Turns out an unprivileged user can be given permissions to create and remove file (and possibly other) shares.

Note that absolutely none of this is authoritative or directly based on relevant documentation. It’s mostly what I found and figured out and guessed and (in some cases) made up. Some of it may be wrong or dangerous or lead to disaster or confusion. I am not taking responsibility here for anything. Read and act on it at your own peril!

The first thing to do is check the system’s default permissions for shares.

PS C:\> whoami
champignac\administrator
PS C:\> md TestShare

    Directory: C:\

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----         2/25/2025   9:05 AM                TestShare

PS C:\> New-SmbShare -Name TestShare -Path C:\TestShare\

Name      ScopeName Path         Description
----      --------- ----         -----------
TestShare *         C:\TestShare

PS C:\> Get-SmbShare TestShare|Format-List *

PresetPathAcl          : System.Security.AccessControl.DirectorySecurity
ShareState             : Online
AvailabilityType       : NonClustered
ShareType              : FileSystemDirectory
FolderEnumerationMode  : Unrestricted
CachingMode            : Manual
LeasingMode            : Full
QoSFlowScope           : File
SmbInstance            : Default
CATimeout              : 0
CompressData           : False
ConcurrentUserLimit    : 0
ContinuouslyAvailable  : False
CurrentUsers           : 0
Description            :
DirectoryHandleLeasing : True
EncryptData            : False
IdentityRemoting       : False
Infrastructure         : False
IsolatedTransport      : False
Name                   : TestShare
Path                   : C:\TestShare
QoSPolicyId            : {00000000-0000-0000-0000-000000000000}
Scoped                 : False
ScopeName              : *
SecurityDescriptor     : O:SYG:SYD:(A;;0x1200a9;;;WD)
ShadowCopy             : False
Special                : False
Temporary              : False
Volume                 : \\?\Volume{079e08b7-0000-0000-0000-500600000000}\
PSComputerName         :
CimClass               : ROOT/Microsoft/Windows/SMB:MSFT_SmbShare
CimInstanceProperties  : {AvailabilityType, CachingMode, CATimeout, CompressData...}
CimSystemProperties    : Microsoft.Management.Infrastructure.CimSystemProperties

PS C:\>

You can see that, tragically, the share’s default permissions are “A;;0x1200a9;;;WD”.

The more sensible net share command tells us what this means.

PS C:\> net share TestShare
Share name        TestShare
Path              C:\TestShare
Remark
Maximum users     No limit
Users
Caching           Manual caching of documents
Permission        Everyone, READ

The command completed successfully.

PS C:\>

But looking at the Access Control Entry “A;;0x1200a9;;;WD” is sufficient:

  1. It is an “Allow” entry (the “A” at the beginning).
  2. It has an accessmask of 1200a9 in hex.
  3. It is for a Security Principal “WD”, who turns out to be “Everyone”. (Maybe “WD” stands for “World”?)
PS C:\> & 'C:\Program Files\ABTokenTools\LookupAccountSid.exe' WD
Everyone
PS C:\>

The access mask does not tell us a lot because nobody knows what those mean. But one thing is easy. Since the first bit (bit 0, the lowest-order bit, which is why the mask is odd) enables “read”, any odd access mask allows (at least) reading.

I have it on good authority that 0x1200a9 is odd, hence this access mask allows (at least) reading. I have no idea what the other bits mean and it doesn’t matter.
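To take the guesswork out of the ACE, here is an added example (not from the original post) that parses a share’s SDDL string, resolves the “WD”-style SID to an account name, checks the read bit the text talks about and decodes the mask with the file-system rights names (shares use the same mask layout). It assumes Windows PowerShell 5.1 or later; the two SDDL strings are the ones shown in this post.

```powershell
function Get-ShareAceInfo {
    param([Parameter(Mandatory)][string]$Sddl)

    # Parse the SDDL form into a security descriptor object
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($Sddl)

    foreach ($ace in $sd.DiscretionaryAcl) {
        $sid = $ace.SecurityIdentifier
        # Two-letter SDDL aliases such as WD or AU are well-known SIDs; resolve them
        try   { $account = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $account = $sid.Value }

        [pscustomobject]@{
            Type       = $ace.AceType                      # AccessAllowed / AccessDenied
            Account    = $account                          # "Everyone" for WD
            Sid        = $sid.Value
            AccessMask = '0x{0:x}' -f $ace.AccessMask
            # Bit 0 is the lowest-order bit: set for every odd mask, grants read
            CanRead    = ($ace.AccessMask -band 1) -ne 0
            # Same bit layout as NTFS rights, so the enum gives readable names
            Rights     = [System.Security.AccessControl.FileSystemRights]$ace.AccessMask
        }
    }
}

# The default share ACE from above and the one benoit creates later in the post
'O:SYG:SYD:(A;;0x1200a9;;;WD)', 'O:SYG:SYD:(A;;FA;;;AU)' |
    ForEach-Object { Get-ShareAceInfo -Sddl $_ }
```

To audit a live system, pipe every share through it: `Get-SmbShare | ForEach-Object { Get-ShareAceInfo $_.SecurityDescriptor }` and look for Everyone entries with CanRead set.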

Note that access to actual files is further regulated by file system permissions.

Also note that this means that once an unprivileged user can manage those shares, an unprivileged user will have the ability to make the computer’s files available to essentially random people (as long as file system permissions allow it, of course).

To allow unprivileged users to manage file shares, create a Just-Enough-Admin configuration.

PS C:\Program Files\WindowsPowerShell\Modules\JEA> New-PSSessionConfigurationFile SmbShare.pssc

And create a group JEA_SmbShare.

PS C:\Program Files\WindowsPowerShell\Modules\JEA> New-LocalGroup JEA_SmbShare

Make three changes to the SmbShare.pssc file created:

  1. Set SessionType to ‘RestrictedRemoteServer’.
# Session type defaults to apply for this session configuration. Can be 'RestrictedRemoteServer' (recommended), 'Empty', or 'Default'
SessionType = 'RestrictedRemoteServer'
  2. Set RunAsVirtualAccount to $true.
# Whether to run this session configuration as the machine's (virtual) administrator account
RunAsVirtualAccount = $true
  3. Configure RoleDefinitions to use SmbShare.psrc.
RoleDefinitions = @{'JEA_SmbShare' = @{RoleCapabilities='SmbShare'}}

Then create a role capability file for this thing.

PS C:\Program Files\WindowsPowerShell\Modules\JEA\RoleCapabilities> New-PSRoleCapabilityFile SmbShare.psrc

Add the following entries to the file, at the appropriate places per the hints given in the template file.

ModulesToImport='SmbShare'
VisibleCmdlets='*-Smb*'

Yes, this grants ultimate share power to our JEA_SmbShare group. You can limit these powers if you like by limiting which cmdlets and which parameters can be called, etc. I will write about that in the future.

We are not adding the net.exe command to the configuration because it allows far more than share management.

Register the configuration:

PS C:\Program Files\WindowsPowerShell\Modules\JEA> Register-PSSessionConfiguration SmbShare -Path .\SmbShare.pssc
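The same three steps can be scripted, and this added example (not the post’s own .pssc/.psrc files) does that for the more stringent variant the post hints at: only three share cmdlets are visible, the share path is pinned to one folder tree, and the resulting endpoint is checked from the admin side before anyone is added to the group. The paths and the SmbShare module follow the post; the group name JEA_SmbShare_Functions, the C:\Shares root and the parameter patterns are my assumptions.

```powershell
$jeaRoot = 'C:\Program Files\WindowsPowerShell\Modules\JEA'
$rcDir   = Join-Path $jeaRoot 'RoleCapabilities'
New-Item -ItemType Directory -Path $rcDir -Force | Out-Null

# Role capability: Get-/New-/Remove-SmbShare only. New-SmbShare may only point at
# C:\Shares\<one folder> (assumed root) and only exposes the access parameters,
# so benoit cannot pass e.g. -Temporary or -EncryptData.
$visible = @(
    'Get-SmbShare'
    @{ Name = 'Remove-SmbShare'; Parameters = @{ Name = 'Name' }, @{ Name = 'Force' } }
    @{ Name = 'New-SmbShare'
       Parameters = @{ Name = 'Name'; ValidatePattern = '^[A-Za-z0-9_]{1,40}$' },
                    @{ Name = 'Path'; ValidatePattern = '^C:\\Shares\\[^\\]+\\?$' },
                    @{ Name = 'FullAccess' },
                    @{ Name = 'ReadAccess' } }
)
New-PSRoleCapabilityFile -Path (Join-Path $rcDir 'SmbShareLimited.psrc') `
    -ModulesToImport SmbShare -VisibleCmdlets $visible

# Session configuration: restricted endpoint, virtual account, one group -> one role,
# plus a transcript directory so share changes are recorded.
$pssc = Join-Path $jeaRoot 'SmbShareLimited.pssc'
New-PSSessionConfigurationFile -Path $pssc `
    -SessionType RestrictedRemoteServer -RunAsVirtualAccount `
    -TranscriptDirectory 'C:\JEA-Transcripts' `
    -RoleDefinitions @{ 'JEA_SmbShare_Functions' = @{ RoleCapabilities = 'SmbShareLimited' } }

if (-not (Test-PSSessionConfigurationFile -Path $pssc)) {
    throw "Generated $pssc is not valid"
}
Register-PSSessionConfiguration -Name SmbShareLimited -Path $pssc -Force | Out-Null

# Check what a member of the group would actually be able to run before adding anyone.
Get-PSSessionCapability -ConfigurationName SmbShareLimited -Username 'champignac\benoit' |
    Select-Object CommandType, Name
```

Create the local group (New-LocalGroup JEA_SmbShare_Functions) before registering, otherwise the role definition matches nobody.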

Now add a user to the JEA_SmbShare group and let him enjoy his powers.

PS C:\> Add-LocalGroupMember -Group JEA_SmbShare -Member benoit
PS C:\> Get-LocalGroupMember JEA_SmbShare

ObjectClass Name              PrincipalSource
----------- ----              ---------------
User        CHAMPIGNAC\benoit Local

PS C:\>

User benoit can now create and destroy shares at will. But he should create shares with a security descriptor different from the default (using the -FullAccess parameter).

PS C:\> whoami
champignac\benoit
PS C:\> Get-ChildItem 'C:\Program Files\WindowsPowerShell\Modules\JEA\' -Filter *.pssc|ForEach-Object{Import-PSSession (New-PSSession -ConfigurationName $_.BaseName) -AllowClobber}

ModuleType Version    Name                                ExportedCommands
---------- -------    ----                                ----------------
Script     1.0        tmp_ahjvt5rd.1el                    {Add-WebConfiguration, Add-WebConfigurationLock, Add-WebConfigurationProperty, Backup-WebConfiguration...}
Script     1.0        tmp_qecztqlr.ihh                    {Block-SmbClientAccessToServer, Block-SmbShareAccess, Clear-Host, Close-SmbOpenFile...}
Script     1.0        tmp_qhqgomtt.jo5                    {Clear-Host, Exit-PSSession, Get-Command, Get-WindowsFeature...}


PS C:\> md BenoitShare


    Directory: C:\


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----         2/25/2025  10:06 AM                BenoitShare


PS C:\> New-SmbShare -Path C:\BenoitShare\ -Name BenoitShare -FullAccess "Authenticated Users"

Name        ScopeName Path           Description
----        --------- ----           -----------
BenoitShare *         C:\BenoitShare


PS C:\> Get-SmbShare

Name        ScopeName Path           Description
----        --------- ----           -----------
ADMIN$      *         C:\WINDOWS     Remote Admin
BenoitShare *         C:\BenoitShare
C$          *         C:\            Default share
IPC$        *                        Remote IPC
TestShare   *         C:\TestShare


PS C:\> (Get-SmbShare BenoitShare).SecurityDescriptor
O:SYG:SYD:(A;;FA;;;AU)
PS C:\> Remove-SmbShare BenoitShare

Confirm
Are you sure you want to perform this action?
Performing operation 'Remove-Share' on Target '*,BenoitShare'.
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [?] Help (default is "Y"):
PS C:\>

Of course, having access to configuring (and removing) all shares, user benoit now has tremendous ability to destroy things. But it pales next to what user benoit could destroy as a member of the Administrators group, and, of course, the JEA configuration could be made more stringent, perhaps with a few allowed functions and no direct access to all cmdlets. I would personally add a second role capability file with such functions and a second group JEA_SmbShare_Functions for those users we don’t trust as much as user benoit.

Shares.pssc
Shares.psrc

Next: Scheduled Tasks