Skip to content

Hybrid Cloud Blog

Welcome to our Demo Tuesday Series. Each week we will be highlighting a new product feature from the Hybrid Cloud Platform.

Don’t leave all of your keys on one ring

One of the new Privilege Identity controls in Windows Server 2016 is Just Enough Administration (JEA). It uses PowerShell to provide role-based administration. That way IT personnel have the keys to only what they need to do their jobs, without giving them full admin access. This “just enough” approach limits the potential damage that can be done by malicious insiders or criminals who have hacked a trusted admin’s credentials. Take a look:

In other words, you no longer have to give a frontline support tech the power to take control of your sensitive servers just to restart a service. Nor do you need to allow a helpdesk engineer to have full control of an executive PC to run remote diagnostics. There’s no reason to take those risks.

How Just Enough Administration limits risk

JEA uses a layer of “least privilege.”

  • Users can perform only those tasks for which they are authorized as part of their role by using Windows PowerShell constrained runspaces.
  • Users can perform required tasks without being given administrator rights on the server.
  • The tasks that users are allowed to perform, and their server access, are defined and managed from a central configuration server by using Windows PowerShell Desired State Configuration (DSC).
  • Constant logging details who has accessed the environment and what’s been changed.

And as for that Tier 1 frontline support tech who needs to help someone troubleshoot a server or desktop? They can use many of PowerShell’s diagnostic cmdlets to troubleshoot while having limited ability to add, remove, or change objects.

Watch more of the Windows Server 2016 demo series and learn more about security options with Windows Server 2016.