|
nielsm posted:(Also, fun fact: A base installation of the .NET framework includes a full functioning C# compiler, C:\Windows\Microsoft.NET\Framework\version\csc.exe. Anyone who can create files and run arbitrary programs can use that to compile their own code and do anything PS could be used for.) I think It's pretty easy to just delete csc.exe, though, so maybe don't mention that if you think they might do that.
|
# ? May 21, 2018 21:35 |
|
|
# ? May 15, 2024 04:27 |
|
Realistically, unless you hold a decision-making position in your organization there's not going to be any argument you can make that will allow you to counteract the security team, and if you had any power you wouldn't be asking about it in here. They're probably not blocking PowerShell Core, so that might work for you.
|
# ? May 21, 2018 21:36 |
|
Realistically just work around it and be annoyed at how inconvenient it makes things for no reason.
|
# ? May 21, 2018 21:37 |
|
nielsm posted:This. If PowerShell lets someone do a thing they should not have permissions to do, it's not PowerShell that's at fault. The permissions on the affected thing were set up were wrong to begin with. Bonus being that you can compile a c# executable that just contains and executes some powershell code
|
# ? May 21, 2018 21:58 |
|
Zaepho posted:they're only making life more difficult rather than more secure.
|
# ? May 22, 2018 09:40 |
|
anthonypants posted:Realistically, unless you hold a decision-making position in your organization there's not going to be any argument you can make that will allow you to counteract the security team, and if you had any power you wouldn't be asking about it in here. They're probably not blocking PowerShell Core, so that might work for you. I do hold a decision making role, actually, which is why I'm gathering info. I'm not trying to unblock Powershell for myself, I'm trying to get the whole organization to pull their head out of their rear end so my team can continue patching Windows without users bitching that they're getting weird errors anytime I push poo poo out. I think their major damage is that they can't track/log when arbitrary code gets run, but in my experience, most things called by Powershell end up in the Event Log anyway. We have proactive security and heuristic scanners. Risk can be mitigated.
|
# ? May 22, 2018 16:44 |
|
Dirt Road Junglist posted:I do hold a decision making role, actually, which is why I'm gathering info. I'm not trying to unblock Powershell for myself, I'm trying to get the whole organization to pull their head out of their rear end so my team can continue patching Windows without users bitching that they're getting weird errors anytime I push poo poo out. Whatever your company is afraid of, "blocking" powershell through group policies is probably not actually preventing it, so your options are either 1) go further to actually prevent whatever your trying to prevent, 2) give up and unblock powershell, or 3) pat yourselves on the back for pointlessly "blocking" powershell like you're doing now. mystes fucked around with this message at 16:56 on May 22, 2018 |
# ? May 22, 2018 16:52 |
|
mystes posted:But what's the threat model? Individual users who are knowledgeable enough to set their own executionpolicy to allow execution of powershell scripts are going to accidentally open ps1 files attached to emails? Malware is going to call powershell from the command without bothering to add -executionpolicy bypass? You want to prevent users from executing powershell code but only in noninteractive sessions and only when they don't use -executionpolicy bypass? That's exactly my argument. They can't point to any specific threat vector, no matter how hard we hammer on them to do so. And then there's poo poo like Powershell Empire that can run without using the internal executable...like, what are you protecting us from here? The worst part is that we're using an application whitelisting solution that hard-blocks powershell.exe from running. It's a total shitshow.
|
# ? May 22, 2018 17:07 |
|
Dirt Road Junglist posted:The worst part is that we're using an application whitelisting solution that hard-blocks powershell.exe from running. It's a total shitshow.
|
# ? May 22, 2018 17:25 |
|
Is there any method to replace the first character of the first line of a large file (2GB+) without reading in all the content? In Linux shell sed could do it, but I don't know of an equivalent here.
|
# ? May 30, 2018 16:20 |
|
PierreTheMime posted:Is there any method to replace the first character of the first line of a large file (2GB+) without reading in all the content? In Linux shell sed could do it, but I don't know of an equivalent here.
|
# ? May 30, 2018 16:32 |
|
Assuming it's just ascii or binary or something you should just be able do something like this:code:
|
# ? May 30, 2018 16:49 |
|
mystes posted:Assuming it's just ascii or binary or something you should just be able do something like this: Perfect, I’ll try that. It’s csv data that someone apparently decided needed extra special characters*. I’m getting them to clean up their sloppy code but this is a good interim fix. *Not byte order marks, just random $s and #s.
