Windows Unprivileged - Shares
Turns out an unprivileged user can be given permissions to create and remove file (and possibly other) shares.
Note that absolutely none of this is authoritative or directly based on relevant documentation. It’s mostly what I found and figured out and guessed and (in some cases) made up. Some of it may be wrong or dangerous or lead to disaster or confusion. I am not taking responsibility here for anything. Read and act on it at your own peril!
The first thing to do is check the system’s default permissions for shares.
PS C:\> whoami
champignac\administrator
PS C:\> md TestShare
Directory: C:\
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 2/25/2025 9:05 AM TestShare
PS C:\> New-SmbShare -Name TestShare -Path C:\TestShare\
Name ScopeName Path Description
---- --------- ---- -----------
TestShare * C:\TestShare
PS C:\> Get-SmbShare TestShare|Format-List *
PresetPathAcl : System.Security.AccessControl.DirectorySecurity
ShareState : Online
AvailabilityType : NonClustered
ShareType : FileSystemDirectory
FolderEnumerationMode : Unrestricted
CachingMode : Manual
LeasingMode : Full
QoSFlowScope : File
SmbInstance : Default
CATimeout : 0
CompressData : False
ConcurrentUserLimit : 0
ContinuouslyAvailable : False
CurrentUsers : 0
Description :
DirectoryHandleLeasing : True
EncryptData : False
IdentityRemoting : False
Infrastructure : False
IsolatedTransport : False
Name : TestShare
Path : C:\TestShare
QoSPolicyId : {00000000-0000-0000-0000-000000000000}
Scoped : False
ScopeName : *
SecurityDescriptor : O:SYG:SYD:(A;;0x1200a9;;;WD)
ShadowCopy : False
Special : False
Temporary : False
Volume : \\?\Volume{079e08b7-0000-0000-0000-500600000000}\
PSComputerName :
CimClass : ROOT/Microsoft/Windows/SMB:MSFT_SmbShare
CimInstanceProperties : {AvailabilityType, CachingMode, CATimeout, CompressData...}
CimSystemProperties : Microsoft.Management.Infrastructure.CimSystemProperties
PS C:\>
You can see that, tragically, the share’s default permissions are “A;;0x1200a9;;;WD”.
The more sensible net share command tells us what this means.
PS C:\> net share TestShare
Share name TestShare
Path C:\TestShare
Remark
Maximum users No limit
Users
Caching Manual caching of documents
Permission Everyone, READ
The command completed successfully.
PS C:\>
But looking at the Access Control Entry “A;;0x1200a9;;;WD” is sufficient:
- It is an “Allow” entry (the “A” at the beginning).
- It has an access mask of 1200a9 in hex.
- It is for a Security Principal “WD”, who turns out to be “Everyone”. (Maybe “WD” stands for “World”?)
PS C:\> & 'C:\Program Files\ABTokenTools\LookupAccountSid.exe' WD
Everyone
PS C:\>
The access mask does not tell us a lot because nobody knows what those mean. But one thing is easy. Since the lowest bit (bit 0, the right-most bit) enables “read”, any odd access mask allows (at least) reading.
I have it on good authority that 0x1200a9 is odd, hence this access mask allows (at least) reading. I have no idea what the other bits mean and it doesn’t matter.
Note that access to actual files is further regulated by file system permissions.
Also note that this means that once an unprivileged user can manage those shares, that user will be able to make the computer’s files available to essentially random people (as long as file system permissions allow it, of course).
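As an added check (this code is not part of the original post), the following PowerShell function parses a share’s SDDL with the .NET RawSecurityDescriptor class, resolves each ACE’s principal, casts the mask to FileSystemRights, applies the odd-mask test from above and flags entries granted to Everyone; the two descriptors fed to it are the ones shown on this page, and the final pipeline runs the same report over the host’s non-administrative shares.

```powershell
# Added example, not from the original post: decode share SDDL and flag
# entries that grant anything to Everyone (S-1-1-0, the "WD" of the ACE above).
function Get-SmbShareAceReport {
    param(
        [Parameter(Mandatory)][string]$Sddl,
        [string]$ShareName = '(constructed)'
    )
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($Sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        $sid = $ace.SecurityIdentifier
        # Well-known SIDs resolve offline; fall back to the raw SID for anything else
        try   { $who = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = $sid.Value }
        [pscustomobject]@{
            Share      = $ShareName
            AceType    = $ace.AceType                    # AccessAllowed / AccessDenied
            Principal  = $who
            Mask       = '0x{0:x}' -f $ace.AccessMask
            Rights     = [System.Security.AccessControl.FileSystemRights]$ace.AccessMask
            ReadBitSet = [bool]($ace.AccessMask -band 1) # FILE_READ_DATA: the "odd mask" test
            IsEveryone = $sid.IsWellKnown([System.Security.Principal.WellKnownSidType]::WorldSid)
        }
    }
}

# The two descriptors shown on this page, as constructed input
Get-SmbShareAceReport -Sddl 'O:SYG:SYD:(A;;0x1200a9;;;WD)' -ShareName 'TestShare'
Get-SmbShareAceReport -Sddl 'O:SYG:SYD:(A;;FA;;;AU)'       -ShareName 'BenoitShare'

# Live check on this host: every non-administrative share with an Allow entry for Everyone
Get-SmbShare | Where-Object { -not $_.Special } | ForEach-Object {
    Get-SmbShareAceReport -Sddl $_.SecurityDescriptor -ShareName $_.Name
} | Where-Object { $_.IsEveryone -and $_.AceType -eq 'AccessAllowed' }
```

The SDDL parser calls into Windows, so the function only runs on a Windows host; share permissions are checked here, and file system permissions still apply on top of them.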
To allow unprivileged users to manage file shares, create a Just-Enough-Admin configuration.
PS C:\Program Files\WindowsPowerShell\Modules\JEA> New-PSSessionConfigurationFile SmbShare.pssc
And create a group JEA_SmbShare.
PS C:\Program Files\WindowsPowerShell\Modules\JEA> New-LocalGroup JEA_SmbShare
Make three changes to the SmbShare.pssc file created:
- Set SessionType to ‘RestrictedRemoteServer’.
# Session type defaults to apply for this session configuration. Can be 'RestrictedRemoteServer' (recommended), 'Empty', or 'Default'
SessionType = 'RestrictedRemoteServer'
- Set RunAsVirtualAccount to $true.
# Whether to run this session configuration as the machine's (virtual) administrator account
RunAsVirtualAccount = $true
- Configure RoleDefinitions to use SmbShare.psrc.
RoleDefinitions = @{'JEA_SmbShare' = @{RoleCapabilities='SmbShare'}}
Then create a role capability file for this thing.
PS C:\Program Files\WindowsPowerShell\Modules\JEA\RoleCapabilities> New-PSRoleCapabilityFile SmbShare.psrc
Add the following entries to the file, at the appropriate places per the hints given in the template file.
ModulesToImport='SmbShare'
VisibleCmdLets='*-Smb*'
Yes, this grants ultimate share power to our JEA_SmbShare group. You can limit these powers if you like by limiting what parameters can be called etc. I will write about that in the future.
We are not adding the net.exe command to the configuration because it allows far more than share management.
Register the configuration:
PS C:\Program Files\WindowsPowerShell\Modules\JEA> Register-PSSessionConfiguration SmbShare -Path .\SmbShare.pssc
Now add a user to the JEA_SmbShare group and let him enjoy his powers.
PS C:\> Add-LocalGroupMember -Group JEA_SmbShare -Member benoit
PS C:\> Get-LocalGroupMember JEA_SmbShare
ObjectClass Name PrincipalSource
----------- ---- ---------------
User CHAMPIGNAC\benoit Local
PS C:\>
User benoit can now create and destroy shares at will. But he should create shares with a security descriptor different from the default (using the -FullAccess parameter).
PS C:\> whoami
champignac\benoit
PS C:\> Get-ChildItem 'C:\Program Files\WindowsPowerShell\Modules\JEA\' -Filter *.pssc|ForEach-Object{Import-PSSession (New-PSSession -ConfigurationName $_.BaseName) -AllowClobber}
ModuleType Version Name ExportedCommands
---------- ------- ---- ----------------
Script 1.0 tmp_ahjvt5rd.1el {Add-WebConfiguration, Add-WebConfigurationLock, Add-WebConfigurationProperty, Backup-WebConfiguration...}
Script 1.0 tmp_qecztqlr.ihh {Block-SmbClientAccessToServer, Block-SmbShareAccess, Clear-Host, Close-SmbOpenFile...}
Script 1.0 tmp_qhqgomtt.jo5 {Clear-Host, Exit-PSSession, Get-Command, Get-WindowsFeature...}
PS C:\> md BenoitShare
Directory: C:\
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 2/25/2025 10:06 AM BenoitShare
PS C:\> New-SmbShare -Path C:\BenoitShare\ -Name BenoitShare -FullAccess "Authenticated Users"
Name ScopeName Path Description
---- --------- ---- -----------
BenoitShare * C:\BenoitShare
PS C:\> Get-SmbShare
Name ScopeName Path Description
---- --------- ---- -----------
ADMIN$ * C:\WINDOWS Remote Admin
BenoitShare * C:\BenoitShare
C$ * C:\ Default share
IPC$ * Remote IPC
TestShare * C:\TestShare
PS C:\> (Get-SmbShare BenoitShare).SecurityDescriptor
O:SYG:SYD:(A;;FA;;;AU)
PS C:\> Remove-SmbShare BenoitShare
Confirm
Are you sure you want to perform this action?
Performing operation 'Remove-Share' on Target '*,BenoitShare'.
[Y] Yes [A] Yes to All [N] No [L] No to All [?] Help (default is "Y"):
PS C:\>
Of course, with access to configure (and remove) all shares, user benoit now has tremendous ability to destroy things. But it pales next to user benoit’s ability to destroy things if he were a member of the Administrators group and, of course, the JEA configuration could be configured more stringently, perhaps with a few allowed functions and no direct access to all cmdlets. I would personally add a second role capability file with such functions and a second group JEA_SmbShare_Functions for those users we don’t trust as much as user benoit.
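As an added example (not the original post’s own files) of the second, tighter role capability file suggested above, for a hypothetical JEA_SmbShare_Functions group: constrained users get read-only Smb cmdlets, Remove-SmbShare only for plain share names, and a wrapper function that always sets an explicit ACL, so the “Everyone, READ” default descriptor can never be produced. The C:\Shares path restriction, the New-TeamShare function name and the user lucie are assumptions.

```powershell
# Added example, not from the original post. Writes a second role capability
# file next to SmbShare.psrc, wires it into SmbShare.pssc and checks the result.
$rc = 'C:\Program Files\WindowsPowerShell\Modules\JEA\RoleCapabilities'
@'
@{
    ModulesToImport = 'SmbShare'
    VisibleCmdlets  = @(
        'Get-SmbShare', 'Get-SmbShareAccess',
        # Plain names only: ADMIN$, C$ and IPC$ do not match the pattern
        @{ Name = 'Remove-SmbShare'; Parameters = @(
            @{ Name = 'Name'; ValidatePattern = '^[A-Za-z0-9_-]+$' },
            @{ Name = 'Force' }) }
    )
    FunctionDefinitions = @(
        @{ Name = 'New-TeamShare'; ScriptBlock = {
            param(
                [Parameter(Mandatory)][ValidatePattern('^[A-Za-z0-9_-]+$')][string]$Name,
                # Assumption: constrained users may only export folders under C:\Shares
                [Parameter(Mandatory)][ValidatePattern('^C:\\Shares\\[^\\]+\\?$')][string]$Path,
                [Parameter(Mandatory)][ValidatePattern('^CHAMPIGNAC\\')][string]$Group
            )
            # The named local group gets Change; nothing is granted to Everyone
            New-SmbShare -Name $Name -Path $Path -ChangeAccess $Group -EncryptData $true
        } }
    )
}
'@ | Set-Content -Path "$rc\SmbShareFunctions.psrc" -Encoding UTF8

# Edit SmbShare.pssc by hand (as with the three changes above) so RoleDefinitions reads:
#   RoleDefinitions = @{
#       'JEA_SmbShare'           = @{ RoleCapabilities = 'SmbShare' }
#       'JEA_SmbShare_Functions' = @{ RoleCapabilities = 'SmbShareFunctions' }
#   }
$pssc = 'C:\Program Files\WindowsPowerShell\Modules\JEA\SmbShare.pssc'
if (-not (Test-PSSessionConfigurationFile -Path $pssc)) { throw "SmbShare.pssc is invalid" }
Unregister-PSSessionConfiguration -Name SmbShare -Force
Register-PSSessionConfiguration -Name SmbShare -Path $pssc -Force

# Hypothetical less-trusted user 'lucie' (assumed to exist as a local account)
New-LocalGroup JEA_SmbShare_Functions
Add-LocalGroupMember -Group JEA_SmbShare_Functions -Member lucie
# Check what she actually gets: Get-SmbShare, Get-SmbShareAccess, Remove-SmbShare, New-TeamShare
Get-PSSessionCapability -ConfigurationName SmbShare -Username 'CHAMPIGNAC\lucie' |
    Select-Object Name, CommandType
```

Note that JEA parameter validation can restrict which parameters and values a cmdlet is called with but cannot require a parameter to be present, which is why New-SmbShare itself stays hidden and the wrapper function supplies the ACL.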
Next: Scheduled Tasks