Harden role/service modules: self-destruct task cleanup + honest reporting (v1.121.13)#81
Merged
Merged
Conversation
…rting (v1.121.13)
Fixes from an adversarial audit of the ADCS, scheduled-task, WSUS, and RDS modules.
47-ExitCleanup.ps1:
- The self-destruct now also unregisters the tool's OTHER SYSTEM/Highest scheduled
tasks (${ToolName}-ScheduledExport, ${ToolName}_UpdateCheck) whose target binaries
it deletes. They were left registered and firing on schedule against a missing
file -- a privileged persistence remnant (and, for a portable .ps1 run from a
user-writable dir, a SYSTEM phantom-task EoP if the deleted script is recreated).
80-RemoteDesktopServices.ps1:
- The RDS licensing Dry-Run Apply uses -EA Stop (matching the immediate path), so a
failed registry write throws and the commit engine records failure + rolls back,
instead of SilentlyContinue letting a no-op write report 'applied successfully'.
67-WSUS.ps1:
- Set-WSUSDefaultConfiguration returns $false when NO update classification was
enabled -- a WSUS that syncs nothing must not report 'configuration applied'.
63-ScheduledTasks.ps1:
- Task Health no longer flags healthy never-run tasks (0x00041300 / 0x00041303) as
FAILED, matching the guard the sibling Show-FailedTasks already uses.
Audit confirmed the CA setup uses strong crypto (SHA-256, RSA>=2048) and the
certificate-audit + Defender-onboarding paths are correct.
Tests: Section 200 (8 asserts) + widened one distance-tight RDS undo assertion.
Structural 5348/5348; Pester 312/312; PSSA 0. Version stamps -> 1.121.13.
Codecov Report✅ All modified and coverable lines are covered by tests. 📢 Thoughts on this report? Let us know! |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fixes from an adversarial audit of the ADCS, certificate-audit, scheduled-task, Defender-onboarding, WSUS, and RDS modules. 0 finder findings were refuted.
Self-destruct leaves no privileged remnants (
47-ExitCleanup.ps1, MED)The self-destruct deleted the tool's own binaries but only unregistered its
Cleanuptask — leaving${ToolName}-ScheduledExportand${ToolName}_UpdateCheck(both SYSTEM / RunLevel Highest) registered and firing on schedule against the now-deleted script/exe. That's a privileged persistence remnant, and — for a portable.ps1run from a user-writable directory (theScheduledExportaction ispowershell.exe -File "<that path>") — a SYSTEM phantom-task EoP if a standard user recreates the deleted script. The post-reboot cleanup now unregisters both of those tasks too.RDS licensing Dry-Run reports real failures (
80, MED)The Dry-Run Apply wrote the policy registry with
-EA SilentlyContinuewhile the immediate path used-EA Stop. Since the Dry-Run commit engine judges success purely by whether Apply throws, a failed write was marked "applied successfully". The Apply now uses-EA Stop.WSUS reports an unusable config as incomplete (
67, LOW)Set-WSUSDefaultConfigurationreturned$trueeven when no update classification matched (the server would sync nothing — the code's own comment calls this "the worst outcome"). It now returns$falseand tells you to fixWSUS.Classifications.Task-health view stops crying wolf (
63, LOW)Healthy never-run tasks (
0x00041300/0x00041303) were shown red as "FAILED"; now "Ready (not yet run)", matching the guard the siblingShow-FailedTasksalready uses.Verified clean (no changes)
Verification