How to allow applications in a PowerShell 3.0 New-PSSessionConfigurationFile?

This topic contains 3 replies, has 2 voices, and was last updated by Dave Wyatt 2 years, 7 months ago.

  • #14879
    Peter Kriegel
    Participant

    Hi!

    I would like to allow DOS commands (applications) like Ping.exe or WhoamI.exe inside a Constrained Session.
    Does anybody know how to achieve that with PowerShell 3.0 and a .pssc session configuration file created with the cmdlet New-PSSessionConfigurationFile?
    I did not find any documentation on that!

    Thank you for your time and answers!
    Peter

  • #14938
    Dave Wyatt
    Moderator

    I don't think that's possible in a Session Configuration file (which you might want to report on the Connect site as a bug, if it hasn't been done already), but Boe Prox recently posted an article that showed how to do it with a startup script instead:

    http://blogs.technet.com/b/heyscriptingguy/archive/2014/04/01/build-constrained-powershell-endpoint-using-startup-script.aspx

    Look for the bits that use the $PublicApps variable in his code.

  • #15022
    Dave Wyatt
    Moderator

    I'll play around with this if I have some spare time soon, and see if I can come up with any other options. I see -RunAsCredential parameters in all three of Register-PSSessionConfiguration's parameter sets, though; are you saying that it won't allow you to use RunAsCredential and StartupScript together?

  • #15011
    Peter Kriegel
    Participant

    Hi Dave!

    Thank you for your reply!
    I know the very good post from Boe.

    I need the RunAs ability of the 3.0 endpoints, so I have to use the .pssc config file.

    For the next 3 days I am a speaker at the German PowerShell Conference, so I will be back in 4 days.
    There I am presenting this topic.

    I have tackled this with a very, very ugly workaround.
    I have wrapped WhoamI.exe inside a PowerShell function.
    Plus, you have to allow the FileSystem provider because the applications lie on the disk 🙁
    I think allowing the FileSystem provider can open up security holes?

    New-PSSessionConfigurationFile -Path "$PSHome\SessionConfig\MyEndpointPS3.pssc" `
    -SessionType RestrictedRemoteServer `
    -LanguageMode NoLanguage `
    -ModulesToImport Microsoft.PowerShell.Management `
    -VisibleCmdlets Get-Service,Start-Service,Stop-Service  `
    -VisibleProviders "FileSystem" `
    -FunctionDefinitions @{Name="WhoAmI";ScriptBlock={Invoke-Expression "whoami.exe /user"};Options="AllScope"} `
    -VisibleFunctions 'WhoamI'

    Stay tuned 😉
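
Added example (not code from either poster): a static review of a .pssc file that reports which providers it exposes and which function bodies call Invoke-Expression or an external .exe, so the trade-off raised in the last post is visible before the endpoint is registered. The function name Test-PsscExposure and the sample file are assumptions made for this illustration; the parser API requires PowerShell 3.0 or later.

```powershell
# Added example: static audit of a .pssc file; nothing in the file is executed.
function Test-PsscExposure {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Path)

    $tokens = $null; $errors = $null
    $ast = [System.Management.Automation.Language.Parser]::ParseFile(
        (Resolve-Path $Path).ProviderPath, [ref]$tokens, [ref]$errors)
    if ($errors) { throw "Parse errors in ${Path}: $($errors[0].Message)" }

    # A .pssc is one hashtable literal; take the first (outermost) one found.
    $root = $ast.Find({ param($n) $n -is [System.Management.Automation.Language.HashtableAst] }, $false)
    if (-not $root) { throw "No hashtable found in $Path" }

    foreach ($pair in $root.KeyValuePairs) {
        $key  = $pair.Item1.Extent.Text.Trim("'", '"')
        $text = $pair.Item2.Extent.Text
        switch ($key) {
            'VisibleProviders' {
                [pscustomobject]@{ Setting = $key; Finding = "Providers exposed: $text" }
            }
            'FunctionDefinitions' {
                # Walk every command inside the function bodies.
                $cmds = $pair.Item2.FindAll({ param($n) $n -is [System.Management.Automation.Language.CommandAst] }, $true)
                foreach ($c in $cmds) {
                    $name = $c.GetCommandName()
                    if ($name -eq 'Invoke-Expression' -or $name -like '*.exe') {
                        [pscustomobject]@{ Setting = $key; Finding = "Function body runs: $($c.Extent.Text)" }
                    }
                }
            }
        }
    }
}

# Constructed sample mirroring the settings in the post above.
$sample = Join-Path $env:TEMP 'Sample.pssc'
@'
@{
    SessionType         = 'RestrictedRemoteServer'
    LanguageMode        = 'NoLanguage'
    VisibleProviders    = 'FileSystem'
    FunctionDefinitions = @{
        Name        = 'WhoAmI'
        ScriptBlock = { Invoke-Expression "whoami.exe /user" }
        Options     = 'AllScope'
    }
}
'@ | Set-Content -Path $sample
Test-PsscExposure -Path $sample | Format-Table -AutoSize -Wrap
```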
