Please feel free to provide feedback or file bugs here.

BUG: GetMetaConfiguration should validate property values against allowed values of MSFT_DSCMetaConfiguration CIM Properties

Once a node meta configuration is enacted, it is easy for an administrator or process (with malicious intent) to modify the MetaConfig.mof file in the C:\Windows\System32\Configuration directory. The GetMetaConfiguration method in the MSFT_DscMetaConfiguration class does not validate the property values against the allowed values of the CIM properties.

Steps to reproduce this behavior:
- Enact a simple meta configuration and enact it.
- Open the MetaConfig.MOF file in your favorite editor and change the value of ConfigurationMode to some random text.
- Save the file and close it.
- Run Get-DscLocalConfigurationManager.
- You will see the random value assigned to ConfigurationMode in the output although it is not a valid value for the ConfigurationMode property.

You can see this in action at https://pbs.twimg.com/media/DFervKvUIAA-7Na.jpg:large

1 vote

    Ravikanth Chaganti shared this idea
    In Queue · Mark Gray (Admin, Windows Server) responded

    Ravikanth,

    We have validated this issue and created two bugs for it.

    1. We will validate the MOF when it is passed in as part of our API (i.e. Set-DscLocalConfigurationManager) and error if the values are not valid.
    2. We will write a warning when Get-DscLocalConfigurationManager reads a MOF that has invalid values and at LCM startup. The resultant behavior will behave like it does today where invalid values will be read as the default value by the LCM.

    Please let us know if this meets your expectations.

    Regards,

    MarkG

    1 comment
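
An administrator can run the check the report asks for from outside the LCM. The following is an added example, not code from the original post or from Microsoft: it assumes the DSC CIM namespace is present and that MSFT_DSCMetaConfiguration declares its allowed values as ValueMap qualifiers, and the function name Test-MetaConfigValue is hypothetical.

```powershell
# Added example: compare what Get-DscLocalConfigurationManager reports with the
# allowed values (ValueMap qualifiers) declared on the MSFT_DSCMetaConfiguration class.
$namespace = 'root/Microsoft/Windows/DesiredStateConfiguration'
$class     = Get-CimClass -Namespace $namespace -ClassName 'MSFT_DSCMetaConfiguration'

function Test-MetaConfigValue {
    # Emits one finding per property value that is not listed in the property's ValueMap.
    param(
        [Parameter(Mandatory)] $Settings,   # object exposing the LCM properties
        [Parameter(Mandatory)] $CimClass    # schema that carries the ValueMap qualifiers
    )
    foreach ($prop in $CimClass.CimClassProperties) {
        $valueMap = $prop.Qualifiers | Where-Object { $_.Name -eq 'ValueMap' }
        if (-not $valueMap) { continue }    # free-form property, nothing to compare against

        # @() covers both scalar and array-valued properties; $null yields no items.
        foreach ($item in @($Settings.($prop.Name))) {
            if ($null -eq $item) { continue }
            # -notcontains compares case-insensitively.
            if (@($valueMap.Value) -notcontains [string]$item) {
                [pscustomobject]@{
                    Property = $prop.Name
                    Found    = [string]$item
                    Allowed  = @($valueMap.Value) -join ', '
                }
            }
        }
    }
}

# Audit the live LCM settings on this node.
$lcm      = Get-DscLocalConfigurationManager
$findings = @(Test-MetaConfigValue -Settings $lcm -CimClass $class)

if ($findings.Count -gt 0) {
    $findings | Format-Table -AutoSize
    Write-Warning "$($findings.Count) meta configuration value(s) fall outside the schema; MetaConfig.mof may have been edited by hand."
} else {
    'All enumerated meta configuration properties hold allowed values.'
}
```

A finding on ConfigurationMode after the reproduction steps above indicates that MetaConfig.mof was changed outside Set-DscLocalConfigurationManager.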
