Hey Ian, thanks for the question. The setup script is called within the SYSTEM context so there should not be a permission issue. One possible configuration that could look like a permission issue is if you do not change the execution policy for the startup script. The execution policy is set on the App block in the 'Setup executable arguments' parameter. An example App block would be the following:
Setup script executable: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
Setup executable arguments: -ExecutionPolicy Bypass -file C:\AppStream\AppBlocks\APPBLOCKName\mountScript.ps1
Once the App block can successfully mount the VHD, your Application settings will be able to open the application within the VHD.
For the security issue, keep in mind that everything a user does within an Elastic fleets session is operating in the context of the PhotonUser. This user account does not have rights to do anything intrusive, therefore when you open Task Manager, PowerShell, or anything else, you will not be able to perform intrusive actions on the machine. If a use case requires things like Task Manager to be disabled, you could try adding the commands to disable it within the startup script, since SYSTEM will have the rights to change the setting/reg key.
Thanks for that - the parameter -ExecutionPolicy solved my problems - it would be worth adding this to the documentation as an example execution policy. Also, I followed your suggestion for disabling Task Manager - I added:
param ($DebugMode = 'N')
# Pass "-DebugMode Y" in the App block's setup executable arguments to keep Task Manager available while debugging.
# -Force makes the write idempotent if the DisableTaskMgr value already exists on the instance.
if ($DebugMode -ne 'Y') { New-ItemProperty -Name DisableTaskMgr -PropertyType DWord -Value 1 -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Force | Out-Null }
to the startup script which mounts the VHD. This way I can still allow task manager to run when I am debugging the application using a startup script parameter in the AppBlock definition.
I did find another issue with the S3 bucket policy. When I followed the instructions related to the security warning in the policy editor, i.e. to add a condition to check that aws:SourceAccount matches the current account, the S3 objects are not accessible. However, without this condition it all works okay.
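Putting the two posts above together (the SYSTEM-context startup script the App block launches, and the DebugMode switch for Task Manager), here is a complete mountScript.ps1 as an added example; it is not code from this thread or from AWS. It assumes the Windows Storage module cmdlets (Mount-DiskImage, Get-DiskImage, Get-Partition, Set-Partition), and the VHD path, the drive letter V: and the log path are assumed placeholders.

```powershell
# Added example of a mountScript.ps1 for an AppStream 2.0 Elastic fleet App block
# (not from the thread or AWS). Runs as SYSTEM; the VHD path, drive letter and log
# path below are assumed placeholders.
param (
    [string]$DebugMode   = 'N',   # "-DebugMode Y" in the App block keeps Task Manager usable
    [string]$VhdPath     = 'C:\AppStream\AppBlocks\APPBLOCKName\app.vhd',
    [char]  $DriveLetter = 'V',
    [string]$LogPath     = 'C:\AppStream\AppBlocks\APPBLOCKName\mountScript.log'
)

# There is no console under SYSTEM, so log to a file to diagnose mount failures.
function Write-Log([string]$Message) {
    "$(Get-Date -Format o) $Message" | Out-File -FilePath $LogPath -Append -Encoding utf8
}

try {
    Write-Log "Mounting $VhdPath (DebugMode=$DebugMode)"
    # Read-only mount: the PhotonUser session cannot modify the application image.
    Mount-DiskImage -ImagePath $VhdPath -Access ReadOnly -StorageType VHD | Out-Null
    $diskNumber = (Get-DiskImage -ImagePath $VhdPath).Number

    # Give the data partition (GPT 'Basic' or MBR 'IFS') the expected drive letter so
    # the launch path configured in the Application matches what was mounted.
    $partition = Get-Partition -DiskNumber $diskNumber |
        Where-Object { $_.Type -in @('Basic', 'IFS') } | Select-Object -First 1
    if ($null -eq $partition) { throw "no data partition found on disk $diskNumber" }
    if ($partition.DriveLetter -ne $DriveLetter) {
        $partition | Set-Partition -NewDriveLetter $DriveLetter
    }
    Write-Log "VHD mounted as ${DriveLetter}:"

    # Lock down Task Manager for session users unless debugging. -Force makes the
    # registry write idempotent if the value already exists.
    if ($DebugMode -ne 'Y') {
        $policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
        if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
        New-ItemProperty -Path $policyKey -Name DisableTaskMgr -PropertyType DWord -Value 1 -Force | Out-Null
        Write-Log 'DisableTaskMgr=1 applied'
    }
    exit 0
}
catch {
    Write-Log "ERROR: $_"
    exit 1   # non-zero exit so a failed setup is visible instead of silently ignored
}
```

The matching App block arguments would be `-ExecutionPolicy Bypass -file C:\AppStream\AppBlocks\APPBLOCKName\mountScript.ps1 -DebugMode N`, switching to `-DebugMode Y` only for the App block you use while debugging.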