Windows 普通Powershell提示符中的工作命令在PSSession中拒绝访问_Windows_Powershell_Security_Powershell Remoting

Windows 普通Powershell提示符中的工作命令在PSSession中拒绝访问

windows powershell security

Windows 普通Powershell提示符中的工作命令在PSSession中拒绝访问,windows,powershell,security,powershell-remoting,Windows,Powershell,Security,Powershell Remoting,这不是关于不能启动PSSession的问题，而是关于在PSSession中明显不同的访问权限的问题 PS C:\Users\xxxxxxxx> whoami /all USER INFORMATION ---------------- User Name SID ================== =============================================== corporate\xxxxxxxx S-1-5-21-365037674

这不是关于不能启动PSSession的问题，而是关于在PSSession中明显不同的访问权限的问题

PS C:\Users\xxxxxxxx> whoami /all

USER INFORMATION
----------------

User Name          SID
================== ===============================================
corporate\xxxxxxxx S-1-5-21-3650376746-1030869643-1781887868-23610


GROUP INFORMATION
-----------------

Group Name                                 Type             SID                                             Attributes
========================================== ================ =============================================== ===============================================================
Everyone                                   Well-known group S-1-1-0                                         Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545                                    Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Desktop Users               Alias            S-1-5-32-555                                    Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\REMOTE INTERACTIVE LOGON      Well-known group S-1-5-14                                        Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE                   Well-known group S-1-5-4                                         Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11                                        Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15                                        Mandatory group, Enabled by default, Enabled group
LOCAL                                      Well-known group S-1-2-0                                         Mandatory group, Enabled by default, Enabled group
CORPORATE\xxxxxxxx                         User             S-1-5-21-348289982-344025507-1237804090-35554   Mandatory group, Enabled by default, Enabled group
Authentication authority asserted identity Well-known group S-1-18-1                                        Mandatory group, Enabled by default, Enabled group
CORPORATE\xxxxxxxxxxxxxxxxxxxxxx_RDP       Alias            S-1-5-21-3650376746-1030869643-1781887868-21634 Mandatory group, Enabled by default, Enabled group, Local Group
Mandatory Label\Medium Mandatory Level     Label            S-1-16-8192


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== ========
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled


USER CLAIMS INFORMATION
-----------------------

User claims unknown.

Kerberos support for Dynamic Access Control on this device has been disabled.
PS C:\Users\xxxxxxxx> enter-pssession localhost

[localhost]: PS C:\Users\xxxxxxxx\Documents> whoami /all

USER INFORMATION
----------------

User Name          SID
================== ===============================================
corporate\xxxxxxxx S-1-5-21-3650376746-1030869643-1781887868-23610


GROUP INFORMATION
-----------------

Group Name                                 Type             SID                                             Attributes
========================================== ================ =============================================== ===============================================================
Everyone                                   Well-known group S-1-1-0                                         Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545                                    Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Desktop Users               Alias            S-1-5-32-555                                    Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                       Well-known group S-1-5-2                                         Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11                                        Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15                                        Mandatory group, Enabled by default, Enabled group
CORPORATE\xxxxxxxx                         User             S-1-5-21-348289982-344025507-1237804090-35554   Mandatory group, Enabled by default, Enabled group
Authentication authority asserted identity Well-known group S-1-18-1                                        Mandatory group, Enabled by default, Enabled group
CORPORATE\xxxxxxxxxxxxxxxxxxxxxx_RDP       Alias            S-1-5-21-3650376746-1030869643-1781887868-21634 Mandatory group, Enabled by default, Enabled group, Local Group
Mandatory Label\Medium Mandatory Level     Label            S-1-16-8192


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled


USER CLAIMS INFORMATION
-----------------------

User claims unknown.

Kerberos support for Dynamic Access Control on this device has been disabled.

下面的一组命令起作用

启动Powershell提示符

运行

cmd/c sc queryex-WerSvc

以下命令集不起作用

启动Powershell提示符

运行

Enter PSSession localhost

运行

cmd/c sc queryex-WerSvc

我的用户有权执行

sc queryex

，但在PSSession中显然没有。有人知道我应该从哪里开始检查访问权限吗

编辑cudo's to PetSerAl

在标准powershell提示符和PSSession中的

whoami/all

输出下方

PS C:\Users\xxxxxxxx> whoami /all

USER INFORMATION
----------------

User Name          SID
================== ===============================================
corporate\xxxxxxxx S-1-5-21-3650376746-1030869643-1781887868-23610


GROUP INFORMATION
-----------------

Group Name                                 Type             SID                                             Attributes
========================================== ================ =============================================== ===============================================================
Everyone                                   Well-known group S-1-1-0                                         Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545                                    Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Desktop Users               Alias            S-1-5-32-555                                    Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\REMOTE INTERACTIVE LOGON      Well-known group S-1-5-14                                        Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE                   Well-known group S-1-5-4                                         Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11                                        Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15                                        Mandatory group, Enabled by default, Enabled group
LOCAL                                      Well-known group S-1-2-0                                         Mandatory group, Enabled by default, Enabled group
CORPORATE\xxxxxxxx                         User             S-1-5-21-348289982-344025507-1237804090-35554   Mandatory group, Enabled by default, Enabled group
Authentication authority asserted identity Well-known group S-1-18-1                                        Mandatory group, Enabled by default, Enabled group
CORPORATE\xxxxxxxxxxxxxxxxxxxxxx_RDP       Alias            S-1-5-21-3650376746-1030869643-1781887868-21634 Mandatory group, Enabled by default, Enabled group, Local Group
Mandatory Label\Medium Mandatory Level     Label            S-1-16-8192


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== ========
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled


USER CLAIMS INFORMATION
-----------------------

User claims unknown.

