Solved

Block a Specific Snapin?

Posted on 2015-02-23
Last Modified: 2015-02-27
Is anyone familiar with a way to block a specific PowerShell Snapin from being loaded?  Basically I have an Exchange 2010 script that won't run properly through an imported implicit remote session.  It will work fine if the admin tools are installed and we use the typical Connect-ExchangeServer to import the cmdlets.  The problem is this also gives the user access to Add-PSSnapin Microsoft.Exchange.Management.PowerShell.E2010.  Loading the commands in this way bypasses RBAC and thus gives the operator access to commands outside their assigned RBAC roles.
Question by:nashiooka
2 Comments

Accepted Solution

by:
Will Szymkowski earned 500 total points
ID: 40626114
If the user is a local administrator on the machine, there is really no way around this. When users import the modules or snapins into the session, they should only be able to access cmdlets that their account has rights to. So if someone with no Exchange Admin rights types in the cmdlet Get-Mailbox, it will error back stating that this cmdlet does not exist because they do not have permissions to it.

This happens even after the module / snapin has been imported into the session.

Will.

Author Comment

by:nashiooka
ID: 40626171
I appreciate your reply.  Loading the local snapin bypasses RBAC.  RBAC is not the same as ACL-based permissions that may be on the underlying AD objects, but of course I don't want to test my ACLs by making inappropriate commands visible.  I view that as a violation of least privilege and an unnecessary risk.
0
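
The thread does not arrive at a way to block the snap-in, so the following is an added example (not code from any poster) of a detection check instead: it reports whether Exchange cmdlets in the current session came from the local snap-in named in the question or from proxy functions of the kind Import-PSSession creates. It assumes Windows PowerShell; the function name, the probe cmdlet list and the output property names are hypothetical.

```powershell
# Added example, not from the thread. Detects (does not block) local snap-in use.
# Snap-in name is taken from the question.
$ExchangeSnapin = 'Microsoft.Exchange.Management.PowerShell.E2010'

function Get-ExchangeCmdletOrigin {
    param(
        # Assumption: these probe names are illustrative; use any Exchange cmdlets.
        [string[]]$ProbeCommand = @('Get-Mailbox', 'Set-Mailbox', 'New-ManagementRoleAssignment')
    )

    # Is the snap-in registered in THIS session (i.e. Add-PSSnapin was run)?
    $snapinLoaded = [bool](Get-PSSnapin -Name $ExchangeSnapin -ErrorAction SilentlyContinue)

    $commands = foreach ($name in $ProbeCommand) {
        $cmd = Get-Command -Name $name -ErrorAction SilentlyContinue | Select-Object -First 1
        if (-not $cmd) {
            $origin = 'NotAvailable'      # not visible in this session
        } elseif ($cmd.CommandType -eq 'Cmdlet' -and $cmd.PSSnapIn -and
                  $cmd.PSSnapIn.Name -eq $ExchangeSnapin) {
            $origin = 'LocalSnapin'       # compiled cmdlet loaded from the local snap-in
        } elseif ($cmd.CommandType -eq 'Function') {
            $origin = 'ProxyFunction'     # e.g. a proxy generated by Import-PSSession
        } else {
            $origin = 'Other'
        }
        New-Object PSObject -Property @{ Command = $name; Origin = $origin }
    }

    $fromSnapin = @($commands | Where-Object { $_.Origin -eq 'LocalSnapin' })
    New-Object PSObject -Property @{
        SnapinLoaded     = $snapinLoaded
        LocalSnapinInUse = ($snapinLoaded -or $fromSnapin.Count -gt 0)
        Commands         = $commands
    }
}

# Guard for the top of an operator script: stop if the snap-in path is in use.
$report = Get-ExchangeCmdletOrigin
if ($report.LocalSnapinInUse) {
    throw "Exchange snap-in '$ExchangeSnapin' is loaded locally; use the remote session instead."
}
$report.Commands | Format-Table Command, Origin -AutoSize
```

On a workstation without the Exchange tools the guard passes and every probe reports `NotAvailable`. The guard only covers scripts that include it; it does not stop an operator from running Add-PSSnapin interactively.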
