发表更新powershell / security1 分钟读完 (大约196个字)

PowerShell JEA安全架构解析

JEA端点配置

1
2
3
4
5
6
7
8
# 创建会话配置文件
$sessionParams = @{
    Path = '.JEAConfig.pssc'
    SessionType = 'RestrictedRemoteServer'
    RunAsVirtualAccount = $true
    RoleDefinitions = @{ 'CONTOSO\SQLUsers' = @{ RoleCapabilities = 'SqlReadOnly' } }
}
New-PSSessionConfigurationFile @sessionParams

角色能力定义

1
2
3
4
5
6
7
8
9
# 创建角色能力文件
$roleCapability = @{
    Path = 'Roles\SqlReadOnly.psrc'
    VisibleCmdlets = 'Get-Sql*'
    VisibleFunctions = 'ConvertTo-Query'
    VisibleProviders = 'FileSystem'
    ScriptsToProcess = 'Initialize-SqlEnv.ps1'
}
New-PSRoleCapabilityFile @roleCapability

会话沙箱验证

1
2
3
4
5
6
# 连接JEA端点并验证权限
$session = New-PSSession -ConfigurationName JEAConfig
Invoke-Command -Session $session {
    Get-Command -Name *  # 仅显示白名单命令
    Get-ChildItem C:\   # 触发权限拒绝
}

典型应用场景

  1. 数据库只读访问控制
  2. 第三方供应商操作审计
  3. 生产环境故障诊断隔离
  4. 跨域资源受限访问

安全加固要点

  • 虚拟账户生命周期控制
  • 转录日志完整性校验
  • 模块白名单签名验证
  • 会话超时熔断机制
关注我

链接

分类

最新文章

归档

标签

.net2
0day1
C#1
QQ4
acl1
ad2
ai2
ai-optimization1
angularjs3
animation1
apache1
appz1
asciiart1
att&ck1
automation23
azure1
azure-ad1
azure-functions2
azuread1
backup1
batch3
bestpractice2
block2
blog1
book1
breakpoint1
bug1
c#1
career1
cdn1
cheatsheet1
cloud1
cmd1
cmdlet1
code-generation1
command3
community6
compliance5
computervision1
conditional-compilation1
container1
cost-optimization2
csharp1
css1
data-structure1
data-structures1
database2
datacenter1
ddns1
debugging3
delicious3
develop2
device-compliance1
device-health1
device-management1
device-monitoring1
devops4
devsecops1
digital-assets1
docker2
dos1
download5
drone1
dsc1
dynamic-loading1
ebook2
ed2k1
edge-computing2
embedded1
encoding1
energy-optimization1
error-handling2
ethereum1
excel1
extension1
filesystem-abstraction1
flow-control1
front-end1
function1
functions2
gallery1
geek30
git1
green-computing2
gtd1
guide2
guideline11
gvim1
hashtable2
healthcheck1
hexo1
html1
hybrid-cloud1
iac1
icon1
ics1
ide1
industrial-iot1
ionic1
ip1
iso2
javascript7
jea1
kubernetes3
language1
lateral-movement1
learning6
lesson1
link6
linux1
log-analysis1
loganalysis1
machine-learning1
markdown1
metaprogramming1
metaverse2
microsoft4
microsoft-graph1
module2
mongodb2
mongoose1
monthly1
mqtt1
multi-cloud2
multicloud1
multithreading1
mvp1
natural-language-processing1
nlp1
node.js2
nodejs2
nosql2
oauth21
openai4
optimization2
oray1
packaging1
parameters1
path-handling1
picture1
policies1
powershell2071
powertip1976
predictive-maintenance1
preface1
privilege-escalation1
process-analysis1
productivity1
proxy1
psprovider1
qq2
red-team1
reflection1
regex6
registry2
release2
remoting1
repack1
resource1
resource-orchestration1
rest-api1
role-capability1
runspacepool1
scm1
scope3
script25
security3
security-monitoring1
series1976
server2
serverless3
skill4
smart-contract1
software1
sp11
stacktrace1
study1
style1
supply-chain1
supplychain2
switch1
terraform3
text9
text-processing1
threat-hunting1
tip1975
tip个1
tool1
uac1
unmanaged-code1
update1
variable1
variables2
video2
vim2
virtual-environment1
visualstudio3
vmware1
vulnerability2
web5
web31
window1
windows1
xampp2
xml1
zero-trust4
zerotrust2

订阅更新

×