Microsoft has launched a strong scripting language that has replaced traditional VB Script that was being used to manage Windows Eco System. PowerShell, which gives the power to enhance your Windows Operating system, especially servers. Automation is creating a vast market place for PowerShell Script as more and more people using PowerShell to manage their Windows Based IT Infrastructure. PowerShell Gives you better manageability of your IT Infrastructure, and it is used to monitor Microsoft's software. Manage Microsoft's Software, and you can deploy the software with the help of the PowerShell script.
Though PowerShell was designed to use internally and more secure shell, there is an option in PowerShell that is used by the software developer to develop their software and sell it to the customers. When you are selling something, you have to make sure that it is trustworthy. PowerShell Scripts, which is used to manage critical IT Infrastructure needs to be trusted and make sure that your Script is not tampered by anyone else. Whether you are creating PowerShell Script to be used Internally or Externally, that needs to be signed so that it runs without any issue. PowerShell has a great feature to protect the system from running malicious scripts. "ExectutionPolicy” is the critical security option available in PowerShell that would not allow any malfunctioned script to run on your system. Though you may need to tweak these settings to manage your IT Infrastructure easier. You can set the “ExectutionPolicy" for a different scope. Following are the scope:
|MachinePolicy||Managed by Group Policy for all users in the computer|
|UserPolicy||Managed by Group Policy for Current user in the computer|
|Process||Only applicable to current PowerShell Session|
|CurrentUser||This affects the only current user in the computer|
|LocalMachine||This affects all users in the computer|
Following are the deferent settings of “ExectutionPolicy" and their impact on the system:
|AllSigned||All Script to be signed by the publisher using third party certificate even Script written locally. This is the best settings in production as it requires all Script to be signed, including configuration files.|
|ByPass||Nothing is restricted; there is no warnings or prompts. This can run malicious Script in the system.|
|Default||Default settings is “Restricted for Client” and “RemoteSigned" for Server. So there is no script run at the client, but Script can run at Server.|
|RemoteSigned||Needs Script to be signed using digital certificates. Does not require Digital certificate if Script developed locally|
|Restricted||Does not allow Script to be executed, and the user can use commands only.|
|Unrestricted||Unsigned Script can run, and there is chances that you might run malicious Script using these settings.|
|Undefined||If this setting is set to default Setting, "Restricted" would be applied.|
To Sign your PowerShell Script, you need a Code Signing Certificate. Once you purchase a Microsoft Authenticode Signing Certificate from here, you can use it to sign your PowerShell Script.
There is a default PowerShell command that you can use to sign your PowerShell Script. The command is Set-AuthenticodeSignature that you can use to Sign PowerShell Script.
Following is the command to Sign PowerShell Script when you stored the certificate is stored in Certificate Store:$cert=Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert Set-AuthenticodeSignature -FilePath PsTestInternet2.ps1 -Certificate $cert -Timestamp http://timestamp.comodoca.com?td=sha256.
Please make sure that your certificate has been install at the correct location. It should be at Cert:\CurrentUser\My location. The PFX or P12 file that you have needs to be installed at the above location. You can learn more about how to Install PFX or P12 in our next article.
Following is the command to Sign PowerShell Script when you have a certificate in PFX or P12 format:$cert = Get-PfxCertificate -FilePath C:\Test\Mysign.pfx Set-AuthenticodeSignature -FilePath ServerProps.ps1 -Certificate $cert -Timestamp http://timestamp.comodoca.com?td=sha256
This would prompt you for PFX or P12 file password that you have when you exported the certificate from the Firefox browser.
Whether you are creating PowerShell script form your internal use or you want to distribute PowerShell script over the internet. You should sign the certificate. It is always a good idea to sign the tools that you developed should be Signed, so the user trust it, and they use it more.