Day 29 Advance Security
As discussed in earlier blog about “Security” Day 7. Continue on that we will discuss here -what all security features Powershell provides. How to use them.
Security is good but securing the things without using is of no use, don’t use the code that will be secure, we write code to use it. as Powershell is like other shell we can execute the code so we need write considering Security.
Powershell developer has consider the security very seriously and has made this product perfrect and tried to make it as secure and powerful as possible. It’s being heavily used because of its seruity.
Powershell is considering against the following Virus/Warms:
>>The Danom virus
>>The MSH/Cibyz worm
There is no exception about security Powershell compaire to any other programming language coding.
- Avoid input from user
- Avoid descriptive errors
- Avoid use of passwords on code.
- Avoid provide full access/permission for executer
- Authenticate the user before executing code.
- Powershell code is default save as text file –secure.
- Consider “Code Injection” while writing code.
- Avoid running script from remote location
- use proper “Execution Policy” by Powershell
- Sign the script and validate it.
- Encrypt the code.
- Avoid Invoke-Expression
- Try to make short code.
For safe side Powershell scripts never be executable, by default it opens with notepad.
as invoke-expression execute the cmd with “;” concatenating command as well.
Eg.PS :\> $cmd=1+1
PS :\>invoke-expression $cmd
PS :\>invoke-expression $cmd ; “Vinay”
PS :\>invoke-expression $cmd ; del –force c:\”
Bhoom…. That’s why avoid use of invoke-expression this can be used in Code Injection.
PATH & TEXTPATH:
Make a note of environmental variable PATH & TEXTPATH, as this paths are used to executables.
Chose right execution policy: we already discussed about execution policy on day 7. Make sure to choose right execution policy.
Creating a SecureString object
For dealing with the sensitive data like credit card info…. Create a secure object which is encrypt the data.
Get-Credential cmdlet or the [System.Management.Automation.PSCredential] type
PS (1) > read-host -AsSecureString -prompt “Password”
$ss = new-object System.Security.SecureString
PS (12) > $ss.MakeReadOnly()
PS (13) > $ss.IsReadOnly()
This way we can make secure string as readonly where only read is permitted.
$secureString = ConvertTo-SecureString “Secure” `
There are two cmdlets ConvertTo-SecureString and ConvertFrom-SecureString. they uses the Windows Data Protection API(DPAPI)
Code should be used by user to whom we trust that’s come with “Certificates”. To create a certificate we require makecert.exe generally it will be there on you system by default or build in on SDK you can download
get-command makecert.exe | fl
Set-AuthenticodeSignature script.ps1 $certificate
To Export the certificate use
we can also use the AD credential for authentication using Get-Credential
This will ask the authentication for the script
PS:\> $credential =Get-Credential
When we run the above script it will ask for the authentication credential.
Get-Acl cmdlet: access control lists (ACL) list the users who can access the scripts.