JEA: RestrictedRemoteServer and Select-Object - Unusable

This topic contains 2 replies, has 2 voices, and was last updated by  Alex Aymonier 11 months, 3 weeks ago.

  • #58885

    Ori Besser
    Participant

    I created an endpoint that is restricted to one advanced function. This is my config:

    ModulesToImport = 'myModule','SmbShare'
    VisibleCmdlets =  'Get-SmbOpenFile', 'Get-SmbShare', 'Close-SmbOpenFile'
    VisibleFunctions = 'myFunction'
    ExecutionPolicy = 'RemoteSigned'
    SessionType = 'RestrictedRemoteServer'
    LanguageMode = 'NoLanguage'
    RunAsVirtualAccount = $true

    The problem is that choosing the RestrictedRemoteServer session type makes my function unusable because it exposes a custom Select-Object (a proxy function).
    Whenever my function is using Select-Object I get the following error:

    Cannot validate argument on parameter 'Property'. The argument "myArguments" does not belong to the set
    "ModuleName,Namespace,OutputType,Count,HelpUri,Name,CommandType,ResolvedCommandName,DefaultParameterSet,CmdletBinding,Parameters" specified by the
    ValidateSet attribute.

    Is there any way to override this proxy function usage? Because, IMHO, eliminating Select-Object will make a lot of use-cases unusable.

    Here is what I've tried so far:
    – an 'Empty' SessionType – it causes the import of SmbFile module to fail, it errors on loading some kind of format file.

    – a 'Default' SessionType with this configuration:

    ModulesToImport = 'myModule','SmbShare'
    VisibleCmdlets = 'Exit-PSSession', 'Get-Command', 'Get-FormatData', 'Get-Help', 'Measure-Object', 'Out-Default', 'Select-Object', 'Where-Object', 'Get-SmbOpenFile', 'Get-SmbShare', 'Close-SmbOpenFile'
    VisibleFunctions = 'myFunction'

    That one works but I think it has a bug – alongside my Visible commands, it exposes a long list of cmdlets from 'Microsoft.PowerShell.Core' which I didn't ask for, it even exposes 'Add-PSSnapin' and 'Disable-PSRemoting'.

    Thanks, I'll appreciate any advice..

  • #58896

    Ori Besser
    Participant

    OK..
    I have worked around it by adding this to my endpoint configuration:

    AliasDefinitions = @{
        Name='Select-MyObject'
        Value='Microsoft.PowerShell.Utility\Select-Object'
    }

    and using 'Select-MyObject' instead of 'Select-Object' in my function.
    Now it works with the RestrictedRemoteServer SessionType.

    Am I over-complicating stuff? I'd be glad to hear any input..

    My final configuration:

    AliasDefinitions = @{
        Name='Select-MyObject'
        Value='Microsoft.PowerShell.Utility\Select-Object'
    }
    ModulesToImport = 'myModule','SmbShare'
    VisibleFunctions = 'myFunction'
    ExecutionPolicy = 'RemoteSigned'
    SessionType = 'RestrictedRemoteServer'
    LanguageMode = 'NoLanguage'
    RunAsVirtualAccount = $true
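
A way to check what an endpoint built from the configuration above actually exposes, which bears on both the unexpected 'Microsoft.PowerShell.Core' cmdlets in the first post and the alias added in this one. This is an added example, not part of the original posts; the endpoint name, user name and file path are hypothetical, and it must run elevated on the host.

```powershell
# Added example, not from the thread. Hypothetical names: endpoint 'SmbHelpdesk',
# user 'CONTOSO\helpdesk1', directory C:\JEA (must already exist).
$pssc     = 'C:\JEA\SmbHelpdesk.pssc'
$endpoint = 'SmbHelpdesk'
$user     = 'CONTOSO\helpdesk1'

# The final configuration from the post, written out as a session configuration file.
$config = @{
    Path                = $pssc
    SessionType         = 'RestrictedRemoteServer'
    LanguageMode        = 'NoLanguage'
    ExecutionPolicy     = 'RemoteSigned'
    RunAsVirtualAccount = $true
    ModulesToImport     = 'myModule', 'SmbShare'
    VisibleFunctions    = 'myFunction'
    AliasDefinitions    = @{
        Name  = 'Select-MyObject'
        Value = 'Microsoft.PowerShell.Utility\Select-Object'
    }
}
New-PSSessionConfigurationFile @config

if (-not (Test-PSSessionConfigurationFile -Path $pssc)) {
    throw "Session configuration file $pssc failed validation."
}
# -Force suppresses the prompts and restarts WinRM.
Register-PSSessionConfiguration -Name $endpoint -Path $pssc -Force | Out-Null

# Intended surface: the function from the post plus the proxy functions
# that RestrictedRemoteServer adds on its own.
$expected = @(
    'myFunction'
    'Clear-Host', 'Exit-PSSession', 'Get-Command', 'Get-FormatData',
    'Get-Help', 'Measure-Object', 'Out-Default', 'Select-Object'
)

# Ask the endpoint what this user would see, without opening a session.
$visible = Get-PSSessionCapability -ConfigurationName $endpoint -Username $user

# Anything outside the intended set (cmdlet, function or alias) is reported.
$unexpected = $visible | Where-Object { $_.Name -notin $expected }
if ($unexpected) {
    Write-Warning 'Commands visible beyond the intended set:'
    $unexpected | Sort-Object CommandType, Name | Format-Table CommandType, Name, ModuleName
} else {
    'Only the intended commands are visible.'
}
```

If 'Select-MyObject' shows up in the report, the alias is reachable by the connecting user and not only by the function.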
    
  • #58920

    Alex Aymonier
    Participant

    About to start playing with JEA so thanks for the heads up
