In the function below, the elevated shell uses the same credentials as the WinRM transport.
```ruby
class Elevated
  # @param connection_opts [ConnectionOpts] The WinRM connection options
  # @param transport [HttpTransport] The WinRM SOAP transport
  # @param logger [Logger] The logger to log diagnostic messages to
  def initialize(connection_opts, transport, logger)
    @logger = logger
    @username = connection_opts[:user]
    @password = connection_opts[:password]
    @interactive_logon = false
    @shell = Powershell.new(connection_opts, transport, logger)
    @winrm_file_transporter = WinRM::FS::Core::FileTransporter.new(@shell)
  end
end
```
However, on a CIS Windows image (https://www.cisecurity.org/benchmark/microsoft_windows_server/) with UAC and a strong GPO, it is not possible (out of the box) to run any command via the elevated shell unless we use "Impersonating a service account" (username: 'System', password: nil).
Failing when using the same WinRM Administrator account:

```
ruby winrm-test.rb
A specified logon session does not exist. It may already have been terminated. (Exception from HRESULT: 0x80070520)
At line:72 char:1
+ $folder.RegisterTaskDefinition($task_name, $task, 6, $username, $pass ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OperationStopped: (:) [], COMException
    + FullyQualifiedErrorId : System.Runtime.InteropServices.COMException
The script exited with exit code -196608
```
Working with impersonation:

```
ruby winrm-test.rb
Name                           Value
----                           -----
PSVersion                      5.1.14393.1944
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.14393.1944
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
The script exited with exit code 0
```
Would it be possible to make the elevated shell username/password configurable independently from the WinRM connection_opts?
Hi,
Using chef-provisioning-aws to bootstrap a Windows server via the WinRM transport, it seems to call an elevated shell_type (https://github.com/chef/chef-provisioning/blob/ff96031e9ee61e6f6757787d612e3fa91b85f1b7/lib/chef/provisioning/transport/winrm.rb#L101).
Many thanks.