Over a million developers have joined DZone.

PowerShell Security and Delegation - PKI and PSRemoting

DZone's Guide to

PowerShell Security and Delegation - PKI and PSRemoting

· DevOps Zone
Free Resource

In response to accelerated release cycles, a new set of testing capabilities is now required to deliver quality at speed. This is why there is a shake-up in the testing tools landscape—and a new leader has emerged in the just released Gartner Magic Quadrant for Software Test Automation.

Yesterday, I had a great time with the CincyPowerShell user group discussing security and delegation in PowerShell with PKI, code-signing certificates, PowerShell Remoting and PowerShell Web Access (new with Windows Server 2012! ).

In this article, I'm posting links to the PowerShell snippets we walked through for each topic ...

PowerShell and PKI

Lots of organizations are looking for ways to better control the secure execution of PowerShell scripts by permitting only scripts created by trusted script authors to run.  If your organization has a Public Key Infrastructure ( PKI ) implemented, you can leverage it for enrolling code-signing certificates and sign your PowerShell scripts.  But, what if you don't currently have a PKI already implemented?  Well, here's a couple options that you can use to help jumpstart your efforts:

  1. You can use Windows Server 2012 Active Directory Certificate Services to set up a PKI in your environment pretty quickly.  Best practice is to setup a standalone root CA that you then use to sign one or more subordinate enterprise CA's to enroll and sign requested certificates.  Once your subordinate CA(s) are up and running, you can then power off your standalone root CA for safe, secure storage.
    DO IT: Download Windows Server 2012 and work through this Step-by-Step Guide to setup your PKI.
  2. If you don't control Active Directory in your shop, you can still can create your own self-signed CA and code-signing certs using the free makecert tool.  Your AD Admins will then need to help you publish the CA as a Trusted Root certificate and your code-signing certificate as a Trusted Publisher certificate using Group Policy.

Once you've got your certificate strategy in place, you can download the PowerShell snippets below to sign your PowerShell scripts and update your PowerShell execution policy to "All Signed" so that only scripts signed by a Trusted Publisher will execute in your environment.

PowerShell Remoting and PowerShell Web Access

PowerShell Remoting and PowerShell Web Access are certainly cool capabilities for remote, multi-server automation via PowerShell, but we can also use these capabilities with customer PowerShell Session Configurations to securely delegate only specific PowerShell modules and Cmdlets to users ( think Developers and Help Desk engineers ) for just the remote tasks they need to perform. 

How are you securing PowerShell?

Got any tips that you use to secure PowerShell scripts in your environment?  Feel free to share in the comments below!

Recently published 5th annual Software Fail Watch Report identified 606 recorded software fails impacting half of the world’s population (3.7 billion people), $1.7 trillion in assets, and 314 companies. Our advice: Rethink your testing strategies and approach to quality so they’re not finding it in your next release.


Published at DZone with permission of Keith Mayer, DZone MVB. See the original article here.

Opinions expressed by DZone contributors are their own.

{{ parent.title || parent.header.title}}

{{ parent.tldr }}

{{ parent.urlSource.name }}