LogonSessionId account assigned Read access in new certificates?

I have a question that (hopefully) someone can shed some light on. I was writing a PowerShell script that would import a certificate to the Local Machine store and assign the Everyone group Read permissions to the private keys on the certificate.

Now, I do have a working script that does accomplish this, but I've noticed that I have an account called "LogonSessionId_0_some-random-number" assigned Read permissions to the ACL on the private keys as shown in the following image:

[Image: LogonSessionID in ACL]

At first I thought this was my script maybe doing this, but when I manually import the certificate I get the same result.

Has anyone seen this before or know why this is happening? What exactly is this account and why are permissions being assigned? I've tried to search for some answers on this but have come up short.

Not sure if it helps, but this is the portion of my code that imports the certificate and assigns the permissions:


    # $getCerts (a subject pattern) is defined earlier in the script, outside this excerpt
    $sslCert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -match $getCerts }
    $sslCertPrivKey = $sslCert.PrivateKey
    # Legacy CSP private keys are stored as files named after the unique key container name
    $privKeyCertFile = Get-Item -Path "$ENV:ProgramData\Microsoft\Crypto\RSA\MachineKeys\*" |
        Where-Object { $_.Name -eq $sslCertPrivKey.CspKeyContainerInfo.UniqueKeyContainerName }
    $privKeyAcl = (Get-Item -Path $privKeyCertFile.FullName).GetAccessControl("Access")
    # Grant the Everyone group Read access to the key file
    $permission = "Everyone", "Read", "Allow"
    $accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission
    $privKeyAcl.AddAccessRule($accessRule)
    Set-Acl -Path $privKeyCertFile.FullName -AclObject $privKeyAcl

I'm using Windows 10 Pro.

Any help/insight is greatly appreciated!

asked by obs0lete, Feb 17 '16 22:02
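The following is an added example, not code from the original question: it performs the same procedure the script above does (import a certificate into the machine store, locate the private key file on disk, add a Read ACE to it) but resolves the key file for both legacy CSP keys under `RSA\MachineKeys` and CNG keys under `Crypto\Keys`, grants Read to a single named principal rather than Everyone, and then dumps the resulting ACL so that any `LogonSessionId_0_*` entry can be seen next to the entry just added. The PFX path and the `NT SERVICE\MyService` account are placeholder assumptions.

```powershell
# Added example (not from the original question). Assumptions: the PFX path and the
# principal below are placeholders; Import-PfxCertificate comes from the PKI module
# that ships with Windows 8 / Server 2012 and later.
param(
    [string]$PfxPath   = 'C:\certs\example.pfx',   # assumed path
    [string]$Principal = 'NT SERVICE\MyService'    # assumed account; one principal, not Everyone
)

$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'

$cert = Import-PfxCertificate -FilePath $PfxPath `
                              -CertStoreLocation 'Cert:\LocalMachine\My' `
                              -Password $pfxPassword
if (-not $cert.HasPrivateKey) {
    throw "Certificate $($cert.Thumbprint) has no private key"
}

# Build candidate paths for the on-disk key container. Legacy CSP keys expose the
# container name via CspKeyContainerInfo; CNG keys expose it via the CngKey.UniqueName.
$machineKeys = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'
$cngKeys     = Join-Path $env:ProgramData 'Microsoft\Crypto\Keys'
$candidates  = @()

if ($cert.PrivateKey -and $cert.PrivateKey.CspKeyContainerInfo) {
    $candidates += Join-Path $machineKeys $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
}
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $candidates += Join-Path $cngKeys     $rsa.Key.UniqueName
    $candidates += Join-Path $machineKeys $rsa.Key.UniqueName
}

$keyPath = $candidates | Where-Object { Test-Path -Path $_ } | Select-Object -First 1
if (-not $keyPath) {
    throw "Could not locate the private key file for $($cert.Thumbprint)"
}

# Add a single Read ACE; existing entries (including any LogonSessionId entry
# Windows itself placed there) are left untouched.
$acl  = Get-Acl -Path $keyPath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Principal, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyPath -AclObject $acl

# Show the resulting ACL so the entry just added can be compared with the
# LogonSessionId_0_* entry described in the question, if one is present.
Get-Acl -Path $keyPath |
    Select-Object -ExpandProperty Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType |
    Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt, since writing to `Cert:\LocalMachine\My` and to the key container files under `%ProgramData%\Microsoft\Crypto` requires administrative rights. Granting Read to one service or application account keeps the private key's ACL as narrow as the workload needs; the ACL listing at the end is the same view the "Manage Private Keys..." dialog shows.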


1 Answer

It's because you have different scopes. When you add something at the machine level, by default it gives all users read permissions. Everyone with access to that computer will be able to see the certificate. You don't need to explicitly give users read access for a machine level certificate. It's like when you install some programs they ask "Install for all users?" If you say yes, it installs at the machine level and everyone can use it, otherwise it will install for just you and logging in with a different user means they won't have access.

Comment out the user-specific part of your script to test what I'm saying; you'll notice all users are given read-only access and things will work as expected.

answered by Mike, Sep 18 '22 11:09