (or JEA) is a feature of the Windows Remote Management service that allows WinRM (the Windows Remote Management service) to act on behalf of a connected user. It is in purpose similar to sudo on Unix systems or installed images on OpenVMS. It has two general drawbacks: It only works in non-interactive mode (i.e. you cannot start programs that require user interaction or use a GUI) and it essentially trusts WinRM not to mess things up.
Create a Just-Enough-Admin configuration named WindowsFeature.
PS C:\Program Files\WindowsPowerShell\Modules\JEA> New-PSSessionConfigurationFile WindowsFeature.pssc
And create a group JEA_WindowsFeature.
PS C:\Program Files\WindowsPowerShell\Modules\JEA> New-LocalGroup JEA_WindowsFeature
Make three changes to the WindowsFeature.pssc file created:
- Set SessionType to ‘RestrictedRemoteServer’.
# Session type defaults to apply for this session configuration. Can be 'RestrictedRemoteServer' (recommended), 'Empty', or 'Default'
SessionType = 'RestrictedRemoteServer'
- Set RunAsVirtualAccount to $true.
# Whether to run this session configuration as the machine's (virtual) administrator account
RunAsVirtualAccount = $true
- Configure RoleDefinitions to use WindowsFeature.psrc.
RoleDefinitions = @{'JEA_Windowsfeature' = @{RoleCapabilities='WindowsFeature'}}
(Let us consider these three changes our default changes for each JEA configuration, with the third pointing to different groups and rolecapability files obviously.)
Then create a role capability file for this thing.
PS C:\Program Files\WindowsPowerShell\Modules\JEA\RoleCapabilities> New-PSRoleCapabilityFile WindowsFeature.psrc
(Make sure the file is in the subfolder RoleCapabilities at the same level as the WindowsFeature.pssc file.)
Add the following entries to the file, at the appropriate places per the hints given in the template file.
ModulesToImport = 'ServerManager','Dism'
VisibleCmdLets = '*-WindowsFeature','*-WindowsCapability'
That’s it. You might want to add more, like ways to regulate what exactly a user should be able to install or remove, but after some very little thinking I came to the conclusion that it is not worth it. Instead rely on monitoring to catch what the user might have done wrong and correct it. None of what the user can install or remove here can compromise the system in any way and a destroyed server is a secure server. If you have users that should add or remove Windows features or roles, you have already decided that you need these things to be done. This merely stops giving them more rights than they need to do this.
Register the hell out of this JEA configuration:
PS C:\Program Files\WindowsPowerShell\Modules\JEA> Register-PSSessionConfiguration WindowsFeature -Path .\WindowsFeature.pssc
Now add a user to the JEA_WindowsFeature group and let him enjoy his powers.
PS C:\> Add-LocalGroupMember -Group JEA_WindowsFeature -Member benoit
PS C:\> Get-LocalGroupMember JEA_WindowsFeature
ObjectClass Name PrincipalSource
----------- ---- ---------------
User CHAMPIGNAC\benoit Local
PS C:\>
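The manual steps above can also be scripted. The following is an added example, not part of the original post: it passes the three default changes as parameters instead of editing the template by hand, validates the file before registering it, and lists what a group member will actually see. The transcript directory is an assumption added to support the monitoring mentioned above; all other names and paths are the ones used in this article.

```powershell
# Added example: scripted equivalent of the manual steps (run from an elevated prompt).
# Names and paths follow the article; $transcript is an assumed location.
$jeaRoot    = 'C:\Program Files\WindowsPowerShell\Modules\JEA'
$roleDir    = Join-Path $jeaRoot 'RoleCapabilities'
$psscPath   = Join-Path $jeaRoot 'WindowsFeature.pssc'
$psrcPath   = Join-Path $roleDir 'WindowsFeature.psrc'
$transcript = 'C:\ProgramData\JEA\Transcripts'   # assumption, not from the article

New-Item -ItemType Directory -Path $roleDir, $transcript -Force | Out-Null

# Create the group only if it does not exist yet.
if (-not (Get-LocalGroup -Name 'JEA_WindowsFeature' -ErrorAction SilentlyContinue)) {
    New-LocalGroup -Name 'JEA_WindowsFeature' | Out-Null
}

# Role capability file: only the feature and capability cmdlets are visible.
New-PSRoleCapabilityFile -Path $psrcPath `
    -ModulesToImport 'ServerManager', 'Dism' `
    -VisibleCmdlets '*-WindowsFeature', '*-WindowsCapability'

# Session configuration with the three default changes, plus session transcripts.
New-PSSessionConfigurationFile -Path $psscPath `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory $transcript `
    -RoleDefinitions @{ 'JEA_WindowsFeature' = @{ RoleCapabilities = 'WindowsFeature' } }

# Refuse to register a file that does not parse as a session configuration.
if (-not (Test-PSSessionConfigurationFile -Path $psscPath)) {
    throw "Invalid session configuration file: $psscPath"
}

# Replace an earlier registration so edits to the .pssc take effect.
if (Get-PSSessionConfiguration -Name 'WindowsFeature' -ErrorAction SilentlyContinue) {
    Unregister-PSSessionConfiguration -Name 'WindowsFeature' -Force
}
Register-PSSessionConfiguration -Name 'WindowsFeature' -Path $psscPath -Force | Out-Null

# Audit: list every command the wildcards expose to a member of the group.
# The user must already be in JEA_WindowsFeature for the role to apply.
Get-PSSessionCapability -ConfigurationName 'WindowsFeature' `
    -Username "$env:COMPUTERNAME\benoit" |
    Sort-Object Name | Select-Object CommandType, Name
```

The last command is worth rerunning after any change to the .psrc file, since a wildcard such as '*-WindowsCapability' exposes every matching cmdlet in the imported modules.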
You might also want to give the group the privilege needed to shut down or reboot the computer:
PS C:\Program Files\ABTokenTools> .\AccountRights.exe JEA_WindowsFeature SeShutdownPrivilege
0
SeShutdownPrivilege
1
PS C:\Program Files\ABTokenTools>
Benoit:
PS C:\> whoami
champignac\benoit
PS C:\> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name                Description                    State
============================= ============================== ========
SeShutdownPrivilege           Shut down the system           Disabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
PS C:\> Import-PSSession (New-PSSession -ConfigurationName WindowsFeature) -AllowClobber
ModuleType Version Name ExportedCommands
---------- ------- ---- ----------------
Script 1.0 tmp_oq0ydpru.wh3 {Get-WindowsFeature, Install-WindowsFeature, Uninstall-WindowsFeature}
PS C:\> Add-WindowsFeature -Name Web-Server -IncludeAllSubFeature
Success Restart Needed Exit Code Feature Result
------- -------------- --------- --------------
True Yes SuccessRest... {Application Development, Application Init...
WARNING: You must restart this server to finish the installation process.
PS C:\>
Now benoit might want to restart the computer.
WindowsFeature.pssc
WindowsFeature.psrc
Next: How to JEA IIS.