Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Local Policy #1202

Closed
bertrand24 opened this issue Jun 28, 2018 · 9 comments
Closed

Local Policy #1202

bertrand24 opened this issue Jun 28, 2018 · 9 comments
Labels
Issue-Bug
Milestone
7.7.2.0p1-Beta

Comments

@bertrand24
Copy link

Please answer the following

"OpenSSH for Windows" version
7.7.1.0

Server OperatingSystem
Windows Server 2016 Standard

Client OperatingSystem
Windows Server 2016 Standard

Bug ?
in local security policy, (security Policy, Local Policy, User rights Assignement, Log on as Service), I noticed that each ssh Session is added to the policy "log on as service" with a username VIRTUAL USER \ sshd_ <pid_nr>.
when the session is over, this VIRTUAL USER is not removed from the policy
is there a process to clear these entries from the policy ?

Thanks
Bertrand
@gayantd
Copy link

gayantd commented Jun 28, 2018

Agree. I have seen same behavior in Win2008R2.

@NoMoreFood
Copy link

@manojampalam User right assignments are only necessary for initial token generation -- once the process is initiated, it is no longer necessary for the policy to exist; maybe the code could add/remove the policy entry as necessary?

@manojampalam
Copy link
Contributor

manojampalam commented Jun 29, 2018
edited
Loading

@bertrand24 good catch.

We need to add clean up logic. I believe we can remove the assignment right after token generation. We need to have the fix tested in @dwatley 's environment. I was not able to repro the original issue (that mandated this privilege assignment), on my side.

We need to do a LsaRemoveAccountRights after token generation in generate_sshd_virtual_token(). @NoMoreFood do you want to follow up with a fix?

@dwatley
Copy link

dwatley commented Jun 29, 2018

@manojampalam - Happy to test.

@manojampalam manojampalam added this to the vNext milestone Jun 29, 2018
@NoMoreFood
Copy link

@manojampalam Yeah, I'll look into this.

@NoMoreFood NoMoreFood mentioned this issue Jun 30, 2018
Merged
@NoMoreFood
Copy link

Pull request is in. This will address the behavior go-forward; current, orphaned entries will have to be removed manually (you can Shift-Click to select/remove them all in the policy editor).

@gayantd
Copy link

gayantd commented Jun 30, 2018

Awesome !!!
Thanks for quick fix !

@manojampalam
Copy link
Contributor

Changes look good. @dwatley , can you validate the fix on your end please?

manojampalam pushed a commit to PowerShell/openssh-portable that referenced this issue Jul 3, 2018
@NoMoreFood @manojampalam
Cleanup SeServiceLogonRight For Restricted User Account (#328)
856078b 
After creating a user token, the SeServiceLogonRight is now removed from the account so it does not create an orphaned reference in the local security policy.
Other small code changes for code style consistency within the file.

PowerShell/Win32-OpenSSH#1202
@dwatley
Copy link

dwatley commented Jul 9, 2018

@manojampalam - Cleaned up the existing entries and built from master. Works as expected, no issues here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Issue-Bug
Projects
None yet
Milestone
7.7.2.0p1-Beta
Development

No branches or pull requests
6 participants
@dwatley @bingbing8 @NoMoreFood @manojampalam @gayantd @bertrand24