Revoking the AppContainer loopback exemption that let Mail send traffic to the local machine
Preface
For the back story, see "Adding Gmail to the built-in Win10 Mail app".
I felt I shouldn't make a mess and walk away: to be safe, the permission that was handed to Mail's AppContainer should be taken back again.
Disclaimer: I am (non-CS major + undergraduate + newbie) x 1; please forgive any mistakes, and corrections are very welcome~
The summary first:
CheckNetIsolation.exe LoopbackExempt -d -p=<sid>
where <sid> is each of the two SIDs from the previous post (run the command once per SID, from an elevated command prompt). CheckNetIsolation.exe LoopbackExempt -s lists the AppContainers that are currently exempt, so you can confirm afterwards that both entries are gone.
Thanks to:
- https://zhuanlan.zhihu.com/p/29989157
- https://stackoverflow.com/questions/33259763/uwp-enable-local-network-loopback
- https://www.ibm.com/support/knowledgecenter/en/SSPH29_9.0.3/com.ibm.help.common.infocenter.aps/r_LoopbackForEdge.html
- https://www.processlibrary.com/en/directory/files/checknetisolation/3022/
How it works
You can skip everything below; it is just my own learning and exploration~~
First, a rough idea of what an App Container is.
App Container:
Network Isolation
Isolating the application from network resources beyond those specifically allocated, AppContainer prevents the application from ‘escaping’ its environment and maliciously exploiting network resources. Granular access can be granted for Internet access, Intranet access, and acting as a server.
Process Isolation
Sandboxing the application kernel objects, the AppContainer environment prevents the application from influencing, or being influenced by, other application processes. This prevents a properly contained application from corrupting other processes in the event of an exception.
CheckNetIsolation:
Looking at the command used earlier:
CheckNetIsolation.exe LoopbackExempt -a -p=S-1-15-2-2551677095-2355568638-4209445997-2436930744-3692183382-387691378-1866284433
This runs the tool
CheckNetIsolation.exe
followed by the subcommand
LoopbackExempt
"Exempt" means "to excuse from a rule", so the subcommand is about letting something through. The rule in question turns out to be AppContainer network isolation, which by default blocks a sandboxed app from connecting to the local machine (loopback), rather than an ordinary Windows Firewall rule.
Below is the official documentation. It sits under IoT Core, and although this post is not about a connection between two devices, seeing UWP (Universal Windows Platform) mentioned gave me a little confidence.
Enabling loopback for a UWP application
Before you can enable loopback for an application you will need the package family name. You can find the package family name for an installed application by running iotstartup list. If the iotstartup list entry for the application is IoTCoreDefaultApp_1w720vyc4ccym!App then the package family name is IoTCoreDefaultApp_1w720vyc4ccym
Hmm, that paragraph does not really apply here (iotstartup only exists on IoT Core; on desktop Windows the package family name comes from Get-AppxPackage in PowerShell), so let's keep reading.
To enable loopback for client connections use CheckNetIsolation.exe LoopbackExempt -a -n=<AppContainer or Package Family>. (Here -n takes the package family name; the -p form used in our commands takes the AppContainer SID instead, which is what we need to look up for the application.)
CheckNetIsolation.exe will configure loopback for the application and exit. This will enable the application to make outbound connections to a server. Example: CheckNetIsolation.exe LoopbackExempt -a -n=IoTCoreDefaultApp_1w720vyc4ccym
The parameters match the command we ran, so this is most likely what we are looking for; read on.
To enable a server application to receive inbound connections use CheckNetIsolation.exe LoopbackExempt -is -n=< AppContainer or Package Family >. Unlike outbound connection configuration, inbound connections require CheckNetIsolation.exe to run continuously while the server application is receiving connections. This requires an OS build newer than 10.0.14393.
Example: CheckNetIsolation.exe LoopbackExempt -is -n=IoTCoreDefaultApp_1w720vyc4ccym
The best way to run CheckNetIsolation.exe automatically on startup is to use schtasks.exe: schtasks /create /tn MyTask /f /sc onstart /ru system /tr "checknetisolation LoopbackExempt -is -n=IoTCoreDefaultApp_1w720vyc4ccym"
These two paragraphs cover inbound (server-side) exemptions, which Mail does not need for an outbound connection to a local proxy, so they can be skipped.
So far, then: we first need to find the SID (security identifier) of the AppContainer that the application runs in.
Finding the SID
Thanks to: https://www.freebuf.com/articles/system/59893.html
The commands run earlier in cmd:
CheckNetIsolation.exe LoopbackExempt -a -p=S-1-15-2-2551677095-2355568638-4209445997-2436930744-3692183382-387691378-1866284433
CheckNetIsolation.exe LoopbackExempt -a -p=S-1-15-2-2750798217-1343590035-1234819260-1030354384-3318145141-3720257911-3461195215
Parameter p:
S-1-15-2-2551677095-2355568638-4209445997-2436930744-3692183382-387691378-1866284433
is the AppContainer SID of the process HxOutlook.exe (the built-in Windows Mail app).
It can be found in Process Explorer >> HxOutlook.exe >> Properties >> Security, where it appears in the token's group list as the AppContainer SID; its DisplayName in the registry is communicationsapp.
Hmm...
Parameter p:
S-1-15-2-2750798217-1343590035-1234819260-1030354384-3318145141-3720257911-3461195215
is the AppContainer profile of the web authentication host (the broker that shows web sign-in pages such as the Gmail login). It is a separate sandbox with its own SID, which is why it needed its own exemption; it has nothing to do with administrator privileges, since an exemption only lifts the loopback block for that one AppContainer.
That's all.
References:
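The following PowerShell script is an added example, not code from the original post or from Microsoft. It ties the summary and the SID hunt together: it resolves each of the two SIDs to the DisplayName and Moniker that Windows recorded for that AppContainer (under the current user's AppContainer\Mappings registry key, so you can confirm which app a SID belongs to before touching it), lists the current exemptions with CheckNetIsolation.exe LoopbackExempt -s, revokes both with -d -p=<sid>, and then lists again to verify they are gone. It assumes the two SIDs below are the ones that were exempted and that the script is run from an elevated PowerShell prompt; the function names are my own.

```powershell
# Added example (not from the original post): revoke the loopback exemptions that
# were granted to Mail and the web authentication host, then verify the result.
# Run from an elevated PowerShell prompt; CheckNetIsolation.exe requires elevation.

# Assumption: Windows records every AppContainer it has created for this user here,
# with DisplayName and Moniker values under a subkey named after the SID.
$Mappings = 'HKCU:\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings'

# Assumption: these are the two SIDs that the previous post exempted.
$Sids = @(
    'S-1-15-2-2551677095-2355568638-4209445997-2436930744-3692183382-387691378-1866284433',
    'S-1-15-2-2750798217-1343590035-1234819260-1030354384-3318145141-3720257911-3461195215'
)

function Get-AppContainerInfo {
    # Resolve an AppContainer SID to the DisplayName/Moniker Windows stored for it.
    param([Parameter(Mandatory)][string]$Sid)
    $key = Join-Path $Mappings $Sid
    if (-not (Test-Path $key)) { return $null }
    $p = Get-ItemProperty -Path $key
    [pscustomobject]@{ Sid = $Sid; DisplayName = $p.DisplayName; Moniker = $p.Moniker }
}

function Get-LoopbackExemptSids {
    # 'LoopbackExempt -s' prints one block per exempt app with a Name: and a SID: line;
    # extracting every S-1-15-2-... token is enough to get the list of exempt SIDs.
    $out = & CheckNetIsolation.exe LoopbackExempt -s 2>&1 | Out-String
    [regex]::Matches($out, 'S-1-15-2(?:-\d+)+') | ForEach-Object { $_.Value } | Sort-Object -Unique
}

# 1. Confirm what each SID is before revoking anything.
foreach ($sid in $Sids) {
    $info = Get-AppContainerInfo -Sid $sid
    if ($info) { "$sid -> $($info.DisplayName) ($($info.Moniker))" }
    else       { "$sid -> not found under Mappings (unknown AppContainer)" }
}

# 2. Show the exemption list as it stands.
"Exempt before:"
Get-LoopbackExemptSids

# 3. Revoke the exemption for each SID (same as the summary command, once per SID).
foreach ($sid in $Sids) {
    & CheckNetIsolation.exe LoopbackExempt -d "-p=$sid" | Out-Null
}

# 4. Verify: none of our SIDs should remain in the list.
$after = Get-LoopbackExemptSids
"Exempt after:"
$after
$left = $Sids | Where-Object { $after -contains $_ }
if ($left) { Write-Warning "Still exempt: $($left -join ', ')" }
else       { "Both SIDs revoked; Mail and the web auth host can no longer reach loopback." }
```

If you would rather work with package family names than raw SIDs, (Get-AppxPackage -Name microsoft.windowscommunicationsapps).PackageFamilyName gives the Mail app's family name, which can be passed to CheckNetIsolation.exe with -n= instead of -p=.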
https://docs.microsoft.com/en-us/windows/desktop/SecAuthZ/appcontainer-isolation
https://docs.microsoft.com/en-us/windows/iot-core/develop-your-app/loopback
https://docs.microsoft.com/zh-cn/previous-versions/windows/jj856910(v=win.10)