Over a million developers have joined DZone.

PowerShell Security and Delegation - PKI and PSRemoting

· DevOps Zone

Discover how to optimize your DevOps workflows with our cloud-based automated testing infrastructure, brought to you in partnership with Sauce Labs

Yesterday, I had a great time with the CincyPowerShell user group discussing security and delegation in PowerShell with PKI, code-signing certificates, PowerShell Remoting and PowerShell Web Access (new with Windows Server 2012! ).

In this article, I'm posting links to the PowerShell snippets we walked through for each topic ...

PowerShell and PKI

Lots of organizations are looking for ways to better control the secure execution of PowerShell scripts by permitting only scripts created by trusted script authors to run.  If your organization has a Public Key Infrastructure ( PKI ) implemented, you can leverage it for enrolling code-signing certificates and sign your PowerShell scripts.  But, what if you don't currently have a PKI already implemented?  Well, here's a couple options that you can use to help jumpstart your efforts:

  1. You can use Windows Server 2012 Active Directory Certificate Services to set up a PKI in your environment pretty quickly.  Best practice is to setup a standalone root CA that you then use to sign one or more subordinate enterprise CA's to enroll and sign requested certificates.  Once your subordinate CA(s) are up and running, you can then power off your standalone root CA for safe, secure storage.
    DO IT: Download Windows Server 2012 and work through this Step-by-Step Guide to setup your PKI.
  2. If you don't control Active Directory in your shop, you can still can create your own self-signed CA and code-signing certs using the free makecert tool.  Your AD Admins will then need to help you publish the CA as a Trusted Root certificate and your code-signing certificate as a Trusted Publisher certificate using Group Policy.

Once you've got your certificate strategy in place, you can download the PowerShell snippets below to sign your PowerShell scripts and update your PowerShell execution policy to "All Signed" so that only scripts signed by a Trusted Publisher will execute in your environment.

PowerShell Remoting and PowerShell Web Access

PowerShell Remoting and PowerShell Web Access are certainly cool capabilities for remote, multi-server automation via PowerShell, but we can also use these capabilities with customer PowerShell Session Configurations to securely delegate only specific PowerShell modules and Cmdlets to users ( think Developers and Help Desk engineers ) for just the remote tasks they need to perform. 

How are you securing PowerShell?

Got any tips that you use to secure PowerShell scripts in your environment?  Feel free to share in the comments below!

Download “The DevOps Journey - From Waterfall to Continuous Delivery” to learn learn about the importance of integrating automated testing into the DevOps workflow, brought to you in partnership with Sauce Labs.


Published at DZone with permission of Keith Mayer, DZone MVB. See the original article here.

Opinions expressed by DZone contributors are their own.

The best of DZone straight to your inbox.

Please provide a valid email address.

Thanks for subscribing!

Awesome! Check your inbox to verify your email so you can start receiving the latest in tech news and resources.

{{ parent.title || parent.header.title}}

{{ parent.tldr }}

{{ parent.urlSource.name }}