Merged PR 9168: Disable Enter-PSHostProcess cmdlet when system in lock down mode

This is based on an issue, where Enter-PSHostProcess on a locked down (WDAC enforced) machine allows any admin to connect to any another local hosted PowerShell process and execute commands as that user. This amounts to privilege escalation on the policy locked down machine and something we want to prevent. Fix is to check for system lock down and disable Enter-PSHostProcess cmdlet with an error message.
2019-07-16 00:49:24 +00:00 · 2019-07-16 00:49:24 +00:00 · 7dfcff9287
commit 7dfcff9287
parent aeb8f37822
3 changed files with 42 additions and 0 deletions
--- a/src/System.Management.Automation/engine/remoting/commands/EnterPSHostProcessCommand.cs
+++ b/src/System.Management.Automation/engine/remoting/commands/EnterPSHostProcessCommand.cs
@ -13,6 +13,7 @@ using System.Management.Automation.Host;
 using System.Management.Automation.Internal;
 using System.Management.Automation.Remoting;
 using System.Management.Automation.Runspaces;
+using System.Management.Automation.Security;
 using System.Text;

 namespace Microsoft.PowerShell.Commands
@ -126,6 +127,19 @@ namespace Microsoft.PowerShell.Commands
        /// </summary>
        protected override void EndProcessing()
        {
+            // Check if system is in locked down mode, in which case this cmdlet is disabled.
+            if (SystemPolicy.GetSystemLockdownPolicy() == SystemEnforcementMode.Enforce)
+            {
+                WriteError(
+                    new ErrorRecord(
+                        new PSSecurityException(RemotingErrorIdStrings.EnterPSHostProcessCmdletDisabled),
+                        "EnterPSHostProcessCmdletDisabled",
+                        ErrorCategory.SecurityError,
+                        null));
+
+                return;
+            }
+
            // Check for host that supports interactive remote sessions.
            _interactiveHost = this.Host as IHostSupportsInteractiveSession;
            if (_interactiveHost == null)
--- a/src/System.Management.Automation/resources/RemotingErrorIdStrings.resx
+++ b/src/System.Management.Automation/resources/RemotingErrorIdStrings.resx
@ -1684,4 +1684,7 @@ All WinRM sessions connected to PowerShell session configurations, such as Micro
  <data name="PSCoreRemotingEnableWarning" xml:space="preserve">
    <value>PowerShell remoting has been enabled only for PowerShell 6+ configurations and does not affect Windows PowerShell remoting configurations. Run this cmdlet in Windows PowerShell to affect all PowerShell remoting configurations.</value>
  </data>
+  <data name="EnterPSHostProcessCmdletDisabled" xml:space="preserve">
+    <value>Enter-PSHostProcess cmdlet is disabled because an application control policy such as 'AppLocker' or 'Windows Defender Application Control' is in enforcement.</value>
+  </data>
 </root>
--- a/test/powershell/Modules/Microsoft.PowerShell.Security/ConstrainedLanguageRestriction.Tests.ps1
+++ b/test/powershell/Modules/Microsoft.PowerShell.Security/ConstrainedLanguageRestriction.Tests.ps1
@ -1164,6 +1164,31 @@ try
        }
    }

+    Describe "Enter-PSHostProcess cmdlet should be disabled on locked down systems" -Tags 'Feature','RequireAdminOnWindows' {
+
+        It "Verifies that Enter-PSHostProcess is disabled with lock down policy" {
+
+            $expectedError = $null
+            try
+            {
+                Invoke-LanguageModeTestingSupportCmdlet -SetLockdownMode
+                $ExecutionContext.SessionState.LanguageMode = "ConstrainedLanguage"
+
+                Enter-PSHostProcess -Id 5555 -ErrorAction Stop
+            }
+            catch
+            {
+                $expectedError = $_
+            }
+            finally
+            {
+                Invoke-LanguageModeTestingSupportCmdlet -RevertLockdownMode -EnableFullLanguageMode
+            }
+
+            $expectedError.FullyQualifiedErrorId | Should -BeExactly 'EnterPSHostProcessCmdletDisabled,Microsoft.PowerShell.Commands.EnterPSHostProcessCommand'
+        }
+    }
+
    # End Describe blocks
 }
 finally