Remoting permissions by script

Permissions may also be changed using a script. The following commands retrieve the current security descriptor:

using namespace System.Security.AccessControl

$sddl = Get-PSSessionConfiguration Microsoft.PowerShell |
    Select-Object -ExpandProperty SecurityDescriptorSddl
$acl = New-Object CommonSecurityDescriptor(
    $false,
    $false,
    $sddl
)
$acl.DiscretionaryAcl

The object created here does not translate access masks into meaningful names. There are a small number of possible values for the access mask (shown here as 32-bit integers):

  • Full (All operations): 268435456
  • Read (Get, Enumerate, Subscribe): -2147483648
  • Write (Put, Delete, Create): 1073741824
  • Execute (Invoke): 536870912

Permissions may be combined by using the -bor operator. For example, read and write may be defined using:

$readAndWrite = -2147483648 -bor 1073741824 

Granting Read, Write, and Execute individually might be expected to be equivalent to Full. However, the result of a binary OR of all three values is -536870912, not the value listed for Full.

Understanding these values allows the current settings to be displayed in more detail than Get-PSSessionConfiguration shows. The example below adds two script properties to each access control entry in the discretionary ACL: the first translates the SID into an account name, the second translates the access mask into a name (or set of names).

The example uses an enumeration (enum) to describe the possible access rights:

using namespace System.Security.AccessControl
using namespace System.Security.Principal

[Flags()]
enum SessionAccessRight {
    All     = -536870912
    Full    = 268435456
    Read    = -2147483648
    Write   = 1073741824
    Execute = 536870912
}

function Get-PSSessionAcl {
    # Return a CommonSecurityDescriptor for each named session configuration.
    param (
        [String[]]$Name
    )

    Get-PSSessionConfiguration -Name $Name |
        ForEach-Object {
            New-Object CommonSecurityDescriptor(
                $false,
                $false,
                $_.SecurityDescriptorSddl
            )
        }
}

function Get-PSSessionAccess {
    # Return each ACE from the discretionary ACL, decorated with a readable
    # account name and access right name.
    param (
        [String[]]$Name
    )

    (Get-PSSessionAcl -Name $Name).DiscretionaryAcl |
        Add-Member Identity -MemberType ScriptProperty -Value {
            $this.SecurityIdentifier.Translate([NTAccount])
        } -PassThru |
        Add-Member AccessRight -MemberType ScriptProperty -Value {
            [SessionAccessRight]$this.AccessMask
        } -PassThru
}
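As an added example (not the book's own code), the following script shows the -band test that decodes a raw access mask into the names listed above, and runs it over a descriptor built from a sample SDDL string constructed here, so it works offline and without an elevated session. The $SessionAccessMask table and the ConvertTo-SessionAccessName function are this example's own rather than the book's enum; the values are the same. The script also prints the composite of Read, Write and Execute so the discrepancy with Full is visible: these four values are the Win32 generic rights bits (GENERIC_READ, GENERIC_WRITE, GENERIC_EXECUTE and GENERIC_ALL), and GENERIC_ALL is a separate bit rather than the union of the other three.

```powershell
using namespace System.Security.AccessControl
using namespace System.Security.Principal

# Access mask bits as listed above. They are the Win32 GENERIC_* rights.
$SessionAccessMask = [ordered]@{
    Full    = 268435456    # 0x10000000 GENERIC_ALL
    Read    = -2147483648  # 0x80000000 GENERIC_READ
    Write   = 1073741824   # 0x40000000 GENERIC_WRITE
    Execute = 536870912    # 0x20000000 GENERIC_EXECUTE
}

function ConvertTo-SessionAccessName {
    # Translate a raw access mask into the names of the bits it contains.
    # A bit is "set" only when masking with it returns the bit unchanged.
    param (
        [Parameter(Mandatory)]
        [int]$AccessMask
    )

    $names = foreach ($entry in $SessionAccessMask.GetEnumerator()) {
        if (($AccessMask -band $entry.Value) -eq $entry.Value) {
            $entry.Key
        }
    }
    if (-not $names) {
        # Nothing recognised: show the mask in hex so it can still be audited.
        return 'Unknown (0x{0:X8})' -f $AccessMask
    }
    $names -join ', '
}

# Sample descriptor, constructed for this example rather than read from a
# live endpoint: BUILTIN\Administrators get GA (Full), interactive users get
# GR and GW (Read and Write).
$sampleSddl = 'O:NSG:BAD:P(A;;GA;;;BA)(A;;GRGW;;;IU)'
$descriptor = [CommonSecurityDescriptor]::new($false, $false, $sampleSddl)

foreach ($ace in $descriptor.DiscretionaryAcl) {
    [PSCustomObject]@{
        Identity    = $ace.SecurityIdentifier.Translate([NTAccount]).Value
        AccessMask  = $ace.AccessMask
        AccessRight = ConvertTo-SessionAccessName -AccessMask $ace.AccessMask
    }
}

# Read, Write and Execute combined set three generic bits; GENERIC_ALL is a
# fourth, distinct bit, which is why the composite is not reported as Full.
$composite = $SessionAccessMask.Read -bor $SessionAccessMask.Write -bor $SessionAccessMask.Execute
'{0} -> {1}' -f $composite, (ConvertTo-SessionAccessName -AccessMask $composite)
```

The same decoding can be pointed at a real endpoint by replacing $sampleSddl with the SecurityDescriptorSddl property from Get-PSSessionConfiguration, which does require an elevated session.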

Additional access may be granted by using the AddAccess method on the DiscretionaryAcl. Granting access requires the SID of an account. The SID can be retrieved using the same Translate method that was used to get an account name from a SID. For example, the security identifier of the local Administrator account may be retrieved:

using namespace System.Security.Principal   
 
([NTAccount]"Administrator").Translate([SecurityIdentifier]) 

Adding to the discretionary ACL may be achieved as shown in the following snippet. The example makes use of the Get-PSSessionAcl function and SessionAccessRight enumeration created previously to grant access to the current user. The current user is identified using environment variables:

using namespace System.Security.AccessControl
using namespace System.Security.Principal

# DOMAIN\User form, as expected by NTAccount
$identity = "$env:USERDOMAIN\$env:USERNAME"
$acl = Get-PSSessionAcl -Name "Microsoft.PowerShell"
$acl.DiscretionaryAcl.AddAccess(
    'Allow',
    ([NTAccount]$identity).Translate([SecurityIdentifier]),
    [Int][SessionAccessRight]'Full',
    'None', # Inheritance flags
    'None'  # Propagation flags
)

The updated ACL must be converted back to an SDDL string to apply the change:

$sddl = $acl.GetSddlForm('All') 
Set-PSSessionConfiguration microsoft.powershell -SecurityDescriptorSddl $sddl 
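As an added example that is not part of the book, the function below (Update-SessionSddl, a name chosen here) packages the AddAccess and RemoveAccess steps so that a change is produced as a new SDDL string, compared against the original, and only then handed to Set-PSSessionConfiguration. Everything up to the final line runs against an SDDL string constructed here and needs no WinRM access; the final line is the only one that touches the endpoint, needs an elevated session, and is shown with -WhatIf so it reports what it would change without applying it.

```powershell
using namespace System.Security.AccessControl
using namespace System.Security.Principal

function Update-SessionSddl {
    # Return a new SDDL string with one account granted (or, with -Revoke,
    # stripped of) the given access mask. The input string is not modified,
    # so the caller can diff before and after and decide whether to apply it.
    param (
        [Parameter(Mandatory)][string]$Sddl,
        [Parameter(Mandatory)][string]$Identity,
        [int]$AccessMask = 268435456,   # Full (GENERIC_ALL) by default
        [switch]$Revoke
    )

    $sid = ([NTAccount]$Identity).Translate([SecurityIdentifier])
    $descriptor = [CommonSecurityDescriptor]::new($false, $false, $Sddl)

    if ($Revoke) {
        # RemoveAccess returns $false when no entry matched; surface that
        # instead of silently reporting success.
        $removed = $descriptor.DiscretionaryAcl.RemoveAccess(
            'Allow', $sid, $AccessMask, 'None', 'None'
        )
        if (-not $removed) {
            Write-Warning "No matching Allow entry for $Identity was found."
        }
    } else {
        $descriptor.DiscretionaryAcl.AddAccess(
            'Allow', $sid, $AccessMask, 'None', 'None'
        )
    }

    $descriptor.GetSddlForm('All')
}

# Sample descriptor, constructed for this example: only BUILTIN\Administrators
# hold Full access to begin with.
$before = 'O:NSG:BAD:P(A;;GA;;;BA)'

# Grant the current user (DOMAIN\User form) Full access in a copy.
$after = Update-SessionSddl -Sddl $before -Identity "$env:USERDOMAIN\$env:USERNAME"

# List exactly which ACEs differ before anything is written to the endpoint.
# Each ACE is one parenthesised group in the SDDL string.
Compare-Object -ReferenceObject ([regex]::Matches($before, '\([^)]*\)').Value) `
               -DifferenceObject ([regex]::Matches($after, '\([^)]*\)').Value)

# Apply only after review. Requires an elevated session; without -WhatIf the
# cmdlet rewrites the descriptor and restarts the WinRM service.
Set-PSSessionConfiguration -Name Microsoft.PowerShell -SecurityDescriptorSddl $after -WhatIf
```

Running the same function with -Revoke against the output of the first call returns a string equivalent to $before, which is a quick way to confirm that a grant can be backed out cleanly before it is applied.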