Yesterday, I had a great time with the CincyPowerShell user group discussing security and delegation in PowerShell with PKI, code-signing certificates, PowerShell Remoting and PowerShell Web Access ( new with Windows Server 2012! ).
In this article, I'm posting links to the PowerShell snippets we walked through for each topic ...
Lots of organizations are looking for ways to better control the secure execution of PowerShell scripts by permitting only scripts created by trusted script authors to run. If your organization has a Public Key Infrastructure ( PKI ) implemented, you can leverage it to enroll code-signing certificates and sign your PowerShell scripts. But what if you don't currently have a PKI implemented? Well, here are a couple of options that you can use to help jumpstart your efforts:
Once you've got your certificate strategy in place, you can download the PowerShell snippets below to sign your PowerShell scripts and update your PowerShell execution policy to "All Signed" so that only scripts signed by a Trusted Publisher will execute in your environment.
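The signing and execution-policy steps above, as an added walkthrough in PowerShell (this is not one of the downloadable snippets from the talk). It assumes a code-signing certificate is already enrolled in the current user's personal certificate store; the script path, folder and timestamp server URL are placeholders to replace for your environment.

```powershell
# Added example, not the author's snippet. Assumes a code-signing certificate is
# enrolled in Cert:\CurrentUser\My; paths and the timestamp URL are placeholders.
$ScriptPath   = 'C:\Scripts\Get-ServerHealth.ps1'      # placeholder script to sign
$ScriptFolder = 'C:\Scripts'                            # placeholder folder to audit
$TimestampUrl = 'http://timestamp.example.invalid'      # placeholder RFC 3161 timestamp server

# 1. Pick a code-signing certificate (-CodeSigningCert filters on the Code Signing EKU)
#    that has not yet expired, preferring the one that is valid the longest.
$cert = Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert |
        Where-Object { $_.NotAfter -gt (Get-Date) } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1
if (-not $cert) { throw 'No valid code-signing certificate found in Cert:\CurrentUser\My' }

# 2. Sign the script. The timestamp lets the signature stay valid after the
#    certificate itself expires; without it, expiry invalidates every signed script.
$sig = Set-AuthenticodeSignature -FilePath $ScriptPath -Certificate $cert -TimestampServer $TimestampUrl
if ($sig.Status -ne 'Valid') { throw "Signing failed: $($sig.Status) - $($sig.StatusMessage)" }

# 3. Verify the result. Status is Valid now; any later edit to the file
#    (even whitespace) changes it to HashMismatch and AllSigned blocks the script.
Get-AuthenticodeSignature -FilePath $ScriptPath |
    Format-List Status, StatusMessage, @{ n = 'Signer'; e = { $_.SignerCertificate.Subject } }

# 4. Optional: trust the publisher on this machine so AllSigned does not prompt
#    "Do you want to run software from this untrusted publisher?" on first run.
#    In production, push the public certificate to Trusted Publishers via Group Policy instead.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('TrustedPublisher', 'LocalMachine')
$store.Open('ReadWrite')
$store.Add($cert)
$store.Close()

# 5. Require signatures for every script on this machine (run elevated).
#    AllSigned also covers locally authored scripts, unlike RemoteSigned.
Set-ExecutionPolicy -ExecutionPolicy AllSigned -Scope LocalMachine -Force

# 6. Audit: list scripts in the folder that are not validly signed and would
#    therefore be blocked under AllSigned, so they can be reviewed and signed.
Get-ChildItem -Path $ScriptFolder -Filter *.ps1 -Recurse |
    ForEach-Object { Get-AuthenticodeSignature -FilePath $_.FullName } |
    Where-Object { $_.Status -ne 'Valid' } |
    Select-Object Path, Status
```

The audit step at the end is the part worth scheduling: AllSigned only helps if the signed set is kept current, and a script that shows HashMismatch after a "quick fix" is the usual reason someone asks for the policy to be relaxed.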
PowerShell Remoting and PowerShell Web Access are certainly cool capabilities for remote, multi-server automation via PowerShell, but we can also use these capabilities with custom PowerShell Session Configurations to securely delegate only specific PowerShell modules and cmdlets to users ( think Developers and Help Desk engineers ) for just the remote tasks they need to perform.
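A constrained session configuration of the kind described above, as an added example rather than one of the talk's snippets. The endpoint name, the cmdlet list, the server name and the Active Directory group are assumptions for a Help Desk role that only needs to look at and restart services; substitute your own.

```powershell
# Added example, not the author's snippet. Endpoint name, group, server and
# cmdlet list are placeholders for a Help Desk "restart a service" role.
$ConfigName    = 'HelpDeskServiceRestart'
$ConfigFile    = Join-Path $env:TEMP "$ConfigName.pssc"
$HelpDeskGroup = 'CONTOSO\HelpDesk'     # placeholder AD group that gets the endpoint

# 1. Describe the constrained session. RestrictedRemoteServer exposes only a few
#    proxy cmdlets by default; VisibleCmdlets adds exactly what this role needs.
#    ExecutionPolicy Restricted stops users from running script files through it.
New-PSSessionConfigurationFile -Path $ConfigFile `
    -SessionType RestrictedRemoteServer `
    -ExecutionPolicy Restricted `
    -ModulesToImport Microsoft.PowerShell.Management `
    -VisibleCmdlets 'Get-Service', 'Restart-Service', 'Get-EventLog'

# 2. Register the endpoint on the server (run elevated). -Force suppresses
#    the prompts, including the WinRM restart.
Register-PSSessionConfiguration -Name $ConfigName -Path $ConfigFile -Force

# 3. Grant the Help Desk group Execute (Invoke) rights on this endpoint only.
#    The SID is resolved up front so the SDDL does not depend on name lookups later;
#    Administrators keep full access (GA), the group gets execute (GX).
$sid  = (New-Object System.Security.Principal.NTAccount($HelpDeskGroup)).
            Translate([System.Security.Principal.SecurityIdentifier]).Value
$sddl = "O:NSG:BAD:P(A;;GA;;;BA)(A;;GX;;;$sid)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)"
Set-PSSessionConfiguration -Name $ConfigName -SecurityDescriptorSddl $sddl -Force

# 4. Confirm what was registered and who may connect.
Get-PSSessionConfiguration -Name $ConfigName | Format-List Name, PSVersion, Permission

# 5. From a workstation, a Help Desk user connects to this endpoint by name.
#    Cmdlets outside VisibleCmdlets (Stop-Computer, Remove-Item, ...) are not
#    present in the session at all, so there is nothing to misuse.
# Enter-PSSession -ComputerName SERVER01 -ConfigurationName $ConfigName
# Invoke-Command -ComputerName SERVER01 -ConfigurationName $ConfigName `
#     -ScriptBlock { Restart-Service -Name Spooler; Get-Service -Name Spooler }
```

Two things to check after registering: `Get-PSSessionConfiguration` without `-Name` still lists the default `microsoft.powershell` endpoint, which grants full sessions to local Administrators, so delegated users should not be members of that group on the server; and the same `-ConfigurationName` can be selected in PowerShell Web Access, so the constrained endpoint applies there as well.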
Got any tips that you use to secure PowerShell scripts in your environment? Feel free to share in the comments below!
Be sure to check out these additional resources:
Keith Mayer is a Principal Technical Architect at Microsoft, focused on helping ISV partners leverage the Azure cloud platform. Keith has over 20 years of experience as a technical leader of complex IT projects, in diverse roles, such as Network Engineer, IT Manager, Technical Instructor and Consultant. He has consulted and trained thousands of customers and partners worldwide on design of enterprise technology solutions.
Keith is currently certified on several Microsoft technologies, including Azure, Private Cloud, System Center, Hyper-V, Windows, Windows Server, SharePoint, SQL Server and Exchange. He also holds other industry certifications from VMware, IBM, Cisco, Citrix, HP, CheckPoint, CompTIA and Interwoven.
You can contact Keith online at http://aka.ms/AskKeith.