|
# ? May 30, 2018 17:39 |
|
this thread. Every time someone posts a solution I learn something helpful. Python doesn't open an entire file when preappending text does it?
|
# ? Jun 1, 2018 17:15 |
I'm not sure any filesystem supports prepending data to a file without rewriting the entire file. What the above code does is turn this: 1234567890 into this: x234567890 Same length, just the first byte replaced. When you say "preappending" I think of getting this result instead: x1234567890 That always requires reading the entire file. You won't need to read it all into memory at once, but you will need to read it all off disk and write it all back. (In Unix you can open() the original file, unlink() the name from the inode while keeping the file open, open() the filename again creating a new file, write the data to prepend, then read blocks of the original file and write those to the new file until EOF. When done, close both original files, and the original file really disappears because there's no more links to the inode in form of either names or file handles. I'm not sure if Windows supports something exactly equivalent.)
|
|
# ? Jun 1, 2018 18:21 |
|
Real simple one for y'all cuz I'm super new to PowerShell. I need a script that I can have a scheduled task run that will check to see if a service is running (windows firewall in this case) and send an email if it isn't. I've tested the "send-email" portion which works just fine, I know how to check a service, but I have no idea how to put the two together.
|
# ? Jun 18, 2018 14:36 |
|
scuz posted:Real simple one for y'all cuz I'm super new to PowerShell. I assume you're using Get-Service to check the status? If so, you'd just need an if block that checked (Get-Service MpsSvc).status to see if it was "Running" or something else. code:
code:
Inspector_666 fucked around with this message at 17:22 on Jun 20, 2018 |
# ? Jun 18, 2018 14:55 |
|
Awesome! Thanks, friend. I sure am using "get-service" so this looks great, I'll report back
|
# ? Jun 18, 2018 15:35 |
|
Inspector_666 posted:I assume you're using Get-Service to check the status? If so, you'd just need an if block that checked (Get-Service MpsSvc).status to see if it was "Running" or something else. You're missing a closing " on line 4.
|
# ? Jun 20, 2018 02:25 |
|
PBS posted:You're missing a closing " on line 4. Aha, I see my clever check to make sure people aren't just blindly copy-pasting code into their terminals worked! Whoops, fixed it.
|
# ? Jun 20, 2018 17:23 |
|
Has anyone started using Powershell Core? I'm wondering what use cases it does better than Windows Powershell at this stage.
|
# ? Jun 20, 2018 17:51 |
|
sloshmonger posted:Has anyone started using Powershell Core? I'm wondering what use cases it does better than Windows Powershell at this stage.
|
# ? Jun 20, 2018 18:05 |
|
Does anyone know of a way to define and validate a schema for associative arrays? I've been defining application settings as associative arrays for configuration-as-code-ness during application deployments, then loading them at runtime. Ex: DevSettings.ps1 code:
I'm considering just moving the entire thing over to JSON and doing a ConvertFrom-Json. That makes schema creation and validation easy with Newtonsoft's JSON libraries, and the scripts that actually use the values wouldn't have to change at all.
|
# ? Jun 21, 2018 17:08 |
|
New Yorp New Yorp posted:Does anyone know of a way to define and validate a schema for associative arrays? I've been defining application settings as associative arrays for configuration-as-code-ness during application deployments, then loading them at runtime. Powershell has parameter validation: e.g. https://blogs.technet.microsoft.com/heyscriptingguy/2011/05/15/simplify-your-powershell-script-with-parameter-validation/ code:
|
# ? Jun 21, 2018 19:23 |
|
Bruegels Fuckbooks posted:Powershell has parameter validation: I don't think I explained it well enough. I want to validate the settings files, not the creation of them. Just like you'd get when pushing a JSON or XML file through a schema validator. "Element X isn't defined", "Element Y should be an array, not a string", etc. [edit] I was able to proof of concept doing the whole thing as JSON in about 30 minutes, so it's not a big problem... just rolling it out and convincing them to change formats is going to be annoying.
|
# ? Jun 21, 2018 19:45 |
|
New Yorp New Yorp posted:I was able to proof of concept doing the whole thing as JSON in about 30 minutes, so it's not a big problem... just rolling it out and convincing them to change formats is going to be annoying. Yeah, using JSON for the settings files is the right thing to do in this situation instead of writing a powershell script that contains the settings(!?)
