Windows PowerShell 1.0 Security
The objective of this chapter of Windows PowerShell 1.0 Essentials is to provide an overview of the security mechanisms provided with Windows PowerShell, including configuration of script execution policies and the signing of PowerShell scripts through the use of certificates.
Windows PowerShell Script Execution Policy
By default, the execution of scripts in the Windows PowerShell environment is disabled (although it is still possible to execute commands interactively at the PowerShell command prompt). This is controlled by the Windows PowerShell script execution policy setting. Attempting to run a script when in this restricted mode will result in the following error being displayed:
PS C:\Users\Administrator> ./t.ps1 File C:\Users\Administrator\t.ps1 cannot be loaded because the execution of scripts is disabled on this system. Please see "get-help about_signing" for more details. At line:1 char:7 + ./t.ps1 <<<<
In addition to restricted mode, AllSigned, RemoteSigned and Unrestricted modes are also available, details of which are outlined in the following table:
Execution Policy |
Description |
---|---|
Restricted | The default policy on Windows PowerShell, this mode disables the execution of script files. Windows PowerShell may only be used by manually issuing commands at the command prompt. |
AllSigned | Limits execution to scripts which are authenticode signed. When a signed script is executed, PowerShell will prompt for confirmation that the signer of the script can trusted. |
RemoteSigned | Requires that any scripts that have been downloaded from a remote location must be signed before they may are permitted to execute. |
Unrestricted | Allows any script to be executed, regardless of origin or whether it is signed. |
In general, use of the Unrestricted execution policy is not recommended. For most practical purposes, RemoteSigned mode is the recommended choice as it allows locally created scripts to execute but imposes a level of security for scripts downloaded from remote locations.
Identifying and Changing the Current Execution Policy
The current execution policy may be identified using the Get-ExecutionPolicy' cmdlet:
PS C:\Users\Administrator> get-executionpolicy Restricted
In order to change the prevailing execution policy, the Set-ExecutionPolicy cmdlet is used in conjunction with the new execution policy setting. For example, to change to RemoteSigned, the following command should be executed:
PS C:\Users\Administrator> set-executionpolicy remotesigned
Signing Windows PowerShell Scripts
The signing of Windows PowerShell scripts serves two key purposes. The first, through the use of a digital certificate, is to provide a level of confidence that a script has been provided by a trusted author. Secondly, the signing process also ensures that any modifications made to a script after it was signed by the author are detected and execution of the script subsequently blocked.
Windows PowerShell scripts are signed using a signing certificate which are obtained from a certificate authority (CA). Alternatively, a self-signed certificate may be generated by creating a local certificate authority. Whilst a self-signed certificates are useful for running scripts on a local system, they are not trusted by other systems. The certificate may be further protected by using private key encryption. More details on certificates and Public Key Infrastructure may be found in the Techotopia Security+ Essentials online book in the chapter entitled An Overview of Public Key Infrastructures (PKI).
In the remainder of this chapter, we will create a local certificate authority, generate a signing certificate and apply that certificate to a script. Having done that, we will then enable private key encryption on that certificate to prevent it from falling into the wrong hands. If you already have a certificate issued by a certificate authority you may, of course, skip the self-signing sections of this chapter and proceed to the script signing section.
Setting up a Local Certificate Authority
A local certificate authority is created using the makecert.exe tool which is available as part of the Windows Platform SDK which may, in turn, be downloaded from the Microsoft web site. Once installed, the certificate authority is created as follows: