Powershell SDDL modification


Problem description

I am trying to allow remote access to a server through winrs. Somewhere on the internets, I found out that this will need modification of RootSDDL for the winrm service, and the value of it could be fetched like this:

(Get-Item WSMAN:\localhost\Service\RootSDDL).Value
O:NSG:BAD:P(A;;GA;;;BA)(A;;GA;;;S-1-5-21-3231263931-1371906242-1889625497-1141)S:P(AU;FA;GA;;;WD)(AU;SA;GWGX;;;WD)

Now, the question is the following: when I know the SID of the user I want to allow remote access, how do I add an ACE like (A;;GA;;;S-1-5-21-The-rest-of-my-user-SID) to this SDDL?

Are there any code snippets to parse SDDL into an array of ACEs, modify it and parse it back?

Recommended answer

This code isn't completely working, but if you fix the constructor parameters (in the $ArgumentList variable) for the ObjectAce object, you should be able to get it working. I'll try to come back to this a bit later and finish it off.

This example does show how to use the RawSecurityDescriptor class to "import" SDDL, and then call the GetSDDLForm() method to "export" it back to SDDL. All we need to figure out is how to properly construct the ObjectAce object, and call InsertAce() to add it to the RawSecurityDescriptor object, before we export it to SDDL.

# Create a Security Descriptor from SDDL
$SD = New-Object -TypeName System.Security.AccessControl.RawSecurityDescriptor -ArgumentList 'O:NSG:BAD:P(A;;GA;;;BA)(A;;GA;;;S-1-5-21-3231263931-1371906242-1889625497-1141)S:P(AU;FA;GA;;;WD)(AU;SA;GWGX;;;WD)';

# Add a new Access Control Entry
# ObjectACE constructor docs: http://msdn.microsoft.com/en-us/library/system.security.accesscontrol.objectace.objectace(v=vs.110).aspx
$ArgumentList = @(
    [System.Security.AccessControl.AceFlags]::None,
    [System.Security.AccessControl.AceQualifier]::AccessAllowed,
    1,
    [System.Security.AccessControl.ObjectAceFlags]::None,
    )
$ObjectACE = New-Object -TypeName System.Security.AccessControl.ObjectAce -ArgumentList $ArgumentList;
$SD.DiscretionaryAcl.InsertAce($ObjectACE);

# Convert the Security Descriptor back into SDDL
$SD.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All);
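A working round trip of the approach the answer sketches, as an added example that is not part of the original answer: it parses the RootSDDL quoted in the question, appends an allow ACE built as a CommonAce (rather than an ObjectAce) and exports the result. The user SID is a constructed placeholder.

```powershell
# Added example, not the answer's own code: parse the RootSDDL quoted in the question,
# append an access-allowed ACE for one user SID, and export the result as SDDL.
# The user SID is a constructed placeholder; substitute the real one.
$Sddl    = 'O:NSG:BAD:P(A;;GA;;;BA)(A;;GA;;;S-1-5-21-3231263931-1371906242-1889625497-1141)S:P(AU;FA;GA;;;WD)(AU;SA;GWGX;;;WD)'
$UserSid = New-Object -TypeName System.Security.Principal.SecurityIdentifier `
                      -ArgumentList 'S-1-5-21-1111111111-2222222222-3333333333-1001'

# "Import" the SDDL string
$SD = New-Object -TypeName System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $Sddl

# GA in SDDL is GENERIC_ALL (0x10000000): full control of the WinRM service. Check whether
# a narrower mask (e.g. GR and GX) is enough before handing out GA.
$AccessMask = 0x10000000

# A plain (A;;GA;;;<sid>) entry is a CommonAce. ObjectAce is for directory-service ACEs
# that carry object-type GUIDs, which is why the ObjectAce constructor is awkward here.
$Ace = New-Object -TypeName System.Security.AccessControl.CommonAce -ArgumentList @(
    [System.Security.AccessControl.AceFlags]::None,
    [System.Security.AccessControl.AceQualifier]::AccessAllowed,
    $AccessMask,
    $UserSid,
    $false,   # isCallback
    $null     # opaque callback data
)

# Don't pile up duplicate entries if the script is re-run
$Dacl = $SD.DiscretionaryAcl
$AlreadyAllowed = $false
foreach ($Existing in $Dacl) {
    if ($Existing -is [System.Security.AccessControl.CommonAce] -and
        $Existing.AceQualifier -eq [System.Security.AccessControl.AceQualifier]::AccessAllowed -and
        $Existing.SecurityIdentifier -eq $UserSid) {
        $AlreadyAllowed = $true
    }
}

if (-not $AlreadyAllowed) {
    # RawAcl.InsertAce needs an index. RawAcl does not canonicalize the ACL, so appending
    # is only safe because this DACL holds allow ACEs alone (no deny entries to order around).
    $Dacl.InsertAce($Dacl.Count, $Ace)
}

# "Export" back to SDDL; review this string before storing it in
# WSMan:\localhost\Service\RootSDDL with Set-Item
$NewSddl = $SD.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)
$NewSddl
```

The owner (O:NS), group (G:BA) and the SACL audit entries survive the round trip unchanged; only the DACL gains the new entry.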
