In the realm of Windows domain security, ensuring the execution of only signed PowerShell scripts is a crucial aspect of maintaining a robust defense against unauthorized code. With the proliferation of scripts either written in-house or generated by AI tools, it’s increasingly important to have a mechanism that verifies the authenticity and integrity of these scripts. Signing your PowerShell scripts, and configuring a Group Policy to allow only signed scripts to run, plays a vital role in safeguarding your IT environment. In this step-by-step guide, we will walk through the process of creating a suitable certificate, signing a PowerShell script, verifying its signature, and setting up a Group Policy Object (GPO) to enforce the execution of only signed scripts across all clients and servers.
Open PowerShell with administrative privileges and run:
$cert = New-SelfSignedCertificate -Subject "CN=powershell.signing" `
    -Type CodeSigningCert `
    -KeyUsage DigitalSignature `
    -KeyAlgorithm RSA `
    -HashAlgorithm SHA256 `
    -KeyLength 4096 `
    -CertStoreLocation "Cert:\CurrentUser\My" `
    -NotAfter (Get-Date).AddYears(30)
Find and load the certificate you just created to a variable:
$cert = Get-ChildItem -Path cert:\CurrentUser\My\ | Where-Object { $_.Subject -like "*powershell.signing*" }
Sign your PowerShell script with the command:
Set-AuthenticodeSignature -FilePath "C:\temp\testScript.ps1" -Certificate $cert
Use Get-AuthenticodeSignature to verify the script’s signature:
Get-AuthenticodeSignature -FilePath "C:\temp\testScript.ps1"
For your Windows domain to fully trust the self-signed certificate used for signing PowerShell scripts, you must distribute the certificate through Group Policy to both the ‘Trusted Publishers’ and the ‘Trusted Root Certification Authorities’ stores on every machine.
In the GPO editor, navigate to “Computer Configuration” > “Policies” > “Windows Settings” > “Security Settings” > “Public Key Policies.”
Importing Certificate into ‘Trusted Publishers’
Importing Certificate into ‘Trusted Root Certification Authorities’
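As an added example (not code from the original post), the following script exports the public half of the signing certificate for the GPO import above and then audits a folder of scripts with Get-AuthenticodeSignature, flagging any that are unsigned, modified after signing, or signed by a different certificate than the one you created. It assumes the certificate from the steps above (subject CN=powershell.signing in Cert:\CurrentUser\My) and uses C:\temp as a constructed folder path.

```powershell
# Added example, not part of the original post. Assumes the signing certificate
# was created as described (CN=powershell.signing in Cert:\CurrentUser\My) and
# that the scripts to audit live under C:\temp (constructed path).

$cert = Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object { $_.Subject -like "*powershell.signing*" -and $_.HasPrivateKey } |
    Select-Object -First 1
if (-not $cert) { throw "Signing certificate not found in Cert:\CurrentUser\My" }

# Export-Certificate writes only the public certificate (DER-encoded .cer), which is
# what the Trusted Publishers / Trusted Root GPO import needs. The private key stays
# in the store of the account that created it; that key is what the whole domain
# will trust, so treat it like any other signing key.
$cerPath = "C:\temp\powershell-signing.cer"
Export-Certificate -Cert $cert -FilePath $cerPath -Type CERT | Out-Null
Write-Host "Exported public certificate to $cerPath (thumbprint $($cert.Thumbprint))"

# Audit: every .ps1 under the folder must carry a valid signature from *this*
# certificate. Status 'Valid' alone is not enough, because a script signed with any
# other trusted publisher certificate is also Valid, so the signer thumbprint is
# compared as well. A script edited after signing reports HashMismatch.
$results = Get-ChildItem -Path C:\temp -Filter *.ps1 -Recurse | ForEach-Object {
    $sig    = Get-AuthenticodeSignature -FilePath $_.FullName
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { '' }
    [pscustomobject]@{
        Script = $_.FullName
        Status = $sig.Status
        Signer = $signer
        Ok     = ($sig.Status -eq 'Valid') -and ($signer -eq $cert.Thumbprint)
    }
}

$results | Format-Table -AutoSize
$bad = @($results | Where-Object { -not $_.Ok })
if ($bad.Count -gt 0) {
    Write-Warning ("{0} script(s) are unsigned, modified after signing, or signed by another certificate" -f $bad.Count)
}
```

Run the audit again after the GPO has applied: scripts that the policy will refuse to run are exactly the ones reported with Ok = False.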
Conclusion
By following these steps, you can significantly bolster the security of your Windows domain. Ensuring that only signed PowerShell scripts are executed helps mitigate the risk of running unauthorized or malicious code. Remember, maintaining a secure environment is an ongoing process, and regular updates and vigilance are key to success.