Written on 17. December 2023

Powershell Signing

In a Windows domain, allowing only signed PowerShell scripts to run is a simple and effective control against unauthorized code. With the growing number of scripts written in-house or generated by AI tools, it becomes increasingly important to have a mechanism that verifies who produced a script and that it has not been altered since. Signing your PowerShell scripts, and configuring a Group Policy so that only signed scripts run, provides exactly that. This step-by-step guide walks through creating a suitable certificate, signing a PowerShell script, verifying its signature, and setting up a Group Policy Object (GPO) that enforces signed-script execution across all clients and servers.

Generating a Suitable Certificate

Creating a self-signed certificate is the quickest way to get a code-signing certificate, and it is what this guide uses. For production, prefer a certificate from your internal CA (for example Active Directory Certificate Services) or a public CA: it chains to a root your machines already trust, so you do not have to push a self-signed certificate into every machine's Trusted Root store, and it can be revoked if the private key is compromised. A self-signed certificate cannot be revoked; the only remedy is to remove it from the GPO again.

Open PowerShell with administrative privileges and run:

# Self-signed code-signing certificate: -Type CodeSigningCert adds the Code Signing
# EKU, RSA-4096 with SHA-256 keeps the key strong, and the private key stays in the
# signing user's personal store. Only the public certificate is distributed later.
# A 30-year lifetime is generous; a shorter lifetime combined with timestamped
# signatures (Set-AuthenticodeSignature -TimestampServer) is the safer choice.
$cert = New-SelfSignedCertificate -Subject "CN=powershell.signing" `
    -Type CodeSigningCert `
    -KeyUsage DigitalSignature `
    -KeyAlgorithm RSA `
    -HashAlgorithm SHA256 `
    -KeyLength 4096 `
    -CertStoreLocation "Cert:\CurrentUser\My" `
    -NotAfter (Get-Date).AddYears(30)

Signing a PowerShell Script

Find and load the certificate you just created into a variable (in a new PowerShell session the $cert variable from the previous step no longer exists):

$cert = Get-ChildItem -Path cert:\CurrentUser\My\ | Where-Object { $_.Subject -like "*powershell.signing*" }

Signing the Script

Sign your PowerShell script with the command below. Set-AuthenticodeSignature appends the signature to the file as a "# SIG # Begin signature block" comment; any later change to the file, even whitespace, invalidates it, so re-sign after every edit. Adding -HashAlgorithm SHA256 and -TimestampServer with the URL of a timestamp service is recommended: the timestamp proves the signature was made while the certificate was valid, so it stays valid after the certificate expires.

Set-AuthenticodeSignature -FilePath "C:\temp\testScript.ps1" -Certificate $cert

Verifying the Signature

Use Get-AuthenticodeSignature to verify the script's signature and look at its Status property. Valid means the hash matches and the certificate chains to a trusted root; HashMismatch means the file was changed after signing; NotSigned means no signature block was found. On a machine that does not yet trust the self-signed certificate (including the signing workstation itself, until the certificate is imported into its Trusted Root store) the status is UnknownError with a message that the chain "terminated in a root certificate which is not trusted by the trust provider".

Get-AuthenticodeSignature -FilePath "C:\temp\testScript.ps1"
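The whole signing and verification round trip, including the tamper check that the Status values above describe, as an added example (this is not code from the original post). It assumes the "CN=powershell.signing" certificate from the previous section is in Cert:\CurrentUser\My; the script path and the timestamp service URL are example values. After the deliberate edit, Get-AuthenticodeSignature reports HashMismatch, and re-signing restores the signature.

```powershell
# Signing and verification walkthrough. Added example, not code from the original
# post. Assumes the "CN=powershell.signing" certificate created above is in
# Cert:\CurrentUser\My; the script path and the timestamp URL are example values.

$scriptPath = "C:\temp\testScript.ps1"

# -CodeSigningCert is a dynamic parameter of the Cert: provider that returns only
# certificates carrying the Code Signing EKU; if several match, take the newest.
$cert = Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { $_.Subject -eq "CN=powershell.signing" } |
    Sort-Object -Property NotAfter -Descending |
    Select-Object -First 1

if (-not $cert)               { throw "No code-signing certificate for CN=powershell.signing" }
if (-not $cert.HasPrivateKey) { throw "Certificate has no private key; cannot sign" }

# Constructed sample script so the example runs without any other input.
New-Item -ItemType Directory -Path (Split-Path $scriptPath) -Force | Out-Null
Set-Content -Path $scriptPath -Value 'Write-Output "hello from a signed script"' -Encoding UTF8

# SHA-256 signature with a trusted timestamp. The timestamp proves the signature
# was made while the certificate was valid, so the signature survives the
# certificate's expiry. Drop -TimestampServer on an offline signing host.
$sig = Set-AuthenticodeSignature -FilePath $scriptPath -Certificate $cert `
    -HashAlgorithm SHA256 -TimestampServer "http://timestamp.digicert.com"
"Signed:     {0} - {1}" -f $sig.Status, $sig.StatusMessage
# Status is Valid once this host trusts the certificate; until the certificate is
# in the local Trusted Root store it is UnknownError (untrusted root).

# Tamper check: prepend one line. The signature block (the '# SIG #' comment at
# the end of the file) no longer matches the content, so the status changes to
# HashMismatch and AllSigned refuses to run the file.
$original = Get-Content -Path $scriptPath -Raw
Set-Content -Path $scriptPath -Value ("# edited after signing`r`n" + $original) -NoNewline -Encoding UTF8
"After edit: {0}" -f (Get-AuthenticodeSignature -FilePath $scriptPath).Status

# Re-sign after every change; Set-AuthenticodeSignature replaces the old block.
$resigned = Set-AuthenticodeSignature -FilePath $scriptPath -Certificate $cert -HashAlgorithm SHA256
"Re-signed:  {0}" -f $resigned.Status
```

The Where-Object on the exact Subject, rather than the wildcard match used earlier, avoids picking up a different certificate whose subject merely contains the string; the HasPrivateKey check catches the common mistake of running this on a host that only received the public certificate.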

Creating a GPO for Only Allowing Signed Scripts

Creating and Editing a GPO

  • In the Group Policy Management Console, navigate to the OU containing the target computers (or users) and create a new GPO.
  • Right-click the new GPO and select “Edit.”

Configuring Script Execution Policy

  • Navigate to “User Configuration” > “Policies” > “Administrative Templates” > “Windows Components” > “Windows PowerShell.” The same setting also exists under “Computer Configuration”; use that one when the policy should cover every account on the machine, including service accounts and scheduled tasks, rather than only the users the GPO targets.
  • Enable “Turn on Script Execution” and set the execution policy to “Allow only signed scripts.” This sets AllSigned at the Group Policy scope, which takes precedence over the Process (-ExecutionPolicy), CurrentUser and LocalMachine scopes, so it cannot be overridden from the command line.

Importing the Certificate into ‘Trusted Publishers’

For domain members to trust scripts signed with the self-signed certificate, the certificate must be added to both the ‘Trusted Root Certification Authorities’ store (so that the chain, which for a self-signed certificate is just the certificate itself, terminates in a trusted root) and the ‘Trusted Publishers’ store (so that AllSigned runs the script without prompting the user). Be aware of what this means: every machine that receives the GPO will trust anything signed with this private key, and a self-signed certificate cannot be revoked, so protect the key (non-exportable, ideally on a hardware token) and remove the certificate from the GPO immediately if it is ever compromised.

Only the certificate without the private key is imported into these stores: export it with Export-Certificate as a DER-encoded .cer file, not with Export-PfxCertificate, which would include the key. This keeps the private key on the signing host while the public certificate is recognised as valid and trusted for script execution.

In the GPO editor, navigate to “Computer Configuration” > “Policies” > “Windows Settings” > “Security Settings” > “Public Key Policies.”

Importing Certificate into ‘Trusted Publishers’

  1. Right-click on “Trusted Publishers.”
  2. Select “Import” to open the Certificate Import Wizard.
  3. Follow the wizard to import the previously created self-signed certificate.
  4. Ensure that the certificate appears in the list of Trusted Publishers.

Importing Certificate into ‘Trusted Root Certification Authorities’

  1. Navigate back to “Public Key Policies.”
  2. Right-click on “Trusted Root Certification Authorities.”
  3. Select “Import” to initiate the Certificate Import Wizard again.
  4. Follow the wizard steps to import the same self-signed certificate.
  5. Confirm that the certificate is now listed under Trusted Root Certification Authorities.
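Two steps that the wizard procedure above leaves implicit, as an added example (not code from the original post): exporting the public certificate without its private key for the GPO import, and checking on a client that the execution policy and both certificate stores have actually been applied. Step 1 runs on the signing workstation, step 2 on any domain-joined client after gpupdate; paths are example values and the function name Test-SignedScriptPolicy is my own.

```powershell
# Export and client-side verification. Added example, not code from the original
# post. Step 1 runs on the signing workstation, step 2 on a domain-joined client
# after the GPO has applied. Paths are example values; the function name
# Test-SignedScriptPolicy is an assumption of this example.

# Step 1: export the public certificate only. Export-Certificate writes a DER .cer
# with no private key; Export-PfxCertificate would include the key and must not be
# used for the GPO import.
$cert = Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { $_.Subject -eq "CN=powershell.signing" } |
    Select-Object -First 1
$cerPath = "C:\temp\powershell.signing.cer"
Export-Certificate -Cert $cert -FilePath $cerPath -Type CERT | Out-Null
"Import {0} into Trusted Root and Trusted Publishers; thumbprint {1}" -f $cerPath, $cert.Thumbprint

# Step 2: on a client, after 'gpupdate /force', check that everything is in place.
function Test-SignedScriptPolicy {
    param(
        [Parameter(Mandatory)] [string] $Thumbprint,   # value printed in step 1
        [Parameter(Mandatory)] [string] $ScriptPath    # a script signed with that certificate
    )
    $r = [ordered]@{}

    # Execution policy per scope. The GPO scopes (MachinePolicy/UserPolicy) outrank
    # Process, CurrentUser and LocalMachine, so '-ExecutionPolicy Bypass' on the
    # command line cannot undo them. One of the two GPO scopes should read AllSigned.
    foreach ($p in Get-ExecutionPolicy -List) { $r["Policy_$($p.Scope)"] = $p.ExecutionPolicy }

    # Both stores are required: Root makes the self-signed chain trusted, TrustedPublisher
    # lets AllSigned run the script without the "untrusted publisher" prompt.
    # Certificates delivered by GPO are visible here through the Cert: provider.
    foreach ($store in 'Root', 'TrustedPublisher') {
        $r["Store_$store"] = Test-Path -Path "Cert:\LocalMachine\$store\$Thumbprint"
    }

    # Valid only when the chain is trusted and the file is unchanged since signing;
    # also confirm the signer is the expected certificate, not merely any trusted one.
    $sig = Get-AuthenticodeSignature -FilePath $ScriptPath
    $r.SignatureStatus  = $sig.Status
    $r.SignerThumbprint = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { $null }
    $r.SignedByExpected = ($r.SignerThumbprint -eq $Thumbprint)
    [pscustomobject]$r
}

# On the client, pass the thumbprint printed in step 1 instead of $cert.Thumbprint.
Test-SignedScriptPolicy -Thumbprint $cert.Thumbprint -ScriptPath "C:\temp\testScript.ps1"
```

If Store_Root or Store_TrustedPublisher comes back false on a client, the GPO has not applied (check gpresult /r and the OU link) rather than the signature being at fault; if both are true but SignatureStatus is HashMismatch, the script was modified after it was signed.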

Conclusion

By following these steps, you can significantly bolster the security of your Windows domain. Requiring signed PowerShell scripts ensures that only .ps1 files signed with a key you control will run, and that any modification after signing is detected. Keep in mind that Microsoft documents the execution policy as a safety feature rather than a security boundary: it does not stop an interactive user from typing or pasting commands into a session, so it belongs alongside, not instead of, other controls. Maintaining a secure environment is an ongoing process: re-sign scripts after every change, track the certificate's expiry, and review who has access to the signing key.
