DCOM machine-level access and launch permissions via PowerShell

Question    Votes: 0    Answers: 3

Is it possible to set the machine-level "My Computer" access and launch permissions from PowerShell?

The equivalent of

DComPerm.exe -ma set name permit level:l,r
DComPerm.exe -ml set name permit level:l,r

I am looking for a solution using PowerShell v3.0. The target servers are Windows Server 2008 R2 and 2012.

I have found many references on setting DCOM application security settings, but I cannot find how to set them at the machine (top) level.

https://janbk.wordpress.com/2015/03/12/automating-dcom-acl-with-powershell/

Alternatives to using DcomPerm.exe and SetAcl.exe in PowerShell

powershell dcom
3 answers
3
votes

We have been using WMI to set launch permissions. See: https://rkeithhill.wordpress.com/2013/07/25/using-powershell-to-modify-dcom-launch-activation-settings/

After the Windows security patches were rolled out, this stopped working (patch numbers: 4012212, 4012213 and 4012213).

We converted the WMI PowerShell script to use CIM; it takes care of setting the launch permissions of the DCOM object and works with the security patches. The code is below for reference:

# PowerShell resolves function names at call time, so the helper functions
# have to be defined before the call at the bottom of the script.

function New-DComAccessControlEntry {
    param(
        [Parameter(Mandatory=$true)][string] $Username,
        [string] $Domain
    )

    # Create the Win32_Trustee instance (uses the script-level $CimSession)
    $Trustee = New-Object ciminstance $CimSession.GetClass("root/cimv2", "Win32_Trustee")
    $Trustee.Name = $Username
    $Trustee.Domain = $Domain

    # Create the Win32_ACE instance
    $Ace = New-Object ciminstance $CimSession.GetClass("root/cimv2", "Win32_ACE")
    $Ace.AceType = [uint32] [System.Security.AccessControl.AceType]::AccessAllowed
    # 11 = COM_RIGHTS_EXECUTE (1) | COM_RIGHTS_EXECUTE_LOCAL (2) | COM_RIGHTS_ACTIVATE_LOCAL (8),
    # i.e. "Local Launch" + "Local Activation" in dcomcnfg
    $Ace.AccessMask = 11
    $Ace.AceFlags = [uint32] [System.Security.AccessControl.AceFlags]::None
    $Ace.Trustee = $Trustee

    $Ace
}

function Grant-DComAccessToUser {
    param(
        [Parameter(Mandatory=$true)][string] $ComponentName,
        [Parameter(Mandatory=$true)][string] $Username,
        [string] $Domain
    )

    # Prefix match on the application description; it is expected to match exactly one application
    $DCom = Get-CimInstance -CimSession $CimSession -Query "SELECT * from Win32_DCOMApplicationSetting WHERE Description LIKE '$ComponentName%'"

    # Read the current launch security descriptor of the application
    $GetDescriptor = Invoke-CimMethod -InputObject $DCom -MethodName "GetLaunchSecurityDescriptor"

    # Reuse an existing ACE for the user if there is one, otherwise append a new one
    $ExistingDacl = $GetDescriptor.Descriptor.DACL | Where {$_.Trustee.Name -eq $Username}

    if ($ExistingDacl)
    {
        $ExistingDacl.AccessMask = 11
    }
    else
    {
        $NewAce = New-DComAccessControlEntry -Domain $Domain -Username $Username
        $GetDescriptor.Descriptor.DACL += $NewAce
    }

    # Write the modified descriptor back
    Invoke-CimMethod -InputObject $DCom -MethodName "SetLaunchSecurityDescriptor" -Arguments @{Descriptor=$GetDescriptor.Descriptor}
}

$ComponentName = "TestComponent" #--- change value as needed
$Username = "Username"           #--- change value as needed
$Domain = "Domain"               #--- change value as needed

# If you already have a CimSession that you used to get the security descriptor, you can leave this line out and use the existing one:
$CimSession = New-CimSession localhost

Grant-DComAccessToUser -ComponentName $ComponentName -Username $Username -Domain $Domain

# Cleanup
$CimSession | Remove-CimSession
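As an added example (not part of the answer above), the following reads the launch ACL back through the same Win32_DCOMApplicationSetting class and decodes the AccessMask bits, so a change made by Grant-DComAccessToUser can be verified. It assumes the same $ComponentName / $Username conventions as the answer; the right names come from the COM_RIGHTS_* constants in objbase.h. Two checks the answer's script does not make are added: the prefix match must hit exactly one application, and the method's ReturnValue is inspected. An application with no explicit launch permission returns no descriptor, which is exactly the case where the machine-wide DefaultLaunchPermission from the question applies.

```powershell
# Added example: audit a DCOM application's launch ACL via CIM. Run in an elevated PowerShell 3.0+ session.

# COM_RIGHTS_* bit values (objbase.h)
$DComRights = [ordered]@{ 1 = 'Execute'; 2 = 'LocalLaunch'; 4 = 'RemoteLaunch'; 8 = 'LocalActivation'; 16 = 'RemoteActivation' }

function ConvertTo-DComRightNames {
    param([uint32] $Mask)
    $names = foreach ($bit in $DComRights.Keys) { if ($Mask -band $bit) { $DComRights[$bit] } }
    if ($names) { $names -join ',' } else { 'None' }
}

function Get-DComLaunchAcl {
    param([Parameter(Mandatory=$true)][string] $ComponentName)

    # Same prefix match the answer uses, but refuse to continue on an ambiguous match
    $apps = @(Get-CimInstance -ClassName Win32_DCOMApplicationSetting -Filter "Description LIKE '$ComponentName%'")
    if ($apps.Count -ne 1) { throw "Expected exactly one DCOM application matching '$ComponentName*', found $($apps.Count)" }

    $result = Invoke-CimMethod -InputObject $apps[0] -MethodName GetLaunchSecurityDescriptor
    if ($result.ReturnValue -ne 0) { throw "GetLaunchSecurityDescriptor returned $($result.ReturnValue)" }
    if (-not $result.Descriptor) {
        Write-Warning "$ComponentName has no explicit launch permission; the machine-wide DefaultLaunchPermission applies"
        return
    }

    foreach ($ace in $result.Descriptor.DACL) {
        # Win32_ACE.AceType: 0 = access allowed, 1 = access denied
        $type = switch ($ace.AceType) { 0 { 'Allow' } 1 { 'Deny' } default { "Type$($ace.AceType)" } }
        $trustee = $ace.Trustee.Name
        if ($ace.Trustee.Domain) { $trustee = "$($ace.Trustee.Domain)\$($ace.Trustee.Name)" }
        [pscustomobject]@{
            AppId   = $apps[0].AppID
            AceType = $type
            Trustee = $trustee
            Mask    = $ace.AccessMask
            Rights  = ConvertTo-DComRightNames -Mask $ace.AccessMask
        }
    }
}

function Test-DComLaunchGrant {
    # True when an Allow ACE for $Username carries every bit of $RequiredMask (11 = what the answer grants)
    param(
        [Parameter(Mandatory=$true)][string] $ComponentName,
        [Parameter(Mandatory=$true)][string] $Username,
        [uint32] $RequiredMask = 11
    )
    $ace = Get-DComLaunchAcl -ComponentName $ComponentName |
        Where-Object { $_.AceType -eq 'Allow' -and ($_.Trustee -eq $Username -or $_.Trustee -like "*\$Username") } |
        Select-Object -First 1
    [bool] ($ace -and ((([uint32] $ace.Mask) -band $RequiredMask) -eq $RequiredMask))
}

# Usage (names are the placeholders from the answer; read-only, nothing is modified):
Get-DComLaunchAcl -ComponentName 'TestComponent' | Format-Table -AutoSize
Test-DComLaunchGrant -ComponentName 'TestComponent' -Username 'Username'
```

Running Get-DComLaunchAcl before and after the grant gives a diff of exactly which trustee and which bits changed; a Deny ACE for the same user would still block the launch even when Test-DComLaunchGrant returns $true, which is why the full list is worth keeping in the change record.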

0
votes

You need to edit the hex access list of these values:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole DefaultAccessPermission

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole DefaultLaunchPermission

You can edit the hex access list of an application here:

HKEY_CLASSES_ROOT\AppID\{...} AccessPermission

HKEY_CLASSES_ROOT\AppID\{...} LaunchPermission

I did not find a way to do this directly through PowerShell, but you can edit the access list of any dummy application key, then export that key, edit the access list and import it into the Ole Default* values.

You can export, edit and import key values via PowerShell.

If you do this manually via Regedit, the resulting .reg file may look like this (this is a backup of the default values in Windows 11):

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"DefaultLaunchPermission"=hex:01,00,04,80,5c,00,00,00,6c,00,00,00,00,00,00,00,\
  14,00,00,00,02,00,48,00,03,00,00,00,00,00,14,00,1f,00,00,00,01,01,00,00,00,\
  00,00,05,12,00,00,00,00,00,18,00,1f,00,00,00,01,02,00,00,00,00,00,05,20,00,\
  00,00,20,02,00,00,00,00,14,00,1f,00,00,00,01,01,00,00,00,00,00,05,04,00,00,\
  00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,01,02,00,00,00,00,00,05,\
  20,00,00,00,20,02,00,00
"DefaultAccessPermission"=hex:01,00,14,80,78,00,00,00,84,00,00,00,14,00,00,00,\
  30,00,00,00,02,00,1c,00,01,00,00,00,11,00,14,00,04,00,00,00,01,01,00,00,00,\
  00,00,10,00,10,00,00,02,00,48,00,03,00,00,00,00,00,14,00,07,00,00,00,01,01,\
  00,00,00,00,00,05,0a,00,00,00,00,00,18,00,07,00,00,00,01,02,00,00,00,00,00,\
  05,20,00,00,00,20,02,00,00,00,00,14,00,03,00,00,00,01,01,00,00,00,00,00,05,\
  12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,\
  00,00,00

-1
votes

You can change this script: https://gallery.technet.microsoft.com/scriptcenter/Grant-Revoke-Get-DCOM-22da5b96. It uses the registry path "HKCR:\AppID\$ApplicationID" and the registry values "AccessPermission", "LaunchPermission" to handle application permissions.

You should use the registry path "HKLM:SOFTWARE\Microsoft\Ole" and the registry values "DefaultAccessPermission", "DefaultLaunchPermission", "MachineAccessRestriction", "MachineLaunchRestriction".

More information in the "Configuring remote DCOM" chapter: https://books.google.ru/books?id=rbpNppFdipkC&pg=PT211&lpg=PT211&dq=dcom+grant+local+launch+permission+powershell&source=bl&ots=5ZfeVca5NA&sig=9lMN_VeymG8cf73KT062QTsWWkc&hl=ru&sa=X&ved=0ahUKEwikn73f6YLcAhVEDSwKHUftCwkQ6AEIfDAI#v=onepage&q&f=true
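The two answers above both point at the binary security descriptors under HKLM\SOFTWARE\Microsoft\Ole but leave the hex editing to Regedit. As an added example (not code from either answer), the block below parses those values with System.Security.AccessControl.RawSecurityDescriptor instead, so the ACL can be listed with readable trustees and rights, and an Allow ACE can be added and serialized back without hand-editing hex. It covers the four value names listed in the last answer; the rights bits are the COM_RIGHTS_* constants from objbase.h, and the default AccessMask of 11 corresponds to the DComPerm "level:l" case (Local Launch + Local Activation). The account name in the usage line is an assumed placeholder. Writing is gated behind -Apply; without it the function only reports what it would write.

```powershell
# Added example: audit / modify the machine-wide DCOM security descriptors stored in the registry.
# Run elevated (HKLM write). Take a 'reg export' backup of the Ole key before using -Apply.

$OleKey = 'HKLM:\SOFTWARE\Microsoft\Ole'

# COM_RIGHTS_* bit values (objbase.h)
$DComRights = [ordered]@{ 1 = 'Execute'; 2 = 'LocalLaunch'; 4 = 'RemoteLaunch'; 8 = 'LocalActivation'; 16 = 'RemoteActivation' }

function ConvertTo-DComRightNames {
    param([uint32] $Mask)
    $names = foreach ($bit in $DComRights.Keys) { if ($Mask -band $bit) { $DComRights[$bit] } }
    if ($names) { $names -join ',' } else { 'None' }
}

function Get-OleSecurityDescriptor {
    # The registry stores a self-relative binary SD, which RawSecurityDescriptor parses directly.
    param(
        [Parameter(Mandatory=$true)]
        [ValidateSet('DefaultAccessPermission','DefaultLaunchPermission','MachineAccessRestriction','MachineLaunchRestriction')]
        [string] $ValueName
    )
    $item = Get-ItemProperty -Path $OleKey -Name $ValueName -ErrorAction SilentlyContinue
    if (-not $item) { return $null }   # value absent: Windows applies its built-in default
    $bytes = [byte[]] $item.$ValueName
    New-Object System.Security.AccessControl.RawSecurityDescriptor($bytes, 0)
}

function Show-OleDComAcl {
    param([Parameter(Mandatory=$true)][string] $ValueName)
    $sd = Get-OleSecurityDescriptor -ValueName $ValueName
    if (-not $sd) { Write-Warning "$ValueName is not set; the built-in default applies"; return }
    foreach ($ace in $sd.DiscretionaryAcl) {
        $who = $ace.SecurityIdentifier.Value
        try { $who = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value } catch { }
        [pscustomobject]@{
            Value   = $ValueName
            AceType = $ace.AceType
            Trustee = $who
            Mask    = $ace.AccessMask
            Rights  = ConvertTo-DComRightNames -Mask ([uint32] $ace.AccessMask)
        }
    }
}

function Add-OleDComAce {
    param(
        [Parameter(Mandatory=$true)][string] $ValueName,
        [Parameter(Mandatory=$true)][string] $Account,   # 'DOMAIN\user' or a group such as 'BUILTIN\Distributed COM Users'
        [uint32] $AccessMask = 11,                        # Local Launch + Local Activation
        [switch] $Apply
    )
    $sd = Get-OleSecurityDescriptor -ValueName $ValueName
    if (-not $sd) { throw "$ValueName is not set; import an exported baseline first rather than building it from scratch" }
    if (-not $sd.DiscretionaryAcl) { throw "$ValueName has no DACL; refusing to modify it" }

    $sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate([System.Security.Principal.SecurityIdentifier])
    $existing = $sd.DiscretionaryAcl |
        Where-Object { $_.AceType -eq 'AccessAllowed' -and $_.SecurityIdentifier -eq $sid } |
        Select-Object -First 1
    if ($existing) {
        # Extend the trustee's existing Allow ACE instead of adding a duplicate
        $existing.AccessMask = $existing.AccessMask -bor $AccessMask
    } else {
        # Appending keeps any Deny ACEs ahead of the new Allow ACE (canonical order)
        $ace = New-Object System.Security.AccessControl.CommonAce([System.Security.AccessControl.AceFlags]::None, [System.Security.AccessControl.AceQualifier]::AccessAllowed, [int] $AccessMask, $sid, $false, $null)
        $sd.DiscretionaryAcl.InsertAce($sd.DiscretionaryAcl.Count, $ace)
    }

    # Serialize back to the self-relative form the registry expects
    $bytes = New-Object byte[] ($sd.BinaryLength)
    $sd.GetBinaryForm($bytes, 0)
    if ($Apply) {
        Set-ItemProperty -Path $OleKey -Name $ValueName -Value $bytes -Type Binary
    } else {
        Write-Warning "Dry run: $($bytes.Length)-byte descriptor for $ValueName not written; rerun with -Apply"
    }
    $bytes
}

# Read-only audit of all four machine-wide values
foreach ($v in 'DefaultAccessPermission','DefaultLaunchPermission','MachineAccessRestriction','MachineLaunchRestriction') {
    Show-OleDComAcl -ValueName $v
}
# Dry run with an assumed account; add -Apply (after a backup) to actually write the value
Add-OleDComAce -ValueName DefaultLaunchPermission -Account 'BUILTIN\Distributed COM Users' | Out-Null
```

Show-OleDComAcl run against the .reg backup in the previous answer is also a quick way to confirm what a default descriptor grants before changing it, and the same Show function re-run after -Apply gives the verification step that editing hex in Regedit does not.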
