#1 (permalink)
Running a script signed only by a known publisher

I have an icon on a desktop which runs a PowerShell script on a USB drive. I would like to ensure that this icon only runs scripts which have been signed by me (even more restrictive than any signed). I am using PowerShell 1 - is this possible?
#2 (permalink)
Re: Running a script signed only by a known publisher

Yes, it is possible (not always): just place your signing certificate in certmgr.msc -> Trusted Publishers container. However, anyone can add their own signing certificates and run their own signed scripts. Therefore you have only one solution: implement Software Restriction Policies. In the SRP group policy section open the Trusted Publishers node and choose: Allow only all administrators to manage Trusted Publishers. And in Additional Rules create a certificate rule specifying your particular certificate. And add the PS1 file type to Designated File Types (only for PowerShell 1.0).

Unfortunately this trick has known issues. I want to explain this issue. Signing certificate trust is a very hard question. To trust a particular code signing certificate you should meet the following:

1) place the signing certificate in the Trusted Publishers container of the user's or computer's certificate store;
2) place the root certificate of this signing certificate in the Trusted Root CAs of the user's or computer's certificate store;
3) if there are any intermediate CAs in the cert path, then you should add the whole certificate chain to the Intermediate CAs container of the user's or computer's cert store.

And you can run any scripts (that are signed by you or someone else). To avoid this you should create Software Restriction Policies with Default Level = Disallowed and make the changes as I've mentioned. Looks like all should be OK. But we cannot always block users from adding their certificates to Trusted Publishers, because this trick is used by many applications, such as Windows Update (in Windows XP/2003), Windows Defender, all Windows Live applications (such as Live Mail, Live Sync, Live Mesh, Live Messenger, etc.). For example, how can these SRP settings impact Windows Update? When you manually push Install Updates, the Windows Update service silently (on your behalf) adds each update certificate (of course, each update is digitally signed) to the Trusted Publishers container. After this the WU service runs the update file, extracting it to a folder with a random name in the root of any volume (where there is the most free space). Only this guarantees that WU will work correctly with an SRP-enabled policy. Windows Live applications and Windows Defender do the same, and they require the ability to add certificates to the Trusted Publishers container. Therefore you should choose between working WU, WL, WD and security. What you choose is your choice.

--
WBR, Vadims Podans
MVP: PowerShell
PowerShell blog - www.sysadmins.lv

"James Berry" <JamesBerry@xxxxxx> wrote in message "news:3201EEC4-9D2B-4E26-A975-7115C73F8906@xxxxxx"...

> I have an icon on a desktop which runs a powershell script on a USB drive. I
> would like to ensure that this icon only runs scripts which have been signed
> by me (even more restrictive than any signed).
>
> I am using PowerShell 1 - is this possible?
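As an added example (not part of either post above), the following launcher enforces the "signed by me" requirement from the question by pinning the signer certificate's thumbprint instead of relying on the Trusted Publishers store, which the answer explains cannot be fully locked down because Windows Update and other software add certificates to it. The file name, the placeholder thumbprint and the sample target path are assumptions; the cmdlets used (Get-AuthenticodeSignature, Test-Path) exist in PowerShell 1.0, and the script avoids 2.0-only syntax such as try/catch.

```powershell
# Invoke-PinnedScript.ps1 (added example, not from the thread)
# A desktop shortcut can launch it as, for example:
#   powershell.exe -File C:\Tools\Invoke-PinnedScript.ps1 E:\backup.ps1
# The target runs only if its Authenticode signature is valid AND the signer
# certificate's thumbprint matches the one pinned below. Trusted Publishers
# membership is deliberately not consulted, so certificates that other
# software adds there do not widen what this launcher accepts.
param(
    [string] $ScriptPath,
    # PLACEHOLDER: replace with the SHA-1 thumbprint of your own signing cert,
    # e.g. from: Get-ChildItem Cert:\CurrentUser\My | Format-List Subject, Thumbprint
    [string] $AllowedThumbprint = "0000000000000000000000000000000000000000"
)

# Returns $true only when the file exists, is signed, the signature chains to
# a trusted root, the file is unchanged since signing, and the signer is the
# pinned certificate. Every refusal reason is written to the host.
function Test-PinnedSignature {
    param([string] $Path, [string] $Thumbprint)

    if (-not (Test-Path -Path $Path)) {
        Write-Host "Refusing: file not found: $Path"
        return $false
    }

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # Status is one of Valid, NotSigned, HashMismatch, NotTrusted, UnknownError.
    # A script edited on the USB drive after it was signed shows as HashMismatch.
    if ($sig.Status -ne "Valid") {
        Write-Host "Refusing: signature status is $($sig.Status)"
        return $false
    }

    # Thumbprints are hex strings; normalise case and spacing before comparing.
    $actual   = $sig.SignerCertificate.Thumbprint.ToUpper()
    $expected = $Thumbprint.Replace(" ", "").ToUpper()
    if ($actual -ne $expected) {
        Write-Host "Refusing: signed by $($sig.SignerCertificate.Subject) ($actual), not the pinned certificate"
        return $false
    }

    return $true
}

if (Test-PinnedSignature -Path $ScriptPath -Thumbprint $AllowedThumbprint) {
    Write-Host "Pinned signature OK, running $ScriptPath"
    & $ScriptPath
} else {
    exit 1
}
```

Two caveats follow from the thread itself. With the execution policy set to AllSigned the launcher must be signed too, otherwise PowerShell refuses to run it at all. And the launcher only constrains what the shortcut starts; anyone who can open powershell.exe directly bypasses it, so it complements the SRP certificate rule the answer describes rather than replacing it.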