SecurityOptions - Could not infer CimType from the provided .NET object #126

Closed
thijsvanbloemendaal opened this issue Jul 25, 2019 · 1 comment · Fixed by #142


@thijsvanbloemendaal

Hi,

I'm running into issues with a baseline in Windows 2019.
I receive the following error on multiple securityOptions:

Could not infer CimType from the provided .NET object.
    + CategoryInfo          : InvalidOperation: (Microsoft.Manag...InstanceCommand:) [], CimException
    + FullyQualifiedErrorId : New-CimInstance,Microsoft.Management.Infrastructure.CimCmdlets.NewCimInstanceCommand
    + PSComputerName        : localhost
 
The PowerShell DSC resource '[SecurityOption]SecuritySetting(INF): EnableGuestAccount' with SourceInfo ************** threw one or more non-terminating errors while running the Test-TargetResource functionality. These errors are logged to the ETW channel called Microsoft-Windows-DSC/Operational. Refer to this channel for more details.
    + CategoryInfo          : InvalidOperation: (:) [], CimException
    + FullyQualifiedErrorId : NonTerminatingErrorFromProvider
    + PSComputerName        : localhost

Does anyone know how to resolve this?

Regards,
Thijs

@hariscodes

hariscodes commented Jan 31, 2020

Hey, we actually found a fix for this. We have forked this repository and my colleague will be pushing the fix up.

In short, there's a switch call three functions deep which doesn't cover all possibilities of users in a policy. The Local Security Policy associated with the problematic call is "Network Access: Restrict Clients allowed to make remote calls to SAM". If you look at that policy in secedit, you'll see a weird, seemingly incomprehensible series of parentheticals that look something like this:

(A;;RC;;;SY)(A;;RC;;;DA)

This is an esoteric, legacy language called SDDL, and the parentheticals refer to permission sets for local/domain user groups. At the end of each of these is an identifier that is used to identify the group (because the SID was too verbose for the byte constraints that they were working in when this language was created). This is converted to a SID, which is then converted to a friendly name that is used to construct an object using New-CimInstance. Because the only one noted in the switch statement is "BA" (i.e. Builtin\Administrators), it breaks.

We added support for all missing ones, including SY (NT AUTHORITY\SYSTEM) and DA (DOMAIN\Domain Administrators).

Cheers!
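
The trustee lookup described in the comment above, as an added PowerShell example that is not part of the comment and not SecurityPolicyDsc's own code: it splits each ACE, maps the trailing SID constant to a SID and then to an account name, and skips any trustee it cannot resolve instead of passing an empty identity on. `ConvertFrom-SddlAce`, the two lookup tables, the `-DomainSid` parameter and the `ZZ` trustee are hypothetical, and the tables cover only a subset of the SDDL constants.

```powershell
# Added illustration; all names below are hypothetical, not SecurityPolicyDsc's own.
# Subset of two-letter SDDL SID constants that map to fixed well-known SIDs.
$SddlSidConstant = @{
    BA = 'S-1-5-32-544'  # BUILTIN\Administrators
    BU = 'S-1-5-32-545'  # BUILTIN\Users
    SY = 'S-1-5-18'      # NT AUTHORITY\SYSTEM
    AU = 'S-1-5-11'      # NT AUTHORITY\Authenticated Users
    WD = 'S-1-1-0'       # Everyone
}
# Constants whose SID is relative to a domain: <domain SID>-<RID>.
$SddlDomainRid = @{ DA = 512; DU = 513 }  # Domain Admins, Domain Users

function ConvertFrom-SddlAce {
    param(
        [Parameter(Mandatory)][string]$Sddl,
        [string]$DomainSid  # assumption: supplied by the caller on a domain-joined host
    )
    # A basic ACE is "(type;flags;rights;object_guid;inherit_object_guid;account_sid)".
    foreach ($m in [regex]::Matches($Sddl, '\(([^()]*)\)')) {
        $field = $m.Groups[1].Value -split ';'
        if ($field.Count -ne 6 -or $field[0] -notin 'A', 'D') {
            Write-Warning "Skipping unsupported ACE '$($m.Value)'"
            continue
        }
        $trustee = $field[5]
        $sid = $null
        if ($trustee -like 'S-1-*') { $sid = $trustee }  # literal SID, no constant
        elseif ($SddlSidConstant.ContainsKey($trustee)) { $sid = $SddlSidConstant[$trustee] }
        elseif ($SddlDomainRid.ContainsKey($trustee) -and $DomainSid) {
            $sid = "$DomainSid-$($SddlDomainRid[$trustee])"
        }
        if (-not $sid) {
            # The failure mode from the issue: an unmapped constant must not reach New-CimInstance.
            Write-Warning "No SID for trustee '$trustee' in '$($m.Value)'; skipping"
            continue
        }
        $name = $null
        try {
            $sidObject = [System.Security.Principal.SecurityIdentifier]$sid
            $name = $sidObject.Translate([System.Security.Principal.NTAccount]).Value
        } catch { Write-Warning "SID '$sid' has no account name on this host" }
        [pscustomobject]@{
            Permission = if ($field[0] -eq 'A') { 'Allow' } else { 'Deny' }
            Trustee = $trustee; Sid = $sid; Identity = $name
        }
    }
}

# The string from the comment above plus one constructed unknown trustee (ZZ).
ConvertFrom-SddlAce -Sddl '(A;;RC;;;SY)(A;;RC;;;DA)(A;;RC;;;ZZ)'
```

Run without `-DomainSid`, the call returns the SY entry and emits a warning for DA and for ZZ, so a caller building CIM instances from the output never receives an empty identity.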

johlju pushed a commit that referenced this issue May 4, 2020
- Changes to SecurityPolicyDsc:
  - Added support for more SDDL SID constants (issue #126)
    - Added functions to convert identity to and from SDDL SID constants
    - Changed Format-RestrictedRemoteSAM to use new function to create strings with additional SDDL SID constants
    - Changed ConvertTo-CimRestrictedRemoteSam to use new function to accept more possible SDDL SID constants
    - Changed ConvertTo-CimRestrictedRemoteSam to skip CimInstance creation if no valid Identity was found
X-Guardian pushed a commit that referenced this issue May 13, 2020
- Changes to SecurityPolicyDsc:
  - Added support for more SDDL SID constants (issue #126)
    - Added functions to convert identity to and from SDDL SID constants
    - Changed Format-RestrictedRemoteSAM to use new function to create strings with additional SDDL SID constants
    - Changed ConvertTo-CimRestrictedRemoteSam to use new function to accept more possible SDDL SID constants
    - Changed ConvertTo-CimRestrictedRemoteSam to skip CimInstance creation if no valid Identity was found