How to restrict local Powershell user

  • Question

  • I would like to restrict the Powershell commands available to a local domain user account running a service on a server, similar to what is described for remoting users here: http://www.petri.co.il/powershell-remoting-restricting-user-commands.htm#

    Ideally, I would restrict the service account to only being able to execute functions defined within 1 or 2 signed modules.

    The reason I want to do this is that I'm setting up an Octopus Tentacle service running under a domain user account, and I would like to limit the behaviors available to powershell deployment tasks run on that specific server by that Tentacle service account.

    I've toyed with the idea of remoting to the local machine, and assigning a new, restricted identity, using stored credentials, and/or a variety of other things, but really it would be simplest just to restrict the local service to only being able to run a select number of pre-defined, signed Powershell modules. Since the service account has network access to other folders, it is necessary to prevent users from loading a signed script to a fileshare and referencing it externally.

    Any ideas?

    • Moved by Bill_Stewart Sunday, June 29, 2014 6:20 PM Abandoned
    Monday, February 24, 2014 4:46 PM

Answers

  • You can restrict any loadable module as a whole module by denying the user read access to the module folder.  You cannot do this for parts of the module or for base commands.


    ¯\_(ツ)_/¯

    • Marked as answer by e-a-m Thursday, December 31, 2015 9:12 PM
    Tuesday, February 25, 2014 10:24 PM
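The folder-ACL approach from the accepted answer, as an added PowerShell example that is not code from the thread: it places an inheritable Deny ACE for the service account on a module folder and then shows the resulting entry. The account name and module path are placeholders; as the answer says, this blocks whole modules only, not individual functions or built-in cmdlets.

```powershell
# Added example (not from the thread): deny a service account read access to a
# module folder so Import-Module and Get-Module -ListAvailable cannot load it.
# Both values below are placeholders; replace them with the real account and path.
$ServiceAccount = 'CONTOSO\svc-tentacle'
$ModulePath     = 'C:\Program Files\WindowsPowerShell\Modules\InternalDeploy'

# Deny ReadAndExecute (covers ListDirectory/ReadData, Traverse/ExecuteFile and
# ReadAttributes) on the folder, inherited by every file and subfolder in it.
# Deny ACEs are evaluated before Allow ACEs, so an Allow the account gets via a
# group membership does not override this entry.
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
    $ServiceAccount,
    [System.Security.AccessControl.FileSystemRights]::ReadAndExecute,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Deny
)

$acl = Get-Acl -Path $ModulePath
$acl.AddAccessRule($rule)
Set-Acl -Path $ModulePath -AclObject $acl

# Verify: list the Deny entry that now applies to the account on this folder.
(Get-Acl -Path $ModulePath).Access |
    Where-Object { $_.IdentityReference -eq $ServiceAccount -and
                   $_.AccessControlType -eq 'Deny' } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize
```

Run this elevated, since changing the DACL requires ownership or WRITE_DAC on the folder; a session running as the service account should afterwards get an access-denied error from `Import-Module` for that folder.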

All replies

  • There is no way to do this.  In Windows we restrict by account permissions and not by changing how programs run.

    ¯\_(ツ)_/¯

    Monday, February 24, 2014 8:14 PM
  • Thanks for the response jrv!

    What is strange to me is that the profile-based restrictions for remote users are able to accomplish exactly what it is I want to do. So, while I generally understand what you mean, clearly the MS team has seen the need to provide for granular control over the PowerShell environment for remote users, and even local users in some cases (e.g. Invoke-Expression).

    I suspect you are correct, I just don't want to abandon the thought prematurely, as other approaches are much more difficult in this particular circumstance. I will try to follow up with another resource and post back here if I discover anything useful.

    Tuesday, February 25, 2014 9:36 PM