
Can't execute elevated shell command with same credential as for WinRM transport #23

Open
karim-jaouadi opened this issue Mar 1, 2018 · 1 comment


karim-jaouadi commented Mar 1, 2018

Hi,

Using chef-provisioning-aws to bootstrap a Windows server via the WinRM transport, it seems to call an elevated shell_type (https://github.com/chef/chef-provisioning/blob/ff96031e9ee61e6f6757787d612e3fa91b85f1b7/lib/chef/provisioning/transport/winrm.rb#L101).

In the function below, the elevated shell uses the same credentials as the WinRM transport.

class Elevated
  # @param connection_opts [ConnectionOpts] The WinRM connection options
  # @param transport [HttpTransport] The WinRM SOAP transport
  # @param logger [Logger] The logger to log diagnostic messages to
  def initialize(connection_opts, transport, logger)
    @logger = logger
    # The scheduled task is registered with the transport's own user/password;
    # there is no separate option for the elevated account here.
    @username = connection_opts[:user]
    @password = connection_opts[:password]
    @interactive_logon = false
    @shell = Powershell.new(connection_opts, transport, logger)
    @winrm_file_transporter = WinRM::FS::Core::FileTransporter.new(@shell)
  end
end

However, on a CIS Windows image (https://www.cisecurity.org/benchmark/microsoft_windows_server/) with UAC and strict GPOs, it is not possible (out of the box) to run any command via the elevated shell unless we use "Impersonating a service account" (username: 'System', password: nil).

Failing when using the same WinRM Administrator account:

ruby winrm-test.rb
A specified logon session does not exist. It may already have been terminated. (Exception from HRESULT: 0x80070520)
At line:72 char:1
+ $folder.RegisterTaskDefinition($task_name, $task, 6, $username, $pass ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OperationStopped: (:) [], COMException
    + FullyQualifiedErrorId : System.Runtime.InteropServices.COMException
The script exited with exit code -196608

Working with impersonation:

ruby winrm-test.rb

Name                           Value
PSVersion                      5.1.14393.1944
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.14393.1944
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

The script exited with exit code 0

Would it be possible to make the elevated shell username/password configurable independently of the WinRM connection_opts?

Many thanks.
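An added example (editorial, not code from chef-provisioning or winrm-elevated) of what the requested split looks like at the winrm-elevated API level: the WinRM transport authenticates as one account while the scheduled task behind the elevated shell runs as another, for instance the built-in 'System' service account on a UAC-hardened host. It assumes winrm 2.x and winrm-elevated 1.x, where the shell returned by `conn.shell(:elevated)` exposes `username=` / `password=` setters as in winrm-elevated's service-account impersonation docs; the `elevated_credentials`, `apply_elevated_credentials` and `run_elevated` helpers, the `SERVICE_ACCOUNTS` list and the `WINRM_*` environment variables are this example's own.

```ruby
# Added example: run the elevated (scheduled-task) shell with credentials that
# are kept separate from the WinRM transport credentials.
# Assumption: winrm-elevated's Elevated shell has username= / password= setters.

# Accounts that log on to a scheduled task without a password. 'System' is the
# spelling winrm-elevated documents; extend if your hosts use other built-in
# service accounts.
SERVICE_ACCOUNTS = ['System'].freeze

# Credentials for the elevated shell, independent of connection_opts.
ElevatedCredentials = Struct.new(:username, :password, keyword_init: true)

# Decide which account registers and runs the scheduled task.
# - no elevated_user: fall back to the transport account (today's behaviour)
# - a service account: no password
# - any other account: a password is mandatory, otherwise task registration
#   fails before the command ever runs, so fail early and loudly here
def elevated_credentials(transport_opts, elevated_user: nil, elevated_password: nil)
  if elevated_user.nil?
    ElevatedCredentials.new(username: transport_opts[:user],
                            password: transport_opts[:password])
  elsif SERVICE_ACCOUNTS.include?(elevated_user)
    ElevatedCredentials.new(username: elevated_user, password: nil)
  else
    if elevated_password.nil?
      raise ArgumentError, "a password is required to run the task as #{elevated_user}"
    end
    ElevatedCredentials.new(username: elevated_user, password: elevated_password)
  end
end

# Apply the credentials to anything responding to username= / password=
# (the real WinRM::Shells::Elevated does; a Struct stand-in works offline).
def apply_elevated_credentials(shell, creds)
  shell.username = creds.username
  shell.password = creds.password
  shell
end

# Open the transport with transport_opts, then run `command` in an elevated
# shell that uses the resolved credentials. Returns the WinRM::Output.
def run_elevated(transport_opts, command, elevated_user: nil, elevated_password: nil)
  # Required here rather than at the top so the helpers above load without the gems.
  require 'winrm'
  require 'winrm-elevated'
  creds = elevated_credentials(transport_opts,
                               elevated_user: elevated_user,
                               elevated_password: elevated_password)
  conn = WinRM::Connection.new(transport_opts)
  shell = apply_elevated_credentials(conn.shell(:elevated), creds)
  shell.run(command)
ensure
  shell&.close
end

# Usage (only when a target is configured; assumed environment variable names):
#   WINRM_ENDPOINT=http://host:5985/wsman WINRM_USER=Administrator WINRM_PASSWORD=... ruby this.rb
if ENV['WINRM_ENDPOINT']
  transport_opts = {
    endpoint: ENV['WINRM_ENDPOINT'],
    user: ENV['WINRM_USER'],
    password: ENV['WINRM_PASSWORD'],
    transport: :negotiate
  }
  # Transport as Administrator, scheduled task as the System service account.
  output = run_elevated(transport_opts, '$PSVersionTable', elevated_user: 'System')
  puts output.stdout
  puts "The script exited with exit code #{output.exitcode}"
end
```

The decision logic lives in `elevated_credentials` so it can be exercised without a Windows host; the point of the split is that the transport password never has to be reused for the task, and a non-service account without a password is rejected locally instead of surfacing as a COMException from RegisterTaskDefinition.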

@karim-jaouadi (Author)

Any update from anyone? :)
