Working command in a plain Powershell prompt gives Access denied in a PSSession
This is not a question about being unable to start a PSSession; it is about access rights that are clearly different inside the PSSession.
The following set of commands works:
- Start a PowerShell prompt
- Run
cmd /c sc queryex WerSvc
The following set of commands does not work:
- Start a PowerShell prompt
- Run
Enter-PSSession localhost
- Run
cmd /c sc queryex WerSvc
My user has permission to execute sc queryex, but apparently not inside a PSSession. Does anyone know where I should start checking the access rights?
Edit: kudos to PetSerAl.
Below is the output of whoami /all in a standard PowerShell prompt and in a PSSession.
PS C:\Users\xxxxxxxx> whoami /all
USER INFORMATION
----------------
User Name SID
================== ===============================================
corporate\xxxxxxxx S-1-5-21-3650376746-1030869643-1781887868-23610
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
========================================== ================ =============================================== ===============================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Desktop Users Alias S-1-5-32-555 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\REMOTE INTERACTIVE LOGON Well-known group S-1-5-14 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE Well-known group S-1-5-4 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
LOCAL Well-known group S-1-2-0 Mandatory group, Enabled by default, Enabled group
CORPORATE\xxxxxxxx User S-1-5-21-348289982-344025507-1237804090-35554 Mandatory group, Enabled by default, Enabled group
Authentication authority asserted identity Well-known group S-1-18-1 Mandatory group, Enabled by default, Enabled group
CORPORATE\xxxxxxxxxxxxxxxxxxxxxx_RDP Alias S-1-5-21-3650376746-1030869643-1781887868-21634 Mandatory group, Enabled by default, Enabled group, Local Group
Mandatory Label\Medium Mandatory Level Label S-1-16-8192
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== ========
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
USER CLAIMS INFORMATION
-----------------------
User claims unknown.
Kerberos support for Dynamic Access Control on this device has been disabled.
PS C:\Users\xxxxxxxx> enter-pssession localhost
[localhost]: PS C:\Users\xxxxxxxx\Documents> whoami /all
USER INFORMATION
----------------
User Name SID
================== ===============================================
corporate\xxxxxxxx S-1-5-21-3650376746-1030869643-1781887868-23610
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
========================================== ================ =============================================== ===============================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Desktop Users Alias S-1-5-32-555 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
CORPORATE\xxxxxxxx User S-1-5-21-348289982-344025507-1237804090-35554 Mandatory group, Enabled by default, Enabled group
Authentication authority asserted identity Well-known group S-1-18-1 Mandatory group, Enabled by default, Enabled group
CORPORATE\xxxxxxxxxxxxxxxxxxxxxx_RDP Alias S-1-5-21-3650376746-1030869643-1781887868-21634 Mandatory group, Enabled by default, Enabled group, Local Group
Mandatory Label\Medium Mandatory Level Label S-1-16-8192
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
USER CLAIMS INFORMATION
-----------------------
User claims unknown.
Kerberos support for Dynamic Access Control on this device has been disabled.
Is it possible that you started an elevated PowerShell and, after Enter-PSSession, ended up in a less-privileged shell?
Try checking with these lines:
[bool]$isElevated = (New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
whoami /all
The output shows that you run PowerShell under an interactive logon, whereas PowerShell remoting by default uses a network logon when it creates the session. You can use the -EnableNetworkAccess parameter to use the existing interactive session instead of creating a new network logon.
If you look at the WerSvc service security descriptor (you can use the sc.exe sdshow WerSvc command), you will see that it grants access to the service to the interactive logon, but does not grant such access to the network logon. Hence the difference in behaviour you observe.
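As an added example (not the answer author's code), the check below reads a service's SDDL with sc.exe sdshow, keeps the ACEs that grant SERVICE_QUERY_STATUS (0x0004, SDDL "LC", the right sc queryex needs) and compares their trustees with the logon-type SIDs in the current token. Run it once in a plain prompt and once inside Enter-PSSession localhost; if the explanation above holds, the second run reports NETWORK as the logon type and no grant for it. The service name is a parameter; the deny-before-allow evaluation is simplified and the SIDs and constants are documented Windows values.

```powershell
# Added example, not from the original answer. Needs Windows PowerShell 5+ / PowerShell 7.
$ServiceQueryStatus = 0x0004                      # SERVICE_QUERY_STATUS, SDDL right "LC"
$LogonTypeSids = @{ 'S-1-5-4' = 'INTERACTIVE'     # SDDL trustee "IU"
                    'S-1-5-2' = 'NETWORK' }       # SDDL trustee "NU"

function Get-ServiceDacl {
    param([Parameter(Mandatory)][string]$Name)
    # sc.exe sdshow prints the SDDL on one line; an "[SC] OpenService FAILED" line
    # means this logon cannot even read the descriptor, so we surface the raw output.
    $out  = & sc.exe sdshow $Name
    $line = $out | Where-Object { $_ -match '^[DOGS]:' } | Select-Object -First 1
    if (-not $line) { throw "sc.exe sdshow $Name returned no SDDL: $($out -join ' ')" }
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($line.Trim())
    # Only CommonAce entries carry a trustee SID and an access mask.
    $sd.DiscretionaryAcl | Where-Object { $_ -is [System.Security.AccessControl.CommonAce] }
}

function Test-ServiceQueryAccess {
    param([Parameter(Mandatory)][string]$Name)
    # Every SID the current token carries: the user plus all groups, including the
    # logon-type SID that whoami /all shows as INTERACTIVE or NETWORK.
    $id        = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $tokenSids = @($id.User.Value) + @($id.Groups | ForEach-Object Value)
    $logonType = foreach ($s in $tokenSids) { if ($LogonTypeSids.ContainsKey($s)) { $LogonTypeSids[$s] } }

    $allowed = $false; $denied = $false; $grantsByLogon = @{}
    foreach ($ace in Get-ServiceDacl -Name $Name) {
        if (-not ($ace.AccessMask -band $ServiceQueryStatus)) { continue }   # ACE is irrelevant to queryex
        $sid = $ace.SecurityIdentifier.Value
        # Remember which logon types the ACL names at all, for the explanation.
        if ($LogonTypeSids.ContainsKey($sid)) { $grantsByLogon[$LogonTypeSids[$sid]] = $ace.AceType }
        if ($tokenSids -notcontains $sid) { continue }                        # trustee not in our token
        if ($ace.AceType -eq 'AccessDenied')  { $denied  = $true }
        if ($ace.AceType -eq 'AccessAllowed') { $allowed = $true }
    }
    # Simplified evaluation: a matching deny wins, otherwise any matching allow.
    [pscustomobject]@{
        Service               = $Name
        CurrentLogonType      = ($logonType -join ',')
        QueryStatusAcesFor    = ($grantsByLogon.Keys -join ',')
        ExpectQueryexToWork   = ($allowed -and -not $denied)
    }
}

Test-ServiceQueryAccess -Name WerSvc
```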