PowerShell Security

SANS Institute has started offering PowerShell security classes. I guess this means PowerShell is clearly getting traction. This also got me thinking of PowerShell security features in general.

PowerShell has been obviously designed with much more security in mind than VBScript or cmd.exe:

  1. By default .ps1 script files are associated with Notepad. Double-clicking a script does not start it.
  2. To reference a script in PowerShell you have to specify file path, so even if a script is called dir.ps1 typing in dir will not start it. The shortest way to reference it is .\dir.ps1.
  3. And finally execution policies by default won’t allow you to run any scripts at all. You can lift the limitation up a bit by allowing to run scripts signed by trusted authorities.

(Anything else I am missing?)

There are a few things I personally would like to see added in next releases:

  1. Make execution policies more granular to specify that scripts need to be signed by a specific certificate (the one my company’s IT is using) and not just any trusted one.
  2. Add built-in protection against code-injection. Right now each script creator needs to handle that him-/herself. Once the protection is in the platform everything is going to be much more secure!
  3. Fix the ability to retrieve clear text password from credentials prompt (issue found by Martin):

PS C:\> $creds = get-credential
PS C:\> $creds.GetNetworkCredential()

UserName                                Password--------                                --------

Admin                                   Qwerty!

(Anything else? Comments are welcome!)

There are some additional security features which are already available commercially from companies like Quest and SAPIEN (sorry if there are more which I have not referenced – please add in the comments) like:

  1. Impersonating scripts/command-line for helpdesk and other limited rights scenarios.
  2. Auditing.
  3. Approval workflows.

So I think that the summary would be that PowerShell has gone a long way to become a much more secure command-line and scripting environment than we used to have before. There is room for improvements but this is only v1, right? I am sure there’s more to come!


Tags: ,


9 Responses to “PowerShell Security”

  1. 1 /\/\o\/\/ July 27, 2007 at 10:02 am

    Hiya, Dmitry

    About point 3 (GetNetWorkCredentials )

    this is by design, what use does it have to store a secret if you can not get to it after, as this is using DPAPI only the user who did put it there can get it out ;

    See also http://mow001.blogspot.com/2005/11/get-credential-and-decrypting.html

    you can also use ryndael encreption as you want :

    Greetings /\/\o\/\/

  2. 2 Lee July 27, 2007 at 5:33 pm

    Thanks for the comments, Dmitry.

    These are good suggestions, and topics we are thinking about. As MoW mentions, accessing your own protected data is not a security vulnerability, although it may be a surprise. I wrote a bit more about it here: http://www.leeholmes.com/blog/PowerShellCredentialsAndGetNetworkCredential.aspx

  3. 3 Rod Trent July 27, 2007 at 9:47 pm

    Its still a long road. Check out the results from the recent scripting poll:


  4. 4 James Pogran August 2, 2007 at 1:10 pm

    I wouldn’t call 135 respondants statistically significant enough to postulate that its “still a long road”

    How about the download count for Powershell, over a million unique users in 6 months? A self reporting metric like that seems more accurate (more or less) than one survey on one site that (seems to me) focus on Vbscript (not a bad thing).

    James Pogran

  5. 5 dmitrysotnikov August 3, 2007 at 10:50 am

    I think both James and Rod are right here.

    I agree that it is hard to call it statistically significant, however, I think there’s no doubt that at the moment VBScript is far more popular. Just Google for VBScript and PowerShell and compare the number of pages you get.

    A million downloads is a great indicator of the interest the technology is getting – but this does not mean a million users. One of the issues hindering widespread use is lack of platform support out of the box. Get-Process and Get-System don’t cover all administrative tasks, and most Exchange folks are still on 2000 and 2003.

    However, I think this is starting to change. AD cmdlets are a great application of PowerShell, Exchange 2007 will get SP1 pretty soon and will start to get traction, etc., etc.

  1. 1 “PowerShell credentials in clear text” follow-up « Dmitry’s PowerBlog: PowerShell and beyond Trackback on August 2, 2007 at 8:09 am
  2. 2 PowerShell vs VBScript Survey « Dmitry’s PowerBlog: PowerShell and beyond Trackback on August 3, 2007 at 8:05 am
  3. 3 Mark’s (we)Blog » How Windows PowerShell exposes passwords in clear text Trackback on August 22, 2007 at 10:24 pm
  4. 4 Unintuitive expression behavior in pipelines « Dmitry’s PowerBlog: PowerShell and beyond Trackback on September 13, 2007 at 8:16 am

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

My Recent Tweets


The posts on this blog are provided “as is” with no warranties and confer no rights. The opinions expressed on this site are mine and mine alone, and do not necessarily represent those of my employer - WSO2 or anyone else for that matter. All trademarks acknowledged.

© 2007-2014 Dmitry Sotnikov

July 2007
« Jun   Aug »

%d bloggers like this: