Powershell Day 29

Day 29: Advanced Security

As discussed in the earlier blog post about “Security” (Day 7), we continue here with the security features PowerShell provides and how to use them.

Security is good, but securing something that is never used serves no purpose: we write code in order to use it. Like any other shell, PowerShell executes code, so we need to write that code with security in mind.

The PowerShell developers took security very seriously and tried to make the product as secure and powerful as possible. It is heavily used because of its security.

PowerShell's security takes the following virus/worm into consideration:

>>The Danom virus

>>The MSH/Cibyz worm

PowerShell is no exception when it comes to security: the same practices apply as in any other programming language.

  1. Avoid input from the user.
  2. Avoid descriptive errors.
  3. Avoid passwords in code.
  4. Avoid giving full access/permissions to the account that executes the script.
  5. Authenticate the user before executing code.
  6. PowerShell code is saved as a text file by default, which is secure.
  7. Consider “code injection” while writing code.
  8. Avoid running scripts from a remote location.
  9. Use a proper PowerShell “Execution Policy”.
  10. Sign the script and validate it.
  11. Encrypt the code.
  12. Avoid Invoke-Expression.
  13. Try to keep the code short.

To be on the safe side, PowerShell scripts are never directly executable; by default they open in Notepad.

Avoid Invoke-Expression:

Invoke-Expression executes whatever string it is given, including any further commands appended with “;”.

Eg. PS :\> $cmd = "1+1"

PS :\> Invoke-Expression $cmd

What if

PS :\> Invoke-Expression "$cmd ; 'Vinay'"

2

Vinay

What if

PS :\> Invoke-Expression "$cmd ; del -force c:\"

Boom… That is why you should avoid Invoke-Expression: it can be used for code injection.
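The same problem with a value that arrives as input, next to a form that binds it as a parameter instead of building a command string. This is an added example, not code from the original post; the function names and the sample input are constructed, and the appended statement is a harmless marker.

```powershell
# Constructed sample input: a directory name followed by an appended statement.
$userInput = '. ; Write-Output INJECTED'

function Get-NamesUnsafe {
    param([string]$Path)
    # Vulnerable: the input is spliced into a command string and parsed again,
    # so everything after ';' runs as a second statement.
    Invoke-Expression "Get-ChildItem -Name -Path $Path"
}

function Get-NamesSafe {
    param([string]$Path)
    # The value is bound to a parameter as data and is never parsed as code.
    # -LiteralPath also switches off wildcard expansion.
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        throw "Not a directory: $Path"
    }
    Get-ChildItem -Name -LiteralPath $Path
}

'--- unsafe, constructed input ---'
Get-NamesUnsafe -Path $userInput

'--- safe, real directory ---'
Get-NamesSafe -Path '.'

'--- safe, constructed input ---'
try {
    Get-NamesSafe -Path $userInput
}
catch {
    "Rejected: $($_.Exception.Message)"
}
```

In the unsafe call the marker statement runs after the directory listing; in the safe call the whole input is treated as one (non-existent) directory name and rejected.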

PATH & PATHEXT:

Make a note of the environment variables PATH and PATHEXT, because these variables are used to locate executables.

Choose the right execution policy: we already discussed execution policy on Day 7. Make sure to choose the right one.

Creating a SecureString object

When dealing with sensitive data such as credit card information, create a SecureString object, which encrypts the data.

Get-Credential cmdlet or the [System.Management.Automation.PSCredential] type

PS (1) > Read-Host -AsSecureString -Prompt "Password"

Password: ***

System.Security.SecureString

$ss = new-object System.Security.SecureString

PS (12) > $ss.MakeReadOnly()

PS (13) > $ss.IsReadOnly()

This way we can make the secure string read-only, so that it can only be read and not modified.

 

$secureString = ConvertTo-SecureString "Secure" -AsPlainText -Force

There are two cmdlets, ConvertTo-SecureString and ConvertFrom-SecureString. They use the Windows Data Protection API (DPAPI).

Certificates:

Code should only be run when it comes from someone we trust, and that is what certificates are for. To create a certificate we need makecert.exe; it is generally already on your system, or it is built into the SDK, which you can download from:

http://msdn.microsoft.com/en-us/windowsserver/bb980924.aspx

makecert.exe

get-command makecert.exe | fl

Set-AuthenticodeSignature script.ps1 $certificate

To export the certificate, use

Certmgr.exe

Credentials:

We can also use AD credentials for authentication with Get-Credential.

Get-Credential

This will prompt for the credentials the script should use.

PS:\> $credential = Get-Credential

When we run the above command, it asks for the authentication credential.

Get-Acl cmdlet: access control lists (ACLs) list the users who can access the scripts.
