PowerShell is an extremely powerful tool that can do incredible things in IT Infrastructure automation. It can also be misused for malicious purposes, which could lead to real damage to our environment. PowerShell security helps to minimize such risks, mainly through code signing and execution policy.
PowerShell’s default configuration prevents scripts from being run by double-clicking. This is to protect your data. Scripts must be digitally signed by a certificate that is trusted on the client’s computer. Scripts downloaded with a web browser are blocked by default through a mark in their metadata, and a script will always run within the context of the user.
Here are some ways to make your PowerShell environment more secure and allow you to rest a little easier.
Why implement PowerShell Secured scripts
PowerShell Secured Scripts can be a feature you don’t use until you actually need it. Unsigned scripts are a common scenario in small organizations where IT infrastructure management is delegated to a few employees. It is important to know who is doing what.
In an enterprise environment, where the management of such infrastructure is delegated across different teams, it can be difficult to control who is running what on which systems. It can be even more difficult to ensure that the right people are running the correct scripts.
This opens the door to potential issues such as command hijacking, execution control, and identity and integrity.
Execution control refers to which scripts PowerShell is allowed to run, and it is governed by the execution policy. PowerShell has four types: Restricted, AllSigned, RemoteSigned, and Unrestricted.
Restricted refers to the most restrictive policy. It prohibits any type of script from being run — remote, local, or downloaded.
AllSigned requires that all scripts be digitally signed using certificates. Otherwise, the system will not allow them to run.
RemoteSigned allows scripts from remote UNC paths and downloaded scripts to run only if they have been digitally signed. Local scripts can still be run.
Unrestricted is what most companies will have, especially small ones where a single system administrator is the one who would need to implement a script execution strategy. All scripts are executed regardless of whether they have been digitally signed.
When it comes to running PowerShell scripts, code signing, identity, and integrity are all subsets of certificate usage. We can use certificates to authenticate scripts, distinguishing which scripts were developed, tested, and run by specific individuals from which scripts were downloaded from the internet. This allows us to determine which scripts are more privileged or less trusted.
To give an example, users can search for PowerShell scripts that automate Microsoft Office tasks or other Windows Client OS components. They have no way to make sure that the script isn’t malicious, doesn’t contain bad code, and does the job it was intended to do.
We can ensure that 99 percent of scripts in an enterprise are legitimate and not malicious by requiring that only signed scripts are run.
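The following is an added example, not part of the original article: a PowerShell audit that lists the execution policy at each scope and reports, for every script in a folder, its Authenticode signature status and whether it carries the browser download mark. The folder `$ScriptRoot`, the two sample scripts and the helper name `Get-ScriptTrustReport` are constructed for this illustration, and the RemoteSigned column is an approximation based on the zone mark only.

```powershell
# Added example: which scripts would AllSigned / RemoteSigned let through?
# $ScriptRoot and both sample scripts are constructed for this demo (NTFS only).
$ScriptRoot = Join-Path $env:TEMP 'ps-signing-audit-demo'
New-Item -ItemType Directory -Path $ScriptRoot -Force | Out-Null

# Constructed sample 1: a locally written, unsigned script.
Set-Content -Path (Join-Path $ScriptRoot 'local.ps1') -Value 'Get-Date'

# Constructed sample 2: unsigned script carrying the browser download mark
# (Zone.Identifier alternate data stream, ZoneId 3 = Internet).
$downloaded = Join-Path $ScriptRoot 'downloaded.ps1'
Set-Content -Path $downloaded -Value 'Get-Process'
Set-Content -Path $downloaded -Stream 'Zone.Identifier' -Value "[ZoneTransfer]`r`nZoneId=3"

function Get-ScriptTrustReport {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Path)

    Get-ChildItem -Path $Path -Filter '*.ps1' -File -Recurse | ForEach-Object {
        $file = $_
        $sig  = Get-AuthenticodeSignature -FilePath $file.FullName

        # Read the zone mark; no stream means the file is treated as local.
        $zoneLine = Get-Content -Path $file.FullName -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue |
            Select-String -Pattern '^ZoneId=(\d+)' | Select-Object -First 1
        $zone = if ($zoneLine) { [int]$zoneLine.Matches[0].Groups[1].Value } else { $null }
        $fromInternet = ($null -ne $zone) -and ($zone -ge 3)
        $validSig     = $sig.Status -eq 'Valid'

        [pscustomobject]@{
            Script           = $file.Name
            SignatureStatus  = $sig.Status      # Valid, NotSigned, HashMismatch, ...
            Signer           = $sig.SignerCertificate.Subject
            MarkedDownloaded = $fromInternet
            RunsAllSigned    = $validSig
            # Approximation: only the zone mark is checked, not UNC origin.
            RunsRemoteSigned = $validSig -or (-not $fromInternet)
        }
    }
}

# Policy at every scope; MachinePolicy and UserPolicy are set by Group Policy.
Get-ExecutionPolicy -List | Format-Table -AutoSize

# Per-script verdicts for the constructed samples.
Get-ScriptTrustReport -Path $ScriptRoot | Format-Table -AutoSize
```

Pointing `Get-ScriptTrustReport` at a real script share gives an inventory of what would stop running before a stricter policy is rolled out.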
How to Implement Security
We have two options: we can either use ADCS or purchase a code signing certificate from a certificate authority like VeriSign or GoDaddy.
If we use ADCS (Active Directory Certificate Services), then we will need to add code-signing templates and allow only certain users to request them. Once the authorization has been granted,