Thursday, February 17, 2011

What can I do with Windows PowerShell, part 6

Security and Security Descriptors


The following articles provide a brief introduction to carrying out security-related tasks by using Windows PowerShell; these tasks include such things as configuring the Windows PowerShell script execution policy and retrieving the digital signature or security descriptor from a file or folder. As is so often the case with Windows PowerShell, the code snippets found in these articles can either be included within a Windows PowerShell script or typed directly into the Windows PowerShell console.


Using the Set-ExecutionPolicy Cmdlet

Changing the Windows PowerShell Script Execution Policy

The Set-ExecutionPolicy cmdlet enables you to determine which Windows PowerShell scripts (if any) will be allowed to run on your computer. Windows PowerShell 1.0 has four execution policies (PowerShell 2.0 and later add Bypass, which blocks nothing and prompts for nothing, and Undefined, which means no policy is set at that scope):
  • Restricted - No scripts can be run. Windows PowerShell can be used only in interactive mode.
  • AllSigned - Only scripts signed by a trusted publisher can be run.
  • RemoteSigned - Downloaded scripts must be signed by a trusted publisher before they can be run.
  • Unrestricted - No restrictions; all Windows PowerShell scripts can be run.
To assign a particular policy, call Set-ExecutionPolicy followed by the policy name. For example, this command sets the execution policy to RemoteSigned:
Set-ExecutionPolicy RemoteSigned
Without a -Scope argument this changes the machine-wide (LocalMachine) setting and needs an elevated console; a Group Policy setting (MachinePolicy or UserPolicy scope) overrides whatever you set here. Keep in mind that the execution policy is a guard against running scripts by accident, not a security boundary: any user can start a new host with -ExecutionPolicy Bypass, or pipe the script text to Invoke-Expression, and the policy never sees it.


Using the Get-ExecutionPolicy Cmdlet

Listing the Windows PowerShell Script Execution Policy

The Get-ExecutionPolicy cmdlet simply tells you which execution policy (Restricted, AllSigned, RemoteSigned or Unrestricted as described under Set-ExecutionPolicy above, plus Bypass and Undefined in PowerShell 2.0 and later) is currently in force.
To determine the execution policy simply run the cmdlet without any parameters:
Get-ExecutionPolicy
To change the execution policy, use the Set-ExecutionPolicy cmdlet.
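The following is an added example, not code from the original article, that ties the Set-ExecutionPolicy and Get-ExecutionPolicy passages together: it lists the policy at every scope, sets it for the current user only, shows how RemoteSigned actually decides that a script is "downloaded" (the Zone.Identifier stream that browsers add), and then shows two ways the policy is stepped around. The file name under $env:TEMP is an assumption, and the demonstration assumes no stricter policy is already set at the Process, MachinePolicy or UserPolicy scope (Set-Content -Stream and Unblock-File need PowerShell 3.0 or later).

```powershell
# Added example (not from the original article). Inspect and set the execution
# policy per scope, then show why it is a safety rail and not a security boundary.

# Show the policy at every scope; the first entry, top to bottom, that is not
# Undefined is the one that applies.
Get-ExecutionPolicy -List

# The effective policy, i.e. what the next script run will be judged against.
$effective = Get-ExecutionPolicy
"Effective policy: $effective"

# Set the policy for this user only. CurrentUser needs no admin rights and leaves
# other accounts (and services running as SYSTEM) untouched.
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser -Force

# RemoteSigned keys off the Zone.Identifier alternate data stream ("Mark of the
# Web") that browsers and mail clients add to downloads. A locally written script
# has no such stream and runs; the same script marked as Internet-zone is blocked.
$script = Join-Path $env:TEMP 'demo.ps1'   # hypothetical path, created below
Set-Content -Path $script -Value "'hello from demo.ps1'"
& $script                                  # runs: no zone mark, policy is RemoteSigned

Set-Content -Path $script -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"  # 3 = Internet zone
try   { & $script }
catch { "Blocked as expected: $($_.Exception.Message)" }

Unblock-File -Path $script                 # removes the Zone.Identifier stream
& $script                                  # runs again

# Neither of these goes through the script-loading check at all, which is why the
# policy must not be relied on against a user or attacker who can type commands.
Set-Content -Path $script -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"
powershell.exe -NoProfile -ExecutionPolicy Bypass -File $script   # new host, its own policy
Get-Content -Path $script -Raw | Invoke-Expression                 # script text never loaded as a file

Remove-Item -Path $script
```

The second half is the practical point: because Bypass and Invoke-Expression sidestep the policy entirely, detection of script execution belongs in script block logging and AppLocker or WDAC rules, and the policy setting itself is only a guard against the accidental double-click.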


Using the Get-Acl Cmdlet

Retrieving the Security Descriptor for an Object

The Get-Acl cmdlet enables you to retrieve the security descriptor for a file, a folder, or even a registry key. The security descriptor is more than the access control list: it carries the owner, the primary group, the discretionary ACL (the Access entries, which grant or deny rights) and the system ACL (the Audit entries). Note that, in order to view complete information for an object, you should pipe the results of Get-Acl through the Format-List cmdlet. Rights that have no named FileSystemRights value are printed as raw numbers; the 268435456 on the CREATOR OWNER entry in the listing below is GENERIC_ALL (0x10000000), an inherit-only entry (the IO flag in the SDDL string) that gives whoever creates a child object full control of that object. For example, this command retrieves the security descriptor for the folder C:\Scripts, then displays that information as a list:
Get-Acl c:\scripts | Format-List
The resulting display will look something like this:
Path   : Microsoft.PowerShell.Core\FileSystem::C:\scripts
Owner  : FABRIKAM\kenmyer
Group  : FABRIKAM\Domain Users
Access : BUILTIN\Administrators Allow  FullControl
         NT AUTHORITY\SYSTEM Allow  FullControl
         FABRIKAM\kenmyer Allow  FullControl
         CREATOR OWNER Allow  268435456
         BUILTIN\Users Allow  ReadAndExecute, Synchronize
         BUILTIN\Users Allow  AppendData
         BUILTIN\Users Allow  CreateFiles
Audit  :
Sddl   : O:S-1-5-21-1454471165-1004336348-1606980848-8183G:DUD:(A;OICIID;FA;;;B
         A)(A;OICIID;FA;;;SY)(A;ID;FA;;;S-1-5-21-1454471165-1004336348-16069808
         48-8183)(A;OICIIOID;GA;;;CO)(A;OICIID;0x1200a9;;;BU)(A;CIID;LC;;;BU)(A
         ;CIID;DC;;;BU)
Had we called Get-Acl without piping the results through Format-List the resulting display would have looked more like this:
Path                       Owner                      Access
----                       -----                      ------
Microsoft.PowerShell.Co... BUILTIN\Administrators     FABRIKAM\kenmyer Allow ...
Not quite as easy to decipher, to say the least.
Right, we did mention that Get-Acl can return the security descriptor for a registry key, didn’t we? This command returns security information for HKEY_CURRENT_USER\Software\Microsoft\Windows:
Get-Acl HKCU:\Software\Microsoft\Windows
You can also use wildcard characters to retrieve a set of objects. Need to review the security settings for all the .log files in C:\Scripts? Here you go:
Get-Acl c:\scripts\*.log | Format-List
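Reading one ACL by eye is fine; what a security review usually needs is to walk a tree and flag entries that let broad, low-privilege principals write. The following is an added example, not code from the original article, that does that with Get-Acl. C:\Scripts is the article's example folder and is assumed to exist; the list of principals treated as "broad" and the rights treated as "write" are the example's own choices. The generic-rights constants are the Win32 values (GENERIC_ALL = 0x10000000, GENERIC_WRITE = 0x40000000), which is also why Get-Acl showed 268435456 in the listing above.

```powershell
# Added example (not from the original article). Audit a directory tree for ACEs
# that let broad, low-privilege principals write. A directory that is writable by
# Users and holds a service binary, a scheduled-task script or a PATH entry is a
# classic local privilege-escalation foothold.

$root = 'C:\Scripts'   # the article's example folder; assumed to exist

# Principals that should not hold write rights on directories that hold code.
$broadPrincipals = @('Everyone', 'BUILTIN\Users',
                     'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

# Rights that let a principal plant or replace files. FileSystemRights.Write already
# covers CreateFiles, AppendData (= CreateDirectories) and the write-attribute bits.
$writeMask = [int]([System.Security.AccessControl.FileSystemRights]::Write -bor
                   [System.Security.AccessControl.FileSystemRights]::Delete -bor
                   [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
                   [System.Security.AccessControl.FileSystemRights]::TakeOwnership)

# Generic rights have no FileSystemRights name, so Get-Acl prints them as raw
# numbers (268435456 in the article's listing is GENERIC_ALL). Check them by value.
$genericAll   = 0x10000000
$genericWrite = 0x40000000

function Test-WeakAce {
    param([System.Security.AccessControl.FileSystemAccessRule]$Ace)
    if ($Ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { return $false }
    if ($broadPrincipals -notcontains $Ace.IdentityReference.Value) { return $false }
    $mask = [int]$Ace.FileSystemRights
    return (($mask -band $writeMask)    -ne 0) -or
           (($mask -band $genericAll)   -ne 0) -or
           (($mask -band $genericWrite) -ne 0)
}

# The root itself plus every subdirectory (Get-ChildItem -Recurse skips the root).
$dirs = @(Get-Item -Path $root) +
        @(Get-ChildItem -Path $root -Recurse -Directory -ErrorAction SilentlyContinue)

$findings = foreach ($dir in $dirs) {
    $acl = Get-Acl -Path $dir.FullName
    foreach ($ace in $acl.Access) {
        if (Test-WeakAce -Ace $ace) {
            [pscustomobject]@{
                Path      = $dir.FullName
                Owner     = $acl.Owner                 # a low-privilege owner can rewrite the DACL
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited           # inherited entries are fixed at the parent
                Scope     = $ace.InheritanceFlags      # whether the ACE flows to files, subfolders, both
            }
        }
    }
}
$findings | Format-Table -AutoSize
```

Run against the folder in the article's own listing, this flags the two BUILTIN\Users entries (AppendData and CreateFiles), which is exactly the default that lets any interactive user drop a file into C:\Scripts. Whether that matters depends on what the folder is used for; the check tells you where to look, not whether to change it. Note that the Owner column is worth reading as well: the owner of an object can always rewrite its DACL, whatever the Access entries say.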


Using the Get-AuthenticodeSignature Cmdlet

Retrieving Digital Signatures

The Get-AuthenticodeSignature cmdlet enables you to retrieve information about the digital signature (if any) that was used to sign a file. For example, this command retrieves any digital signatures used on the Windows PowerShell executable file (the install directory shown is the one from the original article; on current systems the host executable lives in $PSHOME, for Windows PowerShell 5.1 that is C:\Windows\System32\WindowsPowerShell\v1.0):
Get-AuthenticodeSignature "C:\Program Files\Windows PowerShell\v1.0\powershell.exe"
And here’s the type of data that comes back:
SignerCertificate                         Status             Path
-----------------                         ------             ----
564E01066387F26C912010D06BD78D3CF1E845AB  Valid              powershell.exe
If a file (such as C:\Scripts\Test.txt) has not been digitally signed, Windows PowerShell 1.0 reports UnknownError, as below; PowerShell 2.0 and later report NotSigned instead. The other statuses you will meet are HashMismatch (the file was modified after it was signed) and NotTrusted (the signer's certificate chain does not end in a root the machine trusts). Note too that Valid only says the chain is trusted, not who signed the file: any holder of a commercial code-signing certificate produces a Valid result, so compare the SignerCertificate subject or thumbprint against the publisher you expect before acting on it.
SignerCertificate                         Status             Path
-----------------                         ------             ----
                                          UnknownError       test.txt
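The following is an added example, not code from the original article, that turns the cmdlet into a trust check: it requires Status to be Valid and the signer's subject to match the publisher you expect, reports why a file fails, and records whether the signature was countersigned with a timestamp. The expected-subject pattern is an assumption (it matches Microsoft's Windows signing certificate, so it fits the article's powershell.exe example); the unsigned file under $env:TEMP is created by the example itself, and the running host's path is taken from the current process so it works for both powershell.exe and pwsh.exe.

```powershell
# Added example (not from the original article). Verify an Authenticode signature
# and then check who signed the file, not only whether a signature is present.

function Test-TrustedSignature {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Subject substring the signer must carry. Assumed value; set it to the
        # publisher you actually trust for the files you are checking.
        [string]$ExpectedSubject = 'CN=Microsoft Windows'
    )
    $sig = Get-AuthenticodeSignature -FilePath $Path

    # Status values: Valid, NotSigned (PowerShell 2.0+; 1.0 reported UnknownError),
    # HashMismatch (modified after signing), NotTrusted (chain not trusted),
    # NotSupportedFileFormat, UnknownError. Anything but Valid is a failure here.
    if ($sig.Status -ne [System.Management.Automation.SignatureStatus]::Valid) {
        return [pscustomobject]@{
            Path = $Path; Trusted = $false; Reason = "Status: $($sig.Status)"; Signer = $null
        }
    }

    # Valid only means the chain builds to a trusted root. Pin the signer as well.
    $subject = $sig.SignerCertificate.Subject
    if ($subject -notlike "*$ExpectedSubject*") {
        return [pscustomobject]@{
            Path = $Path; Trusted = $false; Reason = 'Unexpected signer'; Signer = $subject
        }
    }

    # A timestamp countersignature keeps the signature valid after the signing
    # certificate expires. TimeStamperCertificate is $null when there is none.
    [pscustomobject]@{
        Path       = $Path
        Trusted    = $true
        Reason     = $(if ($sig.TimeStamperCertificate) { 'Valid, timestamped' } else { 'Valid, no timestamp' })
        Signer     = $subject
        Thumbprint = $sig.SignerCertificate.Thumbprint
        NotAfter   = $sig.SignerCertificate.NotAfter
    }
}

# Inputs: the running PowerShell host (signed by Microsoft) and a file the example
# creates, which has no signature at all.
$hostExe  = (Get-Process -Id $PID).Path
$unsigned = Join-Path $env:TEMP 'test.txt'   # hypothetical path, created here
Set-Content -Path $unsigned -Value 'not signed'

Test-TrustedSignature -Path $hostExe
Test-TrustedSignature -Path $unsigned

# Scan a directory's executables and keep only the ones that fail the check.
Get-ChildItem -Path $PSHOME -Filter *.exe |
    ForEach-Object { Test-TrustedSignature -Path $_.FullName } |
    Where-Object { -not $_.Trusted } |
    Format-Table -AutoSize

Remove-Item -Path $unsigned
```

Two caveats when you run this across a system directory. Many Windows binaries are signed through a security catalog rather than an embedded signature; Windows PowerShell 5.1 on Windows 8 and later looks those up for you, while older hosts report such files as NotSigned. And a Valid result says nothing about the file's behaviour, only that it has not changed since the named publisher signed it, which is the property you want for an allow-list, not a verdict on the code.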
