Checking PowerShell Security

by Dec 30, 2014

PowerShell 2.0 and later

This sample code finds all PowerShell scripts on a given drive, checks each one for a valid digital signature, and reports those scripts that either have no signature or have an invalid signature:

# -Filter uses the file system's wildcard matching, which can also return
# files such as *.ps1xml; the Where-Object keeps only real .ps1 scripts
Get-ChildItem C:\ -Filter *.ps1 -Recurse |
  Where-Object { $_.Extension -eq '.ps1' } |
  Get-AuthenticodeSignature |
  Where-Object { $_.Status -ne 'Valid' }

"Fine", you may argue, "but we do not have code signing certificates or a PKI". That's not a problem. Digital signatures are all about trust. So even with free self-signed certificates you can establish trust. You just need to declare whom you trust.

Instead of relying on the Windows "root certificate authorities", which require expensive official code signing certificates, you could use a home-brewed solution like this for your internal security audits:

$whitelist = @('D3037720F7E5CF2A9DBA855B65D98C2FE1387AD9',
               '6262A18EC19996DD521F7BDEAA0E079544B84241')

# Keep the signature object in the pipeline: unsigned scripts have no
# SignerCertificate (so they would drop out of a -ExpandProperty pipeline),
# and Status is a property of the signature, not of the certificate
Get-ChildItem y:\Advanced -Filter *.ps1 -Recurse |
  Where-Object { $_.Extension -eq '.ps1' } |
  Get-AuthenticodeSignature |
  Where-Object { $whitelist -notcontains $_.SignerCertificate.Thumbprint -or $_.Status -eq 'HashMismatch' }

Simply add the unique certificate thumbprints of any certificate you trust to your whitelist. It no longer matters whether the certificate is self-signed or not. The whitelist is all that matters, and it also is your personal "revocation list": if you no longer trust a particular certificate, or a certificate gets lost, simply remove its thumbprint from your whitelist.

The generated report includes any script that is not validly signed with one of the certificates in your whitelist. If a script was signed with one of the certificates in your whitelist but was changed afterwards, the signature no longer matches the file's hash, so it also appears in your report.
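A fuller version of the whitelist audit, added here as an example and not part of the original tip: it reports unsigned scripts as well (they have no SignerCertificate at all), also covers .psm1 and .psd1 files, and states why each file was flagged. The function name, paths and thumbprints are placeholders, and the code assumes PowerShell 3.0 or later.

```powershell
# Added example: audit scripts against an allow-list of certificate thumbprints
# and explain why each file was flagged. Paths/thumbprints are placeholders.
function Test-ScriptSignatureAllowlist {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [Parameter(Mandatory)] [string[]] $TrustedThumbprint
    )
    # Normalise thumbprints so values pasted from certmgr.msc (with spaces,
    # lower case) still match what Get-AuthenticodeSignature reports.
    $trusted = $TrustedThumbprint | ForEach-Object { ($_ -replace '\s', '').ToUpperInvariant() }

    # -Include accepts several patterns; modules and manifests are code too
    Get-ChildItem -Path $Path -Recurse -File -Include *.ps1, *.psm1, *.psd1 |
      ForEach-Object {
        $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
        $cert = $sig.SignerCertificate          # $null when the file is unsigned

        $reason = if ($sig.Status -eq 'NotSigned' -or -not $cert) {
                      'NotSigned'               # no signature block at all
                  } elseif ($sig.Status -eq 'HashMismatch') {
                      'HashMismatch'            # signed, then modified
                  } elseif ($trusted -notcontains $cert.Thumbprint.ToUpperInvariant()) {
                      'UntrustedSigner'         # intact signature, but not our certificate
                  } else {
                      $null                     # signed by an allow-listed certificate
                  }

        if ($reason) {
            [pscustomobject]@{
                Path       = $_.FullName
                Status     = $sig.Status
                Thumbprint = if ($cert) { $cert.Thumbprint } else { '' }
                Subject    = if ($cert) { $cert.Subject }    else { '' }
                Reason     = $reason
            }
        }
      }
}

# Usage (placeholder path and thumbprints): everything returned needs attention
$allow = @('D3037720F7E5CF2A9DBA855B65D98C2FE1387AD9',
           '6262A18EC19996DD521F7BDEAA0E079544B84241')
Test-ScriptSignatureAllowlist -Path 'C:\Scripts' -TrustedThumbprint $allow |
  Sort-Object Reason, Path | Format-Table -AutoSize
```

A self-signed certificate that is on the allow-list typically shows Status 'UnknownError' (untrusted root) while still passing this check, which is exactly the point of trusting the thumbprint rather than the chain.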
