Block a Specific Snapin?

Posted on 2015-02-23
Last Modified: 2015-02-27
Is anyone familiar with a way to block a specific PowerShell Snapin from being loaded?  Basically I have an Exchange 2010 script that won't run properly through an imported implicit remote session.  It will work fine if the admin tools are installed and we use the typical Connect-ExchangeServer to import the cmdlets.  The problem is this also gives the user access to Add-PSSnapin Microsoft.Exchange.Management.PowerShell.E2010.  Loading the commands in this way bypasses RBAC and thus gives the operator access to commands outside their assigned RBAC roles.
Question by:nashiooka

Accepted Solution

by:
Will Szymkowski earned 1500 total points
ID: 40626114
If the user is a local administrator on the machine, there is really no way around this. When users import the modules or snapins into the session, they should only be able to access cmdlets that their account has rights to. So if someone with no Exchange Admin rights types in the cmdlet Get-Mailbox, it will error back stating that this cmdlet does not exist because they do not have permissions to it.

This happens even after the module / snapin has been imported into the session.

Will.

Author Comment

by:nashiooka
ID: 40626171
I appreciate your reply.  Loading the local snapin bypasses RBAC.  RBAC is not the same as ACL based permissions that may be on the underlying AD objects, but of course I don't want to test my ACL's by making inappropriate commands visible.  I view that as a violation of least privilege and an unnecessary risk.
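
An added example, not part of the original thread: a guard that a script can call to detect whether the Exchange cmdlets in the current session come from the locally loaded snap-in (the path the question says bypasses RBAC) or from implicit-remoting proxy functions. It does not block `Add-PSSnapin`; it only lets the script refuse to run in a session where the snap-in is loaded. The function names `Get-ExchangeLoadPath` and `Assert-ExchangeRbacSession` are hypothetical, and the example assumes Windows PowerShell, where `Get-PSSnapin` is available.

```powershell
# Added example (not from the thread). Snap-in name is taken from the question.
$SnapinName = 'Microsoft.Exchange.Management.PowerShell.E2010'

function Get-ExchangeLoadPath {
    param(
        # Probe command; Get-Mailbox is the cmdlet mentioned in the thread.
        [string]$ProbeCommand = 'Get-Mailbox'
    )

    # Loaded = added to this session; Registered = installed with the admin tools.
    $loaded     = [bool](Get-PSSnapin -Name $SnapinName -ErrorAction SilentlyContinue)
    $registered = [bool](Get-PSSnapin -Registered -Name $SnapinName -ErrorAction SilentlyContinue)

    # Import-PSSession exposes remote commands as proxy *functions*;
    # a local snap-in exposes them as compiled *cmdlets*.
    $probe = Get-Command -Name $ProbeCommand -ErrorAction SilentlyContinue |
        Select-Object -First 1

    $path = if ($loaded) { 'LocalSnapin' }
            elseif ($probe -and $probe.CommandType -eq 'Function') { 'ImplicitRemoting' }
            elseif ($probe) { 'Other' }
            else { 'NotLoaded' }

    # New-Object keeps this compatible with PowerShell 2.0 (Exchange 2010 era).
    New-Object PSObject -Property @{
        LoadPath         = $path
        SnapinLoaded     = $loaded
        SnapinRegistered = $registered
        ProbeCommandType = if ($probe) { $probe.CommandType } else { $null }
    }
}

function Assert-ExchangeRbacSession {
    $state = Get-ExchangeLoadPath
    if ($state.SnapinLoaded) {
        throw "Snap-in $SnapinName is loaded locally; this session is not limited by RBAC roles."
    }
    if ($state.LoadPath -ne 'ImplicitRemoting') {
        throw "Exchange cmdlets are not loaded through a remote session (state: $($state.LoadPath))."
    }
    $state   # return the state so the caller can log it
}

# Call at the top of the script, before any Exchange cmdlet runs:
# Assert-ExchangeRbacSession | Out-Null
```

`SnapinRegistered` being true on a workstation only shows that the admin tools are installed there, which is the condition the question describes as making `Add-PSSnapin` available to the operator.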