Using least privilege access for a playbook to make specific changes on Windows hosts

Solution Verified

Issue

  • How should Ansible be configured to interact with Windows servers?

  • Does Red Hat have any recommendations on the ability to provide least privilege access to Windows machines rather than full admin access?

  • Is it secure to have an account with lower than admin privileges to access Windows systems via WINRM?

Resolution

  • If you wish to set up the WinRM connection with a non-administrator account, configure your Windows system as described in the following documentation:

    Ansible for Non-Administrator accounts using Win-RM

  • With that said, this is a limited setup which will not allow the execution of many tasks, as described in the documentation. This means that this step alone will reduce the effectiveness of using automation. To work around this, you may want to create a service account on the domain controllers and grant it additional permissions.

    1) A service account to carry out the process; this account needs to be present on all the domain controllers.
    2) This account needs read permissions to WinRM.
    3) As an example, follow this procedure to allow the PowerShell within the module "win_dns_record" to run:

    You would then be able to add permissions.
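The following is an added example (not part of the Red Hat article, and not taken from the Ansible documentation it links to) of the host-side step that gives a dedicated service account WinRM access without making it a local Administrator, followed by the checks a practitioner would run before pointing Ansible at the host. The account name `CORP\svc_ansible` is hypothetical, and the block assumes a Windows Server 2012 R2 or later host where the built-in local group "Remote Management Users" is permitted on the default PowerShell session configuration.

```powershell
# Added example: grant a non-admin service account WinRM access and verify
# the least-privilege posture of that account on one Windows host.
# Assumptions: 'CORP\svc_ansible' (hypothetical) already exists in AD, and
# the 'Remote Management Users' local group is allowed on the default
# 'Microsoft.PowerShell' session configuration (Windows Server 2012 R2+).
#Requires -RunAsAdministrator

$ServiceAccount = 'CORP\svc_ansible'        # hypothetical account name
$WinRmGroup     = 'Remote Management Users' # built-in local group

# 1. Membership in 'Remote Management Users' is what the session
#    configuration ACL checks; it does not confer local admin rights.
$alreadyMember = Get-LocalGroupMember -Group $WinRmGroup -ErrorAction SilentlyContinue |
                 Where-Object { $_.Name -eq $ServiceAccount }
if (-not $alreadyMember) {
    Add-LocalGroupMember -Group $WinRmGroup -Member $ServiceAccount
}

# 2. Refuse to continue if the account is also a local Administrator;
#    that would defeat the purpose of the restricted setup.
$isAdmin = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
           Where-Object { $_.Name -eq $ServiceAccount }
if ($isAdmin) {
    throw "$ServiceAccount is a member of Administrators; remove it before using it as a least-privilege WinRM account."
}

# 3. Show the effective permissions on the endpoint Ansible connects to.
#    The 'Permission' column should list 'Remote Management Users'
#    with AccessAllowed.
Get-PSSessionConfiguration -Name 'Microsoft.PowerShell' |
    Select-Object Name, Permission

# 4. Confirm a WinRM listener exists and the service answers locally.
Get-ChildItem WSMan:\localhost\Listener | Select-Object Name, Keys
Test-WSMan -ComputerName localhost
```

Run this once per host (the article notes the service account must be present on all the domain controllers), then on the controller set `ansible_connection: winrm` and `ansible_user` to that account. Modules that need administrative rights will still fail for this account, which is the trade-off the rest of the article describes.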

  • For further support on Windows permission levels beyond what is described in our documentation, you must contact Microsoft support for guidance. The following could be a starting point with Microsoft:

    Microsoft Support for Ansible

  • Giving Ansible access to a system with lower-than-admin privileges would not introduce further risks to an environment. It is important to know that Ansible Automation Platform has been designed for the use case of sharing credentials and access in a secure manner. Removing this highly desirable feature (allowing a non-admin user to run a job that requires admin access in a secure and safe manner) and putting stricter controls in place instead makes the usage of Ansible with non-administrative accounts extremely limited in what it can do.

Root Cause

  • Ansible works by executing tasks on the systems through PowerShell scripts, and most of the modules will require Administrative levels of permissions.

  • Ansible Support does not recommend the setup of a limited-privilege user due to the complexity of mapping the specific permissions for different modules (not only Red Hat Certified content but also community content), and this support channel does not support the mapping of restricted rule sets for any platform running Ansible.

  • Fundamentally, Ansible Controller should be the central point from which change is driven. Permissions, root access or not, should be provided to jobs, not users, to achieve a change. A user's access is controlled via the inbuilt RBAC for AAP.

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
