WinRb / winrm-elevated

Runs PowerShell commands as elevated over Windows Remote Management (WinRM) via a scheduled task
Apache License 2.0

Can't execute elevated shell command with same credential as for WinRM transport #23

Open karim-jaouadi opened 6 years ago

karim-jaouadi commented 6 years ago

Hi,

When using chef-provisioning-aws to bootstrap a Windows server via the WinRM transport, it seems to call an elevated shell_type (https://github.com/chef/chef-provisioning/blob/ff96031e9ee61e6f6757787d612e3fa91b85f1b7/lib/chef/provisioning/transport/winrm.rb#L101).

In the function below, the elevated shell uses the same credentials as the WinRM transport.

```ruby
class Elevated
  # @param connection_opts [ConnectionOpts] The WinRM connection options
  # @param transport [HttpTransport] The WinRM SOAP transport
  # @param logger [Logger] The logger to log diagnostic messages to
  def initialize(connection_opts, transport, logger)
    @logger = logger
    @username = connection_opts[:user]
    @password = connection_opts[:password]
    @interactive_logon = false
    @shell = Powershell.new(connection_opts, transport, logger)
    @winrm_file_transporter = WinRM::FS::Core::FileTransporter.new(@shell)
  end
end
```

However, in the CIS Windows image (https://www.cisecurity.org/benchmark/microsoft_windows_server/) with UAC and strong GPOs, it is not possible (out of the box) to run any command via the elevated shell unless we use "Impersonating a service account" (username: 'System', password: nil).

Failing when using the same WinRM Administrator account:

```
ruby winrm-test.rb
A specified logon session does not exist. It may already have been terminated. (Exception from HRESULT: 0x80070520)
At line:72 char:1
+ $folder.RegisterTaskDefinition($task_name, $task, 6, $username, $pass ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OperationStopped: (:) [], COMException
    + FullyQualifiedErrorId : System.Runtime.InteropServices.COMException
The script exited with exit code -196608
```

Working with impersonation:

```
ruby winrm-test.rb

Name                           Value
PSVersion                      5.1.14393.1944
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.14393.1944
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

The script exited with exit code 0
```

Would it be possible to make the elevated shell username/password configurable independently from the WinRM connection_opts?

Many thanks.
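
The request above, sketched as an added example (not code from winrm-elevated, chef-provisioning or the issue author): the identity the scheduled task runs as is resolved separately from the WinRM transport credentials. The `:elevated_user` and `:elevated_password` option names and the helper are hypothetical; the logon-type numbers are the Task Scheduler TASK_LOGON_TYPE values, and mapping a nil password to the service-account logon is this sketch's assumption.

```ruby
# Added sketch, not winrm-elevated code. :elevated_user and :elevated_password
# are hypothetical option names used only for this illustration.

# Task Scheduler TASK_LOGON_TYPE values.
TASK_LOGON_PASSWORD          = 1
TASK_LOGON_INTERACTIVE_TOKEN = 3
TASK_LOGON_SERVICE_ACCOUNT   = 5

ElevatedIdentity = Struct.new(:username, :password, :logon_type) do
  # Never print the password when the identity ends up in a log line.
  def to_s
    "#{username} (logon_type=#{logon_type}, password=#{password.nil? ? 'none' : '[redacted]'})"
  end
end

# Resolve the identity the scheduled task runs as. Without an override the
# WinRM transport credentials are reused, as in the constructor quoted above.
def resolve_elevated_identity(opts, interactive_logon: false)
  overridden = opts.key?(:elevated_user)
  username = overridden ? opts[:elevated_user] : opts[:user]
  password = overridden ? opts[:elevated_password] : opts[:password]
  raise ArgumentError, 'elevated user name is missing' if username.to_s.empty?

  logon_type =
    if password.nil?
      TASK_LOGON_SERVICE_ACCOUNT # assumption: nil password means a service account such as 'System'
    elsif interactive_logon
      TASK_LOGON_INTERACTIVE_TOKEN
    else
      TASK_LOGON_PASSWORD
    end
  ElevatedIdentity.new(username, password, logon_type)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample options; the password is a placeholder.
  transport = { endpoint: 'https://host.example:5986/wsman',
                user: 'Administrator', password: 'placeholder-password' }
  puts resolve_elevated_identity(transport)
  puts resolve_elevated_identity(transport.merge(elevated_user: 'System', elevated_password: nil))
end
```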

karim-jaouadi commented 6 years ago

Any update from anyone? :)