They have a similar deal for MVPs - good company.

Your example doesn't use timestamping (-TimestampServer). You are going to be in for an unpleasant surprise when your cert expires and all the stuff you signed with it suddenly stops working.

signtool is the magic command line tool that will sign most anything.

Thanks,
Brian Desmond
[email protected]
w - 312.625.1438 | c - 312.731.3132

From: Webster [mailto:[email protected]]
Sent: Wednesday, April 04, 2012 5:22 PM
To: NT System Admin Issues
Subject: RE: Script signing ?

I offer a Signed version of all my PowerShell scripts as I know some places will only allow Signed scripts. DigiCert gives CTPs free certs, so it was an easy process for me to go through to receive a code signing cert.

To make it easy for me to remember the signing process, I wrote an article.

http://carlwebster.com/how-to-digitally-sign-a-microsoft-powershell-script-with-a-third-party-code-signing-certificate/

Thanks
Carl Webster
Consultant and Citrix Technology Professional
http://www.CarlWebster.com

From: Brian Desmond [mailto:[email protected]]
Subject: RE: Script signing ?

I sign all my scripts with a commercial code signing cert. PowerShell in particular by default requires this. If you have an internal PKI you should be able to get a code signing cert off of there. They require some effort to get commercially because of the risk involved in issuing something that connotes a fairly high degree of trust.

IMO it's a good practice. Most any script or binary that leaves my computer gets signed.

Thanks,
Brian Desmond
[email protected]
w - 312.625.1438 | c - 312.731.3132

From: Christopher Bodnar [mailto:[email protected]]
Subject: Script signing ?

Anyone have to implement a policy regarding signed scripts due to an internal or external audit? Had an internal audit recently and one of the "observations" was this:

A script is a program written by an end user to execute an application. It may be used for a variety of purposes, including logon scripts, administration and general automation. A script executed by privileged accounts creates security risks unless it is tightly controlled and protected from unauthorized changes or malicious coding. A signed script ensures the code was reviewed, approved and free from malicious coding. Audit noted that administrators can execute unsigned scripts from any workstation or server. Execution of a compromised script by an administrator increases the risk that unauthorized access or unauthorized changes on the network and data can occur.

With this as the "recommendation":

Evaluate the feasibility of restricting administrators, administrative workstations and domain controllers from executing unsigned scripts.

So I've been looking at the feasibility of actually doing something like this with combinations of Software Restriction Policies (certificate policies) and possibly AppLocker. Which look to be a nightmare to try and implement.

The auditor has agreed to the following, which will be much less intrusive:

- All scripts created by Domain Admins for Domain Admins, going forward, would be signed
- Creating a policy document
- Creating documentation for the process
- Training the admins on the new process

Obviously nothing is enforcing this, but it's a start. Just wondered if others have gone through something similar.

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
---
To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/
or send an email to [email protected] with the body: unsubscribe ntsysadmin
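The signing step the thread discusses, as an added example that is not from any of the posters: sign a PowerShell script with a code signing certificate from the user's store, include a timestamp (the -TimestampServer point Brian raises) so the signature outlives the certificate's validity period, and verify the result as an AllSigned execution policy would. The script path and the timestamp server URL are assumed placeholders.

```powershell
# Added example, not code from the thread. Signs a script with a code signing
# certificate and a timestamp, then verifies the resulting signature.
# Assumptions: $ScriptPath and $TimestampServer are placeholders to replace.
param(
    [string]$ScriptPath = 'C:\Scripts\Example.ps1',
    [string]$TimestampServer = 'http://timestamp.example.invalid'
)

# Pick a certificate intended for code signing (-CodeSigningCert filters on the
# Enhanced Key Usage) that is still inside its validity period.
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) {
    throw 'No valid code signing certificate found in Cert:\CurrentUser\My'
}

# Sign the script. Without -TimestampServer the signature is treated as
# invalid once the certificate expires, which is the surprise Brian describes.
$sig = Set-AuthenticodeSignature -FilePath $ScriptPath -Certificate $cert `
    -HashAlgorithm SHA256 -TimestampServer $TimestampServer
if ($sig.Status -ne 'Valid') {
    throw "Signing failed: $($sig.Status) - $($sig.StatusMessage)"
}

# Re-read the signature from disk, which is what PowerShell checks under an
# AllSigned or RemoteSigned execution policy: a Valid status means the chain is
# trusted and the file has not been modified since signing.
$check = Get-AuthenticodeSignature -FilePath $ScriptPath
[pscustomobject]@{
    File        = $ScriptPath
    Status      = $check.Status
    Signer      = $check.SignerCertificate.Subject
    CertExpires = $check.SignerCertificate.NotAfter
    Timestamped = [bool]$check.TimeStamperCertificate
}
```

A Timestamped value of False after signing means the timestamp server was not reached and the signature will stop validating at CertExpires; re-sign rather than ship it.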