LICENSE
README.md
SCManager.cat
SCManager.psd1
SCManager.psm1

SCManager PowerShell Module

The SCManager module was designed to help disable remote Service Controller enumeration.

Intent

John Lambert showed on Twitter how the Service Controller (SC) Manager can be hardened to block remote use of PsExec or similar tools.

This module is mostly a wrapper around sc.exe, so that the change applies without restarting the computer.

The Set-SCManagerPermission function adds a Deny ACE for network logons (NT AUTHORITY\NETWORK, S-1-5-2).

The permissions cannot simply be replaced with a fixed descriptor, because the defaults are not always the same: they depend both on the Windows version and on what is installed on the server or workstation.

The permissions, in the binary form of their Security Descriptor Definition Language (SDDL) string, are stored in the Security value under the key HKLM\SYSTEM\CurrentControlSet\Control\ServiceGroupOrder\Security. The value doesn't exist by default.
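As an added worked example (not code from the SCManager module), the following script shows the mechanics described above: parse the SC Manager's SDDL into one object per ACE, check whether a Deny ACE for S-1-5-2 is already present, insert one in front of the existing ACEs without touching the rest of the descriptor (which is why a fixed descriptor cannot simply be pasted in), and remove it again for a restore. The function names (ConvertFrom-ScmSddl, Test-ScmNetworkDeny, Add-ScmNetworkDeny, Remove-ScmNetworkDeny, Get-ScmSddl, Set-ScmSddl) are hypothetical, and the sample SDDL is a constructed one resembling a default workstation descriptor; only Get-ScmSddl and Set-ScmSddl touch the live system, and Set-ScmSddl needs an elevated prompt.

```powershell
# Added example, not part of the SCManager module. Helper names below are hypothetical.
using namespace System.Security.AccessControl
using namespace System.Security.Principal

$NetworkSid = [SecurityIdentifier]'S-1-5-2'   # NT AUTHORITY\NETWORK (SDDL alias NU)
$GenericAll = 0x10000000                       # GA: deny every right, not only enumeration

# Constructed sample resembling a default Windows 10 scmanager descriptor;
# a real host is queried with Get-ScmSddl instead.
$SampleSddl = 'D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)'

function ConvertFrom-ScmSddl {
    # Expand the DACL into one object per ACE (same shape as the module's Get-* output).
    param([Parameter(Mandatory)][string]$Sddl)
    $sd = [RawSecurityDescriptor]::new($Sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        $name = $null
        try { $name = $ace.SecurityIdentifier.Translate([NTAccount]).Value } catch { }
        [pscustomobject]@{
            TranslatedSID      = $name
            SecurityIdentifier = $ace.SecurityIdentifier.Value
            AccessMask         = ('0x{0:X8}' -f $ace.AccessMask)
            AceType            = $ace.AceType
        }
    }
}

function Test-ScmNetworkDeny {
    # True when the DACL already carries a Deny ACE with GENERIC_ALL for S-1-5-2.
    param([Parameter(Mandatory)][string]$Sddl)
    $sd = [RawSecurityDescriptor]::new($Sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace.AceType -eq [AceType]::AccessDenied -and
            $ace.SecurityIdentifier -eq $NetworkSid -and
            ($ace.AccessMask -band $GenericAll) -eq $GenericAll) { return $true }
    }
    return $false
}

function Add-ScmNetworkDeny {
    # Insert the Deny ACE at index 0 so it is evaluated before any Allow ACE; every
    # other ACE is kept as-is because the defaults differ between Windows builds.
    param([Parameter(Mandatory)][string]$Sddl)
    if (Test-ScmNetworkDeny $Sddl) { return $Sddl }
    $sd  = [RawSecurityDescriptor]::new($Sddl)
    $ace = [CommonAce]::new([AceFlags]::None, [AceQualifier]::AccessDenied, $GenericAll, $NetworkSid, $false, $null)
    $sd.DiscretionaryAcl.InsertAce(0, $ace)
    return $sd.GetSddlForm([AccessControlSections]::All)
}

function Remove-ScmNetworkDeny {
    # Undo the hardening: drop only the Deny ACEs for S-1-5-2, nothing else.
    param([Parameter(Mandatory)][string]$Sddl)
    $sd = [RawSecurityDescriptor]::new($Sddl)
    for ($i = $sd.DiscretionaryAcl.Count - 1; $i -ge 0; $i--) {
        $ace = $sd.DiscretionaryAcl[$i]
        if ($ace.AceType -eq [AceType]::AccessDenied -and $ace.SecurityIdentifier -eq $NetworkSid) {
            $sd.DiscretionaryAcl.RemoveAce($i)
        }
    }
    return $sd.GetSddlForm([AccessControlSections]::All)
}

function Get-ScmSddl {
    # Read the live descriptor; sc.exe prints a blank line before the SDDL string.
    (& sc.exe sdshow scmanager | Where-Object { $_ -match '^\s*[DS]:' } | Select-Object -First 1).Trim()
}

function Set-ScmSddl {
    # Apply a descriptor; sc.exe sdset takes effect immediately, no reboot needed.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Sddl)
    if ($PSCmdlet.ShouldProcess('scmanager', "sc.exe sdset $Sddl")) {
        & sc.exe sdset scmanager $Sddl
    }
}

# Offline walk-through on the constructed sample
ConvertFrom-ScmSddl $SampleSddl | Format-Table -AutoSize
$hardened = Add-ScmNetworkDeny $SampleSddl
Test-ScmNetworkDeny $SampleSddl
Test-ScmNetworkDeny $hardened
Test-ScmNetworkDeny (Remove-ScmNetworkDeny $hardened)

# On a real host, from an elevated prompt (drop -WhatIf to apply):
# Set-ScmSddl (Add-ScmNetworkDeny (Get-ScmSddl)) -WhatIf
```

The Deny ACE goes first because Windows evaluates ACEs in order and a canonical DACL lists denies before allows; inserting rather than rewriting preserves whatever Allow entries the particular build or installed software added. GetSddlForm calls the Windows security API, so the offline part also only runs on Windows. After applying, Get-ScmSddl should show the descriptor starting with D:(D;;GA;;;NU), and Test-ScmNetworkDeny (Get-ScmSddl) is a quick compliance check to run fleet-wide.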

Usage

Install the module

# Check the module on powershellgallery.com
Find-Module -Name SCManager -Repository PSGallery
Version    Name                                Repository           Description
-------    ----                                ----------           -----------
1.0.1      SCManager                           PSGallery            SCManager is a module that will help disable
# Save the module locally in Downloads folder
Save-Module -Name SCManager -Repository PSGallery -Path ~/Downloads

Stop here and review the content of the module, meaning the code, to make sure it's trustworthy :-)

You can also verify that the SHA256 hashes of the downloaded files match those stored in the catalog file.

$HT = @{
    CatalogFilePath = "~/Downloads/SCManager/1.0.1/SCManager.cat"
    Path = "~/Downloads/SCManager/1.0.1"
    Detailed = $true
    FilesToSkip = 'PSGetModuleInfo.xml'
}
Test-FileCatalog @HT
# Make sure the catalog file is digitally signed
Get-AuthenticodeSignature "~/Downloads/SCManager/1.0.1/SCManager.cat"
# Make sure the manifest (.psd1) and the module (*.psm1) are signed as well
Get-ChildItem -Path ~/Downloads/SCManager -Include *.ps?1 -Recurse | Get-AuthenticodeSignature
# Import the module
Import-Module ~/Downloads/SCManager/1.0.1/SCManager.psd1 -Force -Verbose

Check the commands available

Get-Command -Module SCManager
CommandType     Name                                               Version    Source
-----------     ----                                               -------    ------
Function        Get-SCManagerPermission                            1.0.1      SCManager
Function        Restore-SCManagerPermission                        1.0.1      SCManager
Function        Set-SCManagerPermission                            1.0.1      SCManager

Get-SCManagerPermission

Get-Help Get-SCManagerPermission -Full

NAME
    Get-SCManagerPermission

SYNOPSIS
    Get the current SC Manager permissions


SYNTAX
    Get-SCManagerPermission [<CommonParameters>]


DESCRIPTION
    Get the current SC Manager permissions


PARAMETERS
    <CommonParameters>
        This cmdlet supports the common parameters: Verbose, Debug,
        ErrorAction, ErrorVariable, WarningAction, WarningVariable,
        OutBuffer, PipelineVariable, and OutVariable. For more information, see
        about_CommonParameters (http://go.microsoft.com/fwlink/?LinkID=113216).

INPUTS

OUTPUTS

    -------------------------- EXAMPLE 1 --------------------------

    PS C:\>Get-SCManagerPermission






    -------------------------- EXAMPLE 2 --------------------------

    PS C:\>Get-SCManagerPermission |

    Select Transl*,Secu*,AccessMask,AceType | ft -AutoSize





RELATED LINKS

Set-SCManagerPermission

Get-Help Set-SCManagerPermission -Full

NAME
    Set-SCManagerPermission

SYNOPSIS
    Set the hardened SC Manager permissions


SYNTAX
    Set-SCManagerPermission [-WhatIf] [-Confirm] [<CommonParameters>]


DESCRIPTION
    Set the hardened SC Manager permissions by adding AccessDenied to NT AUTHORITY\NETWORK


PARAMETERS
    -WhatIf [<SwitchParameter>]

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?       false
        Accept wildcard characters?  false

    -Confirm [<SwitchParameter>]

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?       false
        Accept wildcard characters?  false

    <CommonParameters>
        This cmdlet supports the common parameters: Verbose, Debug,
        ErrorAction, ErrorVariable, WarningAction, WarningVariable,
        OutBuffer, PipelineVariable, and OutVariable. For more information, see
        about_CommonParameters (http://go.microsoft.com/fwlink/?LinkID=113216).

INPUTS

OUTPUTS

    -------------------------- EXAMPLE 1 --------------------------

    PS C:\>Set-SCManagerPermission -Whatif






    -------------------------- EXAMPLE 2 --------------------------

    PS C:\>Set-SCManagerPermission -Verbose -Confirm:$false







RELATED LINKS

Restore-SCManagerPermission

Get-Help Restore-SCManagerPermission -Full

NAME
    Restore-SCManagerPermission

SYNOPSIS
    Restore the default SC Manager permissions


SYNTAX
    Restore-SCManagerPermission [-WhatIf] [-Confirm] [<CommonParameters>]


DESCRIPTION
    Restore the default SC Manager permissions by removing AccessDenied to NT AUTHORITY\NETWORK


PARAMETERS
    -WhatIf [<SwitchParameter>]

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?       false
        Accept wildcard characters?  false

    -Confirm [<SwitchParameter>]

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?       false
        Accept wildcard characters?  false

    <CommonParameters>
        This cmdlet supports the common parameters: Verbose, Debug,
        ErrorAction, ErrorVariable, WarningAction, WarningVariable,
        OutBuffer, PipelineVariable, and OutVariable. For more information, see
        about_CommonParameters (http://go.microsoft.com/fwlink/?LinkID=113216).

INPUTS

OUTPUTS

    -------------------------- EXAMPLE 1 --------------------------

    PS C:\>Restore-SCManagerPermission -Whatif






    -------------------------- EXAMPLE 2 --------------------------

    PS C:\>Restore-SCManagerPermission -Verbose -Confirm:$false







RELATED LINKS

Issues

  • None

Todo

Coding best practices

  • Use PSScriptAnalyzer module to validate the code follows best practices
  • Write Pester tests for this module

Credits

Thanks go to: