PowerShell supports a concept called "execution policies" in order to help deliver a more secure command line administration experience. Execution policies define the restrictions under which PowerShell loads files for execution and configuration. The four execution policies are Restricted, AllSigned, RemoteSigned, and Unrestricted.

The Restricted execution policy does not permit any scripts to run. The AllSigned and RemoteSigned execution policies prevent PowerShell from running scripts that do not have a digital signature. This topic explains how to sign scripts for your own use.

You can sign a PowerShell script using a special type of certificate, a Code Signing certificate. This certificate can be obtained from an external commercial certification authority (CA), from an internal enterprise CA, or you can use a self-signed certificate.

  1. Connect to your Domain Controller as Domain Admin
  2. Install the ADCS role (a dedicated server for ADCS is recommended)
  3. ADCS role: Certification Authority (keep all defaults)
  4. Configure the Active Directory CA (default: enterprise CA)
  5. Open the Certificate Templates Microsoft Management Console (MMC) snap-in
  6. Right-click the Code Signing template -> Duplicate Template
  7. General -> increase the validity period; General -> change the display name; Request Handling -> allow the private key to be exported
  8. Open the Certification Authority Microsoft Management Console (MMC) snap-in
  9. Go to Certificate Templates -> New -> Certificate Template to Issue
  10. Choose the template you created
  11. Open the Certificates Microsoft Management Console (MMC) snap-in
  12. [Certificates - Current User] -> Personal -> All Tasks -> Request New Certificate
  13. Choose Code Signing (the template you created) -> Enroll

Distribute Certificates to Client Computers by Using Group Policy: you can use the following procedure to push the appropriate certificates (here the code-signing certificate, or equivalent certificates that chain to a trusted root, as is done for account federation servers, resource federation servers, and Web servers) to each client computer in the forest by using Group Policy.

  1. Connect to your Domain Controller as Domain Admin
  2. Open the Certificates Microsoft Management Console (MMC) snap-in
  3. [Certificates - Current User] -> Personal -> Certificates
  4. Double-click the certificate -> Details -> Copy to File...
  5. Export a *.cer file (public key only)
  6. Open Group Policy Management
  7. Create a new GPO
  8. Right-click the GPO, and then click Edit
  9. Open Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies, right-click Trusted Root Certification Authorities, and then click Import.
  10. On the File to Import page, type the path to the appropriate certificate file (for example, \\dc1\c$\signself.cer)

Move the PFX file to the machine you want to sign scripts with

  1. Connect to your Domain Controller as Domain Admin
  2. Open the Certificates Microsoft Management Console (MMC) snap-in
  3. [Certificates - Current User] -> Personal -> Certificates
  4. Double-click the certificate -> Details -> Copy to File...
  5. Export a *.pfx file (includes the private key)
  6. Move the PFX file to the machine you want to sign scripts with and import the PFX file there
  7. To test that the import worked, run this command in PowerShell: dir Cert:\CurrentUser\My -CodeSigningCert

Sign PowerShell script with the certificate

  1. Open PowerShell
  2. $cert = @(Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert)[0]
  3. Set-AuthenticodeSignature C:\scripts\ScriptYouWantSign.ps1 $cert
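The signing step above, as an added example that is not part of the original post: it picks a currently valid code-signing certificate, signs with a timestamp, verifies the result the way the execution policy will, and shows that editing the file after signing breaks the signature. The script path is the one from the post; the timestamp server URL is an assumption, substitute your own.

```powershell
# Added example (not from the original post). Assumed: the script path below
# exists and a code-signing certificate has been imported into Cert:\CurrentUser\My.
$scriptPath = 'C:\scripts\ScriptYouWantSign.ps1'

# Select a code-signing certificate that has not expired (the post takes [0] blindly).
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { $_.NotAfter -gt (Get-Date) } |
    Select-Object -First 1
if (-not $cert) { throw 'No valid code-signing certificate found in Cert:\CurrentUser\My' }

# Sign with SHA-256 and a timestamp, so the signature remains valid after the
# certificate itself expires. The timestamp server URL is an assumption.
$sig = Set-AuthenticodeSignature -FilePath $scriptPath -Certificate $cert `
    -HashAlgorithm SHA256 -TimestampServer 'http://timestamp.digicert.com'
if ($sig.Status -ne 'Valid') {
    throw "Signing failed: $($sig.Status) - $($sig.StatusMessage)"
}

# Verify as the AllSigned / RemoteSigned policies will: the chain must end at a
# trusted root on this machine and the hash must match the file as it is now.
# A valid signature from a publisher not in Trusted Publishers still prompts.
$check = Get-AuthenticodeSignature -FilePath $scriptPath
"{0}: {1} (signed by {2})" -f $scriptPath, $check.Status, $check.SignerCertificate.Subject

# Edge case: any change after signing invalidates the signature. Demonstrate on a
# copy so the signed original is untouched.
$copy = Join-Path $env:TEMP 'signed-copy.ps1'
Copy-Item -Path $scriptPath -Destination $copy -Force
Add-Content -Path $copy -Value '# edited after signing'
$edited = Get-AuthenticodeSignature -FilePath $copy
if ($edited.Status -ne 'HashMismatch') {
    throw "Expected HashMismatch on the edited copy, got $($edited.Status)"
}
"Edited copy status: $($edited.Status) - re-sign after every change."
Remove-Item -Path $copy -Force
```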
