2023-09-15 14:33:51 +00:00
|
|
|
# Function to check if the mods directory is secured.
|
|
|
|
# Security: Mods directory must be protected (Users could create scripts of their own - then they'll run in System Context)!
|
|
|
|
# Check if Local Users have write rights in Mods directory or not (and take action if necessary):
|
2023-02-06 06:47:06 +00:00
|
|
|
|
2023-09-15 14:38:54 +00:00
|
|
|
function Invoke-ModsProtect
|
2023-09-15 14:33:51 +00:00
|
|
|
{
|
|
|
|
[CmdletBinding()]
|
|
|
|
param
|
|
|
|
(
|
2023-09-15 14:38:54 +00:00
|
|
|
[string]
|
|
|
|
$ModsPath
|
2023-09-15 14:33:51 +00:00
|
|
|
)
|
2023-09-15 14:38:54 +00:00
|
|
|
|
|
|
|
try
|
2023-09-15 14:33:51 +00:00
|
|
|
{
|
|
|
|
$directory = (Get-Item -Path $ModsPath -ErrorAction SilentlyContinue)
|
|
|
|
$acl = (Get-Acl -Path $directory.FullName)
|
|
|
|
# Local Users - S-1-5-32-545
|
|
|
|
$userSID = (New-Object -TypeName System.Security.Principal.SecurityIdentifier -ArgumentList ('S-1-5-32-545'))
|
|
|
|
# Translate SID to Locale Name
|
|
|
|
$ntAccount = $userSID.Translate([Security.Principal.NTAccount])
|
|
|
|
$userName = $ntAccount.Value
|
|
|
|
$userRights = [Security.AccessControl.FileSystemRights]'Write'
|
|
|
|
$hasWriteAccess = $False
|
2023-09-15 14:38:54 +00:00
|
|
|
|
|
|
|
foreach ($access in $acl.Access)
|
2023-09-15 14:33:51 +00:00
|
|
|
{
|
2023-09-15 14:38:54 +00:00
|
|
|
if ($access.IdentityReference.Value -eq $userName -and $access.FileSystemRights -eq $userRights)
|
2023-09-15 14:33:51 +00:00
|
|
|
{
|
|
|
|
$hasWriteAccess = $True
|
|
|
|
break
|
|
|
|
}
|
|
|
|
}
|
2023-09-15 14:38:54 +00:00
|
|
|
|
|
|
|
if ($hasWriteAccess)
|
2023-09-15 14:33:51 +00:00
|
|
|
{
|
|
|
|
# Disable inheritance
|
|
|
|
$acl.SetAccessRuleProtection($True, $True)
|
2023-09-15 14:38:54 +00:00
|
|
|
|
2023-09-15 14:33:51 +00:00
|
|
|
# Remove any existing rules
|
|
|
|
$acl.Access | ForEach-Object -Process {
|
2023-09-15 14:38:54 +00:00
|
|
|
$acl.RemoveAccessRule($_)
|
2023-09-15 14:33:51 +00:00
|
|
|
}
|
2023-09-15 14:38:54 +00:00
|
|
|
|
2023-09-15 14:33:51 +00:00
|
|
|
# SYSTEM Full - S-1-5-18
|
|
|
|
$userSID = (New-Object -TypeName System.Security.Principal.SecurityIdentifier -ArgumentList ('S-1-5-18'))
|
|
|
|
$rule = (New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList ($userSID, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow'))
|
|
|
|
$acl.SetAccessRule($rule)
|
|
|
|
# Save the updated ACL
|
|
|
|
$null = (Set-Acl -Path $directory.FullName -AclObject $acl)
|
2023-09-15 14:38:54 +00:00
|
|
|
|
2023-09-15 14:33:51 +00:00
|
|
|
# Administrators Full - S-1-5-32-544
|
|
|
|
$acl = (Get-Acl -Path $directory.FullName)
|
|
|
|
$userSID = (New-Object -TypeName System.Security.Principal.SecurityIdentifier -ArgumentList ('S-1-5-32-544'))
|
|
|
|
$rule = (New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList ($userSID, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow'))
|
|
|
|
$acl.SetAccessRule($rule)
|
|
|
|
$null = (Set-Acl -Path $directory.FullName -AclObject $acl)
|
2023-09-15 14:38:54 +00:00
|
|
|
|
2023-09-15 14:33:51 +00:00
|
|
|
# Local Users ReadAndExecute - S-1-5-32-545 S-1-5-11
|
|
|
|
$acl = (Get-Acl -Path $directory.FullName)
|
|
|
|
$userSID = (New-Object -TypeName System.Security.Principal.SecurityIdentifier -ArgumentList ('S-1-5-32-545'))
|
|
|
|
$rule = (New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList ($userSID, 'ReadAndExecute', 'ContainerInherit,ObjectInherit', 'None', 'Allow'))
|
|
|
|
$acl.SetAccessRule($rule)
|
|
|
|
$null = (Set-Acl -Path $directory.FullName -AclObject $acl)
|
2023-09-15 14:38:54 +00:00
|
|
|
|
2023-09-15 14:33:51 +00:00
|
|
|
# Authenticated Users ReadAndExecute - S-1-5-11
|
|
|
|
$acl = (Get-Acl -Path $directory.FullName)
|
|
|
|
$userSID = (New-Object -TypeName System.Security.Principal.SecurityIdentifier -ArgumentList ('S-1-5-11'))
|
|
|
|
$rule = (New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList ($userSID, 'ReadAndExecute', 'ContainerInherit,ObjectInherit', 'None', 'Allow'))
|
|
|
|
$acl.SetAccessRule($rule)
|
|
|
|
$null = (Set-Acl -Path $directory.FullName -AclObject $acl)
|
2023-09-15 14:38:54 +00:00
|
|
|
|
2023-09-15 14:33:51 +00:00
|
|
|
return $True
|
|
|
|
}
|
2023-09-15 14:38:54 +00:00
|
|
|
|
2023-09-15 14:33:51 +00:00
|
|
|
return $False
|
|
|
|
}
|
2023-09-15 14:38:54 +00:00
|
|
|
catch
|
2023-09-15 14:33:51 +00:00
|
|
|
{
|
|
|
|
return 'Error'
|
|
|
|
}
|
|
|
|
}
|