Find helpful customer reviews and review ratings for Automating Administration with Windows Powershell (A, Microsoft Official Course) at . Course: A: Automating Administration with Windows PowerShell Description: This course provides students with the knowledge and skills to utilize . MS Course A (PowerShell v2) Now Live. DonJ | Oct 07, Save. It’s been a long time coming, but the Microsoft course I designed and co-authored is .
|Published (Last):||19 July 2013|
The script security features for Windows PowerShell are specifically designed to help prevent some of the scripting-related security problems of older technologies, including Microsoft Visual Basic Scripting Edition (VBScript). Windows PowerShell defaults to a secure state and enables you to modify that state to accommodate your scripting needs and a variety of security goals.
The IT industry has had ample experience with the security problems that scripting languages can create. The main security problem is that scripts can be an easy way to introduce malware into an environment, primarily because users can be convinced to execute scripts without really understanding what the script is doing or that they are even running a script.
This is not to say that the shell makes it impossible for users to run scripts, because it does not. Rather, the shell makes it difficult, by default, for users to run scripts without realizing they are doing so. Reconfiguring the shell to permit scripts does make it somewhat easier for malicious scripts to enter the environment, and so the shell offers a range of security settings that let you strike the balance you want between convenience and security.
It is not intended to stop skilled users from executing scripts at all, merely to ensure that they do not do so without knowing what they are doing.
If you attend this class at a Microsoft Learning Partner, your instructor will lead the class in a demonstration of script security configuration. A determined user cannot be stopped from running a Windows PowerShell script simply by setting the execution policy.
That is not the purpose of the execution policy. Nor is the execution policy intended as a form of anti-malware. Keep in mind that no user can use a shell script to perform some task for which they do not have permission. Trust starts with a root Certification Authority, or root CA. There are public CAs, and there are private companies that provide such certificates as a service, for a cost.
Many companies also have their own private root CAs. A digital certificate is a form of digital identity card. A digital certificate attests to the actual identity of a person or company, but that attestation is only as good as the trust you place in the company that issued the certificate.
MOC 10325 Automating Administration with Windows PowerShell 2.0
In other words, if a company contacts you online and claims to be Microsoft Corporation, you might look at their digital certificate. If that certificate is used to digitally sign a script, you also trust that script. A digital signature is made using the encryption keys that are part of a digital certificate.
The signature includes information about the certificate, including the identity of the certificate holder. If the signature and the contents of the script match, you know who signed the script, and you know that the script is exactly the same as it was when they signed it.
Again, that does not mean the script is harmless—but if it turned out to be malicious, you could use the certificate information from the signature to track down the signer. The gibberish at the end of the file is the digital signature. One way to obtain one is from a public or private CA.
Public CAs generally charge a yearly fee for certificates. Private CAs are ones owned by your company and may be based on Windows Certificate Services or another certificate-management product. The type of certificate you need is a Class 3 certificate, also known as a code signing certificate. From a public CA, these are commonly more expensive than the Class 1 certificates used to encrypt or sign e-mails, and they usually also require more stringent identity verification.
Many CAs offer different variants of code signing certificates; you need a Microsoft AuthentiCode style certificate. You can also generate a locally trusted certificate using the MakeCert. A locally trusted certificate is trusted only by your local computer. Scripts signed using this kind of certificate are trusted for execution only on your local computer.
After you have installed a certificate, you use the Set-AuthenticodeSignature cmdlet to apply a signature to a script. The help file for this cmdlet contains details on how to use it, along with usage examples. Can you find an example of how to use it to sign a script? In practical use, the RemoteSigned execution policy is useful because it assumes that local scripts are ones that you create yourself, and you trust them. It does not require those scripts to be signed.
Scripts that are downloaded from the Internet or received via e-mail, on the other hand, are not trusted unless they carry an intact, trusted digital signature. You could certainly still run those scripts—by running the shell under a lesser execution policy, for example, or even by signing the script yourself—but those are additional steps you have to take, so it is unlikely that you would be able to run such a script accidentally or unknowingly.
The AllSigned execution policy is useful for environments where you do not want to accidentally run a script unless it has an intact, trusted digital signature. This policy is less convenient because it requires you to digitally sign every script you write, and re-sign each script each time you make any changes to it. Some third-party Windows PowerShell script editors can automatically sign your scripts for you, making the process more transparent and less inconvenient.
The Restricted execution policy is perfect for any computer for which you do not run scripts or for which you run scripts only rarely. Keep in mind that you could always manually open the shell with a less-restrictive execution policy. The Unrestricted execution policy is not usually appropriate for production environments because it provides little protection against accidentally or unknowingly running untrusted scripts.
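The signing step and the re-signing requirement described above, as an added example that is not part of the course material. It assumes a code signing certificate is already installed in the current user's personal store; the script path and contents are constructed for the demonstration.

```powershell
# Added example, not course code. Assumes a code signing certificate is already
# installed in Cert:\CurrentUser\My; the script below is constructed for the demo.
$scriptPath = Join-Path $env:TEMP 'Demo-Signed.ps1'
Set-Content -Path $scriptPath -Value 'Write-Output "hello"' -Encoding Ascii

# Pick the first certificate in the store that is valid for code signing.
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert | Select-Object -First 1
if (-not $cert) { throw 'No code signing certificate found in Cert:\CurrentUser\My.' }

# Sign the script. The signature block is appended to the file as comment lines.
$signed = Set-AuthenticodeSignature -FilePath $scriptPath -Certificate $cert
'After signing : {0} ({1})' -f $signed.Status, $signed.SignerCertificate.Subject

# Change one character of the signed body, as any later edit to the script would.
(Get-Content $scriptPath) -replace 'hello', 'hellO' |
    Set-Content -Path $scriptPath -Encoding Ascii

# Re-check the file: the stored signature is compared against the current contents.
$check = Get-AuthenticodeSignature -FilePath $scriptPath
'After editing : {0} - {1}' -f $check.Status, $check.StatusMessage

# Under AllSigned the edited script must be signed again before it will run.
if ($check.Status -ne 'Valid') {
    $resigned = Set-AuthenticodeSignature -FilePath $scriptPath -Certificate $cert
    'After re-sign : {0}' -f $resigned.Status
}

Remove-Item -Path $scriptPath
```

The Status reported after signing also depends on whether the certificate chains to a root CA that the computer trusts, which is the trust relationship the lesson describes.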
If you attend this class at a Microsoft Learning Partner, your instructor will lead the class in a demonstration of signatures and CAs. Attend the full course at a Microsoft Learning Solutions partner near you and learn how to:
After completing this lesson, you will be able to:
Explain the script security features, including filename extension association, execution policy, and current path searching.
Explain the role of trusted root Certification Authorities (either commercial or private) in shell script security.
Set the shell execution policy locally and in a domain environment.
Explain how to digitally sign a script.
Script Concerns
The IT industry has had ample experience with the security problems that scripting languages can create.
Security Features
The shell offers three core security features related to scripts:
By default, double-clicking a.
The shell does not search the current path for script files. Thus, if you type myscript into the shell, it does not execute the myscript. Instead, you would need to specify either an absolute or a relative path—such as. This behavior helps to prevent a form of attack called command hijacking, where a script executes instead of an internal command that has the same name.
The shell has a script Execution Policy that determines what scripts are permitted to run, and by default this setting is set to Restricted, which disables script execution entirely.
A downloadable Group Policy administrative template is available from http: Any execution policy set via Group Policy overrides any locally configured setting. Users can execute Windows PowerShell using powershell. This action overrides any local setting.
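An added audit snippet, not part of the course material, that makes the precedence described above visible by listing the execution policy at every scope and reporting which scope supplies the effective value. The scope names are those returned by Get-ExecutionPolicy -List; the report field names are this example's own.

```powershell
# Added example, not course code. Scope names in precedence order, highest first.
# MachinePolicy and UserPolicy come from Group Policy; Process applies only to the
# current powershell.exe session; CurrentUser and LocalMachine are the local settings.
$precedence = 'MachinePolicy', 'UserPolicy', 'Process', 'CurrentUser', 'LocalMachine'

# Index the configured policy by scope name.
$byScope = @{}
Get-ExecutionPolicy -List | ForEach-Object {
    $byScope[[string]$_.Scope] = [string]$_.ExecutionPolicy
}

# The effective policy comes from the first scope that is not Undefined.
$source = $precedence |
    Where-Object { $byScope[$_] -ne 'Undefined' } |
    Select-Object -First 1
if (-not $source) { $source = 'None (built-in default applies)' }

$effective = [string](Get-ExecutionPolicy)

# Summarise what an administrator reviewing this machine would want to know.
$report = New-Object PSObject -Property @{
    EffectivePolicy  = $effective
    SourceScope      = $source
    SetByGroupPolicy = ('MachinePolicy', 'UserPolicy' -contains $source)
    SessionOverride  = ($source -eq 'Process')
    RunsAnyScript    = ('Unrestricted', 'Bypass' -contains $effective)
}

# Show every scope first, then the summary.
$precedence | ForEach-Object { '{0,-14} {1}' -f $_, $byScope[$_] }
$report | Format-List EffectivePolicy, SourceScope, SetByGroupPolicy, SessionOverride, RunsAnyScript
```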
There are five settings for the execution policy:
Restricted: This is the default setting, and Windows PowerShell does not execute scripts, except for a few Microsoft-provided, digitally-signed scripts that contain shell configuration defaults.
RemoteSigned: This setting allows any script to be executed. However, remote scripts—those executed from a network location, those downloaded from the Internet using Internet Explorer, or those received in e-mail in Microsoft Office Outlook—must carry an intact, trusted digital signature.
AllSigned: This setting allows any script to execute provided it carries an intact, trusted digital signature.
Unrestricted: This setting allows any script to execute.
Bypass: This setting bypasses the execution policy entirely, allowing any script to execute.
Execution Policy is Not Anti-Malware
A determined user cannot be stopped from running a Windows PowerShell script simply by setting the execution policy.
So what is trust?
Signing a Script
To sign a script, you first need to obtain a trusted digital certificate.
Selecting an Execution Policy
In practical use, the RemoteSigned execution policy is useful because it assumes that local scripts are ones that you create yourself, and you trust them.
What execution policy might be appropriate for your environment?
Explain how Windows PowerShell works.
Use Windows PowerShell as an interactive, command-line shell.
Use Core Windows PowerShell cmdlets for everyday purposes.
Write basic Windows PowerShell scripts that execute batches of commands.
Identify the best practices for working with Windows PowerShell.