Skip to content

Harden role/service modules: self-destruct task cleanup + honest reporting (v1.121.13)#81

Merged
TheAbider merged 1 commit into
masterfrom
fix/role-service-hardening
Jul 1, 2026
Merged

Harden role/service modules: self-destruct task cleanup + honest reporting (v1.121.13)#81
TheAbider merged 1 commit into
masterfrom
fix/role-service-hardening

Conversation

@TheAbider

Copy link
Copy Markdown
Owner

Fixes from an adversarial audit of the ADCS, certificate-audit, scheduled-task, Defender-onboarding, WSUS, and RDS modules. 0 finder findings were refuted.

Self-destruct leaves no privileged remnants (47-ExitCleanup.ps1, MED)

The self-destruct deleted the tool's own binaries but only unregistered its Cleanup task — leaving ${ToolName}-ScheduledExport and ${ToolName}_UpdateCheck (both SYSTEM / RunLevel Highest) registered and firing on schedule against the now-deleted script/exe. That's a privileged persistence remnant, and — for a portable .ps1 run from a user-writable directory (the ScheduledExport action is powershell.exe -File "<that path>") — a SYSTEM phantom-task EoP if a standard user recreates the deleted script. The post-reboot cleanup now unregisters both of those tasks too.

RDS licensing Dry-Run reports real failures (80, MED)

The Dry-Run Apply wrote the policy registry with -EA SilentlyContinue while the immediate path used -EA Stop. Since the Dry-Run commit engine judges success purely by whether Apply throws, a failed write was marked "applied successfully". The Apply now uses -EA Stop.

WSUS reports an unusable config as incomplete (67, LOW)

Set-WSUSDefaultConfiguration returned $true even when no update classification matched (the server would sync nothing — the code's own comment calls this "the worst outcome"). It now returns $false and tells you to fix WSUS.Classifications.

Task-health view stops crying wolf (63, LOW)

Healthy never-run tasks (0x00041300 / 0x00041303) were shown red as "FAILED"; now "Ready (not yet run)", matching the guard the sibling Show-FailedTasks already uses.

Verified clean (no changes)

  • The Certificate Authority setup uses strong crypto (SHA-256, RSA ≥ 2048); the certificate-audit and Defender-onboarding paths are correct.

Verification

  • New Section 200 (8 asserts) + widened one distance-tight RDS undo assertion. Structural 5348/5348; full Pester 312/312; PSSA 0. Monolithic rebuilt, parse check passed. Version → 1.121.13.

…rting (v1.121.13)

Fixes from an adversarial audit of the ADCS, scheduled-task, WSUS, and RDS modules.

47-ExitCleanup.ps1:
- The self-destruct now also unregisters the tool's OTHER SYSTEM/Highest scheduled
  tasks (${ToolName}-ScheduledExport, ${ToolName}_UpdateCheck) whose target binaries
  it deletes. They were left registered and firing on schedule against a missing
  file -- a privileged persistence remnant (and, for a portable .ps1 run from a
  user-writable dir, a SYSTEM phantom-task EoP if the deleted script is recreated).

80-RemoteDesktopServices.ps1:
- The RDS licensing Dry-Run Apply uses -EA Stop (matching the immediate path), so a
  failed registry write throws and the commit engine records failure + rolls back,
  instead of SilentlyContinue letting a no-op write report 'applied successfully'.

67-WSUS.ps1:
- Set-WSUSDefaultConfiguration returns $false when NO update classification was
  enabled -- a WSUS that syncs nothing must not report 'configuration applied'.

63-ScheduledTasks.ps1:
- Task Health no longer flags healthy never-run tasks (0x00041300 / 0x00041303) as
  FAILED, matching the guard the sibling Show-FailedTasks already uses.

Audit confirmed the CA setup uses strong crypto (SHA-256, RSA>=2048) and the
certificate-audit + Defender-onboarding paths are correct.

Tests: Section 200 (8 asserts) + widened one distance-tight RDS undo assertion.
Structural 5348/5348; Pester 312/312; PSSA 0. Version stamps -> 1.121.13.
@TheAbider TheAbider merged commit 3421ad6 into master Jul 1, 2026
6 checks passed
@TheAbider TheAbider deleted the fix/role-service-hardening branch July 1, 2026 15:36
@codecov

codecov Bot commented Jul 1, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant