In this chapter we are going over security in Windows PowerShell. Here we learn about the default security settings, how to manage PowerShell with them, and the ramifications of what PowerShell can do.
First and foremost, Don points out that security was of the utmost importance in the design of PowerShell. This was well thought out and implemented within PowerShell. In essence, if you can't change a setting with the GUI then PowerShell will not let you change it either. Now, as with anything, there are ways around this, but as the age-old adage says, "It keeps honest people honest".
By default PowerShell does not allow the execution of script files. That's right, a scripting environment that will not let you run scripts by default. You can type standard commands in the console without issue, however. This is controlled by the Execution Policy. If you try to run a script, you will see an error message stating "The execution of scripts is disabled on this system", and in order to change the Execution Policy you must be an administrator on that machine. To change the execution policy PowerShell provides a cmdlet whose name is as easy to guess as most of the others, Set-ExecutionPolicy, and there are five different Execution Policy settings it can be set to. These are listed below.
Restricted - This disallows running any script on that system. Keep in mind this does not mean that you cannot collect data from that machine with PowerShell; it only means that scripts cannot run in the shell on that machine.
AllSigned - This setting allows only scripts that are digitally signed by a trusted Certification Authority to run.
RemoteSigned - This setting allows any local script to run on the machine, but, as in the previous setting, any remote script must carry a signature from a trusted CA to run. This is the Microsoft-recommended security level, allowing the most functionality with the fewest restrictions.
Unrestricted - This is actually the least restrictive setting and allows both local and remote scripts to run on the host.
Bypass - The last setting is primarily used by programmers as a way to integrate PowerShell within their applications. It bypasses the execution policy entirely.
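To see the execution policy in practice, here is a short walkthrough I put together (it is my own example, not code from Don's book). It lists the policy at every scope, loosens it to RemoteSigned for the current user only, runs a throwaway script, and reverts. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows; the script name and temp path are constructed for the demo. Note that the CurrentUser scope writes to HKCU and does not need an elevated shell, while LocalMachine writes to HKLM and does; if Group Policy has set MachinePolicy or UserPolicy, those win and the cmdlet will tell you so.

```powershell
# Added example, not from the book or this post. Assumes Windows PowerShell 5.1+
# on Windows. Paths and script contents below are constructed for the demo.

# 1. Policy at each scope. The first scope that is not Undefined, reading top
#    to bottom, is the one in effect. MachinePolicy/UserPolicy come from Group Policy.
Get-ExecutionPolicy -List | Format-Table -AutoSize
"Effective policy: $(Get-ExecutionPolicy)"

# 2. Loosen only for this user. RemoteSigned still requires a valid signature
#    on scripts that carry the "downloaded from the Internet" mark.
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser -Force

# 3. Write a throwaway script (constructed content) into the temp folder.
$scriptPath = Join-Path $env:TEMP 'Get_Services.ps1'
@'
Get-Service | Where-Object Status -eq 'Running' | Select-Object -First 5 Name, Status
'@ | Set-Content -Path $scriptPath -Encoding ASCII

Push-Location $env:TEMP
try {
    # 4a. A bare script name is never resolved against the current directory.
    try {
        Get_Services.ps1
    }
    catch [System.Management.Automation.CommandNotFoundException] {
        "Bare name rejected: $($_.Exception.Message)"
    }

    # 4b. The .\ prefix (or a full path) is what tells PowerShell to run the file.
    & '.\Get_Services.ps1'
}
finally {
    Pop-Location
}

# 5. Revert the user-scope change so the demo does not leave the policy loosened.
Set-ExecutionPolicy -ExecutionPolicy Undefined -Scope CurrentUser -Force
Remove-Item -Path $scriptPath -ErrorAction SilentlyContinue
```

Run it from a non-elevated console to see that the CurrentUser change succeeds without admin rights; the effective policy after step 2 will still read as whatever a Group Policy scope dictates if one is set.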
Don mentions two other security measures that are implemented by default within PowerShell. The first is file association. This is not so much a security restriction, in my mind, as it is just general good practice. The default file association for the .PS1 file extension, which is a PowerShell script file, opens these files in Notepad or the default text editor. The second thing PowerShell does is not allow scripts to be launched from within the shell simply by typing the script's name. For instance, if you had a script file named Get_Services.PS1 in the root of your C: drive, you could not run it simply by going to the root of C: and typing Get_Services.PS1. To run a script from the console you have to preface the filename or path with .\ (dot backslash).
That's the basics, and there is plenty more to cover on this topic, including Active Directory Group Policy settings and ways to create your own certs or use locally assigned ones.
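Since AllSigned and RemoteSigned both come down to a signature check, here is an added example of my own (not from the book) showing what that check looks like from the inside: create a self-signed code-signing certificate, sign a script, verify it, tamper with it, and then look at the Zone.Identifier stream that makes a file "remote" in RemoteSigned's eyes. It assumes Windows PowerShell 5.1 or later on Windows (New-SelfSignedCertificate comes from the PKI module); the certificate subject, script path and script contents are constructed for the demo. A self-signed cert is not trusted by anyone, so the signature will not report Valid until the cert is placed in the Trusted Root and Trusted Publishers stores, which is exactly the gap the "locally assigned" certs topic will cover.

```powershell
# Added example, not from the book or this post. Assumes Windows PowerShell 5.1+
# on Windows with the PKI module. Subject name, paths and contents are constructed.

# 1. A code-signing certificate in the current user's personal store.
$cert = New-SelfSignedCertificate -Subject 'CN=Lab Script Signing (test only)' `
    -Type CodeSigningCert -CertStoreLocation Cert:\CurrentUser\My

# 2. A one-line script (constructed), then sign it. The signature is appended
#    to the file as a SIG block inside a comment.
$scriptPath = Join-Path $env:TEMP 'Signed_Demo.ps1'
"'hello from a signed script'" | Set-Content -Path $scriptPath -Encoding ASCII
$signed = Set-AuthenticodeSignature -FilePath $scriptPath -Certificate $cert
"After signing: status=$($signed.Status) message=$($signed.StatusMessage)"

# 3. Verify as the execution policy would. Status is Valid only when the signer's
#    chain is trusted; a self-signed cert outside Trusted Root/Trusted Publishers
#    is reported as untrusted, and AllSigned would refuse (or prompt) for it.
$check = Get-AuthenticodeSignature -FilePath $scriptPath
"Verification: status=$($check.Status) signer=$($check.SignerCertificate.Subject)"

# 4. Tamper with the body and re-check: the hash stored in the signature block
#    no longer matches the file, so the status changes regardless of trust.
Add-Content -Path $scriptPath -Value "'an extra line added after signing'"
"After tampering: status=$((Get-AuthenticodeSignature -FilePath $scriptPath).Status)"

# 5. What makes a script "remote": a Zone.Identifier alternate data stream
#    (the Mark of the Web that browsers write on download). Simulate one,
#    read it back, then remove it the supported way with Unblock-File.
Set-Content -Path $scriptPath -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"
"Zone.Identifier stream:"
Get-Content -Path $scriptPath -Stream Zone.Identifier
Unblock-File -Path $scriptPath
"Streams remaining: $((Get-Item -Path $scriptPath -Stream * | Select-Object -ExpandProperty Stream) -join ', ')"

# 6. Clean up the demo cert and file.
Remove-Item -Path "Cert:\CurrentUser\My\$($cert.Thumbprint)"
Remove-Item -Path $scriptPath -ErrorAction SilentlyContinue
```

The useful takeaway for reviewing other people's scripts is step 3 and 4 together: Get-AuthenticodeSignature tells you both who signed a file and whether it has been modified since, and step 5 is why a script you wrote yourself can suddenly be "remote" after it round-trips through a browser or e-mail client.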