To start your own learning check out Microsoft Virtual Academy:
(http://www.microsoftvirtualacademy.com/training-courses/getting-started-with-powershell-3-0-jump-start?o=3276#?fbid=aVs9FfAH2DJ)
(rewritten based on my notes available here: https://drive.google.com/file/d/0B1fwreWrAZioQ28xTmx0d29HUzQ/edit?usp=sharing)
Module 7: "Getting prepared for automation" consists of 2 video segments totaling ≈ 26 minutes along with a PowerPoint of 12 slides.
Overview
- Execution Policy
  - What is it
  - How to set it
- Signing scripts
  - Create
  - Load
  - Sign
  - Results
- Variables (http://cleeit.blogspot.com/2014/01/MVA-powershell-m07-part2.html)
  - Defining
  - Prompt for input (Read-Host)
- Output to screen (http://cleeit.blogspot.com/2014/01/MVA-powershell-m07-part3.html)
  - Write-Host
  - Write-Warning/Error/Debug
The execution policy is your safety net when it comes to PowerShell. Under a signing-based policy a script is allowed to run only if it is digitally signed and the signing certificate is trusted. This is different from VB scripts, which only required a signature. With all the power that you have in scripts, it is the execution policy that stands between you and malicious scripts. By default it is set to Restricted (on 2012R2 I believe it is now RemoteSigned). To see what level your execution policy is at, run the following:
Get-ExecutionPolicy
There are six levels of security: Restricted, Unrestricted, AllSigned, RemoteSigned, Bypass, and Undefined. For more details on the levels see the TechNet article: http://technet.microsoft.com/en-us/library/hh849812.aspx. A word of warning: avoid using Unrestricted and Bypass. For this module we focus on RemoteSigned and AllSigned. RemoteSigned is best for users starting out, as it allows locally created scripts to be run without being signed, whereas AllSigned requires all scripts to be signed.
The execution policy can be set through Group Policy (GPO) or on individual systems. For GPO instructions see this TechRepublic article: http://www.techrepublic.com/blog/the-enterprise-cloud/set-the-powershell-execution-policy-via-group-policy/. On an individual system you would run the following:
Set-ExecutionPolicy "[desired level]"
Example:
Set-ExecutionPolicy "remotesigned"
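The policy can be set at several scopes, and the one that takes effect is not always the one you just set. The following is an added example, not code from the course or from the original post: it lists the policy at every scope, shows which one is in effect, flags the two settings the post tells you to avoid, and then sets RemoteSigned for the current user only.

```powershell
# Added example (not from the MVA course or the original post): report the execution
# policy at every scope, show which one wins, and flag the settings to avoid.
function Get-ExecutionPolicyReport {
    # Get-ExecutionPolicy -List returns the scopes from highest to lowest precedence
    # (MachinePolicy, UserPolicy, Process, CurrentUser, LocalMachine); the first scope
    # that is not Undefined is the one that applies to this session.
    $policies  = Get-ExecutionPolicy -List
    $effective = Get-ExecutionPolicy

    foreach ($p in $policies) {
        $flag = ''
        if ($p.ExecutionPolicy -in 'Unrestricted', 'Bypass') { $flag = '  <-- avoid' }
        '{0,-14} {1}{2}' -f $p.Scope, $p.ExecutionPolicy, $flag
    }
    "Effective policy: $effective"
}

Get-ExecutionPolicyReport

# Set RemoteSigned for the current user only. This needs no admin rights and leaves the
# machine-wide (LocalMachine) setting alone; a GPO-set MachinePolicy or UserPolicy still
# overrides it, which the report above makes visible. -Force skips the confirmation prompt.
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser -Force

Get-ExecutionPolicyReport
```

Run it once before and once after changing a scope and compare the "Effective policy" line; if a Group Policy scope is set, the CurrentUser change will show in the list but not in the effective policy. Microsoft's own about_Execution_Policies help describes the policy as a safety feature against running scripts unintentionally rather than a security boundary, which is why the post's advice to combine it with signing matters.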
Signing Scripts
As you work on creating scripts and securing your network you will at some point move to AllSigned. This will require all scripts to be signed including the ones you create on a local system. The following will walk you through how to sign a script.
Create
To start you first need a self-signed certificate to use for signing.
New-SelfSignedCertificate (PowerShell v3 or higher; version 2 or systems other than Windows 8/2012 will use makecert. More details here: http://www.hanselman.com/blog/SigningPowerShellScripts.aspx)
Load
Now we need to find this self-signed certificate and load it for future use.
Get-PSDrive
Displays the drives available during the PowerShell session (including the Cert: drive used below).
Dir Cert:\CurrentUser -Recurse -CodeSigningCert -OutVariable a
Pulls all certificates created for the current user with code signing rights and assigns them to variable a.
$cert = $a[0]
Takes the first certificate from variable a and assigns it to variable cert.
Sign
Now that we have a certificate loaded into $cert we can sign our scripts using the following code:
Set-AuthenticodeSignature -Certificate $cert -FilePath [pathtoscript]
Example:
Set-AuthenticodeSignature -Certificate $cert -FilePath C:\_scripts\hello.ps1
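The Create, Load and Sign steps above, carried through end to end with a verification step at the end. This is an added example, not the course's or the post's own code. It assumes the script path from the post (C:\_scripts\hello.ps1) and a made-up certificate subject; the -Type CodeSigningCert parameter of New-SelfSignedCertificate exists on Windows 10 / Server 2016 and later, so on Windows 8 / 2012 create the certificate with makecert as the post notes and start at the Load step.

```powershell
# Added example (not the course's or the post's own code): create a self-signed code
# signing certificate, sign a script, and check the signature the way AllSigned will.
$ScriptPath = 'C:\_scripts\hello.ps1'            # path used in the post; adjust to your own
$Subject    = 'CN=PowerShell Lab Code Signing'    # assumed subject name for the test cert

# Create: self-signed code signing certificate in the current user's Personal store.
# -Type CodeSigningCert requires Windows 10 / Server 2016 or later.
$new = New-SelfSignedCertificate -Type CodeSigningCert -Subject $Subject `
           -CertStoreLocation Cert:\CurrentUser\My

# Load: find it the way the post does (-CodeSigningCert filter on the Cert: drive), but
# select by thumbprint instead of $a[0] so an older certificate is never picked by mistake.
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
            Where-Object Thumbprint -eq $new.Thumbprint

# Sign: append the Authenticode signature block to the script file.
$result = Set-AuthenticodeSignature -Certificate $cert -FilePath $ScriptPath
"Signing status: $($result.Status)"

# Verify: this is the check the execution policy performs before running the file.
function Test-ScriptSignature {
    param([string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path       = $Path
        Status     = $sig.Status              # Valid, NotSigned, HashMismatch, UnknownError ...
        Message    = $sig.StatusMessage
        Signer     = $sig.SignerCertificate.Subject
        Thumbprint = $sig.SignerCertificate.Thumbprint
    }
}

Test-ScriptSignature -Path $ScriptPath
```

Right after signing, Status is UnknownError with a message that the chain ends in an untrusted root: the certificate is self-signed and nothing trusts it yet. Placing it in Cert:\CurrentUser\Root (for the chain) and Cert:\CurrentUser\TrustedPublisher (for the publisher) is what turns that into Valid, and the "Always Run" choice in the next section is what adds it to TrustedPublisher. Any later edit to the script, even a changed comment, flips the Status to HashMismatch, which is the signal that a signed file was modified after signing.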
Results
Now that we have a signed script, set the execution policy to AllSigned. When you try to run the script you are prompted with these choices:
- Never Run
  - Does not run and adds the certificate to the blocked/untrusted list
- Do not run
  - Does not run and does nothing with the cert
- Run Once
  - Runs but does nothing with the cert
- Always Run
  - Runs and adds the certificate to the trusted/allowed list
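The "Never Run" and "Always Run" choices change certificate stores, and it is worth being able to see the result of that change rather than trusting the prompt. The following is an added example, not part of the original post or the course: given a signed script, it reads the signer's thumbprint and reports whether that certificate now sits in the current user's TrustedPublisher store (set by "Always Run") or Disallowed store (set by "Never Run").

```powershell
# Added example (not from the original post): after answering the AllSigned prompt, show
# where the signer's certificate ended up. "Always Run" adds it to TrustedPublisher,
# "Never Run" adds it to Disallowed; "Run Once" and "Do not run" touch neither store.
function Get-SignerTrustState {
    param([string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if (-not $sig.SignerCertificate) { return "Not signed: $Path" }
    $thumb = $sig.SignerCertificate.Thumbprint

    $trusted = Get-ChildItem Cert:\CurrentUser\TrustedPublisher |
                   Where-Object Thumbprint -eq $thumb
    $blocked = Get-ChildItem Cert:\CurrentUser\Disallowed |
                   Where-Object Thumbprint -eq $thumb

    [pscustomobject]@{
        Signer           = $sig.SignerCertificate.Subject
        Thumbprint       = $thumb
        TrustedPublisher = [bool]$trusted     # true after "Always Run"
        Disallowed       = [bool]$blocked     # true after "Never Run"
        SignatureStatus  = $sig.Status
    }
}

Get-SignerTrustState -Path 'C:\_scripts\hello.ps1'   # script path from the post
```

If you chose "Always Run" on a test certificate and later want to withdraw that trust, the entry to remove is the one with this thumbprint under Cert:\CurrentUser\TrustedPublisher; a certificate in Disallowed blocks everything signed with it, so check that store first when a script that used to run is suddenly refused.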
Part 2: http://cleeit.blogspot.com/2014/01/MVA-powershell-m07-part2.html
Part 3: http://cleeit.blogspot.com/2014/01/MVA-powershell-m07-part3.html