I used to do privilege isolation on my system. I have different standard user accounts which can be used to complete different tasks. I was not able to access a web browser using one of the accounts. In fact, there was no profile into connection device for all the user accounts.
Suppose I am working in one of the user accounts and I have saved a PowerShell script into the user profile. This particular script should have security stores and a restricted standard user account. I am using the credentials of those accounts, which should be used to initiate DNSCrypt for the rest of the user accounts. By default AppLocker should block it, as there will not be any matching hashes. But it would work because of a backdoor in PowerShell.
Code:
$username = ""
$password = ""
$credentials = New-Object System.Management.Automation.PSCredential -ArgumentList @($username,(ConvertTo-SecureString -String $password -AsPlainText -Force))
Start-Process DVDMaker -WorkingDirectory "C:\Program Files\DVD Maker" -Credential ($credentials)
Credentials should be stored in a file, which should be created in another script. Now consider that the credentials are secured.
You are using a user account which does not have access to the Internet. However, you will be able to point to the other user account by means of PowerShell. So possibly the user will be able to get access to the Internet and permission to use the web browser.
Code:
Start-Process browser -WorkingDirectory "C:\Program Files\browser folder" -Credential ($credentials)
Now you should save the script, launch PowerShell and execute the following.
Code:
get-content .\script.ps1 | powershell.exe -noprofile -
Now you should open the web browser using the credentials of the other user. This particular user account will be able to get access to the Internet as well as download. This is because there will not be any desktop privilege isolation; if there is desktop isolation, you have to schedule the task.
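An added example, not part of the original post: a detection check for the invocation shown above, where powershell.exe receives its script on standard input through a standalone trailing dash instead of a script file. The function name `Test-PowerShellStdinInvocation` and the sample command lines are constructed for illustration; real input would be the command-line field of process-creation events (for example Security event 4688 with command-line auditing enabled).

```powershell
# Added example. Flags PowerShell process command lines that read the
# script from stdin (a standalone "-" argument), as in
#   get-content .\script.ps1 | powershell.exe -noprofile -
function Test-PowerShellStdinInvocation {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$CommandLine
    )
    process {
        # Tokenize, keeping double-quoted strings together.
        $tokens = @([regex]::Matches($CommandLine, '"[^"]*"|\S+') |
            ForEach-Object { $_.Value.Trim('"') })
        if ($tokens.Count -eq 0) { return }

        # Only look at PowerShell hosts (bare name or full path).
        if ($tokens[0] -notmatch '(^|\\)(powershell|pwsh)(\.exe)?$') { return }

        # A standalone dash argument. The en dash, em dash and horizontal
        # bar are matched too, since the command is often pasted with a
        # typographic dash.
        $dash = '^[-\u2013\u2014\u2015]$'
        $rest = @($tokens | Select-Object -Skip 1)
        $hits = @($rest | Where-Object { $_ -match $dash })

        [pscustomobject]@{
            ReadsStdin  = ($hits.Count -gt 0)
            CommandLine = $CommandLine
        }
    }
}

# Constructed sample command lines (not taken from a real system).
$samples = @(
    '"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -'
    "powershell.exe -NoProfile $([char]0x2013)"
    'powershell.exe -NoProfile -File C:\Scripts\backup.ps1'
    'C:\Windows\System32\cmd.exe /c dir'
)

$samples | Test-PowerShellStdinInvocation |
    Where-Object ReadsStdin |
    Format-Table -AutoSize -Wrap
```

Only the first two samples are reported; the `-File` invocation is a PowerShell host but has no standalone dash, and the cmd.exe line is skipped entirely.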