Solved

Block a Specific Snapin?

Posted on 2015-02-23
Last Modified: 2015-02-27
Is anyone familiar with a way to block a specific PowerShell Snapin from being loaded?  Basically I have an Exchange 2010 script that won't run properly through an imported implicit remote session.  It will work fine if the admin tools are installed and we use the typical Connect-ExchangeServer to import the cmdlets.  The problem is this also gives the user access to Add-PSSnapin Microsoft.Exchange.Management.PowerShell.E2010.  Loading the commands in this way bypasses RBAC and thus gives the operator access to commands outside their assigned RBAC roles.
Question by:nashiooka
2 Comments
 

Accepted Solution

by:
Will Szymkowski earned 500 total points
ID: 40626114
If the user is a local administrator on the machine, there is really no way around this. When users import the modules or snapins into the session, they should only be able to access cmdlets that their account has rights to. So if someone with no Exchange Admin rights types in the cmdlet Get-Mailbox, it will error back stating that this cmdlet does not exist, because they do not have permissions to it.

This happens even after the module / snapin has been imported into the session.

Will.

Author Comment

by:nashiooka
ID: 40626171
I appreciate your reply.  Loading the local snapin bypasses RBAC.  RBAC is not the same as ACL-based permissions that may be on the underlying AD objects, but of course I don't want to test my ACLs by making inappropriate commands visible.  I view that as a violation of least privilege and an unnecessary risk.
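
The check below is an added example, not part of the original thread: it reports whether the snap-in named in the question is loaded in the current session and whether sample Exchange commands resolve to the local snap-in or to an imported (implicit remoting) session. The function names and the sample cmdlet list are assumptions made for illustration.

```powershell
# Added example: audit where the Exchange commands in this session come from.
# Snap-in name is taken from the question; function names are hypothetical.
$SnapinName = 'Microsoft.Exchange.Management.PowerShell.E2010'

function Test-ExchangeSnapinLoaded {
    # Get-PSSnapin without -Registered lists only snap-ins added to this session.
    [bool](Get-PSSnapin -Name $SnapinName -ErrorAction SilentlyContinue)
}

function Get-ExchangeCommandOrigin {
    param(
        # Get-Mailbox is from the thread; the other names are assumed samples.
        [string[]]$Name = @('Get-Mailbox', 'Set-Mailbox', 'New-MailboxExportRequest')
    )
    foreach ($n in $Name) {
        $cmd = Get-Command -Name $n -ErrorAction SilentlyContinue | Select-Object -First 1
        if (-not $cmd) {
            # Command is not exposed to this session at all.
            $origin = 'NotVisible'; $source = $null
        }
        elseif ($cmd.CommandType -eq 'Cmdlet' -and $cmd.PSSnapIn -and
                $cmd.PSSnapIn.Name -eq $SnapinName) {
            # Binary cmdlet from the local snap-in: the path the question
            # describes as bypassing RBAC.
            $origin = 'LocalSnapin'; $source = $cmd.PSSnapIn.Name
        }
        elseif ($cmd.CommandType -eq 'Function' -and $cmd.Module) {
            # Proxy function generated by Import-PSSession (implicit remoting).
            $origin = 'ImportedSession'; $source = $cmd.ModuleName
        }
        else {
            $origin = 'Other'; $source = $cmd.ModuleName
        }
        New-Object PSObject -Property @{ Command = $n; Origin = $origin; Source = $source }
    }
}

if (Test-ExchangeSnapinLoaded) {
    Write-Warning "$SnapinName is loaded in this session."
}
Get-ExchangeCommandOrigin | Format-Table Command, Origin, Source -AutoSize
```

Run from a scheduled audit or at the top of an operator script, a `LocalSnapin` result flags a session where the commands did not arrive through the remote endpoint.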