SecurityPolicyDsc
Error handling of SID translation and manual translation for Domain Controllers
Running the DC GPO setting against a DC will prompt you with errors regarding translating a security ID. Troubleshooting shows that a DC can't resolve S-1-5-90-0 ("Window Manager\Window Manager Group"). This piece of code introduces error handling plus a manual translation of the SID for "Window Manager\Window Manager Group".
Codecov Report
Merging #74 into dev will decrease coverage by <1%. The diff coverage is 40%.

```text
@@ Coverage Diff @@
##           dev    #74   +/- ##
=================================
- Coverage    81%    80%    -1%
=================================
  Files         5      5
  Lines       417    420     +3
=================================
  Hits        338    338
- Misses       79     82     +3
```
This needs to be merged...serious problem, causing DSC application to fail, and is referenced in other issues.
I would suggest perhaps resolving other SIDs locally as per https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1#L918
e.g. (version below includes more mappings)
```powershell
# Adapted from PowerView's Convert-SidToName (link above): resolve well-known SIDs from a local
# table first and only fall back to the Translate() call, so a SID this host cannot resolve is
# logged and returned unchanged instead of throwing. Wrapped in a function so it runs stand-alone.
function Convert-SidToName {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$SID)

    try {
        $SID2 = $SID.Trim('*')   # secedit exports prefix SIDs with '*'
        # try to resolve any built-in SIDs first
        # from https://support.microsoft.com/en-us/kb/243330
        # and https://technet.microsoft.com/en-us/library/ff730937.aspx
        switch -regex ($SID2) {
            '^S-1-0$'        { 'Null Authority' }
            '^S-1-0-0$'      { 'Nobody' }
            '^S-1-1$'        { 'World Authority' }
            '^S-1-1-0$'      { 'Everyone' }
            '^S-1-2$'        { 'Local Authority' }
            '^S-1-2-0$'      { 'Local' }
            '^S-1-2-1$'      { 'Console Logon' }
            '^S-1-3$'        { 'Creator Authority' }
            '^S-1-3-0$'      { 'Creator Owner' }
            '^S-1-3-1$'      { 'Creator Group' }
            '^S-1-3-2$'      { 'Creator Owner Server' }
            '^S-1-3-3$'      { 'Creator Group Server' }
            '^S-1-3-4$'      { 'Owner Rights' }
            '^S-1-4$'        { 'Non-unique Authority' }
            '^S-1-5$'        { 'NT Authority' }
            '^S-1-5-1$'      { 'Dialup' }
            '^S-1-5-2$'      { 'Network' }
            '^S-1-5-3$'      { 'Batch' }
            '^S-1-5-4$'      { 'Interactive' }
            '^S-1-5-6$'      { 'Service' }
            '^S-1-5-7$'      { 'Anonymous' }
            '^S-1-5-8$'      { 'Proxy' }
            '^S-1-5-9$'      { 'Enterprise Domain Controllers' }
            '^S-1-5-10$'     { 'Principal Self' }
            '^S-1-5-11$'     { 'Authenticated Users' }
            '^S-1-5-12$'     { 'Restricted Code' }
            '^S-1-5-13$'     { 'Terminal Server Users' }
            '^S-1-5-14$'     { 'Remote Interactive Logon' }
            '^S-1-5-15$'     { 'This Organization' }
            '^S-1-5-17$'     { 'IUSR' }             # corrected: S-1-5-17 is NT AUTHORITY\IUSR
            '^S-1-5-18$'     { 'Local System' }
            '^S-1-5-19$'     { 'Local Service' }    # corrected: NT AUTHORITY\LOCAL SERVICE
            '^S-1-5-20$'     { 'Network Service' }  # corrected: NT AUTHORITY\NETWORK SERVICE
            '^S-1-5-80-0$'   { 'All Services' }
            '^S-1-5-90-0$'   { 'Window Manager\Window Manager Group' }
            '^S-1-5-113$'    { 'Local Accounts' }
            '^S-1-5-114$'    { 'Local Account Administrators' }
            '^S-1-5-1000$'   { 'Other Organisation' }
            '^S-1-15-2-1$'   { 'All Application Packages' }
            '^S-1-5-32-544$' { 'BUILTIN\Administrators' }
            '^S-1-5-32-545$' { 'BUILTIN\Users' }
            '^S-1-5-32-546$' { 'BUILTIN\Guests' }
            '^S-1-5-32-547$' { 'BUILTIN\Power Users' }
            '^S-1-5-32-548$' { 'BUILTIN\Account Operators' }
            '^S-1-5-32-549$' { 'BUILTIN\Server Operators' }
            '^S-1-5-32-550$' { 'BUILTIN\Print Operators' }
            '^S-1-5-32-551$' { 'BUILTIN\Backup Operators' }
            '^S-1-5-32-552$' { 'BUILTIN\Replicators' }
            '^S-1-5-32-554$' { 'BUILTIN\Pre-Windows 2000 Compatible Access' }
            '^S-1-5-32-555$' { 'BUILTIN\Remote Desktop Users' }
            '^S-1-5-32-556$' { 'BUILTIN\Network Configuration Operators' }
            '^S-1-5-32-557$' { 'BUILTIN\Incoming Forest Trust Builders' }
            '^S-1-5-32-558$' { 'BUILTIN\Performance Monitor Users' }
            '^S-1-5-32-559$' { 'BUILTIN\Performance Log Users' }
            '^S-1-5-32-560$' { 'BUILTIN\Windows Authorization Access Group' }
            '^S-1-5-32-561$' { 'BUILTIN\Terminal Server License Servers' }
            '^S-1-5-32-562$' { 'BUILTIN\Distributed COM Users' }
            '^S-1-5-32-569$' { 'BUILTIN\Cryptographic Operators' }
            '^S-1-5-32-573$' { 'BUILTIN\Event Log Readers' }
            '^S-1-5-32-574$' { 'BUILTIN\Certificate Service DCOM Access' }
            '^S-1-5-32-575$' { 'BUILTIN\RDS Remote Access Servers' }
            '^S-1-5-32-576$' { 'BUILTIN\RDS Endpoint Servers' }
            '^S-1-5-32-577$' { 'BUILTIN\RDS Management Servers' }
            '^S-1-5-32-578$' { 'BUILTIN\Hyper-V Administrators' }
            '^S-1-5-32-579$' { 'BUILTIN\Access Control Assistance Operators' }
            '^S-1-5-32-580$' { 'BUILTIN\Remote Management Users' }  # corrected: 580 is Remote Management Users
            '^S-1-5-21-\d+-\d+-\d+-500$' { 'Administrator' }
            '^S-1-5-21-\d+-\d+-\d+-501$' { 'Guest' }
            default {
                # Anything else: ask the OS (LSA) to map the SID to an account name.
                $Obj = New-Object System.Security.Principal.SecurityIdentifier($SID2)
                $Obj.Translate([System.Security.Principal.NTAccount]).Value
            }
        }
    } catch {
        # Unresolvable SID: report it and hand the SID back unchanged rather than failing.
        Write-Verbose "Invalid SID: $SID"
        $SID
    }
}
```
Just ran into this issue. This happened for me when resolving a user from a different domain.
@hackjammer is right. Looks like it's failing for me on resolving built-in account SIDs like the "Administrators Group".
Here is the code that iterates through all of the privilege rights
```powershell
# Fragment of the module's Get-TargetResource (as quoted here): every SID listed under
# 'Privilege Rights' in the parsed secedit export is translated to a friendly name.
Switch ($Area)
{
    "USER_RIGHTS"
    {
        $returnValue = @{}
        $privilegeRights = $policyConfiguration.'Privilege Rights'
        foreach ($key in $privilegeRights.keys)
        {
            # Values are comma-separated SIDs; each one is translated individually
            $identity = ConvertTo-LocalFriendlyName -Identity $($privilegeRights[$key] -split ",").Trim()
            $returnValue.Add($key, $identity)
        }
        continue
    }
    Default
    {
        $returnValue = $policyConfiguration
    }
}
```
And here is the example output of SIDs that will get translated:
```text
[DBG]: PS C:\windows\system32>> $policyConfiguration.'Privilege Rights'

Name                            Value
----                            -----
SeLoadDriverPrivilege           S-1-5-32-544
SeImpersonatePrivilege          S-1-5-19,S-1-5-20,S-1-5-32-544,S-1-5-32-568,S-1-5-6
SeSystemtimePrivilege           S-1-5-19,S-1-5-32-544
SeDelegateSessionUserImpers...  S-1-5-32-544
SeTakeOwnershipPrivilege        S-1-5-32-544
SeShutdownPrivilege             S-1-5-32-544,S-1-5-32-551
SeBackupPrivilege               S-1-5-32-544,S-1-5-32-551
SeRemoteInteractiveLogonRight   S-1-5-32-544,S-1-5-32-555
SeIncreaseQuotaPrivilege        S-1-5-19,S-1-5-20,S-1-5-32-544,S-1-5-82-271721585-897601226-2024613209-625570482-296978595,S-1-5-82-3876422241-1344743610-1729199087-774402673-2621913236
SeSecurityPrivilege             S-1-5-32-544
SeDebugPrivilege                S-1-5-32-544
SeServiceLogonRight             S-1-5-21-329068152-1060284298-839522115-18738,S-1-5-21-329068152-1060284298-839522115-20114,S-1-5-80-0
SeIncreaseWorkingSetPrivilege   S-1-5-32-545
SeIncreaseBasePriorityPrivi...  S-1-5-32-544
SeUndockPrivilege               S-1-5-32-544
SeBatchLogonRight               S-1-5-32-544,S-1-5-32-551,S-1-5-32-559,S-1-5-32-568
SeTimeZonePrivilege             S-1-5-19,S-1-5-32-544
SeInteractiveLogonRight         S-1-5-32-544,S-1-5-32-545,S-1-5-32-551
SeCreatePagefilePrivilege       S-1-5-32-544
SeRestorePrivilege              S-1-5-32-544,S-1-5-32-551
SeSystemProfilePrivilege        S-1-5-32-544,S-1-5-80-3139157870-2983391045-3678747466-658725712-1809340420
SeCreateGlobalPrivilege         S-1-5-19,S-1-5-20,S-1-5-32-544,S-1-5-6
SeAssignPrimaryTokenPrivilege   S-1-5-19,S-1-5-20,S-1-5-82-271721585-897601226-2024613209-625570482-296978595,S-1-5-82-3876422241-1344743610-1729199087-774402673-2621913236
SeRemoteShutdownPrivilege       S-1-5-32-544
SeNetworkLogonRight             S-1-1-0,S-1-5-32-544,S-1-5-32-545,S-1-5-32-551
SeManageVolumePrivilege         S-1-5-32-544
SeAuditPrivilege                S-1-5-19,S-1-5-20,S-1-5-82-271721585-897601226-2024613209-625570482-296978595,S-1-5-82-3876422241-1344743610-1729199087-774402673-2621913236
SeProfileSingleProcessPrivi...  S-1-5-32-544
SeCreateSymbolicLinkPrivilege   S-1-5-32-544
SeSystemEnvironmentPrivilege    S-1-5-32-544
SeChangeNotifyPrivilege         S-1-1-0,S-1-5-19,S-1-5-20,S-1-5-32-544,S-1-5-32-545,S-1-5-32-551
```
Reviewed 1 of 1 files at r1. Review status: all files reviewed at latest revision, all discussions resolved, some commit checks failed.
DSCResources/SecurityPolicyResourceHelper/SecurityPolicyResourceHelper.psm1, line 341 at r1 (raw file):
```powershell
{ #Domain Controllers can't translate SID S-1-5-90-0
    if($id -match "S-1-5-90-0")
```
Running this I get the expected result without this change. In what scenario(s) does this fail to return the correct value?
```text
PS > $id = [System.Security.Principal.SecurityIdentifier] 'S-1-5-90-0'
PS > $id.Translate([System.Security.Principal.NTAccount])

Value
-----
Window Manager\Window Manager Group
```
For reference: This change is also partly implemented in PR #72, and is being discussed in issue #78.
Note: This PR continues the work from PR #72 by @rdbartram. PR #72 was closed in favor of this PR.
This PR should probably be abandoned because the scenario when a machine cannot resolve "Window Manager\Window Manager Group" is when the group does not exist, such as Server Core. On a server OS with a desktop it can translate the identity as expected. There are issues with identities that cannot be translated, but I don't think this fits in that scenario.
I suggest to keep this issue open until the problem has been resolved, either through this PR or through another PR.
My PR #72 was not to do with Nano Server, but rather with SIDs belonging to objects that no longer exist in AD. This extends also to SIDs that can't be resolved because the resolve is executed under an account that doesn't have access to resolve said SID. Think local user against domain, foreign domain, one-way trust, etc.
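The failure modes named in this thread (a well-known group that simply does not exist on Server Core, a deleted AD object, a foreign-domain SID the running account has no right to look up) all surface as the same `Translate()` exception. The following is an added example, not code from PR #74 or from the SecurityPolicyDsc module: it catches only that exception, falls back to a small table for SIDs whose group may be absent, otherwise keeps the raw SID, and then compares a privilege right's principals by SID so that an unresolvable name on one host does not fail the whole DSC apply. The function names and the fallback table are assumptions made for this example.

```powershell
# Added example (not part of PR #74 or SecurityPolicyDsc); names and table are assumptions.
function ConvertTo-PrincipalName {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Sid)

    # Well-known SIDs whose local group may be missing on some SKUs (e.g. Server Core has no
    # Window Manager group), so the OS cannot map them even though the name is fixed.
    $wellKnown = @{
        'S-1-5-80-0' = 'NT SERVICE\ALL SERVICES'
        'S-1-5-90-0' = 'Window Manager\Window Manager Group'
    }

    $id = [System.Security.Principal.SecurityIdentifier]$Sid.Trim('*')   # secedit prefixes '*'
    try {
        return $id.Translate([System.Security.Principal.NTAccount]).Value
    }
    catch [System.Security.Principal.IdentityNotMappedException] {
        # Only the "no such account" failure is handled: deleted AD object, foreign domain
        # without lookup rights, or group not present on this host. Anything else still throws.
        if ($wellKnown.ContainsKey($id.Value)) { return $wellKnown[$id.Value] }
        Write-Verbose "SID $($id.Value) cannot be resolved on this host; keeping it as a SID"
        return $id.Value
    }
}

# Compare current and desired principals of one privilege right by SID, so that a name
# that resolves on the authoring box but not on the target still compares correctly.
function Test-PrivilegeRightMatch {
    param([string[]]$Current, [string[]]$Desired)

    $toSid = {
        param([string]$principal)
        if ($principal -match '^\*?S-1-') { return $principal.Trim('*') }   # already a SID
        try {
            ([System.Security.Principal.NTAccount]$principal).Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
        }
        catch [System.Security.Principal.IdentityNotMappedException] {
            $principal   # unresolvable name stays as-is and will show up as a mismatch
        }
    }
    $c = @($Current | ForEach-Object { & $toSid $_ }) | Sort-Object -Unique
    $d = @($Desired | ForEach-Object { & $toSid $_ }) | Sort-Object -Unique
    return (($c -join ',') -eq ($d -join ','))
}

# Constructed input mirroring the SeServiceLogonRight line shown earlier in this thread.
ConvertTo-PrincipalName -Sid '*S-1-5-90-0' -Verbose
Test-PrivilegeRightMatch -Current 'S-1-5-32-544','S-1-5-80-0' -Desired 'BUILTIN\Administrators','*S-1-5-80-0'
```

Because the comparison is done on SIDs, the translated name is only ever needed for reporting, which is where a fallback to the raw SID is harmless.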
@rdbartram I think that is discussed in issue #78? If not, please make sure that is part of that discussion. 🙂
Labeling this pull request (PR) as abandoned since it has gone 14 days or more since the last update. An abandoned PR can be continued by another contributor. The abandoned label will be removed if work on this PR is taken up again.
@hackjammer can you give me an update on this problem?
Could you describe what you do to reproduce this issue?
To my knowledge the issue with SID translation has been fixed with PR #97. This PR was opened to handle the absence of "Window Manager\Window Manager Group" which doesn't exist unless the Server has a desktop.