
Azure Automation - Use Secret Key in Azure KeyVault to Perform Local Admin Tasks


In this tutorial we're going to create a secret in an Azure Key Vault.

The result is that we can perform admin tasks on a Windows 10 PC while logged on as a non-admin user.

What I'm going to cover is:

- Create a local admin account
- Pre-run commands so we are Azure prepared
- Set the PowerShell TLS security
- Create an Azure Key Vault and a secret
- Deploy a PowerShell script that runs as SYSTEM from a scheduled task on the PCs of non-admin users
- Learn how to configure the permissions for the Azure secret (screenshots in Dutch, my apologies)
- Run the automation script and execute compmgmt.msc as admin while logged on as a normal user. As you might guess, you can deploy and perform any task this way.

In this scenario I'm going to assume we're on Windows 10 / Server 2016, have an Azure subscription, and that users are not admin by default.

 

On Premise Config

 

First

Make a Domain Local security group for local admins: Local-Admin-DL-SG

Add a user 'localadmin' and add it to the above group.

Next we're going to create a GPO for Local Admins.

Go to Computer Configuration > Policies > Windows Settings > Security Settings > Restricted Groups > right click and Add Group.

Click Browse and search for Administrators in the domain.

Click OK, then under "Members of this group" click Add > Local-Admin-DL-SG, by searching the domain.

As Authenticated Users are already in the scope, go to Delegation > Advanced > Add > select the group Domain Computers and give it Read access.

 

Next create a security group > Global security > DENIED ACCESS

This group will be made the primary group of the user who'll get access to the Azure Key Vault.

We will be removing the group Domain Users after we've set the primary group to DENIED ACCESS.

[Screenshot: Create Security Group]

[Screenshot: Add user to the No Access to Domain group]

 

## SCRIPT Prerequisites Admin

```powershell
# RunAs Administrator

$PSGalleryCheck = Get-PSRepository
if ($PSGalleryCheck.Name -notcontains "PSGallery") {
    Write-Host "Failure: the PSGallery repository is not registered"
} else {
    Write-Host "OK"
    Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force
}
Set-ExecutionPolicy -Scope CurrentUser Unrestricted -Force
Set-ExecutionPolicy -Scope LocalMachine Unrestricted -Force

# Install Az for all users (we are running as Administrator) and bring it up to date
Install-Module -Name Az -AllowClobber
Update-Module -Name Az
# Uninstall-AzureRm is part of Az.Accounts, so it can only run once Az is installed
Uninstall-AzureRm
Get-Module -Name Az.* -ListAvailable
Enable-AzureRmAlias -Scope CurrentUser
```

[Screenshot: Script 1 - pre-run Azure Az, get rid of AzureRM]

 

## SCRIPT Securing your PowerShell

```powershell
# TLS Safety - Upgrade to TLSv1.2
# Read the current setting first; assigning Tls12 before the check would make the check meaningless
$TLS = [Net.ServicePointManager]::SecurityProtocol
if (-not $TLS.HasFlag([Net.SecurityProtocolType]::Tls12)) {
    # Make .NET Framework 4.x (32- and 64-bit) use strong crypto, i.e. TLS 1.2, by default
    Set-ItemProperty -Path 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NetFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value '1' -Type DWord
    Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\.NetFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value '1' -Type DWord
    # And switch the current session to TLS 1.2 only
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
}
$TLSCHECK = [Net.ServicePointManager]::SecurityProtocol
if ($TLSCHECK.HasFlag([Net.SecurityProtocolType]::Tls12)) {
    Write-Host "TLS Settings have been upgraded, you can proceed securely" -ForegroundColor Green
} else {
    Write-Host "Something went wrong, please close PowerShell and run again" -ForegroundColor Red
}

# RESTORE command - just in case (re-enables TLS 1.0 and 1.1 for this session only)
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 -bor `
    [Net.SecurityProtocolType]::Tls11 -bor `
    [Net.SecurityProtocolType]::Tls
```

[Screenshot: Script 2 - General TLS Security]

 

## SCRIPT - Create Azure Vault and Secret Key

```powershell
# Azure account that owns the subscription.
# '<azure-admin-upn>' is a placeholder: replace it with that account's UPN.
$passwd = ConvertTo-SecureString "MyAzureAdminPassword" -AsPlainText -Force
$pscredential = New-Object System.Management.Automation.PSCredential('<azure-admin-upn>', $passwd)
Set-ExecutionPolicy Unrestricted -Force
Connect-AzAccount -Credential $pscredential   # Login-AzAccount is an alias of this cmdlet

Set-AzContext -SubscriptionId "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"

# Resource group and vault; the vault is created inside the resource group made here
New-AzResourceGroup -Name AdminKeyVault -Location WestEurope
New-AzKeyVault -Name 'AdminKeyVaultStore' -ResourceGroupName 'AdminKeyVault' -Location 'West Europe'

# Store the local admin password as the secret 'AdminPwd'
$secretvalue = ConvertTo-SecureString 'LocalAdminPassword' -AsPlainText -Force
$secret = Set-AzKeyVaultSecret -VaultName 'AdminKeyVaultStore' -Name 'AdminPwd' -SecretValue $secretvalue

# Show the correct password (with Az.KeyVault 2.0 or later use -AsPlainText instead of .SecretValueText)
(Get-AzKeyVaultSecret -VaultName "AdminKeyVaultStore" -Name "AdminPwd").SecretValueText

Set-ExecutionPolicy Restricted -Force
```

[Screenshot: Script 3 - Azure Create Vault Secret]

 

For convenience's sake we're staying in our on-premise configuration. We'll talk later about Azure: assigning users to the Key Vault and setting the appropriate permissions.

Next we're going to create a scheduled task that runs as SYSTEM with highest privileges to install the Azure Az PowerShell modules.

For this you need to put the file Powershell.Prequisities.ps1 in, for example, your NETLOGON folder.

 

## SCRIPT - Powershell.Prequisities.ps1

```powershell
# RunAs Administrator

$PSGalleryCheck = Get-PSRepository
if ($PSGalleryCheck.Name -notcontains "PSGallery") {
    Write-Host "Failure: the PSGallery repository is not registered"
} else {
    Write-Host "OK"
    Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force
}
Set-ExecutionPolicy -Scope CurrentUser Unrestricted -Force
Set-ExecutionPolicy -Scope LocalMachine Unrestricted -Force

# Install Az for all users (the task runs as SYSTEM) and bring it up to date
Install-Module -Name Az -AllowClobber
Update-Module -Name Az
# Uninstall-AzureRm is part of Az.Accounts, so it can only run once Az is installed
Uninstall-AzureRm
Get-Module -Name Az.* -ListAvailable
Enable-AzureRmAlias -Scope CurrentUser
```

Create a new GPO > PowerShell Prerequisites

[Screenshot: Script 4 - PowerShell prerequisites GPO]

 

Computer Configuration > Preferences > Windows Settings > Files > right click > New File

Select your file as the source and set the destination to C:\Windows\PowerShell.Prequisities.ps1

 

Computer Configuration > Preferences > Control Panel Settings > Scheduled Tasks > right click > Scheduled Task (At least Windows 7).

Select Create, Run with highest privileges and Windows 7 support.

Click Change User or Group > select the domain > Builtin > click OK and type SYSTEM.

 

Go to the Actions tab and enter the following settings:

## SCRIPT - Code for Scheduled Task Execution

```text
Program/script:  c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe
Add arguments:   -ExecutionPolicy bypass .\PowerShell.Prequisities.ps1
Start in:        C:\Windows
```

[Screenshot: PowerShell scheduled task action]

 

 

Select "only start when ANY connection is available".

Select "Allow task to be run on demand".

 

 

Azure Portal Config

Go to Resources > select AdminKeyVault > and here we select Access Control (IAM).

We're going to click Toevoegen (Add role assignment) > select Lezer (Reader) and select the account which we've created, which has no domain access but is in the DENIED ACCESS group.

 

Click on 'Geheimen' / Secrets > select the AdminPwd secret.

You can see the password here.

Click on 'Toegangsbeleid' / Access policies > and click Add New.

Select Policy > Secrets from template > add Retrieve, Display and Decipher.

Select everything in Secret Permissions, except Clear.

Do not forget to add the principal user > the DENIED ACCESS member.

Pay attention here, because you're going to be frustrated when it doesn't work, as this is the end of configuring in the Azure Portal!

Click on 'Opslaan' / SAVE

If you don't, you'll pull your hair out wondering why it doesn't do the job.
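The same portal steps (Reader role on the vault plus a secret access policy for the DENIED ACCESS member) done from PowerShell with the Az module, as an added example that is not the article's own code. It assumes the vault name used in this article and a placeholder UPN for the automation account, and it grants only the 'get' secret permission, the one call Powershell.Automation.ps1 actually makes, instead of everything except Clear.

```powershell
# Added example (not the article's own code): the Azure Portal steps done with the Az module.
# Assumed: the vault name from this article and a placeholder UPN for the DENIED ACCESS member.
$vaultName      = 'AdminKeyVaultStore'
$automationUser = '<vault-reader-upn>'   # placeholder: UPN of the account that runs Powershell.Automation.ps1

$vault = Get-AzKeyVault -VaultName $vaultName
if (-not $vault) { throw "Key Vault '$vaultName' was not found in the current subscription." }
$user = Get-AzADUser -UserPrincipalName $automationUser
if (-not $user)  { throw "User '$automationUser' was not found in Azure AD." }

# 1. Toevoegen > Lezer: Reader role scoped to this vault only, not to the resource group or subscription
$reader = Get-AzRoleAssignment -ObjectId $user.Id -RoleDefinitionName 'Reader' -Scope $vault.ResourceId
if (-not $reader) {
    New-AzRoleAssignment -ObjectId $user.Id -RoleDefinitionName 'Reader' -Scope $vault.ResourceId | Out-Null
}

# 2. Toegangsbeleid: the portal walkthrough selects every secret permission except Clear.
#    Powershell.Automation.ps1 only calls Get-AzKeyVaultSecret, so 'get' is all it needs;
#    without 'list', 'set' or 'delete' the account cannot enumerate, change or remove other secrets.
Set-AzKeyVaultAccessPolicy -VaultName $vaultName -ObjectId $user.Id -PermissionsToSecrets get

# 3. This cmdlet saves immediately (the portal's Opslaan step); verify what the account ended up with
(Get-AzKeyVault -VaultName $vaultName).AccessPolicies |
    Where-Object { $_.ObjectId -eq $user.Id } |
    Select-Object DisplayName, PermissionsToSecrets
```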

 


 

## SCRIPT - Powershell.Automation.ps1

```powershell
# Keep line 3 empty, or the Set-PSRepository will not mark it as trusted.
Set-PSRepository -Name 'PSGallery' -SourceLocation 'https://www.powershellgallery.com/api/v2' -InstallationPolicy Trusted

Get-PSRepository
# Azure account that has Reader on the vault and the secret permissions set in the portal.
# '<vault-reader-upn>' is a placeholder for that account's UPN.
# Note: this Azure password is stored in plain text in the script file.
$passwd = ConvertTo-SecureString "mypassword" -AsPlainText -Force
$pscredential = New-Object System.Management.Automation.PSCredential('<vault-reader-upn>', $passwd)
Connect-AzAccount -Credential $pscredential
# Retrieve the local admin password from the vault (Az.KeyVault 2.0 or later: use -AsPlainText instead of .SecretValueText)
$securePass = (Get-AzKeyVaultSecret -VaultName "AdminKeyVaultStore" -Name "AdminPwd").SecretValueText
$userUPN = "CONTOSO\localadmin"
#Write-Host "$userUPN" -ForegroundColor Green
#Write-Host "$securePass" -ForegroundColor Green
$userPassword = ConvertTo-SecureString -String "$securePass" -AsPlainText -Force
$userCredential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "$userUPN", $userPassword

# Connection OK - Execute Script as the local admin account
Start-Process powershell.exe -Credential $userCredential -ArgumentList compmgmt.msc
#Start-Process powershell.exe -Credential $userCredential -ArgumentList "-ExecutionPolicy bypass -Command `"&{Start-Process -FilePath `"\\SERVER\SHARE$\Install.Windows.10.exe`" -Verb runAs}`""
```

[Screenshot: Run automation]

 

 

## SCRIPT - Raw Output

```powershell
# $env:USERPROFILE already contains C:\Users\<name>, so it must not be prefixed with C:\Users\ again
PowerShell -ExecutionPolicy bypass -File "$env:USERPROFILE\Desktop\Notes\automation.ps1"
```

This is an example output where you can see it has worked for me.

[Screenshot: Pre result]

And here I've removed the command for the Start-Process of compmgmt.msc, and as a standard user I can perform admin tasks.

[Screenshot: Post result]