
We want to use VMSS instances as our Azure Devops Agent pool. The agentpool deploys the TeamServicesAgent Virtual machine extension to the instances deployed. This extension calls the script: https://vstsagenttools.blob.core.windows.net/tools/ElasticPools/Windows/17/enableagent.ps1

In this script the user azdevops is created and added to the Administrators group. We do not find this very secure and we would like to apply a least privilege scenario on this user.

Is there an official way or good alternative to get here? I have created a workaround where we host this script ourselves in a storage account and then skip the Add to Administrators part, then give the user SeBatchLogonRight. This works but I would like a more robust way to get there.

Also there seems to be no documentation on the TeamServicesAgent Extension. Which parameters are allowed etc.

Do you have suggestions for me?

Thanks all in advance for thinking with me,

Nathan
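The workaround described in the question (create azdevops as a standard local user, skip the Administrators step, grant only SeBatchLogonRight), written out as an added example; this is not the original poster's script and not Microsoft's enableagent.ps1. The variable names, the password prompt and the secedit-based approach are assumptions, and the script must run elevated on the VMSS instance.

```powershell
#Requires -RunAsAdministrator
# Hardened replacement for the "add azdevops to Administrators" step: standard local user
# plus only the "Log on as a batch job" right. $AgentUser and the password prompt are assumptions.
$AgentUser = 'azdevops'
# Placeholder secret: generate one at deploy time; never hard-code it in a hosted script.
$Password  = Read-Host -AsSecureString -Prompt "Password for $AgentUser"

if (-not (Get-LocalUser -Name $AgentUser -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $AgentUser -Password $Password -PasswordNeverExpires -AccountNeverExpires | Out-Null
}
# The original extension script does this here, which is what the question objects to:
#   Add-LocalGroupMember -Group 'Administrators' -Member $AgentUser
# Instead, make sure the account is not a local administrator at all.
if (Get-LocalGroupMember -Group 'Administrators' -Member $AgentUser -ErrorAction SilentlyContinue) {
    Remove-LocalGroupMember -Group 'Administrators' -Member $AgentUser
}

# secedit /configure replaces the whole assignment list of a right, so export the current
# SeBatchLogonRight holders first and append the agent SID rather than overwriting them.
$sid  = (Get-LocalUser -Name $AgentUser).SID.Value
$work = Join-Path $env:TEMP ("seright-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $work | Out-Null
secedit /export /cfg "$work\current.inf" /areas USER_RIGHTS | Out-Null

$line    = Get-Content "$work\current.inf" | Where-Object { $_ -match '^SeBatchLogonRight\s*=' }
$members = @(($line -replace '^SeBatchLogonRight\s*=\s*', '') -split ',' | Where-Object { $_ })
if ($members -notcontains "*$sid") { $members += "*$sid" }

$inf = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeBatchLogonRight = {0}
'@ -f ($members -join ',')
Set-Content -Path "$work\batch.inf" -Value $inf -Encoding Unicode
secedit /configure /db "$work\batch.sdb" /cfg "$work\batch.inf" /areas USER_RIGHTS | Out-Null

# Verify the result: right granted, and still no Administrators membership.
secedit /export /cfg "$work\verify.inf" /areas USER_RIGHTS | Out-Null
$granted = $null -ne (Get-Content "$work\verify.inf" | Select-String "^SeBatchLogonRight.*\*$sid")
$isAdmin = $null -ne (Get-LocalGroupMember -Group 'Administrators' -Member $AgentUser -ErrorAction SilentlyContinue)
Remove-Item -Recurse -Force $work
"SeBatchLogonRight granted: $granted; local admin: $isAdmin"
```

The agent still needs whatever file-system rights its work folder requires; those are granted with ACLs on that folder, not with group membership.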

1 Answer


I looked at the script. I'm quite surprised it is adding the user to the administrators group, instead of correctly adding the necessary permissions and log on as a batch right to a standard user - like you have rightly done. It's sloppy, and it's not secure.

I trawled the net and couldn't find anything more robust. As for official, well this script is official. But it looks like some process has broken down here, because a security review should have picked that up...17 times.

I recommend you report this to Microsoft. You can do it here.

https://www.microsoft.com/en-us/msrc

The reason I'm deferring to you is that they have a bounty program. I'm not sure this would qualify for a bounty, but you discovered it, and have probably implemented the solution already in your adapted script. So you deserve the credit, of course.

And so, I guess the answer is...MS need to update that script.

  • Thanks for replying and confirming my observation. I reported the issue, maybe they will act on it. For now I will stick with the workaround for lack of anything better. Commented Apr 22, 2024 at 6:11
