Constrained endpoint on specific user
I'm trying to create a PowerShell endpoint constraint that restricts an user to only execute the functions in a custom module I made.
The first thing I did is import-module mymodule.psm1 which allows me to run my modules fine withing my host system.
Then the following PS command creates the configuration file for the endpoint which allows the functions inside the brackets to be the only functions the user gets to execute.
New-PSSessionConfigurationFile -VisibleFunctions('Get-Command','Get-Info', 'CreateAD-User','Generate-Html','Change-Logon') -LanguageMode ‘ConstrainedLanguage’ –SessionType ‘RestrictedRemoteServer’ –Path ‘c:\test\helpdesk.pssc’
Then I register the endpoint with
Register-PSSessionConfiguration –Name ‘HelpDesk’ -ShowSecurityDescriptorUI –Path ‘c:\test\helpdesk.pssc’
and selected which user I want allow to have these constrains once the SecurityDescriptorUI pops up. Once I log into the user that I set up the constrains for with
Enter-PSSession -computername SRV1-AD -Credential $credential -ConfigurationName HelpDesk
These are the allowed cmdlets / functions that the user is allowed to execute. These are the default required cmdlets to allow remote connections into a system.
How can I allow my custom module to be the only functions the endpoint allows users to execute? or How can I import my module into configuration file so it executes every time the HelpDesk end point configuration is used. I know that in the configuration file there's a line to import modules but Import-Module is not actually a module an example of a module would be ActiveDirectory, if I'm able to find what module import-module is a part of I think I should be able to do a quick and dirty work around for this.
UPDATE
A dirty solution I found for this was to enter into the user's session and disable all cmdlets / functions except the ones I want to allowed for example import-module & Get-Command with import-module I can manually import my custom module and my functions will be the only ones visible to user. But this is not a perfect solution because this means that I would need to download my module into every system I want this to take effect and it's no longer a one to many solution. The ideal solution is to have my module locally stored, enter into a session with the registered end point and have my module already imported into the users account.
Enter-PSSession -computername SRV1-AD -Credential $credential -ConfigurationName HelpDesk
Further Update
User @prasoon-karunan-v suggested I used -ScriptsToProcess & FunctionDefinitions to import the module so I used the following command
New-PSSessionConfigurationFile -VisibleFunctions('Get-Command','Get-Info', 'CreateAD-User','Generate-Html','Change-Logon') -LanguageMode ‘ConstrainedLanguage’ –SessionType ‘RestrictedRemoteServer’ –Path ‘.\EndPoint.pssc’ -ScriptsToProcess C:\Users\Administrator\Desktop\Modules\ImportM.psm1
In the configuration file I also set the functions I want to use like so
# Functions defined in this session configuration
FunctionDefinitions = 'Get-Command','Get-Info', 'CreateAD-User','Generate-Html','Change-Logon'
When I tried to establish a session it would throw the following error
Then I thought maybe it's not working because were not telling the command to import anything were just pointing to the module file, so maybe I need to create a small script that imports the module then add it the configuration file. So that's exactly what I did I created a small script with just,
import-module C:\Modules\ImportM.psm1 and then I went over to the .pssc
file and added this script to the ScriptsToProcess but I get the following error after I try to establish a session to the constrained endpoint.
Language Mode is set to
LanguageMode = 'RestrictedLanguage'
use -ScriptsToProcess parameter, which can be used to import your custom module.
See below as well.
Get-Help New-PSSessionConfigurationFile -Parameter ScriptsToProcess
Get-Help New-PSSessionConfigurationFile -Parameter FunctionDefinitions
Update:
Be sure about the language mode to use, see here
- `Invoke-Conda` cannot catch any arguments after powershell 7.5.0 update
- How to `Import-Module` in PowerShell to parent session/process?
- close and 'save as' for 100 of MS Paint files at once?
- Powershell profile.ps1 cannot be loaded because its operation is blocked by software restriction policies
- How can I capture the value of an untranslated SID in a Try/Catch code block?
- PowerShell .Count returns 1 on empty array
- How can I filter out text twice in Powershell?
- SharePoint | Delete Version History using PnP PowerShell
- WinRM cannot complete the operation. Verify that the specified computer name is valid
- Using start-process in a loop, where some programs will have arguments and some don't; Way to not have if $Arguments -ne $null
- How can I set left/right column justification in Powershell's "format-table"
- Invalid operands found for operator -eq
- Detect when user cancels $host.ui.promptforchoice prompt
- How can I make sure Powershell will correctly render all non-latin characters into the output?
- How can I choose between $MyInvocation.ScriptName and $MyInvocation.PSCommandPath in PowerShell?
- Azure pipeline template: dynamically retrieve and story keyvault secrets
- Maintaining property order with get-member
- PowerShell - Return an array of all possible properties for an ADObject
- List objects vs. Arrays in PowerShell
- Run Invoke-Command in remote computer as administrator
- Authenticate to Azure with certificate from Linux
- How to recursively append to file name in powershell?
- Mapped network drives are not showing in My Computer
- Delete files in a folder except a list of extensions I specify
- How to open 'This PC' using CMD or Powershell?
- transfer the files from sub folder and sub folders recursively without specifying the folder name
- Im creating a VM using terraform code in GCP. I would like to inject a script that runs when the vm is created upon startup
- Remove-ItemProperty does not seem to work with -LiteralPath
- How can I elevate Powershell while keeping the current working directory AND maintain all parameters passed to the script?
- How do I remove or replace a built in alias in powershell?