JEA: RestrictedRemoteServer and Select-Object - Unusable


This topic contains 2 replies, has 2 voices, and was last updated by Alex Aymonier 6 days, 21 hours ago.

  • #58885
    Ori Besser
    Participant

    I created an endpoint that is restricted to one advanced function. This is my config:

    ModulesToImport = 'myModule','SmbShare'
    VisibleCmdlets =  'Get-SmbOpenFile', 'Get-SmbShare', 'Close-SmbOpenFile'
    VisibleFunctions = 'myFunction'
    ExecutionPolicy = 'RemoteSigned'
    SessionType = 'RestrictedRemoteServer'
    LanguageMode = 'NoLanguage'
    RunAsVirtualAccount = $true

    The problem is that choosing the RestrictedRemoteServer session type makes my function unusable because it exposes a custom Select-Object (a proxy function).
    Whenever my function uses Select-Object I get the following error:

    Cannot validate argument on parameter 'Property'. The argument "myArguments" does not belong to the set
    "ModuleName,Namespace,OutputType,Count,HelpUri,Name,CommandType,ResolvedCommandName,DefaultParameterSet,CmdletBinding,Parameters" specified by the
    ValidateSet attribute.

    Is there any way to override this proxy function usage? Because, IMHO, eliminating Select-Object will make a lot of use-cases unusable.

    Here is what I've tried so far:
    – an 'Empty' SessionType – it causes the import of SmbFile module to fail, it errors on loading some kind of format file.

    – a 'Default' SessionType with this configuration:

    ModulesToImport = 'myModule','SmbShare'
    VisibleCmdlets = 'Exit-PSSession', 'Get-Command', 'Get-FormatData', 'Get-Help', 'Measure-Object', 'Out-Default', 'Select-Object', 'Where-Object', 'Get-SmbOpenFile', 'Get-SmbShare', 'Close-SmbOpenFile'
    VisibleFunctions = 'myFunction'

    That one works, but I think it has a bug – alongside my visible commands, it exposes a long list of cmdlets from 'Microsoft.PowerShell.Core' which I didn't ask for; it even exposes 'Add-PSSnapin' and 'Disable-PSRemoting'.

    Thanks, I'll appreciate any advice..

  • #58896
    Ori Besser
    Participant

    OK..
    I have worked around it by adding this to my endpoint configuration:

    AliasDefinitions = @{
        Name='Select-MyObject'
        Value='Microsoft.PowerShell.Utility\Select-Object'
    }

    and using 'Select-MyObject' instead of 'Select-Object' in my function.
    Now it works with the RestrictedRemoteServer SessionType.

    Am I over-complicating stuff? I'd be glad to hear any input..

    My final configuration:

    AliasDefinitions = @{
        Name='Select-MyObject'
        Value='Microsoft.PowerShell.Utility\Select-Object'
    }
    ModulesToImport = 'myModule','SmbShare'
    VisibleFunctions = 'myFunction'
    ExecutionPolicy = 'RemoteSigned'
    SessionType = 'RestrictedRemoteServer'
    LanguageMode = 'NoLanguage'
    RunAsVirtualAccount = $true
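
The over-exposure seen with the 'Default' session type in the first post can be checked for on any endpoint by asking it what a connecting user would be able to run. The script below is an added example, not code from either poster: it writes the final configuration above to a complete .pssc file, registers it, and compares the visible commands against an allow-list. The endpoint name `JeaSmbAudit`, the file path and the account `CONTOSO\helpdesk.user` are placeholders, and `myModule` is assumed to be installed on the machine.

```powershell
# Added example. Run elevated on Windows PowerShell 5.0 or later.
# Register-PSSessionConfiguration -Force restarts WinRM without prompting.
$psscPath = Join-Path $env:TEMP 'JeaSmbAudit.pssc'   # placeholder path
$endpoint = 'JeaSmbAudit'                            # placeholder endpoint name
$testUser = 'CONTOSO\helpdesk.user'                  # placeholder account

# The final configuration from the post, as a complete session configuration file.
$config = @{
    Path                = $psscPath
    SessionType         = 'RestrictedRemoteServer'
    LanguageMode        = 'NoLanguage'
    ExecutionPolicy     = 'RemoteSigned'
    ModulesToImport     = 'myModule', 'SmbShare'
    VisibleFunctions    = 'myFunction'
    AliasDefinitions    = @{
        Name  = 'Select-MyObject'
        Value = 'Microsoft.PowerShell.Utility\Select-Object'
    }
    RunAsVirtualAccount = $true
}
New-PSSessionConfigurationFile @config

if (-not (Test-PSSessionConfigurationFile -Path $psscPath)) {
    throw "Session configuration file failed validation: $psscPath"
}
Register-PSSessionConfiguration -Name $endpoint -Path $psscPath -Force | Out-Null

# Allow-list: the RestrictedRemoteServer default commands plus the one function
# this endpoint is meant to offer. The Select-MyObject alias is deliberately
# left off, so the audit reports it if it turns out to be visible to the user.
$expected = @(
    'Clear-Host', 'Exit-PSSession', 'Get-Command', 'Get-FormatData',
    'Get-Help', 'Measure-Object', 'Out-Default', 'Select-Object',
    'myFunction'
)

# Ask the endpoint what this user would actually be able to run.
$visible    = Get-PSSessionCapability -ConfigurationName $endpoint -Username $testUser
$unexpected = $visible | Where-Object { $_.Name -notin $expected }

if ($unexpected) {
    Write-Warning 'Endpoint exposes commands outside the allow-list:'
    $unexpected | Sort-Object CommandType, Name |
        Format-Table CommandType, Name, Source -AutoSize
} else {
    Write-Output "Only the expected commands are visible to $testUser."
}
```

Running the same audit against an endpoint built from the 'Default' configuration in the first post would list the extra 'Microsoft.PowerShell.Core' cmdlets the poster describes, if they are in fact visible to the connecting user.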
    
  • #58920
    Alex Aymonier
    Participant

    About to start playing with JEA so thanks for the heads up
