SANS Institute has started offering PowerShell security classes. I guess this means PowerShell is clearly getting traction. This also got me thinking of PowerShell security features in general.
PowerShell has obviously been designed with much more security in mind than VBScript or cmd.exe:
- By default `.ps1` script files are associated with Notepad. Double-clicking a script does not start it.
- To reference a script in PowerShell you have to specify the file path, so even if a script is called `dir.ps1`, typing in `dir` will not start it. The shortest way to reference it is `.\dir.ps1`.
- And finally, execution policies by default won't allow you to run any scripts at all. You can relax the restriction a bit by allowing scripts signed by trusted authorities to run.
(Anything else I am missing?)
There are a few things I personally would like to see added in next releases:
- Make execution policies more granular to specify that scripts need to be signed by a specific certificate (the one my company’s IT is using) and not just any trusted one.
- Add built-in protection against code-injection. Right now each script creator needs to handle that him-/herself. Once the protection is in the platform everything is going to be much more secure!
- Fix the ability to retrieve clear text password from credentials prompt (issue found by Martin):
    PS C:\> $creds = get-credential
    PS C:\> $creds.GetNetworkCredential()

    UserName Password
    -------- --------
    Admin    Qwerty!
(Anything else? Comments are welcome!)
There are some additional security features which are already available commercially from companies like Quest and SAPIEN (sorry if there are more which I have not referenced – please add in the comments) like:
- Impersonating scripts/command-line for helpdesk and other limited rights scenarios.
- Auditing.
- Approval workflows.
So I think that the summary would be that PowerShell has gone a long way to become a much more secure command-line and scripting environment than we used to have before. There is room for improvements but this is only v1, right? I am sure there’s more to come!
Dmitry
Tags: PowerShell, Security
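
One way to approximate the first wish-list item (accepting only a specific signing certificate rather than any trusted one) with the existing `Get-AuthenticodeSignature` cmdlet. This is an added example, not part of the original post; the thumbprint is a constructed placeholder and the function names `Test-PinnedSignature` and `Invoke-PinnedScript` are hypothetical.

```powershell
# Added example: run a script only if it is Authenticode-signed by a pinned certificate.
# The thumbprint below is a constructed placeholder, not a real certificate.
$AllowedThumbprints = @(
    '0000000000000000000000000000000000000000'   # placeholder: your IT signing cert
)

function Test-PinnedSignature {
    param(
        [Parameter(Mandatory = $true)][string]   $Path,
        [Parameter(Mandatory = $true)][string[]] $Thumbprint
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "Script not found: $Path"
    }

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # Status must be Valid: this rejects unsigned files and files modified
    # after signing (HashMismatch), along with any other non-Valid status.
    if ($sig.Status -ne 'Valid') {
        Write-Warning "Rejected $Path : signature status is $($sig.Status)"
        return $false
    }

    # Pin the signer: a valid signature from any other publisher is refused.
    $signer     = $sig.SignerCertificate.Thumbprint
    $normalized = $Thumbprint | ForEach-Object { ($_ -replace '\s', '').ToUpperInvariant() }
    if ($normalized -notcontains $signer) {
        Write-Warning "Rejected $Path : signer $signer is not on the allow list"
        return $false
    }
    return $true
}

function Invoke-PinnedScript {
    param([string] $Path, [object[]] $ArgumentList)
    # Resolve once and use the same full path for both the check and the run.
    $full = (Resolve-Path -LiteralPath $Path).Path
    if (Test-PinnedSignature -Path $full -Thumbprint $AllowedThumbprints) {
        & $full @ArgumentList
    }
}
```

The check and the run are two separate steps, so the script should live somewhere untrusted users cannot write to. This is a launcher convention layered on top of the execution policy, not a replacement for it: nothing here prevents the script from being invoked directly.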

Hiya, Dmitry
About point 3 (GetNetworkCredential):
This is by design: what use is it to store a secret if you cannot get to it afterwards? As this is using DPAPI, only the user who put it there can get it out.
See also http://mow001.blogspot.com/2005/11/get-credential-and-decrypting.html
You can also use Rijndael encryption if you want:
http://mow001.blogspot.com/2005/11/more-on-cryptograpy-and-msh.html
Greetings /\/\o\/\/
Thanks for the comments, Dmitry.
These are good suggestions, and topics we are thinking about. As MoW mentions, accessing your own protected data is not a security vulnerability, although it may be a surprise. I wrote a bit more about it here: http://www.leeholmes.com/blog/PowerShellCredentialsAndGetNetworkCredential.aspx
It's still a long road. Check out the results from the recent scripting poll:
http://www.myitforum.com/absolutepm/Polls/Scripting.asp
I wouldn’t call 135 respondents statistically significant enough to postulate that it's “still a long road”.
How about the download count for PowerShell, over a million unique users in 6 months? A self-reporting metric like that seems more accurate (more or less) than one survey on one site that (seems to me) focuses on VBScript (not a bad thing).
James Pogran
I think both James and Rod are right here.
I agree that it is hard to call it statistically significant, however, I think there’s no doubt that at the moment VBScript is far more popular. Just Google for VBScript and PowerShell and compare the number of pages you get.
A million downloads is a great indicator of the interest the technology is getting – but this does not mean a million users. One of the issues hindering widespread use is lack of platform support out of the box. Get-Process and Get-System don’t cover all administrative tasks, and most Exchange folks are still on 2000 and 2003.
However, I think this is starting to change. AD cmdlets are a great application of PowerShell, Exchange 2007 will get SP1 pretty soon and will start to get traction, etc., etc.