Using Ansible w/ Windows with strict security


bigb...@gmail.com

Nov 11, 2016, 11:14:22 AM11/11/16
to Ansible Project, chris....@rocketmail.com
Our environment is under some pretty strict security requirements and it's causing lots of issues. First, we don't have an active directory set up (all local accounts, I know it's stupid but I'm just the idiot trying to clean it up). Then, we have this LocalAccountTokenFilterPolicy registry setting set to 1 so every time I try to run something I get permission errors as it lowers permissions. 

I am allowed to temporarily disable the LocalAccountTokenFilterPolicy to do what I need to do, but need a mechanism to do that. I'm able to use win_command to switch it from 1 to 0 but can't switch it from 0 to 1.

Is there any way to get in with WinRM through ansible then run a command as an elevated user? 

Thanks!

J Hawkesworth

Nov 14, 2016, 5:29:43 AM11/14/16
to Ansible Project, chris....@rocketmail.com
I'm guessing that applying the LocalAccountTokenFilterPolicy kicks your ansible connection out before it can respond.

Since you are on 2.2 you should be able to use async, which might let you switch from 0 to 1.

There isn't a way to become another user yet on windows but it is slated for 2.3 - see https://github.com/ansible/ansible/blob/devel/docsite/rst/roadmap/ROADMAP_2_3.rst

Hope this helps,

Jon

Matt Davis

Nov 14, 2016, 11:31:41 AM11/14/16
to Ansible Project, chris....@rocketmail.com
I'm actually curious how you got LocalAccountTokenFilterPolicy to cause restriction under WinRM- I've tried many combos of 2008R2/2012R2/2016 under full UAC prompt requirements, domain-joined/not, various users, etc, to no avail- I can't get it to restrict the admin group for a local user in a WinRM session. I'm actually running into UAC issues under the become prototypes (since we're now using interactive logons instead of batch), but I can't get that particular one to break.

bigb...@gmail.com

Nov 14, 2016, 11:50:16 AM11/14/16
to Ansible Project, chris....@rocketmail.com
I ended up giving the user explicit access to the registry key and all playbooks begin with flipping the value, doing the work, then flipping it back. We are working on a domain solution so the local accounts won't be an issue one day...

We're using a DoD STIG image for our windows servers which has a number of other security settings. I've added a screenshot of our registry that you may be able to mimic to get it to break. We're on 2012 for this particular server. Path is: HKLM\Software\Microsoft\Windows\CurrentVersion\policies\system.

If you're using AWS I can probably share an AMI that has the issue with your account.  
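A playbook laid out the way the last post describes (flip the value, do the work, flip it back), written as an added example rather than code from this thread. It uses a block/always so the STIG value is restored even when the work fails, and checks the result afterwards; it assumes the ansible.windows collection modules win_regedit, win_reg_stat and win_command, an inventory group named stig_servers, and the registry path given above.

```yaml
# Added example (not from the thread): relax LocalAccountTokenFilterPolicy only
# for the duration of the work and put the enforced value back even on failure.
# Assumes the ansible.windows collection and a WinRM inventory group named
# "stig_servers"; the registry path is the one quoted in the thread.
- name: Do work with LocalAccountTokenFilterPolicy temporarily relaxed
  hosts: stig_servers
  gather_facts: false
  vars:
    policy_path: 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
    policy_name: LocalAccountTokenFilterPolicy
    enforced_value: 1   # value the STIG image ships with, per the thread
    working_value: 0    # value the poster switches to while the playbook runs
  tasks:
    - name: Record the current value so exactly that value is restored later
      ansible.windows.win_reg_stat:
        path: "{{ policy_path }}"
        name: "{{ policy_name }}"
      register: policy_before

    - name: Relax the policy, do the work, always restore it
      block:
        - name: Set the working value
          ansible.windows.win_regedit:
            path: "{{ policy_path }}"
            name: "{{ policy_name }}"
            data: "{{ working_value }}"
            type: dword

        - name: The actual work goes here (shows whether the token is filtered)
          ansible.windows.win_command: whoami /groups
          register: work_result
      always:
        - name: Restore the enforced value (runs even if the work failed)
          # If restoring drops the WinRM session, as Jon suggests it might,
          # this task is the one to run with async/poll.
          ansible.windows.win_regedit:
            path: "{{ policy_path }}"
            name: "{{ policy_name }}"
            data: "{{ policy_before.value | default(enforced_value) }}"
            type: dword

        - name: Confirm the value is back before the play is considered done
          ansible.windows.win_reg_stat:
            path: "{{ policy_path }}"
            name: "{{ policy_name }}"
          register: policy_after
          failed_when: policy_after.value != (policy_before.value | default(enforced_value))
```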
