{"id":1611,"date":"2014-07-21T12:09:00","date_gmt":"2014-07-21T12:09:00","guid":{"rendered":"https:\/\/blogs.msdn.microsoft.com\/powershell\/2014\/07\/21\/creating-a-secure-environment-using-powershell-desired-state-configuration\/"},"modified":"2024-02-22T11:01:34","modified_gmt":"2024-02-22T19:01:34","slug":"creating-a-secure-environment-using-powershell-desired-state-configuration","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/powershell\/creating-a-secure-environment-using-powershell-desired-state-configuration\/","title":{"rendered":"Creating a Secure Environment using PowerShell Desired State Configuration"},"content":{"rendered":"<p style=\"text-align: left;\"><span style=\"font-family: verdana, geneva; font-size: small;\"><strong>Introduction:<\/strong><\/span><\/p>\n<p style=\"text-align: left;\"><span style=\"font-family: verdana, geneva; font-size: small;\">Traditionally, IT environments have secured their business critical information against external threats by adding additional layers of security to the org\u2019s network (e.g. 
firewalls, DMZs, etc.).\u00a0 <\/span>\n<span style=\"font-family: verdana, geneva; font-size: small;\">However many of today\u2019s attacks are coming from inside the network so a new \u201cassume breach\u201d approach must be adopted.<\/span><\/p>\n<p style=\"text-align: left;\"><span style=\"font-family: verdana, geneva; font-size: small;\">In this blog, we show how to create a secure environment to run a particular application or service inside of an assume-breached network.\u00a0 This substantially reduces the attack surface of the application or service by <\/span><span style=\"font-family: verdana, geneva; font-size: small;\">configuring a highly customized, application specific environment, by limiting user access and by having \u201cJust Enough\u201d administrative control with full auditing.<\/span><\/p>\n<p style=\"text-align: left;\"><span style=\"font-family: verdana, geneva; font-size: small;\">Below is a sample environment called Safeharbor.\u00a0 Safeharbor is an isolated environment for critical information that limits access to the resources. 
This is accomplished by:<\/span><\/p>\n<p style=\"text-align: left;\"><span style=\"font-family: verdana, geneva; font-size: small;\">\u2022\u00a0Policies to clearly define User access and actions on the resources<\/span>\n<span style=\"font-family: verdana, geneva; font-size: small;\">\u2022\u00a0Separate isolated domain constraining access to the resources<\/span>\n<span style=\"font-family: verdana, geneva; font-size: small;\">\u2022\u00a0Limited &amp; relevant access to users<\/span>\n<span style=\"font-family: verdana, geneva; font-size: small;\">\u2022\u00a0Auditing access to protected data, changes to user permissions and setting up alerts on access.<\/span><\/p>\n<p style=\"text-align: left;\"><span style=\"font-family: verdana, geneva; font-size: small;\">We will walk you through an implementation of the Safeharbor environment using PowerShell Desired State Configuration (DSC) and PowerShell Constrained Endpoints.<\/span><\/p>\n<p style=\"text-align: left;\"><span style=\"font-family: verdana, geneva; font-size: small;\"><strong>The key elements of creating a secure environment are:<\/strong><\/span><\/p>\n<ul style=\"text-align: left;\">\n<li><span style=\"font-family: verdana, geneva; font-size: small;\"><a href=\"http:\/\/blogs.msdn.com\/b\/powershell\/archive\/2008\/05\/10\/remoting-with-powershell-quickstart.aspx\">PowerShell Remoting<\/a><\/span><\/li>\n<li><span style=\"font-family: verdana, geneva; font-size: small;\"><a href=\"http:\/\/blogs.technet.com\/b\/heyscriptingguy\/archive\/2014\/04\/02\/build-constrained-powershell-endpoint-using-configuration-file.aspx\">Constrained PowerShell Endpoints<\/a><\/span><\/li>\n<li><span style=\"font-family: verdana, geneva; font-size: small;\"><a href=\"http:\/\/blogs.msdn.com\/b\/powershell\/archive\/tags\/dsc\/\">Desired State Configuration<\/a> (DSC)<\/span><\/li>\n<li><span style=\"font-family: verdana, geneva; font-size: small;\"><a 
href=\"http:\/\/blogs.msdn.com\/b\/powershell\/archive\/2013\/11\/21\/powershell-dsc-resource-for-configuring-pull-server-environment.aspx\">DSC Pull Server<\/a><\/span><\/li>\n<li><span style=\"font-family: verdana, geneva; font-size: small;\"><a href=\"http:\/\/blogs.msdn.com\/b\/powershell\/archive\/2014\/01\/31\/want-to-secure-credentials-in-windows-powershell-desired-state-configuration.aspx\">Securing credentials in DSC<\/a><\/span><\/li>\n<li><span style=\"font-family: verdana, geneva; font-size: small;\"><a href=\"http:\/\/blogs.msdn.com\/b\/powershell\/archive\/2014\/06\/06\/dsc-resource-kit-wave-4-is-live.aspx\">DSC Resource Kit<\/a><\/span><\/li>\n<li><span style=\"font-family: verdana, geneva; font-size: small;\"><a href=\"http:\/\/blogs.technet.com\/b\/privatecloud\/archive\/2014\/05\/14\/just-enough-administration-step-by-step.aspx\">Just Enough Administration<\/a> (JEA)<\/span><\/li>\n<li><span style=\"font-family: verdana, geneva; font-size: small;\">Networking, DHCP, DNS, Windows Active Directory, SMB Share concepts<\/span><\/li>\n<\/ul>\n<div style=\"text-align: left;\">\n<p style=\"text-align: left;\"><span style=\"font-family: verdana, geneva; font-size: small;\"><strong>Lab Configuration:<\/strong><\/span><\/p>\n<p><span style=\"font-family: verdana, geneva; font-size: small;\">This blog is focused on creating a lab environment to explore the creation and operation of Secure Environments using PowerShell DSC. We first use DSC to create a \u201cCorporate\u201d domain for the lab. <\/span>\n<span style=\"font-family: verdana, geneva; font-size: small;\">In the real world, you\u2019ll skip this step and use your existing domain. We then assume that this environment has been breached. Of course you would route out and address the breach and secure the environment to avoid further breaches. 
<\/span>\n<span style=\"font-family: verdana, geneva; font-size: small;\">But in an \u201cassume-breach\u201d approach, you recognize that you need to invest and put your most valuable assets, in this case, the corporate data stored on file servers, into a Secure Environment.<\/span><\/p>\n<p><span style=\"font-family: verdana, geneva; font-size: small;\">The first step for this lab is to setup a \u201cCorporate\u201d domain with a Domain Controller, Domain Administrator, Domain Users and a user to perform admin tasks in the domain (Person Authorized to perform Administrative tasks \u2013 PAPA).<\/span><\/p>\n<p>&nbsp;<\/p>\n<p style=\"text-align: left;\"><span style=\"font-size: small; font-family: verdana, geneva;\"><strong>Corporate Environment:<\/strong><\/span><\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/powershell\/wp-content\/uploads\/sites\/30\/2014\/07\/0726.Corporate.jpg\"><img decoding=\"async\" class=\"alignnone size-full wp-image-20284\" src=\"https:\/\/devblogs.microsoft.com\/powershell\/wp-content\/uploads\/sites\/30\/2014\/07\/0726.Corporate.jpg\" alt=\"Image 0726 Corporate\" width=\"640\" height=\"360\" srcset=\"https:\/\/devblogs.microsoft.com\/powershell\/wp-content\/uploads\/sites\/30\/2014\/07\/0726.Corporate.jpg 640w, https:\/\/devblogs.microsoft.com\/powershell\/wp-content\/uploads\/sites\/30\/2014\/07\/0726.Corporate-300x169.jpg 300w\" sizes=\"(max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p style=\"text-align: left;\"><span style=\"font-family: verdana, geneva; font-size: small;\">Below is the configuration to provision the lab\u2019s Corporate domain controller using DSC.<\/span><\/p>\n<p style=\"text-align: left;\"><span style=\"font-family: verdana, geneva; font-size: small;\"><strong>Highlights of the configuration:<\/strong><\/span>\n<span style=\"font-family: verdana, geneva; font-size: small;\">\u2022 Setup and Promote the machine to be a DC using the <a 
href=\"http:\/\/gallery.technet.microsoft.com\/scriptcenter\/xActiveDirectory-f2d573f3\">xADDomain <\/a>resource<\/span>\n<span style=\"font-family: verdana, geneva; font-size: small;\">\u2022 <a href=\"http:\/\/blogs.msdn.com\/b\/powershell\/archive\/2014\/01\/31\/want-to-secure-credentials-in-windows-powershell-desired-state-configuration.aspx\">Credentials are securely handled using certificates and Secure string in DSC<\/a><\/span>\n<span style=\"font-family: verdana, geneva; font-size: small;\">\u2022 <a href=\"http:\/\/technet.microsoft.com\/en-us\/library\/cc781340(v=ws.10).aspx\">DNS zone transfer<\/a> is configured to allow replication of DNS databases across other DNS Servers (This will be explained later when the secure domain is stood-up)<\/span>\n<span style=\"font-family: verdana, geneva; font-size: small;\">\u2022 Domain users are added using the <a href=\"http:\/\/gallery.technet.microsoft.com\/scriptcenter\/xActiveDirectory-f2d573f3\">xADUser<\/a> resource\n\u2022 Config uses a component to synchronize the execution of operations between the DSC managed nodes.\u00a0The Synchronization component is primarily used for the configuration agent on the local machine to capture the state of the remote DSC supported machine and to sequence the execution of its configuration resources locally<\/span><\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/powershell\/wp-content\/uploads\/sites\/30\/2014\/07\/1638.DCConfig.jpg\"><img decoding=\"async\" class=\"alignnone size-full wp-image-20285\" src=\"https:\/\/devblogs.microsoft.com\/powershell\/wp-content\/uploads\/sites\/30\/2014\/07\/1638.DCConfig.jpg\" alt=\"Image 1638 DCConfig\" width=\"789\" height=\"1406\" srcset=\"https:\/\/devblogs.microsoft.com\/powershell\/wp-content\/uploads\/sites\/30\/2014\/07\/1638.DCConfig.jpg 789w, https:\/\/devblogs.microsoft.com\/powershell\/wp-content\/uploads\/sites\/30\/2014\/07\/1638.DCConfig-168x300.jpg 168w, 
https:\/\/devblogs.microsoft.com\/powershell\/wp-content\/uploads\/sites\/30\/2014\/07\/1638.DCConfig-575x1024.jpg 575w, https:\/\/devblogs.microsoft.com\/powershell\/wp-content\/uploads\/sites\/30\/2014\/07\/1638.DCConfig-768x1369.jpg 768w\" sizes=\"(max-width: 789px) 100vw, 789px\" \/><\/a><\/p>\n<p style=\"text-align: left;\"><span style=\"font-family: verdana, geneva; font-size: small;\">The configuration data for Corporate DC contains User configuration such as credentials, in a secure file.\u00a0<\/span><\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/powershell\/wp-content\/uploads\/sites\/30\/2014\/07\/3122.DCConfigData.jpg\"><img decoding=\"async\" class=\"alignnone size-full wp-image-20286\" src=\"https:\/\/devblogs.microsoft.com\/powershell\/wp-content\/uploads\/sites\/30\/2014\/07\/3122.DCConfigData.jpg\" alt=\"Image 3122 DCConfigData\" width=\"720\" height=\"376\" srcset=\"https:\/\/devblogs.microsoft.com\/powershell\/wp-content\/uploads\/sites\/30\/2014\/07\/3122.DCConfigData.jpg 720w, https:\/\/devblogs.microsoft.com\/powershell\/wp-content\/uploads\/sites\/30\/2014\/07\/3122.DCConfigData-300x157.jpg 300w\" sizes=\"(max-width: 720px) 100vw, 720px\" \/><\/a><\/p>\n<p style=\"text-align: left;\"><span style=\"font-family: verdana, geneva; font-size: small;\">A Client machine \u201cCorpClient\u201d is provisioned in the Corporate domain and the user to perform administrative tasks is added to the Administrator group.\u00a0<\/span><\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/powershell\/wp-content\/uploads\/sites\/30\/2014\/07\/3681.CorpClientConfig.jpg\"><img decoding=\"async\" class=\"alignnone size-full wp-image-20287\" src=\"https:\/\/devblogs.microsoft.com\/powershell\/wp-content\/uploads\/sites\/30\/2014\/07\/3681.CorpClientConfig.jpg\" alt=\"Image 3681 CorpClientConfig\" width=\"763\" height=\"669\" srcset=\"https:\/\/devblogs.microsoft.com\/powershell\/wp-content\/uploads\/sites\/30\/2014\/07\/3681.CorpClientConfig.jpg 763w, 
https:\/\/devblogs.microsoft.com\/powershell\/wp-content\/uploads\/sites\/30\/2014\/07\/3681.CorpClientConfig-300x263.jpg 300w\" sizes=\"(max-width: 763px) 100vw, 763px\" \/><\/a><\/p>\n<p style=\"text-align: left;\"><span style=\"font-size: small; font-family: verdana, geneva;\">This lab takes an \u201cassume-breach\u201d attitude, so we assume that the Corporate domain we just created is compromised and that the IT department needs to create a\u00a0secure environment for the critical data on the File Servers. A new Safeharbor domain is quickly stood up, with a domain controller, a management head server constraining access to critical resources and a DSC Pull Server containing the configuration for the workload-specific nodes such as File Servers. File Servers are then provisioned using the boot-to-pull-server mechanism.<\/span><\/p>\n<p><span style=\"font-family: verdana, geneva; font-size: small;\">By locking down access to the resources inside the isolated Safeharbor domain, we mitigate threats that originate inside the compromised Corporate domain.<\/span><\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/powershell\/wp-content\/uploads\/sites\/30\/2014\/07\/2287.SafeharborEmpty.jpg\"><img decoding=\"async\" class=\"alignnone size-full wp-image-20288\" src=\"https:\/\/devblogs.microsoft.com\/powershell\/wp-content\/uploads\/sites\/30\/2014\/07\/2287.SafeharborEmpty.jpg\" alt=\"Image 2287 SafeharborEmpty\" width=\"640\" height=\"360\" srcset=\"https:\/\/devblogs.microsoft.com\/powershell\/wp-content\/uploads\/sites\/30\/2014\/07\/2287.SafeharborEmpty.jpg 640w, https:\/\/devblogs.microsoft.com\/powershell\/wp-content\/uploads\/sites\/30\/2014\/07\/2287.SafeharborEmpty-300x169.jpg 300w\" sizes=\"(max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p style=\"text-align: left;\"><span style=\"font-family: verdana, geneva; font-size: small;\"><strong>Safeharbor Environment:<\/strong><\/span><\/p>\n<p><span style=\"font-family: verdana, geneva; font-size: small;\">The plan to 
secure and lock down access to the workload servers is as follows. We will explain each step of the process and go over the associated Configuration.<\/span><\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/powershell\/wp-content\/uploads\/sites\/30\/2014\/07\/8054.SafeharborPlan.jpg\"><img decoding=\"async\" class=\"alignnone size-full wp-image-20289\" src=\"https:\/\/devblogs.microsoft.com\/powershell\/wp-content\/uploads\/sites\/30\/2014\/07\/8054.SafeharborPlan.jpg\" alt=\"Image 8054 SafeharborPlan\" width=\"640\" height=\"360\" srcset=\"https:\/\/devblogs.microsoft.com\/powershell\/wp-content\/uploads\/sites\/30\/2014\/07\/8054.SafeharborPlan.jpg 640w, https:\/\/devblogs.microsoft.com\/powershell\/wp-content\/uploads\/sites\/30\/2014\/07\/8054.SafeharborPlan-300x169.jpg 300w\" sizes=\"(max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p style=\"text-align: left;\"><span style=\"font-family: verdana, geneva; font-size: small;\">There are three users across the two domains that are of interest.<\/span>\n<span style=\"font-family: verdana, geneva; font-size: small;\">1) <strong>Corporate\\PAPA<\/strong> \u2013 User in the Corporate domain authorized to perform admin tasks. This is the only user from the Corporate domain allowed access to the JEA management server.<\/span>\n<span style=\"font-family: verdana, geneva; font-size: small;\">2) <strong>Corporate\\User<\/strong> \u2013 A general domain user of Corporate who is granted access to specific file shares (explained later)<\/span>\n<span style=\"font-family: verdana, geneva; font-size: small;\">3) <strong>Safeharbor\\MATA<\/strong> \u2013 Non-admin domain user in Safeharbor (\u201cmanagement account for trusted action\u201d), used as the RunAs account on the constrained endpoint. 
This user has no other access in either domain.<\/span><\/p>\n<p><span style=\"font-family: verdana, geneva; font-size: small;\"><strong>Safeharbor Domain Controller and Pull Server:<\/strong><\/span><\/p>\n<p><span style=\"font-family: verdana, geneva; font-size: small;\">The first step is to bring up the Safeharbor domain controller.<\/span><\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/powershell\/wp-content\/uploads\/sites\/30\/2014\/07\/1462.SafeharborDCPullServer.jpg\"><img decoding=\"async\" class=\"alignnone size-full wp-image-20290\" src=\"https:\/\/devblogs.microsoft.com\/powershell\/wp-content\/uploads\/sites\/30\/2014\/07\/1462.SafeharborDCPullServer.jpg\" alt=\"Image 1462 SafeharborDCPullServer\" width=\"640\" height=\"360\" srcset=\"https:\/\/devblogs.microsoft.com\/powershell\/wp-content\/uploads\/sites\/30\/2014\/07\/1462.SafeharborDCPullServer.jpg 640w, https:\/\/devblogs.microsoft.com\/powershell\/wp-content\/uploads\/sites\/30\/2014\/07\/1462.SafeharborDCPullServer-300x169.jpg 300w\" sizes=\"(max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p style=\"text-align: left;\"><span style=\"font-size: small; font-family: verdana, geneva;\">The same configuration which was used to setup the Corporate DC (see previous section) is used here. However the manifest data is different. Apart from using secure way of managing credentials, the key take away here is that we create a new domain user MATA (Management Account for Trusted Action). This is a non-admin user which is restricted to be used only on the workload File Servers to perform specific actions. 
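The Domain Controller configuration and its data are shown above only as screenshots. Here is what that configuration looks like in text form, as an added example that is not code from the original post: it uses the xADDomain and xADUser resources from the xActiveDirectory module the post links to, and the certificate-based credential handling the post describes (no PSDscAllowPlainTextPassword). Host names, the domain name, file paths and the thumbprint are placeholders, the MATA user belongs only to the Safeharbor data, and the resource parameter names are those of the 2014 xActiveDirectory release and should be checked against the module version you install.

```powershell
# Added example: DSC configuration for a lab domain controller (Corporate or Safeharbor;
# only the configuration data differs). Assumes the xActiveDirectory module is present
# on the authoring machine and on the node; all names below are placeholders.
Configuration SafeharborDC
{
    param (
        [Parameter(Mandatory)] [pscredential] $DomainAdminCred,
        [Parameter(Mandatory)] [pscredential] $SafeModeCred,
        [Parameter(Mandatory)] [pscredential] $MataCred
    )
    Import-DscResource -ModuleName xActiveDirectory

    Node $AllNodes.Where{ $_.Role -eq 'DC' }.NodeName
    {
        WindowsFeature ADDS
        {
            Name   = 'AD-Domain-Services'
            Ensure = 'Present'
        }
        WindowsFeature DnsServer
        {
            Name   = 'DNS'
            Ensure = 'Present'
        }
        # Promote the machine to the first DC of a new forest.
        xADDomain Forest
        {
            DomainName                    = $Node.DomainName
            DomainAdministratorCredential = $DomainAdminCred
            SafemodeAdministratorPassword = $SafeModeCred
            DependsOn                     = '[WindowsFeature]ADDS'
        }
        # MATA: an ordinary domain user. It is deliberately NOT added to any admin group here;
        # the file server configuration grants it local admin rights on those nodes only.
        xADUser MATA
        {
            DomainName                    = $Node.DomainName
            UserName                      = 'MATA'
            Password                      = $MataCred
            Ensure                        = 'Present'
            DomainAdministratorCredential = $DomainAdminCred
            DependsOn                     = '[xADDomain]Forest'
        }
    }
}

# Configuration data. CertificateFile/Thumbprint make DSC encrypt every credential in the
# generated MOF with the node's public key; because PSDscAllowPlainTextPassword is absent,
# compilation fails loudly if the certificate settings are missing instead of writing secrets in clear.
$ConfigData = @{
    AllNodes = @(
        @{
            NodeName        = 'SafeharborDC'
            Role            = 'DC'
            DomainName      = 'safeharbor.local'
            CertificateFile = 'C:\Safeharbor\Certs\SafeharborDC.cer'   # public key exported from the node
            Thumbprint      = '<thumbprint of the node certificate>'  # placeholder
        }
    )
}

SafeharborDC -ConfigurationData $ConfigData `
    -DomainAdminCred (Get-Credential -Message 'Safeharbor domain administrator') `
    -SafeModeCred    (Get-Credential -UserName 'SafeMode' -Message 'DSRM password') `
    -MataCred        (Get-Credential -UserName 'MATA' -Message 'MATA password') `
    -OutputPath .\SafeharborDC

Start-DscConfiguration -Path .\SafeharborDC -Wait -Verbose
```

For the node to decrypt the credentials, its Local Configuration Manager must carry the matching private-key thumbprint in `CertificateID` (the linked "securing credentials" post covers exporting the certificate and setting that value). A quick check that nothing leaked is `Select-String -Path .\SafeharborDC\SafeharborDC.mof -Pattern 'Password' -Context 0,1`: the values should be opaque encrypted blobs, never the plain text you typed.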
There is also a one-way trust in which Safeharbor trusts the Corporate domain, so that Corporate users (PAPA) can be authenticated by Safeharbor resources while Safeharbor accounts remain unusable in Corporate.<\/span><\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/powershell\/wp-content\/uploads\/sites\/30\/2014\/07\/2860.SafeharborDCConfigData.jpg\"><img decoding=\"async\" class=\"alignnone size-full wp-image-20291\" src=\"https:\/\/devblogs.microsoft.com\/powershell\/wp-content\/uploads\/sites\/30\/2014\/07\/2860.SafeharborDCConfigData.jpg\" alt=\"Image 2860 SafeharborDCConfigData\" width=\"748\" height=\"328\" srcset=\"https:\/\/devblogs.microsoft.com\/powershell\/wp-content\/uploads\/sites\/30\/2014\/07\/2860.SafeharborDCConfigData.jpg 748w, https:\/\/devblogs.microsoft.com\/powershell\/wp-content\/uploads\/sites\/30\/2014\/07\/2860.SafeharborDCConfigData-300x132.jpg 300w\" sizes=\"(max-width: 748px) 100vw, 748px\" \/><\/a><\/p>\n<p style=\"text-align: left;\"><span style=\"font-size: small; font-family: verdana, geneva;\">Next, a DSC Pull Server is provisioned with all local admin accounts disabled and the Pull Server is joined to the Safeharbor domain using the xComputer resource. This is an HTTPS-based Pull Server containing the configuration for the workload File Servers. 
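The Pull Server configuration in the post is again a screenshot. The following is an added example, not the post's own code, of a pull server with the properties the text describes: HTTPS only, local Administrator disabled, domain-joined through xComputer. It assumes the xDscWebService resource from xPSDesiredStateConfiguration and xComputer from xComputerManagement (both in the DSC Resource Kit linked above); host names, paths and thumbprints are placeholders, and the web-server certificate is assumed to be already installed in `LocalMachine\My` on the node.

```powershell
# Added example: HTTPS-only DSC pull server joined to Safeharbor with the local
# Administrator account disabled. Assumes xPSDesiredStateConfiguration (xDscWebService)
# and xComputerManagement (xComputer); names, paths and thumbprints are placeholders.
Configuration SafeharborPullServer
{
    param ([Parameter(Mandatory)] [pscredential] $DomainJoinCred)

    Import-DscResource -ModuleName xPSDesiredStateConfiguration, xComputerManagement

    Node $AllNodes.Where{ $_.Role -eq 'PullServer' }.NodeName
    {
        WindowsFeature DscService
        {
            Name   = 'DSC-Service'
            Ensure = 'Present'
        }
        # The web service binds only to the SSL certificate; no plain-HTTP listener is created,
        # so a node that has AllowUnsecureConnection = 'false' can never be downgraded.
        xDscWebService PSDSCPullServer
        {
            Ensure                = 'Present'
            EndpointName          = 'PSDSCPullServer'
            Port                  = 8080
            PhysicalPath          = "$env:SystemDrive\inetpub\wwwroot\PSDSCPullServer"
            CertificateThumbPrint = $Node.SslThumbprint
            ModulePath            = "$env:ProgramFiles\WindowsPowerShell\DscService\Modules"
            ConfigurationPath     = "$env:ProgramFiles\WindowsPowerShell\DscService\Configuration"
            State                 = 'Started'
            DependsOn             = '[WindowsFeature]DscService'
        }
        # No usable local admin on the pull server; all management goes through the domain.
        User LocalAdministrator
        {
            UserName = 'Administrator'
            Disabled = $true
        }
        xComputer JoinSafeharbor
        {
            Name       = $Node.NodeName
            DomainName = $Node.DomainName
            Credential = $DomainJoinCred
        }
    }
}

$ConfigData = @{
    AllNodes = @(
        @{
            NodeName        = 'SafeharborPull'
            Role            = 'PullServer'
            DomainName      = 'safeharbor.local'
            SslThumbprint   = '<thumbprint of the web server certificate>'   # placeholder
            CertificateFile = 'C:\Safeharbor\Certs\SafeharborPull.cer'      # encrypts $DomainJoinCred in the MOF
            Thumbprint      = '<thumbprint of the node certificate>'        # placeholder
        }
    )
}
SafeharborPullServer -ConfigurationData $ConfigData `
    -DomainJoinCred (Get-Credential -Message 'Account allowed to join machines to Safeharbor') `
    -OutputPath .\SafeharborPullServer
Start-DscConfiguration -Path .\SafeharborPullServer -Wait -Verbose

# Publishing a workload configuration: a pull client asks for <ConfigurationID>.mof, so the
# compiled file server MOF is renamed to the GUID its LCM will present, and a .checksum
# file must sit beside it or the client rejects the download.
$configurationPath = "$env:ProgramFiles\WindowsPowerShell\DscService\Configuration"
$fileServerGuid    = [guid]::NewGuid().Guid       # record this; the file server LCM needs it
Copy-Item .\FileServer\FS01.mof (Join-Path $configurationPath "$fileServerGuid.mof")
New-DSCCheckSum -ConfigurationPath $configurationPath -OutPath $configurationPath -Force
```

The checksum is an integrity check against accidental corruption, not an authentication mechanism: what protects the configuration in transit is the HTTPS binding, and what protects it at rest is that only domain accounts you choose can write to `ConfigurationPath` on this box.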
The workload servers, upon boot, will pull their state from this server for configuration.<\/span><\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/powershell\/wp-content\/uploads\/sites\/30\/2014\/07\/6874.PullServerConfig.jpg\"><img decoding=\"async\" class=\"alignnone size-full wp-image-20292\" src=\"https:\/\/devblogs.microsoft.com\/powershell\/wp-content\/uploads\/sites\/30\/2014\/07\/6874.PullServerConfig.jpg\" alt=\"Image 6874 PullServerConfig\" width=\"735\" height=\"776\" srcset=\"https:\/\/devblogs.microsoft.com\/powershell\/wp-content\/uploads\/sites\/30\/2014\/07\/6874.PullServerConfig.jpg 735w, https:\/\/devblogs.microsoft.com\/powershell\/wp-content\/uploads\/sites\/30\/2014\/07\/6874.PullServerConfig-284x300.jpg 284w, https:\/\/devblogs.microsoft.com\/powershell\/wp-content\/uploads\/sites\/30\/2014\/07\/6874.PullServerConfig-24x24.jpg 24w\" sizes=\"(max-width: 735px) 100vw, 735px\" \/><\/a><\/p>\n<p style=\"text-align: left;\"><span style=\"font-family: verdana, geneva; font-size: small;\">The Pull Server configuration data contains the Certificate information for SSL binding and the path for the config and modules for the workload servers.<\/span><\/p>\n<p style=\"text-align: left;\"><a href=\"https:\/\/devblogs.microsoft.com\/powershell\/wp-content\/uploads\/sites\/30\/2014\/07\/6574.SafeharborPullServerConfigData.jpg\"><img decoding=\"async\" class=\"alignnone size-full wp-image-20293\" src=\"https:\/\/devblogs.microsoft.com\/powershell\/wp-content\/uploads\/sites\/30\/2014\/07\/6574.SafeharborPullServerConfigData.jpg\" alt=\"Image 6574 SafeharborPullServerConfigData\" width=\"736\" height=\"179\" srcset=\"https:\/\/devblogs.microsoft.com\/powershell\/wp-content\/uploads\/sites\/30\/2014\/07\/6574.SafeharborPullServerConfigData.jpg 736w, https:\/\/devblogs.microsoft.com\/powershell\/wp-content\/uploads\/sites\/30\/2014\/07\/6574.SafeharborPullServerConfigData-300x73.jpg 300w\" sizes=\"(max-width: 736px) 100vw, 736px\" \/><\/a><\/p>\n<p 
style=\"text-align: left;\"><span style=\"font-family: verdana, geneva; font-size: small;\"><strong>JEA Management Server:<\/strong><\/span><\/p>\n<p><span style=\"font-size: small; font-family: verdana, geneva;\">A JEA (Just Enough Admin) enabled Management Server is setup with a constrained PowerShell endpoint. This endpoint allows access to only user from Corporate domain that can perform admin actions (PAPA). This is done to restrict the access to the workload file servers.For security reasons the Administrator\u2019s Role is disabled in the Safeharbor domain. <\/span>\n<span style=\"font-family: verdana, geneva; font-size: small;\">Safeharbor domain user MATA is configured as the RunAs user on the constrained endpoint.<\/span><\/p>\n<p style=\"text-align: left;\"><span style=\"font-family: verdana, geneva; font-size: small;\">Here is the configuration for the Management Server. xPSEndpoint resource is used to setup the constrained PowerShell endpoint. All local admins are disabled to restrict access to the machine.<\/span><\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/powershell\/wp-content\/uploads\/sites\/30\/2014\/07\/7870.MgmtServerConfig.jpg\"><img decoding=\"async\" class=\"alignnone size-full wp-image-20294\" src=\"https:\/\/devblogs.microsoft.com\/powershell\/wp-content\/uploads\/sites\/30\/2014\/07\/7870.MgmtServerConfig.jpg\" alt=\"Image 7870 MgmtServerConfig\" width=\"741\" height=\"664\" srcset=\"https:\/\/devblogs.microsoft.com\/powershell\/wp-content\/uploads\/sites\/30\/2014\/07\/7870.MgmtServerConfig.jpg 741w, https:\/\/devblogs.microsoft.com\/powershell\/wp-content\/uploads\/sites\/30\/2014\/07\/7870.MgmtServerConfig-300x269.jpg 300w\" sizes=\"(max-width: 741px) 100vw, 741px\" \/><\/a><\/p>\n<p style=\"text-align: left;\"><span style=\"font-family: verdana, geneva; font-size: small;\">The configuration data is as follows. The SDDL config for the endpoint grants access to Corporate\\PAPA only. 
Also, all credentials are handled securely.<\/span><\/p>\n<p><span style=\"font-size: small; font-family: verdana, geneva;\">\u00a0$ADUserSid is the SID of the user in Corporate Domain that is designated to perform Admin tasks (Corporate\\PAPA). User -&gt; Sid lookup is performed and the SDDL updated prior to configuring the constrained endpoint.<\/span><\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/powershell\/wp-content\/uploads\/sites\/30\/2014\/07\/0508.SafeharborMgmtServerConfigData.jpg\"><img decoding=\"async\" class=\"alignnone size-full wp-image-20295\" src=\"https:\/\/devblogs.microsoft.com\/powershell\/wp-content\/uploads\/sites\/30\/2014\/07\/0508.SafeharborMgmtServerConfigData.jpg\" alt=\"Image 0508 SafeharborMgmtServerConfigData\" width=\"1062\" height=\"186\" srcset=\"https:\/\/devblogs.microsoft.com\/powershell\/wp-content\/uploads\/sites\/30\/2014\/07\/0508.SafeharborMgmtServerConfigData.jpg 1062w, https:\/\/devblogs.microsoft.com\/powershell\/wp-content\/uploads\/sites\/30\/2014\/07\/0508.SafeharborMgmtServerConfigData-300x53.jpg 300w, https:\/\/devblogs.microsoft.com\/powershell\/wp-content\/uploads\/sites\/30\/2014\/07\/0508.SafeharborMgmtServerConfigData-1024x179.jpg 1024w, https:\/\/devblogs.microsoft.com\/powershell\/wp-content\/uploads\/sites\/30\/2014\/07\/0508.SafeharborMgmtServerConfigData-768x135.jpg 768w\" sizes=\"(max-width: 1062px) 100vw, 1062px\" \/><\/a><\/p>\n<p style=\"text-align: left;\"><span style=\"font-size: small; font-family: verdana, geneva;\">A startup script on the endpoint exposes only a relevant set of functionality to the incoming user. 
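The startup script and the proxy functions are also shown only as images. The following added example, not code from the post, is one way to write them: it defines proxies for the SmbShare cmdlets that accept only shares listed in Permission.csv, runs them on the file server under the endpoint's RunAs identity, and then hides every other command and drops the session to NoLanguage. The CSV column names (`User,FileServer,ShareName,Path,AccessRight`), the file paths and the DNS suffix are assumptions, and the sample CSV row in the comments is constructed for illustration.

```powershell
# Added example: C:\Safeharbor\JEA\Startup.ps1 for the constrained endpoint.
# Assumed Permission.csv columns: User,FileServer,ShareName,Path,AccessRight
# Constructed sample row:   Corporate\User1,FS01,Finance,D:\Shares\Finance,Change
$script:PermissionFile   = 'C:\Safeharbor\JEA\Permission.csv'   # assumption
$script:FileServerSuffix = '.safeharbor.local'                  # assumption

function Get-AllowedShare
{
    # Policy rows for one share on one file server; an empty result means "not allowed".
    param ([string]$FileServer, [string]$ShareName)
    Import-Csv $script:PermissionFile |
        Where-Object { $_.FileServer -eq $FileServer -and $_.ShareName -eq $ShareName }
}

function New-SafeharborShare
{
    # Proxy for New-SmbShare. The caller chooses only WHICH policy entry to apply; the path and
    # the grants come from the CSV, never from the caller, and the name is validated so nothing
    # resembling a UNC path, wildcard or script can travel to the file server.
    [CmdletBinding()]
    param (
        [Parameter(Mandatory)] [ValidatePattern('^[A-Za-z0-9]+$')]  [string]$FileServer,
        [Parameter(Mandatory)] [ValidatePattern('^[A-Za-z0-9_-]+$')] [string]$ShareName
    )
    $policy = @(Get-AllowedShare -FileServer $FileServer -ShareName $ShareName)
    if ($policy.Count -eq 0) { throw "Share '$ShareName' on '$FileServer' is not permitted by policy." }

    $path   = $policy[0].Path
    $change = @($policy | Where-Object AccessRight -eq 'Change' | ForEach-Object User)
    $read   = @($policy | Where-Object AccessRight -eq 'Read'   | ForEach-Object User)

    # Executes on the file server as the endpoint's RunAs account (Safeharbor\MATA).
    Invoke-Command -ComputerName "$FileServer$script:FileServerSuffix" -ScriptBlock {
        param ($Name, $Path, $Change, $Read)
        if (-not (Test-Path $Path)) { New-Item -ItemType Directory -Path $Path | Out-Null }
        $p = @{ Name = $Name; Path = $Path }
        if ($Change.Count) { $p.ChangeAccess = $Change }
        if ($Read.Count)   { $p.ReadAccess   = $Read }
        New-SmbShare @p
    } -ArgumentList $ShareName, $path, $change, $read
}

function Get-SafeharborShare
{
    param ([Parameter(Mandatory)] [ValidatePattern('^[A-Za-z0-9]+$')] [string]$FileServer)
    Invoke-Command -ComputerName "$FileServer$script:FileServerSuffix" { Get-SmbShare -Special $false }
}

function Remove-SafeharborShare
{
    param (
        [Parameter(Mandatory)] [ValidatePattern('^[A-Za-z0-9]+$')]  [string]$FileServer,
        [Parameter(Mandatory)] [ValidatePattern('^[A-Za-z0-9_-]+$')] [string]$ShareName
    )
    if (-not (Get-AllowedShare -FileServer $FileServer -ShareName $ShareName)) {
        throw "Share '$ShareName' on '$FileServer' is not permitted by policy."
    }
    Invoke-Command -ComputerName "$FileServer$script:FileServerSuffix" {
        param ($Name) Remove-SmbShare -Name $Name -Force
    } -ArgumentList $ShareName
}

# Lock the session down: everything not on this list becomes Private (invisible and not
# invocable by the remote user, but still callable from the proxies above), then the
# language mode is dropped so PAPA cannot define functions, run script blocks or call .NET.
$visible = 'New-SafeharborShare', 'Get-SafeharborShare', 'Remove-SafeharborShare',
           'Get-Command', 'Get-Help', 'Measure-Object', 'Select-Object', 'Out-Default', 'Exit-PSSession'
Get-Command -CommandType Cmdlet, Function, Alias, Application |
    Where-Object { $visible -notcontains $_.Name } |
    ForEach-Object { $_.Visibility = 'Private' }
$ExecutionContext.SessionState.LanguageMode = 'NoLanguage'
```

Two details matter for the security argument. The proxies never pass the caller's `-FullAccess` or `-Path`; if they did, PAPA could grant themselves a share on `C:\` and the whole point of the policy file would be lost. And `Permission.csv` sits on the management server, where PAPA has no file system access outside the endpoint, so the only way to change who may reach a share is to change that file through whatever change-control process guards the box.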
In this case, Corporate\\PAPA is allowed access to proxy equivalents of the SmbShare cmdlets to create, retrieve and remove shares on the workload file servers.<\/span><\/p>\n<p style=\"text-align: left;\"><a href=\"https:\/\/devblogs.microsoft.com\/powershell\/wp-content\/uploads\/sites\/30\/2014\/07\/1325.StartupScript.jpg\"><img decoding=\"async\" class=\"alignnone size-full wp-image-20296\" src=\"https:\/\/devblogs.microsoft.com\/powershell\/wp-content\/uploads\/sites\/30\/2014\/07\/1325.StartupScript.jpg\" alt=\"Image 1325 StartupScript\" width=\"904\" height=\"583\" srcset=\"https:\/\/devblogs.microsoft.com\/powershell\/wp-content\/uploads\/sites\/30\/2014\/07\/1325.StartupScript.jpg 904w, https:\/\/devblogs.microsoft.com\/powershell\/wp-content\/uploads\/sites\/30\/2014\/07\/1325.StartupScript-300x193.jpg 300w, https:\/\/devblogs.microsoft.com\/powershell\/wp-content\/uploads\/sites\/30\/2014\/07\/1325.StartupScript-768x495.jpg 768w\" sizes=\"(max-width: 904px) 100vw, 904px\" \/><\/a><\/p>\n<p style=\"text-align: left;\"><span style=\"font-family: verdana, geneva; font-size: small;\">Proxy function for the SmbShare cmdlets, restricting their functionality:<\/span><\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/powershell\/wp-content\/uploads\/sites\/30\/2014\/07\/0250.MgmtServerProxyFunction.jpg\"><img decoding=\"async\" class=\"alignnone size-full wp-image-20297\" src=\"https:\/\/devblogs.microsoft.com\/powershell\/wp-content\/uploads\/sites\/30\/2014\/07\/0250.MgmtServerProxyFunction.jpg\" alt=\"Image 0250 MgmtServerProxyFunction\" width=\"625\" height=\"246\" srcset=\"https:\/\/devblogs.microsoft.com\/powershell\/wp-content\/uploads\/sites\/30\/2014\/07\/0250.MgmtServerProxyFunction.jpg 625w, https:\/\/devblogs.microsoft.com\/powershell\/wp-content\/uploads\/sites\/30\/2014\/07\/0250.MgmtServerProxyFunction-300x118.jpg 300w\" sizes=\"(max-width: 625px) 100vw, 625px\" \/><\/a><\/p>\n<p style=\"text-align: left;\"><span style=\"font-size: small; font-family: 
The proxy cmdlets">
verdana, geneva;\">The proxy functions use a Permission.csv file that maps users to resources and access permissions. In this sample, Corporate\\User1 is allowed to access the named shares on the file server. The share permissions are applied when Corporate\\PAPA connects to the constrained endpoint and creates a new SMB share on the file server; the proxy takes them from the file, not from the caller.<\/span><\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/powershell\/wp-content\/uploads\/sites\/30\/2014\/07\/1526.MgmtServerPermissionCSV.jpg\"><img decoding=\"async\" class=\"alignnone size-full wp-image-20298\" src=\"https:\/\/devblogs.microsoft.com\/powershell\/wp-content\/uploads\/sites\/30\/2014\/07\/1526.MgmtServerPermissionCSV.jpg\" alt=\"Image 1526 MgmtServerPermissionCSV\" width=\"656\" height=\"163\" srcset=\"https:\/\/devblogs.microsoft.com\/powershell\/wp-content\/uploads\/sites\/30\/2014\/07\/1526.MgmtServerPermissionCSV.jpg 656w, https:\/\/devblogs.microsoft.com\/powershell\/wp-content\/uploads\/sites\/30\/2014\/07\/1526.MgmtServerPermissionCSV-300x75.jpg 300w\" sizes=\"(max-width: 656px) 100vw, 656px\" \/><\/a><\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/powershell\/wp-content\/uploads\/sites\/30\/2014\/07\/6433.SafeharborMgmtServer.jpg\"><img decoding=\"async\" class=\"alignnone size-full wp-image-20299\" src=\"https:\/\/devblogs.microsoft.com\/powershell\/wp-content\/uploads\/sites\/30\/2014\/07\/6433.SafeharborMgmtServer.jpg\" alt=\"Image 6433 SafeharborMgmtServer\" width=\"640\" height=\"360\" srcset=\"https:\/\/devblogs.microsoft.com\/powershell\/wp-content\/uploads\/sites\/30\/2014\/07\/6433.SafeharborMgmtServer.jpg 640w, https:\/\/devblogs.microsoft.com\/powershell\/wp-content\/uploads\/sites\/30\/2014\/07\/6433.SafeharborMgmtServer-300x169.jpg 300w\" sizes=\"(max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p style=\"text-align: left;\"><span style=\"font-family: verdana, geneva; font-size: small;\"><strong>Workload Servers:<\/strong><\/span>\n<span style=\"font-size: small; font-family: verdana, 
geneva;\">In the final step the workload file servers are added securely. DSC Metaconfiguration on these servers is configured such that they pull their configuration from the DSC Pull Server. Also, the file servers are locked down by removing built-in firewall rules and allowing only specific traffic.<\/span><\/p>\n<p><span style=\"font-family: verdana, geneva; font-size: small;\">All local admins are disabled and the Safeharbor domain account MATA (Management Account for Trusted Action) is granted admin rights on the machine to perform creating\/removal of smbshares.<\/span><\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/powershell\/wp-content\/uploads\/sites\/30\/2014\/07\/2045.FileServerConfig.jpg\"><img decoding=\"async\" class=\"alignnone size-full wp-image-20300\" src=\"https:\/\/devblogs.microsoft.com\/powershell\/wp-content\/uploads\/sites\/30\/2014\/07\/2045.FileServerConfig.jpg\" alt=\"Image 2045 FileServerConfig\" width=\"783\" height=\"1681\" srcset=\"https:\/\/devblogs.microsoft.com\/powershell\/wp-content\/uploads\/sites\/30\/2014\/07\/2045.FileServerConfig.jpg 783w, https:\/\/devblogs.microsoft.com\/powershell\/wp-content\/uploads\/sites\/30\/2014\/07\/2045.FileServerConfig-140x300.jpg 140w, https:\/\/devblogs.microsoft.com\/powershell\/wp-content\/uploads\/sites\/30\/2014\/07\/2045.FileServerConfig-477x1024.jpg 477w, https:\/\/devblogs.microsoft.com\/powershell\/wp-content\/uploads\/sites\/30\/2014\/07\/2045.FileServerConfig-768x1649.jpg 768w, https:\/\/devblogs.microsoft.com\/powershell\/wp-content\/uploads\/sites\/30\/2014\/07\/2045.FileServerConfig-715x1536.jpg 715w\" sizes=\"(max-width: 783px) 100vw, 783px\" \/><\/a><\/p>\n<p style=\"text-align: left;\"><span style=\"font-family: verdana, geneva; font-size: small;\">Here is a snippet of the configuration data used on the fileserver. Only smb and powershell remoting traffic is allowed and all other ports and rules are locked down. 
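In the final step">
Here, as an added example rather than the post's own configuration, is the two-part setup the text describes for a file server: the LCM meta-configuration that switches the node to pull mode over HTTPS (WMF 4 syntax), and the configuration the pull server hands out, which disables the local Administrator, makes MATA a local admin, and replaces the built-in firewall rules with a default-deny plus SMB and WinRM-over-HTTPS allow rules. The host name, pull server URL, GUID and thumbprints are placeholders, and the firewall work is done with the built-in NetSecurity cmdlets inside a Script resource rather than whatever resource the post's screenshots use.

```powershell
# Added example: workload file server. Part 1 is pushed once from the provisioning machine;
# part 2 is compiled, renamed to <GUID>.mof and published on the pull server.
# Host names, URL, GUID and thumbprints are placeholders.

# ---- Part 1: LCM meta-configuration (WMF 4 syntax)
Configuration FileServerLcm
{
    param ([string]$NodeName, [string]$ConfigurationId, [string]$DecryptionThumbprint)
    Node $NodeName
    {
        LocalConfigurationManager
        {
            ConfigurationID           = $ConfigurationId        # must match <GUID>.mof on the pull server
            RefreshMode               = 'Pull'
            DownloadManagerName       = 'WebDownloadManager'
            DownloadManagerCustomData = @{
                ServerUrl               = 'https://SafeharborPull.safeharbor.local:8080/PSDSCPullServer.svc'
                AllowUnsecureConnection = 'false'                # refuse plain HTTP outright
            }
            CertificateID             = $DecryptionThumbprint    # private key that decrypts MOF credentials
            ConfigurationMode         = 'ApplyAndAutoCorrect'    # drift is reverted, not just reported
            RebootNodeIfNeeded        = $true
        }
    }
}
FileServerLcm -NodeName 'FS01' -ConfigurationId '<GUID of the published MOF>' `
              -DecryptionThumbprint '<thumbprint>' -OutputPath .\FileServerLcm
Set-DscLocalConfigurationManager -Path .\FileServerLcm -Verbose

# ---- Part 2: the configuration the pull server serves to FS01
Configuration FileServer
{
    Node 'FS01'
    {
        WindowsFeature FileServer { Name = 'FS-FileServer'; Ensure = 'Present' }

        # Built-in local admin disabled; MATA is the only administrator, and only so that the
        # endpoint's RunAs identity can create and remove shares. (Add Credential to the Group
        # resource if the node cannot resolve the domain account on its own.)
        User LocalAdministrator { UserName = 'Administrator'; Disabled = $true }
        Group Administrators
        {
            GroupName        = 'Administrators'
            MembersToInclude = 'SAFEHARBOR\MATA'
        }

        # Firewall: disable every pre-existing inbound rule, default-deny inbound, then allow
        # only SMB (445) and WinRM over HTTPS (5986) on the domain profile. A node that gets its
        # address from DHCP also needs the "Core Networking - DHCP (DHCP-In)" rule re-enabled.
        Script FirewallLockdown
        {
            GetScript  = { @{ Result = (Get-NetFirewallRule -Enabled True -Direction Inbound).Name -join ',' } }
            TestScript = {
                $enabled = @(Get-NetFirewallRule -Enabled True -Direction Inbound).Name
                $wanted  = 'Safeharbor-SMB-In', 'Safeharbor-WinRM-HTTPS-In'
                ($enabled.Count -eq 2) -and -not (Compare-Object $enabled $wanted)
            }
            SetScript  = {
                Set-NetFirewallProfile -Profile Domain, Private, Public `
                    -DefaultInboundAction Block -DefaultOutboundAction Allow
                Get-NetFirewallRule -Direction Inbound | Disable-NetFirewallRule
                New-NetFirewallRule -Name 'Safeharbor-SMB-In' -DisplayName 'Safeharbor SMB' `
                    -Direction Inbound -Protocol TCP -LocalPort 445 -Action Allow -Profile Domain
                New-NetFirewallRule -Name 'Safeharbor-WinRM-HTTPS-In' -DisplayName 'Safeharbor WinRM HTTPS' `
                    -Direction Inbound -Protocol TCP -LocalPort 5986 -Action Allow -Profile Domain
            }
        }
    }
}
FileServer -OutputPath .\FileServer     # producing .\FileServer\FS01.mof for the pull server
```

Because the LCM runs in `ApplyAndAutoCorrect`, an attacker who gains a foothold on the file server and re-enables a firewall rule or the local Administrator account sees the change undone on the next consistency check, and the event is logged in the `Microsoft-Windows-DSC/Operational` channel, which is exactly the kind of signal the post's auditing goal calls for.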
This reduces the network attack surface of the workload servers to the SMB and PowerShell remoting listeners; access through those two services is in turn limited by the share permissions and by the constrained endpoint, since no local admin accounts remain enabled.<\/span><\/p>\n<p style=\"text-align: left;\"><a href=\"https:\/\/devblogs.microsoft.com\/powershell\/wp-content\/uploads\/sites\/30\/2014\/07\/4263.SafeharborFileServerConfigData1.jpg\"><img decoding=\"async\" class=\"alignnone size-full wp-image-20301\" src=\"https:\/\/devblogs.microsoft.com\/powershell\/wp-content\/uploads\/sites\/30\/2014\/07\/4263.SafeharborFileServerConfigData1.jpg\" alt=\"Image 4263 SafeharborFileServerConfigData1\" width=\"972\" height=\"354\" srcset=\"https:\/\/devblogs.microsoft.com\/powershell\/wp-content\/uploads\/sites\/30\/2014\/07\/4263.SafeharborFileServerConfigData1.jpg 972w, https:\/\/devblogs.microsoft.com\/powershell\/wp-content\/uploads\/sites\/30\/2014\/07\/4263.SafeharborFileServerConfigData1-300x109.jpg 300w, https:\/\/devblogs.microsoft.com\/powershell\/wp-content\/uploads\/sites\/30\/2014\/07\/4263.SafeharborFileServerConfigData1-768x280.jpg 768w\" sizes=\"(max-width: 972px) 100vw, 972px\" \/><\/a><\/p>\n<p style=\"text-align: left;\"><span style=\"font-family: verdana, geneva; font-size: small; text-align: justify;\">&#8230;<\/span><\/p>\n<p style=\"text-align: left;\"><span style=\"font-family: verdana, geneva; font-size: small;\">&#8230;<\/span><\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/powershell\/wp-content\/uploads\/sites\/30\/2014\/07\/0216.SafeharborFileServerConfigData2.jpg\"><img decoding=\"async\" class=\"alignnone size-full wp-image-20302\" src=\"https:\/\/devblogs.microsoft.com\/powershell\/wp-content\/uploads\/sites\/30\/2014\/07\/0216.SafeharborFileServerConfigData2.jpg\" alt=\"Image 0216 SafeharborFileServerConfigData2\" width=\"676\" height=\"500\" srcset=\"https:\/\/devblogs.microsoft.com\/powershell\/wp-content\/uploads\/sites\/30\/2014\/07\/0216.SafeharborFileServerConfigData2.jpg 676w, https:\/\/devblogs.microsoft.com\/powershell\/wp-content\/uploads\/sites\/30\/2014\/07\/0216.SafeharborFileServerConfigData2-300x222.jpg 300w\" 
sizes=\"(max-width: 676px) 100vw, 676px\" \/><\/a><\/p>\n<p style=\"text-align: left;\"><span style=\"font-family: verdana, geneva; font-size: small;\">Here is the final topology. The new Safeharbor domain protects and secures the corporate data and allows access to users on shares configured as per policy.<\/span><\/p>\n<p>&nbsp;<\/p>\n<p style=\"text-align: left;\"><span style=\"font-family: verdana, geneva; font-size: small;\"><strong>Final Topology:<\/strong><\/span><\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/powershell\/wp-content\/uploads\/sites\/30\/2014\/07\/0815.SafeharborFinalTopology.jpg\"><img decoding=\"async\" class=\"alignnone size-full wp-image-20303\" src=\"https:\/\/devblogs.microsoft.com\/powershell\/wp-content\/uploads\/sites\/30\/2014\/07\/0815.SafeharborFinalTopology.jpg\" alt=\"Image 0815 SafeharborFinalTopology\" width=\"640\" height=\"360\" srcset=\"https:\/\/devblogs.microsoft.com\/powershell\/wp-content\/uploads\/sites\/30\/2014\/07\/0815.SafeharborFinalTopology.jpg 640w, https:\/\/devblogs.microsoft.com\/powershell\/wp-content\/uploads\/sites\/30\/2014\/07\/0815.SafeharborFinalTopology-300x169.jpg 300w\" sizes=\"(max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p style=\"text-align: left;\"><span style=\"font-family: verdana, geneva; font-size: small;\">Safeharbor demo can be deployed on a Hyper-V capable machine using the <a href=\"http:\/\/gallery.technet.microsoft.com\/scriptcenter\/xSafeHarbor-Module-bd705379\">Assert-SafeharborScenario.ps1<\/a> script.<\/span><\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/powershell\/wp-content\/uploads\/sites\/30\/2014\/07\/0844.Assert-SafeharborScenario.jpg\"><img decoding=\"async\" class=\"alignnone size-full wp-image-20304\" src=\"https:\/\/devblogs.microsoft.com\/powershell\/wp-content\/uploads\/sites\/30\/2014\/07\/0844.Assert-SafeharborScenario.jpg\" alt=\"Image 0844 Assert SafeharborScenario\" width=\"1514\" height=\"55\" 
srcset=\"https:\/\/devblogs.microsoft.com\/powershell\/wp-content\/uploads\/sites\/30\/2014\/07\/0844.Assert-SafeharborScenario.jpg 1514w, https:\/\/devblogs.microsoft.com\/powershell\/wp-content\/uploads\/sites\/30\/2014\/07\/0844.Assert-SafeharborScenario-300x11.jpg 300w, https:\/\/devblogs.microsoft.com\/powershell\/wp-content\/uploads\/sites\/30\/2014\/07\/0844.Assert-SafeharborScenario-1024x37.jpg 1024w, https:\/\/devblogs.microsoft.com\/powershell\/wp-content\/uploads\/sites\/30\/2014\/07\/0844.Assert-SafeharborScenario-768x28.jpg 768w\" sizes=\"(max-width: 1514px) 100vw, 1514px\" \/><\/a><\/p>\n<p style=\"text-align: left;\"><span style=\"font-family: verdana, geneva; font-size: small;\"><strong>Validation:<\/strong><\/span>\n<span style=\"font-family: verdana, geneva; font-size: small;\">Once the Safeharbor environment is set up, we can validate the configuration by:<\/span>\n<span style=\"font-family: verdana, geneva; font-size: small;\">\u2022 Creating a new SMB share on the File Server<\/span>\n<span style=\"font-family: verdana, geneva; font-size: small;\">\u2022 Accessing the share<\/span><\/p>\n<p><span style=\"font-family: verdana, geneva; font-size: small;\"><strong>Create a new share on the File Server:<\/strong><\/span>\n<span style=\"font-family: verdana, geneva; font-size: small;\">\u2022 Create a new session to the JEA Jump Box at the constrained PSSession endpoint<\/span>\n<span style=\"font-family: verdana, geneva; font-size: small;\">\u00a0 \u00a0 \u00a0 \u00a0 \u2022 Validate that only Corporate\\PAPA can connect to this endpoint<\/span>\n<span style=\"font-family: verdana, geneva; font-size: small;\">\u2022 Enumerate the commands available to Corporate\\PAPA<\/span>\n<span style=\"font-family: verdana, geneva; font-size: small;\">\u2022 Create a new SMB share on the File Server with New-SmbShare<\/span><\/p>\n<p style=\"text-align: left;\"><span style=\"font-family: verdana, geneva; font-size: small;\">Note that the SMB share names and permissions that can be created through the endpoint are limited by the configuration supplied in Permission.csv (previous section).<\/span><\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/powershell\/wp-content\/uploads\/sites\/30\/2014\/07\/6765.ValidationCreateSMBShare1.jpg\"><img decoding=\"async\" class=\"alignnone size-full wp-image-20305\" src=\"https:\/\/devblogs.microsoft.com\/powershell\/wp-content\/uploads\/sites\/30\/2014\/07\/6765.ValidationCreateSMBShare1.jpg\" alt=\"Image 6765 ValidationCreateSMBShare1\" width=\"1349\" height=\"303\" srcset=\"https:\/\/devblogs.microsoft.com\/powershell\/wp-content\/uploads\/sites\/30\/2014\/07\/6765.ValidationCreateSMBShare1.jpg 1349w, https:\/\/devblogs.microsoft.com\/powershell\/wp-content\/uploads\/sites\/30\/2014\/07\/6765.ValidationCreateSMBShare1-300x67.jpg 300w, https:\/\/devblogs.microsoft.com\/powershell\/wp-content\/uploads\/sites\/30\/2014\/07\/6765.ValidationCreateSMBShare1-1024x230.jpg 1024w, https:\/\/devblogs.microsoft.com\/powershell\/wp-content\/uploads\/sites\/30\/2014\/07\/6765.ValidationCreateSMBShare1-768x173.jpg 768w\" sizes=\"(max-width: 1349px) 100vw, 1349px\" \/><\/a><\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/powershell\/wp-content\/uploads\/sites\/30\/2014\/07\/1581.ValidationCreateSMBShare2.jpg\"><img decoding=\"async\" class=\"alignnone size-full wp-image-20306\" src=\"https:\/\/devblogs.microsoft.com\/powershell\/wp-content\/uploads\/sites\/30\/2014\/07\/1581.ValidationCreateSMBShare2.jpg\" alt=\"Image 1581 ValidationCreateSMBShare2\" width=\"1536\" height=\"155\" srcset=\"https:\/\/devblogs.microsoft.com\/powershell\/wp-content\/uploads\/sites\/30\/2014\/07\/1581.ValidationCreateSMBShare2.jpg 1536w, https:\/\/devblogs.microsoft.com\/powershell\/wp-content\/uploads\/sites\/30\/2014\/07\/1581.ValidationCreateSMBShare2-300x30.jpg 300w, https:\/\/devblogs.microsoft.com\/powershell\/wp-content\/uploads\/sites\/30\/2014\/07\/1581.ValidationCreateSMBShare2-1024x103.jpg 1024w, 
https:\/\/devblogs.microsoft.com\/powershell\/wp-content\/uploads\/sites\/30\/2014\/07\/1581.ValidationCreateSMBShare2-768x78.jpg 768w\" sizes=\"(max-width: 1536px) 100vw, 1536px\" \/><\/a><\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/powershell\/wp-content\/uploads\/sites\/30\/2014\/07\/2766.ValidationCreateSMBShare3.jpg\"><img decoding=\"async\" class=\"alignnone size-full wp-image-20307\" src=\"https:\/\/devblogs.microsoft.com\/powershell\/wp-content\/uploads\/sites\/30\/2014\/07\/2766.ValidationCreateSMBShare3.jpg\" alt=\"Image 2766 ValidationCreateSMBShare3\" width=\"962\" height=\"117\" srcset=\"https:\/\/devblogs.microsoft.com\/powershell\/wp-content\/uploads\/sites\/30\/2014\/07\/2766.ValidationCreateSMBShare3.jpg 962w, https:\/\/devblogs.microsoft.com\/powershell\/wp-content\/uploads\/sites\/30\/2014\/07\/2766.ValidationCreateSMBShare3-300x36.jpg 300w, https:\/\/devblogs.microsoft.com\/powershell\/wp-content\/uploads\/sites\/30\/2014\/07\/2766.ValidationCreateSMBShare3-768x93.jpg 768w\" sizes=\"(max-width: 962px) 100vw, 962px\" \/><\/a><\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/powershell\/wp-content\/uploads\/sites\/30\/2014\/07\/2772.ValidationCreateSMBShare4.jpg\"><img decoding=\"async\" class=\"alignnone size-full wp-image-20308\" src=\"https:\/\/devblogs.microsoft.com\/powershell\/wp-content\/uploads\/sites\/30\/2014\/07\/2772.ValidationCreateSMBShare4.jpg\" alt=\"Image 2772 ValidationCreateSMBShare4\" width=\"1533\" height=\"147\" srcset=\"https:\/\/devblogs.microsoft.com\/powershell\/wp-content\/uploads\/sites\/30\/2014\/07\/2772.ValidationCreateSMBShare4.jpg 1533w, https:\/\/devblogs.microsoft.com\/powershell\/wp-content\/uploads\/sites\/30\/2014\/07\/2772.ValidationCreateSMBShare4-300x29.jpg 300w, https:\/\/devblogs.microsoft.com\/powershell\/wp-content\/uploads\/sites\/30\/2014\/07\/2772.ValidationCreateSMBShare4-1024x98.jpg 1024w, 
https:\/\/devblogs.microsoft.com\/powershell\/wp-content\/uploads\/sites\/30\/2014\/07\/2772.ValidationCreateSMBShare4-768x74.jpg 768w\" sizes=\"(max-width: 1533px) 100vw, 1533px\" \/><\/a><\/p>\n<p style=\"text-align: left;\"><span style=\"font-family: verdana, geneva; font-size: small;\"><strong>Accessing files on the File Server as Corporate\\User1:<\/strong><\/span>\n<span style=\"font-family: verdana, geneva; font-size: small;\">\u2022 Only the share authorized for this user in the Permission.csv file is accessible<\/span>\n<span style=\"font-family: verdana, geneva; font-size: small;\">\u2022 The user can only \u201cRead\u201d share contents<\/span><\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/powershell\/wp-content\/uploads\/sites\/30\/2014\/07\/6378.ValidationAccessFileShare1.jpg\"><img decoding=\"async\" class=\"alignnone size-full wp-image-20309\" src=\"https:\/\/devblogs.microsoft.com\/powershell\/wp-content\/uploads\/sites\/30\/2014\/07\/6378.ValidationAccessFileShare1.jpg\" alt=\"Image 6378 ValidationAccessFileShare1\" width=\"527\" height=\"287\" srcset=\"https:\/\/devblogs.microsoft.com\/powershell\/wp-content\/uploads\/sites\/30\/2014\/07\/6378.ValidationAccessFileShare1.jpg 527w, https:\/\/devblogs.microsoft.com\/powershell\/wp-content\/uploads\/sites\/30\/2014\/07\/6378.ValidationAccessFileShare1-300x163.jpg 300w\" sizes=\"(max-width: 527px) 100vw, 527px\" \/><\/a><\/p>\n<p style=\"text-align: left;\"><span style=\"font-family: verdana, geneva; font-size: small;\">Further, no user in the Corporate domain other than PAPA can create new SMB shares, since only PAPA can connect to the constrained endpoint:<\/span><\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/powershell\/wp-content\/uploads\/sites\/30\/2014\/07\/2311.ValidationAccessFileShare2.jpg\"><img decoding=\"async\" class=\"alignnone size-full wp-image-20310\" src=\"https:\/\/devblogs.microsoft.com\/powershell\/wp-content\/uploads\/sites\/30\/2014\/07\/2311.ValidationAccessFileShare2.jpg\" alt=\"Image 2311 ValidationAccessFileShare2\" 
width=\"1192\" height=\"172\" srcset=\"https:\/\/devblogs.microsoft.com\/powershell\/wp-content\/uploads\/sites\/30\/2014\/07\/2311.ValidationAccessFileShare2.jpg 1192w, https:\/\/devblogs.microsoft.com\/powershell\/wp-content\/uploads\/sites\/30\/2014\/07\/2311.ValidationAccessFileShare2-300x43.jpg 300w, https:\/\/devblogs.microsoft.com\/powershell\/wp-content\/uploads\/sites\/30\/2014\/07\/2311.ValidationAccessFileShare2-1024x148.jpg 1024w, https:\/\/devblogs.microsoft.com\/powershell\/wp-content\/uploads\/sites\/30\/2014\/07\/2311.ValidationAccessFileShare2-768x111.jpg 768w\" sizes=\"(max-width: 1192px) 100vw, 1192px\" \/><\/a><\/p>\n<p style=\"text-align: left;\"><span style=\"font-family: verdana, geneva; font-size: small;\"><strong>Updates\/Enhancements:<\/strong><\/span>\n<span style=\"font-family: verdana, geneva; font-size: small;\">The JEA and constrained-access approach shown in this Safeharbor sample can be hardened further in your environment by:<\/span><\/p>\n<p><span style=\"font-family: verdana, geneva; font-size: small;\">\u2022 Removing the domain from the isolated Safeharbor environment<\/span>\n<span style=\"font-family: verdana, geneva; font-size: small;\">\u2022 Removing the trust between the two domains<\/span>\n<span style=\"font-family: verdana, geneva; font-size: small;\">\u2022 Limiting all access to the Safeharbor environment to the Jump Box<\/span>\n<span style=\"font-family: verdana, geneva; font-size: small;\">\u2022 Adding audits and alerts for changes to the environment, its resources and user permissions<\/span><\/p>\n<div style=\"text-align: left;\"><\/div>\n<h3 style=\"text-align: left;\"><span style=\"font-family: verdana, geneva; font-size: small;\"><a href=\"http:\/\/gallery.technet.microsoft.com\/scriptcenter\/xSafeHarbor-Module-bd705379\">Download the Safeharbor Environment sample code and PowerPoint from the TechNet Gallery<\/a><\/span><\/h3>\n<p>&nbsp;<\/p>\n<p style=\"text-align: left;\">\n<p style=\"text-align: left;\"><span 
style=\"font-size: small; font-family: verdana, geneva;\">Raghu Shantha [MSFT]\nPowerShell Desired State Configuration Team<\/span><\/p>\n<p style=\"text-align: left;\">\n<p style=\"text-align: left;\">\n<p style=\"text-align: left;\">\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Introduction: Traditionally, IT environments have secured their business critical information against external threats by adding additional layers of security to the org\u2019s network (e.g. firewalls, DMZs, etc.).\u00a0 However many of today\u2019s attacks are coming from inside the network so a new \u201cassume breach\u201d approach must be adopted. In this blog, we show how to create [&hellip;]<\/p>\n","protected":false},"author":600,"featured_media":13641,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[141,142,150,152,248,251,8,344,345,348],"class_list":["post-1611","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-powershell","tag-demos","tag-desired-state-configuration","tag-dsc","tag-dsc-resource-kit","tag-powershell","tag-powershell-4-0","tag-remoting","tag-windows-management-framework","tag-windows-powershell-4-0","tag-windows-powershell-desired-state-configuration"],"acf":[],"blog_post_summary":"<p>Introduction: Traditionally, IT environments have secured their business critical information against external threats by adding additional layers of security to the org\u2019s network (e.g. firewalls, DMZs, etc.).\u00a0 However many of today\u2019s attacks are coming from inside the network so a new \u201cassume breach\u201d approach must be adopted. 
In this blog, we show how to create [&hellip;]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/powershell\/wp-json\/wp\/v2\/posts\/1611","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/powershell\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/powershell\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/powershell\/wp-json\/wp\/v2\/users\/600"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/powershell\/wp-json\/wp\/v2\/comments?post=1611"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/powershell\/wp-json\/wp\/v2\/posts\/1611\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/powershell\/wp-json\/wp\/v2\/media\/13641"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/powershell\/wp-json\/wp\/v2\/media?parent=1611"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/powershell\/wp-json\/wp\/v2\/categories?post=1611"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/powershell\/wp-json\/wp\/v2\/tags?post=1611"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
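Added example for the Validation section of the post above. This is not code from the original post or from the xSafeHarbor module; it is a script a practitioner can run from an administrator workstation to carry out the same validation end to end and to get an explicit pass/fail for each of the properties the post checks with screenshots. The host name JumpBox, the session configuration name SafeharborJEA, the file server name FileServer, and the share name and path are all assumptions; so is the assumption that the constrained endpoint exposes a New-SmbShare proxy that creates the share on the File Server, which is what the post's validation steps describe PAPA doing through the Jump Box.

```powershell
# Added example, not part of the original post or the xSafeHarbor sample.
# ASSUMPTIONS (hypothetical names): jump box 'JumpBox', JEA session
# configuration 'SafeharborJEA', file server 'FileServer', share 'Finance'
# backed by D:\Shares\Finance on the file server. The constrained endpoint
# is assumed to expose a New-SmbShare proxy that targets the File Server.
#Requires -Version 4.0
param(
    [string]$JumpBox    = 'JumpBox',
    [string]$Endpoint   = 'SafeharborJEA',
    [string]$FileServer = 'FileServer',
    [string]$ShareName  = 'Finance',        # must be a name Permission.csv allows
    [string]$SharePath  = 'D:\Shares\Finance'
)

$papa  = Get-Credential -UserName 'Corporate\PAPA'  -Message 'JEA operator account'
$user1 = Get-Credential -UserName 'Corporate\User1' -Message 'Ordinary Corporate user'

# 1. PAPA connects to the constrained endpoint on the jump box. Only the
#    named session configuration is used; no unconstrained remoting.
$jea = New-PSSession -ComputerName $JumpBox -ConfigurationName $Endpoint -Credential $papa

# 2. Enumerate what the endpoint exposes. In a JEA session this list is the
#    entire surface PAPA gets through this hop, so review it, do not assume it.
$visible = Invoke-Command -Session $jea -ScriptBlock { Get-Command } |
           Select-Object -ExpandProperty Name | Sort-Object -Unique
"Commands exposed by $Endpoint to $($papa.UserName):"
$visible
if ($visible -notcontains 'New-SmbShare') {
    Remove-PSSession $jea
    throw "Endpoint $Endpoint does not expose New-SmbShare; check the JEA toolkit"
}

# 3. Implicit remoting: import a local proxy for the exposed command so
#    arguments can come from local variables even though the remote session
#    runs in a restricted language mode. The proxy is named New-JeaSmbShare.
Import-PSSession -Session $jea -CommandName New-SmbShare -Prefix Jea | Out-Null
New-JeaSmbShare -Name $ShareName -Path $SharePath
Remove-PSSession $jea

# 4. User1 maps the share with explicit credentials. Listing must succeed and
#    writing must fail, because Permission.csv grants User1 Read only.
$unc = "\\$FileServer\$ShareName"
New-PSDrive -Name SafeShare -PSProvider FileSystem -Root $unc -Credential $user1 | Out-Null
"Read of $unc as $($user1.UserName):"
Get-ChildItem SafeShare:\ | Select-Object Name, Length
try {
    Set-Content -Path 'SafeShare:\probe.txt' -Value 'should not land' -ErrorAction Stop
    Write-Warning "UNEXPECTED: $($user1.UserName) could write to $unc"
} catch {
    "OK: write denied for $($user1.UserName) [$($_.FullyQualifiedErrorId)]"
}
Remove-PSDrive -Name SafeShare

# 5. User1 must be refused at the constrained endpoint itself, which is what
#    stops anyone other than PAPA from creating shares through the jump box.
try {
    $bad = New-PSSession -ComputerName $JumpBox -ConfigurationName $Endpoint `
                         -Credential $user1 -ErrorAction Stop
    Remove-PSSession $bad
    Write-Warning "UNEXPECTED: $($user1.UserName) opened a session on $Endpoint"
} catch {
    "OK: $($user1.UserName) denied on $Endpoint [$($_.FullyQualifiedErrorId)]"
}
```

Run it from a workstation in the Corporate domain that can reach the jump box and the file server; a Write-Warning line means one of the constraints the post relies on (Read-only share ACL, or the endpoint's access control) is not in force. If the toolkit restricts New-SmbShare's -Name or -Path to the values in Permission.csv, pass matching values, otherwise step 3 fails by design.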