예제 #1
0
        public CommonSecurityDescriptor GenerateSecurityDescriptor(SecurityIdentifier sid, PowerShellAuthorizationResponse result)
        {
            AccessMask allowedAccess = 0;
            AccessMask deniedAccess  = 0;

            if (result.IsLocalAdminPasswordAllowed)
            {
                allowedAccess |= AccessMask.LocalAdminPassword;
            }

            if (result.IsLocalAdminPasswordHistoryAllowed)
            {
                allowedAccess |= AccessMask.LocalAdminPasswordHistory;
            }

            if (result.IsJitAllowed)
            {
                allowedAccess |= AccessMask.Jit;
            }

            if (result.IsLocalAdminPasswordDenied)
            {
                deniedAccess |= AccessMask.LocalAdminPassword;
            }

            if (result.IsLocalAdminPasswordHistoryDenied)
            {
                deniedAccess |= AccessMask.LocalAdminPasswordHistory;
            }

            if (result.IsJitDenied)
            {
                deniedAccess |= AccessMask.Jit;
            }

            DiscretionaryAcl dacl;

            if (allowedAccess > 0 && deniedAccess > 0)
            {
                dacl = new DiscretionaryAcl(false, false, 2);
            }
            else if (allowedAccess > 0 || deniedAccess > 0)
            {
                dacl = new DiscretionaryAcl(false, false, 1);
            }
            else
            {
                dacl = new DiscretionaryAcl(false, false, 0);
            }

            if (allowedAccess > 0)
            {
                dacl.AddAccess(AccessControlType.Allow, sid, (int)allowedAccess, InheritanceFlags.None, PropagationFlags.None);
            }

            if (deniedAccess > 0)
            {
                dacl.AddAccess(AccessControlType.Deny, sid, (int)deniedAccess, InheritanceFlags.None, PropagationFlags.None);
            }

            return(new CommonSecurityDescriptor(false, false, ControlFlags.DiscretionaryAclPresent, new SecurityIdentifier(WellKnownSidType.LocalSystemSid, null), null, null, dacl));
        }
예제 #2
0
        private PowerShellAuthorizationResponse GetAuthorizationResponse(string script, IUser user, IComputer computer, int timeout)
        {
            PowerShell powershell = this.sessionProvider.GetSession(script, "Get-AuthorizationResponse");

            powershell.AddCommand("Get-AuthorizationResponse")
            .AddParameter("user", this.ToPSObject(user))
            .AddParameter("computer", this.ToPSObject(computer));

            Task <PowerShellAuthorizationResponse> task = new Task <PowerShellAuthorizationResponse>(() =>
            {
                var results = powershell.Invoke();
                powershell.ThrowOnPipelineError();

                foreach (PSObject result in results)
                {
                    if (result.BaseObject is PowerShellAuthorizationResponse res)
                    {
                        return(res);
                    }

                    if (result.Properties[nameof(res.IsLocalAdminPasswordAllowed)] == null &&
                        result.Properties[nameof(res.IsLocalAdminPasswordDenied)] == null &&
                        result.Properties[nameof(res.IsLocalAdminPasswordHistoryAllowed)] == null &&
                        result.Properties[nameof(res.IsLocalAdminPasswordHistoryDenied)] == null &&
                        result.Properties[nameof(res.IsJitAllowed)] == null &&
                        result.Properties[nameof(res.IsJitDenied)] == null)
                    {
                        continue;
                    }

                    res = new PowerShellAuthorizationResponse();
                    res.IsLocalAdminPasswordAllowed        = Convert.ToBoolean(result.Properties[nameof(res.IsLocalAdminPasswordAllowed)]?.Value ?? false);
                    res.IsLocalAdminPasswordDenied         = Convert.ToBoolean(result.Properties[nameof(res.IsLocalAdminPasswordDenied)]?.Value ?? false);
                    res.IsLocalAdminPasswordHistoryAllowed = Convert.ToBoolean(result.Properties[nameof(res.IsLocalAdminPasswordHistoryAllowed)]?.Value ?? false);
                    res.IsLocalAdminPasswordHistoryDenied  = Convert.ToBoolean(result.Properties[nameof(res.IsLocalAdminPasswordHistoryDenied)]?.Value ?? false);
                    res.IsJitAllowed = Convert.ToBoolean(result.Properties[nameof(res.IsJitAllowed)]?.Value ?? false);
                    res.IsJitDenied  = Convert.ToBoolean(result.Properties[nameof(res.IsJitDenied)]?.Value ?? false);
                    return(res);
                }

                return(null);
            });

            task.Start();
            if (!task.Wait(TimeSpan.FromSeconds(timeout)))
            {
                throw new TimeoutException("The PowerShell script did not complete within the configured time");
            }

            if (task.IsFaulted)
            {
                if (task.Exception != null)
                {
                    throw task.Exception;
                }
                throw new AccessManagerException("The task failed");
            }

            if (task.Result != null)
            {
                this.logger.LogTrace($"PowerShell script returned the following AuthorizationResponse: {JsonConvert.SerializeObject(task.Result)}");
                return(task.Result);
            }

            this.logger.LogWarning(EventIDs.PowerShellSDGeneratorInvalidResponse, $"The PowerShell script did not return an AuthorizationResponse");

            return(new PowerShellAuthorizationResponse());
        }
예제 #3
0
        public CommonSecurityDescriptor GenerateSecurityDescriptor(IUser user, IComputer computer, string script, int timeout)
        {
            PowerShellAuthorizationResponse result = this.GetAuthorizationResponse(script, user, computer, timeout);

            return(GenerateSecurityDescriptor(user.Sid, result));
        }