Powershell SDDL modification

2019-05-22 12:27发布

问题:

I am trying to allow remote access to server throught winrs. Somewhere on the internets, I find out that this will need modification of RootSDDL for winrm service, and the value of it could be fetched like this:

(Get-Item WSMAN:\localhost\Service\RootSDDL).Value
O:NSG:BAD:P(A;;GA;;;BA)(A;;GA;;;S-1-5-21-3231263931-1371906242-1889625497-1141)S:P(AU;FA;GA;;;WD)(AU;SA;GWGX;;;WD)

Now, the question is the following: When I know SID of the user I want to allow remote access, how do I add to this SDDL ACE like (A;;GA;;;S-1-5-21-The-rest-of-my-user-SID) ?

Is there any code snippets to parse SDDL into array of ACEs, modify it and parse back?

回答1:

This code isn't completely working, but if you fix the constructor parameters (in the $ArgumentList variable) for the ObjectAce object, you should be able to get it working. I'll try to come back to this a bit later and finish it off.

This example does show how to use the RawSecurityDescriptor class to "import" SDDL, and then call the GetSDDLForm() method to "export" it back to SDDL. All we need to figure out is how to properly construct the ObjectAce object, and call InsertAce() to add it to the RawSecurityDescriptor object, before we export it to SDDL.

# Create a Security Descriptor from SDDL
$SD = New-Object -TypeName System.Security.AccessControl.RawSecurityDescriptor -ArgumentList 'O:NSG:BAD:P(A;;GA;;;BA)(A;;GA;;;S-1-5-21-3231263931-1371906242-1889625497-1141)S:P(AU;FA;GA;;;WD)(AU;SA;GWGX;;;WD)';

# Add a new Access Control Entry
# ObjectACE constructor docs: http://msdn.microsoft.com/en-us/library/system.security.accesscontrol.objectace.objectace(v=vs.110).aspx
$ArgumentList = @(
    [System.Security.AccessControl.AceFlags]::None,
    [System.Security.AccessControl.AceQualifier]::AccessAllowed,
    1,
    [System.Security.AccessControl.ObjectAceFlags]::None,
    )
$ObjectACE = New-Object -TypeName System.Security.AccessControl.ObjectAce -ArgumentList $ArgumentList;
$SD.DiscretionaryAcl.InsertAce($ObjectACE);

# Convert the Security Descriptor back into SDDL
$SD.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All);


回答2:

Using information from the Trewor Sullivan's answer I managed to add this with following code:

function add_sid_with_A_GA($sddl, $sid) {
    $security_descriptor = New-Object -TypeName System.Security.AccessControl.CommonSecurityDescriptor -ArgumentList @($false, $false, $sddl);

    $security_descriptor.DiscretionaryAcl.AddAccess("Allow", $sid, 268435456,"None","None")

    # Convert the Security Descriptor back into SDDL
    $security_descriptor.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All);
}

268435456 is the AccessMask for GA rights.