dsccommunity / SecurityPolicyDsc

A wrapper around secedit.exe to configure local security policies
MIT License

SecurityOptions - Could not infer CimType from the provided .NET object #126

Closed thijsvanbloemendaal closed 4 years ago

thijsvanbloemendaal commented 5 years ago

Hi,

I'm running into issues with a baseline in Windows 2019. I receive the following error on multiple SecurityOptions:

Could not infer CimType from the provided .NET object.
    + CategoryInfo          : InvalidOperation: (Microsoft.Manag...InstanceCommand:) [], CimException
    + FullyQualifiedErrorId : New-CimInstance,Microsoft.Management.Infrastructure.CimCmdlets.NewCimInstanceCommand
    + PSComputerName        : localhost

The PowerShell DSC resource '[SecurityOption]SecuritySetting(INF): EnableGuestAccount' with SourceInfo ************** threw one or more non-terminating errors while running the Test-TargetResource functionality. These errors are logged to the ETW channel called Microsoft-Windows-DSC/Operational. Refer to this channel for more details.
    + CategoryInfo          : InvalidOperation: (:) [], CimException
    + FullyQualifiedErrorId : NonTerminatingErrorFromProvider
    + PSComputerName        : localhost

Does anyone know how to resolve this?

Regards, Thijs

hariscodes commented 4 years ago

Hey, we actually found a fix for this. We have forked this repository and my colleague will be pushing the fix up.

In short, there's a switch call three functions deep which doesn't cover all possibilities of users in a policy. The Local Security Policy associated with the problematic call is "Network Access: Restrict Clients allowed to make remote calls to SAM". If you look at that policy in secedit, you'll see a weird, seemingly incomprehensible series of parentheticals that look something like this:

(A;;RC;;;SY)(A;;RC;;;DA)

This is an esoteric, legacy language called SDDL, and the parentheticals refer to permission sets for local/domain user groups. At the end of each of these is an identifier that is used to identify the group (because the SID was too verbose for the byte constraints that they were working in when this language was created). This is converted to a SID, which is then converted to a friendly name that is used to construct an object using New-CimInstance. Because the only one noted in the switch statement is "BA" (i.e. Builtin\Administrators), it breaks.

We added support for all missing ones, including SY (NT AUTHORITY\SYSTEM) and DA (DOMAIN\Domain Administrators).

Cheers!
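The mapping described in the comment above, as an added example; this is not SecurityPolicyDsc's code and not the fix hariscodes's colleague pushed, and the function names, the alias table and the placeholder domain SID are all assumptions. It parses each SDDL ACE, resolves the trailing trustee alias (BA, SY, DA, ...) to a SID through a lookup table rather than a switch with a single case, and reports an unknown alias by name instead of passing $null on to New-CimInstance. Domain-relative aliases such as DA are built from a caller-supplied domain SID, and the SID-to-account translation falls back to the raw SID when the machine cannot resolve it (for example a workgroup host).

```powershell
# Added example, not SecurityPolicyDsc's own code. Resolves the trustee alias at
# the end of each SDDL ACE in the "Restrict clients allowed to make remote calls
# to SAM" value, e.g. (A;;RC;;;SY)(A;;RC;;;DA).

# Well-known SDDL trustee aliases that map to fixed SIDs (subset; assumed table).
$script:LocalAliasSid = @{
    'BA' = 'S-1-5-32-544'   # BUILTIN\Administrators
    'BU' = 'S-1-5-32-545'   # BUILTIN\Users
    'BG' = 'S-1-5-32-546'   # BUILTIN\Guests
    'SY' = 'S-1-5-18'       # NT AUTHORITY\SYSTEM
    'LS' = 'S-1-5-19'       # NT AUTHORITY\LOCAL SERVICE
    'NS' = 'S-1-5-20'       # NT AUTHORITY\NETWORK SERVICE
    'AU' = 'S-1-5-11'       # NT AUTHORITY\Authenticated Users
    'IU' = 'S-1-5-4'        # NT AUTHORITY\INTERACTIVE
    'AN' = 'S-1-5-7'        # NT AUTHORITY\ANONYMOUS LOGON
    'WD' = 'S-1-1-0'        # Everyone
}

# Domain-relative aliases: the RID is appended to the domain SID.
$script:DomainAliasRid = @{
    'DA' = 512   # Domain Admins
    'DU' = 513   # Domain Users
    'DG' = 514   # Domain Guests
    'EA' = 519   # Enterprise Admins (forest root domain SID)
}

function ConvertTo-TrusteeSid {
    # Turn an SDDL trustee field into a SID string, or throw with the alias name.
    param(
        [Parameter(Mandatory)][string]$Trustee,
        # Constructed placeholder; pass the real domain SID on a domain member.
        [string]$DomainSid = 'S-1-5-21-0-0-0'
    )
    if ($Trustee -match '^S-1-') { return $Trustee }   # literal SID, nothing to map
    if ($script:LocalAliasSid.ContainsKey($Trustee)) { return $script:LocalAliasSid[$Trustee] }
    if ($script:DomainAliasRid.ContainsKey($Trustee)) {
        return '{0}-{1}' -f $DomainSid, $script:DomainAliasRid[$Trustee]
    }
    # The original failure mode: an alias the code does not know. Fail with a
    # message that names it rather than returning $null to New-CimInstance.
    throw "Unsupported SDDL trustee alias '$Trustee'"
}

function ConvertFrom-SamRestrictionSddl {
    # Parse every "(type;flags;rights;object_guid;inherit_guid;trustee)" ACE.
    param(
        [Parameter(Mandatory)][string]$Sddl,
        [string]$DomainSid = 'S-1-5-21-0-0-0'
    )
    foreach ($m in [regex]::Matches($Sddl, '\(([^)]*)\)')) {
        $f = $m.Groups[1].Value -split ';'
        if ($f.Count -ne 6) { throw "Malformed ACE '$($m.Value)'" }
        $sid  = ConvertTo-TrusteeSid -Trustee $f[5] -DomainSid $DomainSid
        $name = $sid   # fallback when the SID cannot be translated on this host
        try {
            $name = ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                        [System.Security.Principal.NTAccount]).Value
        } catch { }    # e.g. IdentityNotMappedException on a workgroup machine
        [pscustomobject]@{
            AceType = $f[0]; Rights = $f[2]; Alias = $f[5]; Sid = $sid; Account = $name
        }
    }
}

# Constructed sample value in the shape the policy stores; SY and DA both
# resolve, and no alias reaches New-CimInstance unmapped.
ConvertFrom-SamRestrictionSddl -Sddl 'O:BAG:BAD:(A;;RC;;;SY)(A;;RC;;;DA)' |
    Format-Table AceType, Rights, Alias, Sid, Account -AutoSize
```

On a domain member, pass the real domain SID (for example from `(Get-ADDomain).DomainSID` or by trimming the RID off the current user's SID) so DA resolves to the correct Domain Admins group; on a workgroup host the placeholder SID stays in the Account column, which is the intended fallback rather than an error.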