
April 29, 2014 at 4:55 am

Hi!

I would like to allow DOS commands (applications) like Ping.exe or WhoamI.exe inside a constrained session.
Does anybody know how to achieve that with PowerShell 3.0 and a .pssc session configuration file created with the cmdlet New-PSSessionConfigurationFile?
I did not find any documentation on that!

Thank you for your time and answers!
Peter

May 1, 2014 at 8:17 pm

I don't think that's possible in a Session Configuration file (which you might want to report on the Connect site as a bug, if it hasn't been done already), but Boe Prox recently posted an article that showed how to do it with a startup script instead:

http://blogs.technet.com/b/heyscriptingguy/archive/2014/04/01/build-constrained-powershell-endpoint-using-startup-script.aspx

Look for the bits that use the $PublicApps variable in his code.

May 4, 2014 at 10:14 pm

Hi Dave!

Thank you for your reply!
I know the very good post from Boe.

I need the RunAs ability of the 3.0 endpoints, so I have to use the .pssc config file.

For the next 3 days I am a speaker at the German PowerShell Conference, so I will be back in 4 days.
I am presenting this topic there.

I have tackled this with a very, very ugly workaround.
I have wrapped WhoamI.exe inside a PowerShell function.
Plus, you have to allow the FileSystem provider because the applications lie on the disk 🙁
I think allowing the FileSystem provider can open up security holes?

New-PSSessionConfigurationFile -Path "$PSHome\SessionConfig\MyEndpointPS3.pssc" `
-SessionType RestrictedRemoteServer `
-LanguageMode NoLanguage `
-ModulesToImport Microsoft.PowerShell.Management `
-VisibleCmdlets Get-Service,Start-Service,Stop-Service  `
-VisibleProviders "FileSystem" `
-FunctionDefinitions @{Name="WhoAmI";ScriptBlock={Invoke-Expression "whoami.exe /user"};Options="AllScope"} `
-VisibleFunctions 'WhoamI'

Stay tuned 😉
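
A variant of the configuration in the post above, as an added example that is not part of the thread: the wrapper calls the executable by a fixed full path with the call operator instead of Invoke-Expression, and the file is validated and then registered with a RunAs account. The file location under `$env:TEMP`, the endpoint name and the `C:\Windows` install path are assumptions.

```powershell
# Added example, not code from the thread. Run from an elevated PowerShell 3.0+ console.
# Assumption: the .pssc file is written to the temp folder rather than $PSHome.
$psscPath = Join-Path $env:TEMP 'MyEndpointPS3.pssc'

$config = @{
    Path             = $psscPath
    SessionType      = 'RestrictedRemoteServer'
    LanguageMode     = 'NoLanguage'
    ModulesToImport  = 'Microsoft.PowerShell.Management'
    VisibleCmdlets   = 'Get-Service', 'Start-Service', 'Stop-Service'
    # Kept as in the post above, which reports that the wrapper needs this provider.
    VisibleProviders = 'FileSystem'
    FunctionDefinitions = @{
        Name        = 'WhoAmI'
        # Fixed full path and fixed argument: no PATH search and no string
        # evaluation. The function declares no parameters, so nothing the
        # caller types is passed on to the executable.
        # Assumption: Windows is installed in C:\Windows.
        ScriptBlock = { & 'C:\Windows\System32\whoami.exe' /user }
        Options     = 'AllScope'
    }
    VisibleFunctions = 'WhoAmI'
}
New-PSSessionConfigurationFile @config

# Validate the generated file before registering it.
if (-not (Test-PSSessionConfigurationFile -Path $psscPath)) {
    throw "Invalid session configuration file: $psscPath"
}

# Prompt for the RunAs account the endpoint will execute under.
$runAs = Get-Credential

# Assumption: 'MyEndpointPS3' as the endpoint name, taken from the file name in the post.
Register-PSSessionConfiguration -Name 'MyEndpointPS3' -Path $psscPath `
    -RunAsCredential $runAs -Force
```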

May 5, 2014 at 6:40 am

I'll play around with this if I have some spare time soon, and see if I can come up with any other options. I see -RunAsCredential parameters in all three of Register-PSSessionConfiguration's parameter sets, though; are you saying that it won't allow you to use RunAsCredential and StartupScript together?