It is usually an audit violation to run PowerShell with an Unrestricted execution policy. Unrestricted lets you use a profile without signing it, and it lets you load modules without signing or unblocking them. It is also a security hole that 10 minutes can solve. When you create the certificate, -sr should be currentUser, or you should run the prompt with elevated privileges and use -sr localMachine.
Signing a file
View certs: MMC - Add Snapin - Certificates
Select two passwords (or just one if you are not using this cert for anything other than local signing)
Path to the makecert tool: C:\Program Files (x86)\Microsoft SDKs\Windows\v7.0A\Bin\makecert.exe
Set the location to run the makecert command from.
$> set-location "C:\Program Files (x86)\Microsoft SDKs\Windows\v7.0A\Bin\"
Create a self-signed root certificate as a public/private pair (a .cer public certificate and a .pvk private key). Note the password somewhere; you will need it later.
$> .\makecert -n "CN=PowerShell Local Certificate Root" -a sha1 -eku 1.3.6.1.5.5.7.3.3 -r -sv C:\Users\USER\Documents\Cert\TestRootPrivateSigningCertificate.pvk C:\Users\USER\Documents\Cert\PublicCertificate.cer -ss Root -sr CURRENTUSER
Combine the private key and the public certificate into a PFX file.
$> .\pvk2pfx -pvk C:\Users\USER\Documents\Cert\TestRootPrivateSigningCertificate.pvk -spc C:\Users\USER\Documents\Cert\PublicCertificate.cer -pfx C:\Users\USER\Documents\Cert\TestRootPrivateSigningCertificate.pfx
Import this into the local machine cert store using the Certificates snapin of the MMC
If you want the private key marked exportable (-pe), issue a user signing certificate from the root. You need the root's password for this step.
$> .\makecert -pe -n "CN=PowerShell User" -ss MY -a sha1 -eku 1.3.6.1.5.5.7.3.3 -iv C:\Users\USER\Documents\Cert\TestRootPrivateSigningCertificate.pvk -ic C:\Users\USER\Documents\Cert\PublicCertificate.cer
$> mkdir c:\Users\CertStore
$> makecert c:\Users\CertStore\testCert.cer
Add the signing cert to the Trusted Publishers folder in MMC
> $cert = @(get-childitem cert:\CurrentUser\my -codesigning)[0]
> Set-AuthenticodeSignature C:\Users\USER\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1 $cert
> set-ExecutionPolicy RemoteSigned
> get-ExecutionPolicy
Now you just need to right-click each PowerShell module and unblock it (if you do not see the Unblock option, the file is already unblocked).
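The whole procedure above as one scripted, self-checking run. This is an added example, not the post's own commands: it swaps makecert/pvk2pfx for New-SelfSignedCertificate (Windows 10 / Server 2016 and later), verifies the signature and the trust stores instead of assuming they are right, and the certificate subject, file paths and module folder are assumptions.

```powershell
# Added example: self-signed code-signing cert, trust it, sign the profile, verify, then set policy.
$ErrorActionPreference = 'Stop'
$profilePath = "$HOME\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1"   # assumed path
$certDir     = "$HOME\Documents\Cert"                                                  # assumed path
$subject     = 'CN=PowerShell Local Signing'                                           # assumed CN
New-Item -ItemType Directory -Path $certDir -Force | Out-Null
if (-not (Test-Path $profilePath)) { New-Item -ItemType File -Path $profilePath -Force | Out-Null }

# 1. Reuse an existing local code-signing cert or create one (SHA-256 rather than the post's sha1).
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
        Where-Object Subject -eq $subject | Select-Object -First 1
if (-not $cert) {
    $cert = New-SelfSignedCertificate -Type CodeSigningCert -Subject $subject `
        -HashAlgorithm SHA256 -CertStoreLocation Cert:\CurrentUser\My
}

# 2. Export only the public half and trust it as a root and as a publisher for this user.
#    The Root import pops a confirmation dialog; the private key stays in CurrentUser\My.
$cerPath = Join-Path $certDir 'PublicCertificate.cer'
Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null
foreach ($store in 'Root', 'TrustedPublisher') {
    $present = Get-ChildItem "Cert:\CurrentUser\$store" | Where-Object Thumbprint -eq $cert.Thumbprint
    if (-not $present) {
        Import-Certificate -FilePath $cerPath -CertStoreLocation "Cert:\CurrentUser\$store" | Out-Null
    }
}

# 3. Sign the profile, then check the result: Status must be Valid and the signer must be our cert.
Set-AuthenticodeSignature -FilePath $profilePath -Certificate $cert -HashAlgorithm SHA256 | Out-Null
$sig = Get-AuthenticodeSignature -FilePath $profilePath
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Thumbprint -ne $cert.Thumbprint) {
    throw "Signature check failed: $($sig.Status) - $($sig.StatusMessage)"
}

# 4. RemoteSigned for this user only. Group Policy scopes (MachinePolicy/UserPolicy) override it,
#    so list all scopes to see which one actually wins.
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser -Force
Get-ExecutionPolicy -List

# 5. Unblock downloaded modules in bulk instead of right-clicking each file (assumed module folder).
Get-ChildItem "$HOME\Documents\WindowsPowerShell\Modules" -Recurse -File -ErrorAction SilentlyContinue |
    Unblock-File
```

Once the profile is signed and the root is trusted, the same script also passes under AllSigned, which is the policy auditors usually expect.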