Securing PowerShell: Script Signing with PowerShell Administration Scripts

Securing PowerShell – Learn how to enhance the security of your PowerShell scripts by signing them. This comprehensive guide covers methods using both self-signed certificates and

Useful external reference: Microsoft Learn.

This article shows how to sign PowerShell scripts using two methods:

  • With a self-signed certificate
  • With an internal PKI

With a Self-Signed Certificate

Creating the Certificate

  • Creating the certificate in PowerShell
$NomSujet = "ScriptPowerShell"

# Create a code-signing certificate in the local machine personal store, valid for 10 years
$MoncertificatPowershell = New-SelfSignedCertificate -FriendlyName "Certificat Powershell auto signe" -Subject $NomSujet -Type CodeSigningCert -CertStoreLocation Cert:\LocalMachine\My -NotAfter (Get-Date).AddYears(10)

# Add the certificate to "Trusted Root Certification Authorities"
$rootStore = [System.Security.Cryptography.X509Certificates.X509Store]::new("Root","LocalMachine")
$rootStore.Open("ReadWrite")
$rootStore.Add($MoncertificatPowershell)
$rootStore.Close()

# Add the certificate to "Trusted Publishers"
$publisherStore = [System.Security.Cryptography.X509Certificates.X509Store]::new("TrustedPublisher","LocalMachine")
$publisherStore.Open("ReadWrite")
$publisherStore.Add($MoncertificatPowershell)
$publisherStore.Close()

Certificate Verification

To verify that the certificate exists:

Get-ChildItem Cert:\LocalMachine\My -CodeSigningCert

Script Signature

  • To sign the PowerShell script
$Certificat      = Get-ChildItem Cert:\LocalMachine\My -CodeSigningCert
$Script          = "C:\temp\scriptasigner.ps1"
$TimestampServer = "http://timestamp.comodoca.com/authenticode"
Set-AuthenticodeSignature $Script -Certificate $Certificat -TimestampServer $TimestampServer
  • The script will be modified to include the certificate

Execution

  • Enforce the execution of signed scripts.
Set-ExecutionPolicy AllSigned
  • You can run your signed scripts. If the script is modified, you will need to sign your script again.
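As an added example (not code from the original article), the following script signs a constructed test file with the self-signed certificate created above, then uses Get-AuthenticodeSignature to show the three states a defender cares about: NotSigned before signing, Valid after signing, and HashMismatch after the file is edited, which is exactly the case where AllSigned refuses to run the script until it is re-signed. It assumes the certificate with Subject "CN=ScriptPowerShell" exists in Cert:\LocalMachine\My, that C:\temp is writable, and that the timestamp server is reachable; the function name Get-ScriptSignatureReport and the file name demo-signed.ps1 are the example's own.

```powershell
# Added example: sign a script, verify it, and show that tampering invalidates the signature.
# Assumes the self-signed certificate CN=ScriptPowerShell from the article exists in Cert:\LocalMachine\My.

function Get-ScriptSignatureReport {
    # Summarise the Authenticode state of one script (hypothetical helper, not in the article)
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Script     = $Path
        Status     = $sig.Status            # NotSigned, Valid, HashMismatch, UnknownError ...
        Message    = $sig.StatusMessage
        Signer     = $sig.SignerCertificate.Subject
        Thumbprint = $sig.SignerCertificate.Thumbprint
        Timestamp  = $sig.TimeStamperCertificate.Subject
    }
}

$NomSujet   = "ScriptPowerShell"
$Certificat = Get-ChildItem Cert:\LocalMachine\My -CodeSigningCert |
    Where-Object { $_.Subject -eq "CN=$NomSujet" } |
    Select-Object -First 1
if (-not $Certificat) { throw "No code-signing certificate with subject CN=$NomSujet found" }

# Constructed sample script to sign (not part of the article)
$Script = "C:\temp\demo-signed.ps1"
Set-Content -Path $Script -Value 'Write-Output "hello from a signed script"' -Encoding UTF8

# 1. Before signing: Status is NotSigned
Get-ScriptSignatureReport -Path $Script

# 2. Sign with the same timestamp server the article uses, then re-check: Status should be Valid
Set-AuthenticodeSignature -FilePath $Script -Certificate $Certificat `
    -TimestampServer "http://timestamp.comodoca.com/authenticode" | Out-Null
Get-ScriptSignatureReport -Path $Script

# 3. Modify the file after signing. The embedded signature no longer matches the content,
#    so Status becomes HashMismatch and an AllSigned policy will refuse to run the script.
Add-Content -Path $Script -Value 'Write-Output "line added after signing"'
Get-ScriptSignatureReport -Path $Script
```

The Thumbprint column is the value worth recording in an allow-list or detection rule: a script that reports Valid but carries an unexpected signer thumbprint is as much a finding as one that reports HashMismatch.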

Execution on Another Computer

Certificate export

# Same variable as used for the certificate creation at the start of the article
$NomSujet = "ScriptPowerShell"

# Build the store path of the certificate from its thumbprint, then export it (public part only)
$PathCertToUse = "Cert:\LocalMachine\My\" + (Get-ChildItem -Path Cert:\LocalMachine\My -CodeSigningCert | Where-Object { $_.Subject -eq "CN=$NomSujet" }).Thumbprint
Export-Certificate -Cert $PathCertToUse -Type CERT -FilePath C:\Temp\ScriptPowerShell.cer

Manually import the certificate

# Import the certificate into the machine's personal store
Import-Certificate -CertStoreLocation Cert:\LocalMachine\My -FilePath "C:\temp\ScriptPowerShell.cer"

# Import the certificate into "Trusted Root Certification Authorities"
Import-Certificate -CertStoreLocation Cert:\LocalMachine\Root -FilePath "C:\temp\ScriptPowerShell.cer"

# Import the certificate into "Trusted Publishers"
Import-Certificate -CertStoreLocation Cert:\LocalMachine\TrustedPublisher -FilePath "C:\temp\ScriptPowerShell.cer"
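As an added example (not code from the original article), the following script checks, on the computer that received the exported .cer file, that the publisher certificate really is present in the stores AllSigned depends on, and then inventories a folder of scripts by signature status so that unsigned or tampered scripts stand out before the policy is enforced. It assumes the subject name "CN=ScriptPowerShell" from the article; the folder C:\temp\scripts and the function names Test-PublisherTrust and Get-ScriptSigningInventory are the example's own.

```powershell
# Added example: confirm publisher trust on the target machine and inventory script signatures.
# Assumes the exported certificate CN=ScriptPowerShell was imported as shown in the article.

function Test-PublisherTrust {
    # Report whether a certificate with the given subject is present in each relevant LocalMachine store
    param([Parameter(Mandatory)][string]$Subject)
    $result = [ordered]@{ Subject = $Subject }
    foreach ($store in 'My', 'Root', 'TrustedPublisher') {
        $match = Get-ChildItem "Cert:\LocalMachine\$store" |
            Where-Object { $_.Subject -eq $Subject }
        $result[$store] = [bool]$match
    }
    [pscustomobject]$result
}

function Get-ScriptSigningInventory {
    # One row per .ps1 file under the folder, with its Authenticode status and signer
    param([Parameter(Mandatory)][string]$Folder)
    Get-ChildItem -Path $Folder -Filter *.ps1 -Recurse |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Script = $_.FullName
                Status = $sig.Status
                Signer = $sig.SignerCertificate.Subject
            }
        }
}

$trust = Test-PublisherTrust -Subject "CN=ScriptPowerShell"
$trust
if (-not $trust.Root -or -not $trust.TrustedPublisher) {
    Write-Warning "Certificate is missing from Root or TrustedPublisher: AllSigned will prompt for or refuse scripts signed with it."
}

# Constructed folder path; point it at the scripts you intend to deploy
$inventory = Get-ScriptSigningInventory -Folder "C:\temp\scripts"
$inventory | Format-Table -AutoSize
$inventory | Group-Object Status | Select-Object Name, Count
```

Running the inventory before switching the policy to AllSigned turns the "script will not run" surprise into a list of files that still need signing, and any status other than Valid or NotSigned (for example HashMismatch) points at a file that was changed after it was signed.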

Import By GPO


Sign Your PowerShell Scripts with an Internal PKI

Create certificate

On the PKI

  • On the PKI, run the following command to create the template (only once).
Add-CATemplate -Name CodeSigning

On Your Computer

  • On the computer where the PowerShell script will be signed, launch an MMC console and open the Certificates snap-in (Current User).
  • Request a certificate from the CodeSigning template.
  • The issued certificate is valid for 1 year.
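As an added example (not code from the original article), the following script requests a certificate from the internal PKI's CodeSigning template without the MMC wizard, using the Get-Certificate cmdlet of the PKI module, and then checks that what came back is usable for signing: it has a private key, carries the Code Signing enhanced key usage (OID 1.3.6.1.5.5.7.3.3), and is not close to the 1-year expiry noted above. It assumes a domain-joined machine where the enrolling CA is located automatically, that the template is named "CodeSigning" as created with Add-CATemplate, and that the template allows user enrollment; the function names Request-CodeSigningCert and Test-CodeSigningCert are the example's own.

```powershell
# Added example: enroll for a code-signing certificate from the internal PKI and validate it.
# Assumes the PKI module (Get-Certificate) is available and the "CodeSigning" template exists.

function Request-CodeSigningCert {
    # Request a certificate from the named template into the current user's personal store
    param([string]$Template = 'CodeSigning')
    $req = Get-Certificate -Template $Template -CertStoreLocation Cert:\CurrentUser\My
    if ($req.Status -ne 'Issued') {
        # Pending means the CA manager must approve the request; anything else is a failure
        throw "Enrollment did not complete: status is $($req.Status)"
    }
    $req.Certificate
}

function Test-CodeSigningCert {
    # Check the properties a signing certificate needs before it is used with Set-AuthenticodeSignature
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $eku = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $codeSigningOid = '1.3.6.1.5.5.7.3.3'
    $hasCodeSigning = [bool]($eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $codeSigningOid }))
    $daysRemaining  = [int]($Cert.NotAfter - (Get-Date)).TotalDays
    [pscustomobject]@{
        Subject        = $Cert.Subject
        Issuer         = $Cert.Issuer
        Thumbprint     = $Cert.Thumbprint
        NotAfter       = $Cert.NotAfter
        DaysRemaining  = $daysRemaining
        HasPrivateKey  = $Cert.HasPrivateKey
        CodeSigningEku = $hasCodeSigning
        RenewSoon      = ($daysRemaining -lt 30)   # 1-year template: plan the renewal before it lapses
    }
}

$cert = Request-CodeSigningCert
$check = Test-CodeSigningCert -Cert $cert
$check
if (-not $check.HasPrivateKey -or -not $check.CodeSigningEku) {
    throw "Issued certificate cannot be used for script signing"
}
```

Because scripts stay valid only while the timestamp proves they were signed before the certificate expired, the RenewSoon flag is the cue to enroll for a new certificate and re-sign anything that was signed without a timestamp server.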

Export the certificate

On the computer where the PowerShell script will be signed, in the same MMC console:

  • Select the certificate, then start the export.
  • Keep the default options.

Sign Your PowerShell Script

On the computer where the PowerShell script will be signed:

  • Enter the commands to sign your PowerShell script.
$Certificat      = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert
$Script          = "C:\temp\ScriptAsigner.ps1"
$TimestampServer = "http://timestamp.comodoca.com/authenticode"
Set-AuthenticodeSignature $Script -Certificate $Certificat -TimestampServer $TimestampServer

Execute

  • Enforce the execution of signed scripts
Set-ExecutionPolicy AllSigned
  • Execution of the script

If you run the script at this point, you will get an error message, because the computers do not yet trust the publisher. You need to deploy the certificate to the Trusted Publishers store via GPO.

Deployment by GPO

  • Create a COMPUTER GPO and deploy the certificate to the “Trusted Publishers”
  • Apply the GPO to your computers.
  • Run gpupdate on the computer.

Once the GPO is applied, the script executes normally.