Kerberos support for Dynamic Access Control on this device has been disabled.
PS C:\Users\xxxxxxxx> enter-pssession localhost

[localhost]: PS C:\Users\xxxxxxxx\Documents> whoami /all

USER INFORMATION
----------------

User Name          SID
================== ===============================================
corporate\xxxxxxxx S-1-5-21-3650376746-1030869643-1781887868-23610


GROUP INFORMATION
-----------------

Group Name                                 Type             SID                                             Attributes
========================================== ================ =============================================== ===============================================================
Everyone                                   Well-known group S-1-1-0                                         Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545                                    Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Desktop Users               Alias            S-1-5-32-555                                    Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                       Well-known group S-1-5-2                                         Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11                                        Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15                                        Mandatory group, Enabled by default, Enabled group
CORPORATE\xxxxxxxx                         User             S-1-5-21-348289982-344025507-1237804090-35554   Mandatory group, Enabled by default, Enabled group
Authentication authority asserted identity Well-known group S-1-18-1                                        Mandatory group, Enabled by default, Enabled group
CORPORATE\xxxxxxxxxxxxxxxxxxxxxx_RDP       Alias            S-1-5-21-3650376746-1030869643-1781887868-21634 Mandatory group, Enabled by default, Enabled group, Local Group
Mandatory Label\Medium Mandatory Level     Label            S-1-16-8192


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled


USER CLAIMS INFORMATION
-----------------------

User claims unknown.

Kerberos support for Dynamic Access Control on this device has been disabled.

您是否可能启动一个提升的Powershell，然后在

进入PSSession

之后，您将进入一个权限较低的shell

请尝试使用以下行进行检查：

[bool]$isElavated = (New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

您是否可能启动一个提升的Powershell，然后在

进入PSSession

之后，您将进入一个权限较低的shell

请尝试使用以下行进行检查：

[bool]$isElavated = (New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

whoami/all

输出显示您使用交互式登录运行PowerShell，而PowerShell远程处理在创建会话时默认使用网络登录。您可以使用

-EnableNetworkAccess

参数使用现有的交互式会话，而不是创建新的网络登录

如果您查看

WerSvc

服务安全描述符（您可以使用

sc.exe sdshow WerSvc

命令执行此操作），您可以看到它为交互式登录授予访问服务的权限，而不为网络登录授予此权限。因此，您可以看到行为上的差异。

whoami/all

输出显示您使用交互式登录来运行PowerShell，而PowerShell远程处理在创建会话时默认使用网络登录。您可以使用

-EnableNetworkAccess

参数使用现有的交互式会话，而不是创建新的网络登录

如果您查看

WerSvc

服务安全描述符（您可以使用

sc.exe sdshow WerSvc

命令执行此操作），您可以看到它为交互式登录授予访问服务的权限，而不为网络登录授予此权限。因此，您可以看到行为上的差异。

TimPe-

（新对象Security.Principal.WindowsPrincipal（[Security.Principal.WindowsIdentity]：：GetCurrent（））.IsInRole（[Security.Principal.WindowsBuiltInRole]：：Administrator）

在powershell提示符（普通和pssession）中返回

false

（新对象Security.Principal.WindowsPrincipal（[Security.Principal.WindowsIdentity]：：GetCurrent（））.IsInRole（[Security.Principal.WindowsBuiltInRole]：：Administrator）在powershell提示符中返回

false

（普通和pssession）在这两种情况下都显示

whoami/all

的输出。@PetSerAl-我已将输出添加到问题中。不幸的是，没有差异。不幸的是，没有差异。什么？在一种情况下，您确实拥有

NT AUTHORITY\INTERACTIVE

。现在，如果您查看

sc sdshow WerSvc

的输出，您将看到这是一点授予访问权限的SID（至少在默认情况下）。您可能可以使用

Enter PSSession localhost-EnableNetworkAccess

使用交互式令牌连接到PowerShell会话。@PetSerAl-现在这很尴尬。我必须比较同一命令的输出：（.谢谢你捕捉到它！。我明天才能测试，我会告诉你的。@PetSerAl-添加

-EnableNetworkAccess

有效。我看不到与正在执行的命令和网络访问的连接：）但是请发布一个答案，这样我就可以投票并接受它。在这两种情况下都显示

whoami/all

的输出。@PetSerAl-我已将输出添加到问题中。不幸的是，没有差异。不幸的是，没有差异。什么？在一种情况下，您确实拥有

NT AUTHORITY\INTERACTIVE

，在另一种情况下，您没有。现在，如果您查看

的输出e> sc sdshow WerSvc

，然后您将看到这是授予访问权限的SID（至少在默认情况下）。您可能可以使用

Enter PSSession localhost-EnableNetworkAccess

使用交互令牌连接到PowerShell会话。@PetSerAl-现在这很尴尬。我必须比较了同一命令的输出：（.谢谢你抓到它！。我明天才能测试，我会告诉你的。@PetSerAl-添加

-EnableNetworkAccess

有效。我看不到与正在执行的命令和网络访问的连接：），但请发布一个答案，以便我可以投票并接受它。