Starting with Icinga for Windows v1.6.0, we are supporting JEA profiles and provide all required tools to build a profile based on installed Icinga for Windows components.
JEA stands for "Just Enough Administration" and you can read more about it on the Microsoft Docs.
In short, JEA allows you to limit access to certain Cmdlets, Functions and Binaries on the system. In addition, you can grant users additional privileges to perform tasks that are normally permitted to Administrators only.
With JEA profiles, you can for example grant certain users or groups permission to restart a specific service once they have started a PowerShell session with a specific JEA profile. Access in this elevated environment can be limited to exactly that one command, while all other commands and services remain unmanageable.
In order to use JEA profiles, your system has to meet the following requirements:
- PowerShell 5.0 or later
- WinRM service configured
Using JEA profiles increases security in a certain way, while also ensuring that you no longer have to manage certain permissions for the monitoring user account. Instead of granting permissions on certain services, WMI objects or anything related, each command is executed within the System context. By defining profiles, you can ensure that fetching this information is possible, but modifying the system itself is not.
For monitoring, for example, certain Scheduled Tasks or even Services are not accessible by some users. To fetch the vmms service for Hyper-V, for example, you need to execute the checks either in the context of Hyper-V Administrators or of LocalSystem. Both are then unrestricted in how they can interact with Hyper-V, causing a possible security gap.
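The following is an added example and not the Icinga for Windows profile generator or any of its Cmdlets. It builds the kind of restricted endpoint the two paragraphs above describe: members of one group may read any service with Get-Service, but may restart only the Hyper-V vmms service, and everything else in the session is unavailable. The group name DOMAIN\Monitoring-Operators, the module name ServiceMonitorJea and the transcript folder are placeholders chosen for this example.

```powershell
# Added example (not Icinga for Windows code): a JEA endpoint that allows reading
# any service but restarting only 'vmms'. Group, module name and transcript path
# are placeholders.

$ModuleRoot = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\ServiceMonitorJea'
$RoleDir    = Join-Path $ModuleRoot 'RoleCapabilities'
New-Item -ItemType Directory -Path $RoleDir -Force | Out-Null

# Role capability file (.psrc). The role name is the file's base name.
# Get-Service is visible without restriction (read only); Restart-Service is
# visible, but JEA validates its -Name argument against the ValidateSet, so
# 'Restart-Service -Name Spooler' is rejected inside the session.
$Role = @{
    Path           = Join-Path $RoleDir 'ServiceMonitor.psrc'
    VisibleCmdlets = @(
        'Get-Service',
        @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'vmms' } }
    )
}
New-PSRoleCapabilityFile @Role

# Session configuration file (.pssc). RunAsVirtualAccount runs the session as a
# temporary local administrator, so the operator needs no standing rights on the
# host; the restricted role is the only thing they can reach. NoLanguage suits a
# two-command role; the Icinga generator uses FullLanguage for the reasons given
# later in this page.
$Config = @{
    Path                = Join-Path $env:TEMP 'ServiceMonitor.pssc'
    SessionType         = 'RestrictedRemoteServer'
    RunAsVirtualAccount = $true
    LanguageMode        = 'NoLanguage'
    RoleDefinitions     = @{ 'DOMAIN\Monitoring-Operators' = @{ RoleCapabilities = 'ServiceMonitor' } }
    TranscriptDirectory = 'C:\ProgramData\JEA\Transcripts'
}
New-PSSessionConfigurationFile @Config

# Validate the file before registering it; registration restarts WinRM.
if (-not (Test-PSSessionConfigurationFile -Path $Config.Path)) {
    throw "Invalid session configuration file: $($Config.Path)"
}
Register-PSSessionConfiguration -Name 'ServiceMonitor' -Path $Config.Path -Force | Out-Null

# What an operator sees afterwards (from any machine with WinRM access):
#   Enter-PSSession -ComputerName <host> -ConfigurationName ServiceMonitor
#   Get-Command                        # only Get-Service, Restart-Service and the JEA defaults
#   Get-Service -Name vmms             # allowed
#   Restart-Service -Name vmms         # allowed
#   Restart-Service -Name Spooler      # blocked by the ValidateSet
```

Because the session runs as a virtual account, no permanent group membership or service ACL change is needed for the monitoring user; the transcript directory keeps a record of every command executed through the endpoint, which is the place to look when auditing what the restricted role was actually used for.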
Icinga for Windows provides Cmdlets to automatically build a JEA profile based on your installed Icinga for Windows components. Every Cmdlet in use is analyzed and checked for the commands it executes, to ensure plugins have access to all required tools to run properly and return the plugin information.
By default, Icinga for Windows JEA profiles are created with the PowerShell language mode FullLanguage. This generally allows the execution of ScriptBlocks and other non-blocked Cmdlets, while ConstrainedLanguage is more restrictive on which commands can be executed by default, prohibiting ScriptBlocks and the later modification of global variables.
If Icinga for Windows is used with the Icinga for Windows service, the ConstrainedLanguage flag will cause the service to not work, as the service relies on modifying global variables within the started PowerShell session, which is impossible in this mode. During development, we started to get rid of ScriptBlocks and use other methods for creating the internal threads.
Starting a JEA session with FullLanguage ensures that you can only execute commands you are permitted to run. Any other command is not available and will be blocked. However, this changes once you create a ScriptBlock, because ScriptBlocks will execute commands even when you should not be permitted to execute them. To mitigate this problem, Icinga for Windows will not add any command or module that ships with ScriptBlocks inside.
For better security, it is highly recommended to install the Icinga PowerShell Framework in a location that requires administrative privileges for making changes. By default, this would for example be C:\Program Files\WindowsPowerShell\Modules\.
The JEA profile generator looks up the root folder into which the Icinga PowerShell Framework is installed and only looks for Icinga for Windows components installed there. Any other Icinga for Windows module installed on the system is not included.
This ensures that administrative privileges are required beforehand to modify these files, which are later executed inside the JEA context.
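As an added example that is not part of Icinga for Windows, the function below audits a module folder for the two properties this section and the ScriptBlock paragraph above depend on: only administrative identities may write to the folder (otherwise a non-administrator could alter code that later runs in the System context inside the JEA session), and the module files contain no ScriptBlocks. The function name Test-JeaModuleFolder and the list of trusted writers are assumptions for this example; the ScriptBlock scan uses the PowerShell parser's AST rather than a regular expression.

```powershell
# Added example (not Icinga for Windows code): audit a module folder before it
# is exposed through a JEA profile. Function name and trusted identities are
# assumptions for this example.
function Test-JeaModuleFolder {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Identities that may legitimately hold write access on a folder under
        # C:\Program Files. CREATOR OWNER is the inheritance-only default ACE.
        [string[]] $TrustedWriters = @(
            'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
            'NT SERVICE\TrustedInstaller', 'CREATOR OWNER'
        )
    )

    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. ACL check: any Allow ACE that grants write, modify or full control to an
    #    identity outside the trusted set means non-administrators can change
    #    code that will later run elevated inside the JEA session.
    $writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
                 [System.Security.AccessControl.FileSystemRights]::Modify -bor
                 [System.Security.AccessControl.FileSystemRights]::FullControl
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (($ace.FileSystemRights -band $writeMask) -eq 0) { continue }
        if ($TrustedWriters -notcontains $ace.IdentityReference.Value) {
            $findings.Add("Write access for '$($ace.IdentityReference.Value)' on $Path")
        }
    }

    # 2. ScriptBlock scan: parse every script and module file and report each
    #    '{ ... }' used as an expression (ScriptBlockExpressionAst). Function
    #    bodies are not ScriptBlock expressions and are therefore not reported.
    $files = Get-ChildItem -Path $Path -Recurse -File -Include *.ps1, *.psm1
    foreach ($file in $files) {
        $tokens = $null
        $errors = $null
        $ast = [System.Management.Automation.Language.Parser]::ParseFile(
            $file.FullName, [ref] $tokens, [ref] $errors)
        if ($errors.Count -gt 0) {
            $findings.Add("Parse error in $($file.FullName): $($errors[0].Message)")
            continue
        }
        $blocks = $ast.FindAll({
            param($node)
            $node -is [System.Management.Automation.Language.ScriptBlockExpressionAst]
        }, $true)
        foreach ($block in $blocks) {
            $findings.Add("ScriptBlock in $($file.FullName):$($block.Extent.StartLineNumber)")
        }
    }

    [PSCustomObject]@{
        Path     = $Path
        Safe     = ($findings.Count -eq 0)
        Findings = $findings.ToArray()
    }
}

# Usage (folder name is a placeholder for the module you intend to expose):
#   Test-JeaModuleFolder -Path "$env:ProgramFiles\WindowsPowerShell\Modules\<module-folder>"
```

The ScriptBlock scan flags every brace expression, including pipeline filters such as Where-Object { ... }, so its output is a review list rather than a verdict; the ACL check, by contrast, is a hard fail, because a writable module folder undoes the protection this section relies on regardless of what the code inside looks like.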
To get started with the Icinga for Windows JEA profile, have a look at the installation guide.