1
votes

My scenario:

  1. I have a function that performs a privileged operation
  2. This function requires access to a secret key
  3. I need to run this function in a constrained PowerShell session (i.e. the function must run in a security context different from the user that invokes it)

Here is how I attempted to implement a solution:

  1. I created a dedicated account that will provide RunAs credentials for a constrained PSSession.

  2. I logged in interactively as the service account and ran this command:

    ConvertTo-SecureString "MySecretKey....." -AsPlainText -Force | Export-Clixml C:\PSScripts\panosAccessToken

This created a token encrypted for my service account.

  3. Inside the script that I am delegating, which will run in the context of the service account, I decrypt the key like so:

    $accessToken = Import-Clixml C:\PSScripts\token

  4. Next I register a PSSession, see details below.

The Issue: When users connect to the session and attempt to run the function, they get the following error message:

    [localhost]: PS> Get-PANOSBlockedTraffic
    Import-Clixml : Cannot find drive. A drive with the name 'C' does not exist.
    At line:4 char:20
    +     $accessToken = Import-Clixml C:\PSScripts\token
    +                    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : ObjectNotFound: (C:String) [Import-Clixml], DriveNotFoundException
        + FullyQualifiedErrorId : DriveNotFound,Microsoft.PowerShell.Commands.ImportClixmlCommand

It appears that my function is not allowed to access the file system, despite the fact that the service account has the appropriate rights. What am I missing?

    # Script block that becomes the body of the delegated function
    $getBlockedTraffic = {
        # Read back the token that was exported with Export-Clixml by the service account
        $accessToken = Import-Clixml C:\PSScripts\token
        # The rest of the logic is removed to save space
    }

    # Session configuration file for the restricted endpoint
    New-PSSessionConfigurationFile -Path c:\PSScripts\panos.pssc `
                                   -Description 'PANOS Delegation EndPoint' `
                                   -ExecutionPolicy Restricted `
                                   -SessionType RestrictedRemoteServer `
                                   -LanguageMode FullLanguage `
                                   -FunctionDefinitions @{Name="Get-PANOSBlockedTraffic";ScriptBlock=$getBlockedTraffic; Options="AllScope"}

    # Remove any previous registration and validate the new configuration file
    Unregister-PSSessionConfiguration -Name FirewallManagement -Force
    Test-PSSessionConfigurationFile -Path c:\PSScripts\panos.pssc

    # RunAs credentials of the dedicated service account
    $secpasswd = ConvertTo-SecureString "pwdHere" -AsPlainText -Force
    $sessionCreds = New-Object System.Management.Automation.PSCredential ("domain\user", $secpasswd)

    # Register the endpoint so that its sessions run as the service account
    Register-PSSessionConfiguration -Path 'c:\PSScripts\panos.pssc' `
                                    -Name FirewallManagement `
                                    -ShowSecurityDescriptorUI `
                                    -RunAsCredential $sessionCreds `
                                    -AccessMode Remote `
                                    -Force

1 Answers

0
votes

Your constrained endpoint is using RestrictedRemoteServer which only allows access to a few selected cmdlets, and almost nothing else.

The FileSystem provider is not among the things allowed, so you aren't able to read from the filesystem.

You can allow just that provider:

    New-PSSessionConfigurationFile -Path c:\PSScripts\panos.pssc `
                                   -Description 'PANOS Delegation EndPoint' `
                                   -ExecutionPolicy Restricted `
                                   -SessionType RestrictedRemoteServer `
                                   -LanguageMode FullLanguage `
                                   -VisibleProviders FileSystem `
                                   -FunctionDefinitions @{Name="Get-PANOSBlockedTraffic";ScriptBlock=$getBlockedTraffic; Options="AllScope"}

By adding -VisibleProviders you can specify which providers are available to the session. Of course this allows all filesystem access now.
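
After widening a restricted endpoint like this, it is worth checking which commands a connecting user can actually see and which account the endpoint runs as. The script below is an added example, not part of the original question or answer; it assumes the endpoint name and file path used on this page and is meant to be run on the host, from an elevated prompt, by an account that is allowed to connect.

```powershell
# Added example: audit what the FirewallManagement endpoint exposes to a caller.
$endpoint = 'FirewallManagement'         # endpoint name used on this page
$psscPath = 'C:\PSScripts\panos.pssc'    # configuration file path used on this page

# Default RestrictedRemoteServer commands plus the one delegated function.
# Clear-Host is absent on some PowerShell versions and then shows up as "Missing".
$expected = @(
    'Clear-Host', 'Exit-PSSession', 'Get-Command', 'Get-FormatData', 'Get-Help',
    'Measure-Object', 'Out-Default', 'Select-Object', 'Get-PANOSBlockedTraffic'
)

# 1. The configuration file must validate.
if (-not (Test-PSSessionConfigurationFile -Path $psscPath)) {
    throw "Session configuration file $psscPath failed validation."
}

# 2. Show the RunAs account and the access control list (needs elevation).
Get-PSSessionConfiguration -Name $endpoint |
    Select-Object Name, RunAsUser, Permission | Format-List

# 3. Connect the way a delegated user would and list the visible commands.
$session = New-PSSession -ComputerName localhost -ConfigurationName $endpoint
try {
    # Get-Command is one of the default visible commands, so it is callable here.
    $visible = Invoke-Command -Session $session -ScriptBlock { Get-Command } |
        Select-Object -ExpandProperty Name | Sort-Object -Unique

    $unexpected = @($visible  | Where-Object { $_ -notin $expected })
    $missing    = @($expected | Where-Object { $_ -notin $visible })

    [pscustomobject]@{
        Endpoint   = $endpoint
        Visible    = $visible -join ', '
        Unexpected = $unexpected -join ', '
        Missing    = $missing -join ', '
    } | Format-List

    if ($unexpected.Count -gt 0) {
        Write-Warning "Endpoint exposes commands outside the allow-list."
    }
}
finally {
    Remove-PSSession -Session $session
}
```

The check covers visible commands only; provider visibility is set by -VisibleProviders in the configuration file and is not reported by Get-Command.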