1) With the release of W2K12 R2 and Win8.1 RSAT, what is the MS-recommended method for implementing an RBA (Role Based Administration) model for 3rd level server support staff?
2) How can you limit the RSAT features depending on security group membership?
3) Ditto for PowerShell cmdlets within this new RSAT per support team or level (e.g. Lev1, 2 & 3)?
4) Within a W2K12/Win8 environment, how can you reduce the number of local administrators (i.e. improve security), when both WinRM and CIM/WMI require local admin rights on the source and target computers for a successful bind connection?
** Reference URLs would be greatly appreciated :-)
Comso
Saturday, September 14, 2013 10:50 PM
I did some research about RBA but it seems that currently there is still no related article published on the internet for Windows Server 2012 or 2012 R2. I could find articles for Windows 2008 R2 but they may not meet your purpose.
TechNet Subscriber Support in forum | If you have any feedback on our support, please contact firstname.lastname@example.org.
Tuesday, September 17, 2013 8:50 AM
Thank you for your investigation -> I have also spent many hours scanning the internet for the official Microsoft W2K12 R2/Win8.1 RBA recommended model, but no luck :-(
Question #1 for MS. Does this mean that they recommend all 3rd level server support staff having full access to every Win8.1 RSAT tool?
Question #2 for MS: The alternate RBA model is to use PowerShell's WinRM 'Delegated Endpoint' functionality, but that is going back to the 1980's (i.e. DOS/Unix -> command line interface) to manage an enterprise, which I don't want to go back to (why make life hard for yourself, when there is no need to?). Plus, setting up and troubleshooting WinRM HTTPS sessions looks like a nightmare... More on this topic can be obtained from page 18 (onwards) of the Don Jones ‘Secrets of PowerShell Remoting’ ebook http://powershell.org/wp/books/secrets-of-powershell-remoting-free/
Plus, WinRM requires you to have local admin rights on the source and target computers -> where is the 'Least Privilege model' here?? That means, all 3rd level staff will require Domain Admin rights, which goes back to NT4 days...
Brett
Tuesday, September 17, 2013 9:54 PM
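The 'Delegated Endpoint' approach from Question #2 (and the local-admin concern from question 4 of the original post) looks like the following in practice. This is an added example, not code from the thread or from the Don Jones ebook: it registers one constrained PowerShell remoting endpoint on a Windows Server 2012 R2 host, restricted to a support group and running as a delegated account. The domain CONTOSO, the group Lev1-Support, the account svc-lev1, the host SRV01 and the endpoint name Lev1Support are assumed placeholders; one endpoint per support level (Lev1, Lev2, Lev3) with its own cmdlet list and group gives the per-level split asked for in question 3.

```powershell
# Added example (not from the thread). Constrained, delegated PowerShell
# remoting endpoint for a support group that must NOT be local admin.
# Placeholders: CONTOSO\Lev1-Support (group), CONTOSO\svc-lev1 (RunAs
# account), SRV01 (managed server), Lev1Support (endpoint name).
# Run in an elevated PowerShell 3.0+ session on the server being managed.

# --- 1. Session configuration file: what the endpoint exposes -----------
# RestrictedRemoteServer hides everything except the listed cmdlets plus the
# handful needed for remoting; NoLanguage forbids scripting, variables and
# operators, so callers can only invoke the whitelisted commands.
$configPath = Join-Path $env:ProgramData 'Lev1Support.pssc'
New-PSSessionConfigurationFile -Path $configPath `
    -SessionType RestrictedRemoteServer `
    -LanguageMode NoLanguage `
    -ExecutionPolicy Restricted `
    -ModulesToImport 'Microsoft.PowerShell.Management' `
    -VisibleCmdlets 'Get-Service', 'Restart-Service', 'Get-Process', 'Get-EventLog'

# --- 2. Who may connect: resolve the support group's SID into an SDDL ACL
# Local Administrators (BA) keep access; the support group gets access to
# this endpoint only. Nobody else can even open the session.
$groupSid = ([System.Security.Principal.NTAccount]'CONTOSO\Lev1-Support').Translate([System.Security.Principal.SecurityIdentifier]).Value
$sddl = "O:NSG:BAD:P(A;;GA;;;BA)(A;;GA;;;$groupSid)"

# --- 3. Register the endpoint with a RunAs (delegated) account ----------
# Every command in the session executes as svc-lev1, not as the caller.
# svc-lev1 is the only account that needs rights on this server, and it can
# be given exactly the rights the four cmdlets above require.
$runAs = Get-Credential -UserName 'CONTOSO\svc-lev1' -Message 'Password for the delegated RunAs account'
Register-PSSessionConfiguration -Name 'Lev1Support' `
    -Path $configPath `
    -RunAsCredential $runAs `
    -SecurityDescriptorSddl $sddl `
    -Force

# --- 4. Verify what was registered ------------------------------------
Get-PSSessionConfiguration -Name 'Lev1Support' |
    Format-List Name, Permission, RunAsUser

# --- 5. From a support workstation (caller is a member of Lev1-Support,
#        and is NOT a local administrator on SRV01) --------------------
#   Invoke-Command -ComputerName SRV01 -ConfigurationName Lev1Support `
#       -ScriptBlock { Get-Service -Name Spooler }
# A command outside the whitelist fails with CommandNotFoundException:
#   Invoke-Command -ComputerName SRV01 -ConfigurationName Lev1Support `
#       -ScriptBlock { Stop-Computer }

# To remove the endpoint again:
#   Unregister-PSSessionConfiguration -Name 'Lev1Support' -Force
```

Two points worth checking when you adapt this. First, the 'WinRM needs local admin' behaviour comes from the access list on the default Microsoft.PowerShell endpoint (Administrators, and on 2012+ the Remote Management Users group), not from the protocol; a custom endpoint carries its own ACL, which is why the support group above connects without any local rights, and the RunAs account is where the real privilege lives. Second, this constrains PowerShell remoting only: the RSAT MMC consoles connect through their own channels and are not limited by a session configuration, so the per-tool RSAT restriction in question 2 is a separate problem.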
You should take a look at System Frontier. It allows you to use a very flexible RBAC model for remote server administration. Your 3rd level support staff can do all their tasks from a simple web interface with no extra login.
Users don't have to have any admin rights on the actual servers and you can delegate rights to run any PowerShell cmdlet that can target a remote system. It also works for W2K3, W2K8 as well as W2K12.
Saturday, October 19, 2013 2:33 PM