|
# ? Jun 21, 2018 20:07 |
|
Dirt Road Junglist posted:The worst part is that we're using an application whitelisting solution that hard-blocks powershell.exe from running. It's a total shitshow. That sounds horrible. Who's selling that snake oil to the money men?
|
# ? Jul 5, 2018 05:02 |
|
I'm doing some DSC stuff with Azure Automation. I have the basics worked out -- I can upload a configuration, compile it, and onboard a machine. Now I get to certificates. If I get a PFX file on the machine, I can import it with xPfxImport. Cool, that works. However, Azure Automation has a certificate store built in, which I'd like to use. I can upload a certificate. The certificate is there. I can't figure out how to do anything with it in DSC-land. How do I get a certificate out of the AA certificate store and imported on a DSC node? [edit] Also, if I generate a self-signed cert and export it as a PFX, I get an "Access denied" error when trying to import it to Azure Automation Certificates. No clue why, Google isn't helping. New Yorp New Yorp fucked around with this message at 17:47 on Jul 19, 2018 |
# ? Jul 19, 2018 15:33 |
|
code:
New Yorp New Yorp fucked around with this message at 15:21 on Jul 20, 2018 |
# ? Jul 19, 2018 21:49 |
|
Triyah posted:That sounds horrible. Who's selling that snake oil to the money men? It's...complicated. There are multiple EntSec teams who all think they know best, and no amount of data seems to sway them from their misguided goal.
|
# ? Jul 19, 2018 22:00 |
|
Anyone have any suggestions on handling XML templating? I need to build xml requests to interact with an API and don't really feel like code:
|
# ? Jul 23, 2018 22:20 |
|
The Fool posted:Anyone have any suggestions on handling XML templating? Two ways of approaching it are: a) Use string interpolation... e.g. https://kevinmarquette.github.io/2017-01-13-powershell-variable-substitution-in-strings/ code:
Use ConvertTo-XML. That'll serialize any .net object as XML, so if you have a powershell object that looks like your request already, you could just use ConvertTo-XML for the actual serialization.
|
# ? Jul 24, 2018 04:44 |
|
This is probably Powershell 101 but as always with PS I'm having trouble getting fruitful google results. I have a PS script that calls a lot of exe's and cmd's in a sequence, so there's lots of this:code:
code:
|
# ? Jul 25, 2018 17:27 |
|
Eggnogium posted:This is probably Powershell 101 but as always with PS I'm having trouble getting fruitful google results. I have a PS script that calls a lot of exe's and cmd's in a sequence, so there's lots of this: This is off the top of my head, but you can make a function pipeline-aware like this: code:
caveat: may not work, haven't tested
|
# ? Jul 25, 2018 18:17 |
|
Sanity check. I am using VSTS to automate a bunch of stuff. I have some scripts that require having credentials to service accounts. I have this as a preliminary solution, but want to make sure I'm not being totally terrible. I use this function to generate an encrypted string and key: code:
Then I have them available as environment variables in the script that needs the credentials, and can use this function to build a credential object. code:
|
# ? Jul 30, 2018 18:22 |
|
Unless you implement a secrets management solution (e.g. Hashicorp Vault) that is as good as you're going to get and it's certainly far from perfect.
|
# ? Aug 1, 2018 08:18 |
|
The Fool posted:Sanity check. Why can't you just store them as encrypted values in the build/release definition and pass them into the script when running?
|
# ? Aug 1, 2018 14:55 |
|
If I have an XmlDocument object, how do I export it to an xml file? If I use Out-File or Export-CliXml or [xml]$object.Save('C:\path\to\document.xml'), it doesn't encode any of the punctuation into like ' or " which as far as I can tell doesn't conform to standards. It looks like it's correctly encoding > and < and &, so maybe I'm just being paranoid?
|
# ? Aug 3, 2018 01:52 |
Only < > & are "core" to XML, anything else technically has to come from a DTD or other external source. There's nothing wrong with leaving a character unencoded if the meaning is unambigious.
|
|
# ? Aug 3, 2018 07:30 |
|
|
# ? May 15, 2024 04:27 |
|
anthonypants posted:If I have an XmlDocument object, how do I export it to an xml file? If I use Out-File or Export-CliXml or [xml]$object.Save('C:\path\to\document.xml'), it doesn't encode any of the punctuation into like ' or " which as far as I can tell doesn't conform to standards. It looks like it's correctly encoding > and < and &, so maybe I'm just being paranoid? [xml] $foo = '<xml><thing/></xml>' $foo.Save('test.xml')
|
# ? Aug 4, 2018 01:10 |