February 19, 2018 at 4:58 pm

I am trying to understand how PowerShell scripts authenticate with a remote PC. I am not talking about PowerShell remoting, but with cmdlets, etc. A colleague is suggesting I use psexec with the SYSTEM switch so that the Kerberos token is sent to the remote PC, but not the ID or password. I initially thought PowerShell was doing the same as long as I wasn't specifying my username/password in the script itself (get-credential, etc.).

Example of PowerShell script that runs on remote PC:

$Computer = 'COMPUTER1'
Try
{
    # Look up the computer object in AD (the result is not used further in this excerpt)
    $filter = "(&(objectCategory=computer)(objectClass=computer)(cn=$Computer))"
    $ComputerObject = ([adsisearcher]$filter).FindOne()

    # Open the remote machine's personal store read-only. No credential is passed here;
    # the .NET X509Store class connects to \\$Computer with the caller's existing logon token
    $CertStore = New-Object System.Security.Cryptography.X509Certificates.X509Store "\\$Computer\My", "LocalMachine" -ErrorAction Stop
    $CertStore.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
    If ($CertStore.Certificates)
    {
        Foreach ($Cert in $CertStore.Certificates)
        {
            ### PERFORM ACTION WITH EACH CERT... ###
        }
    }
    # Release the remote store handle
    $CertStore.Close()
}
Catch
{
    ### CATCH ERRORS ###
}

Is the above not secure? Any suggestions, etc. would be greatly appreciated. I'd prefer to use PowerShell as it was designed instead of having to use psexec. Psexec will not be efficient when running runspaces, jobs, etc. with 10+ scripts running at once. Is there a way to have PowerShell use the local system account if this IS an issue?

February 19, 2018 at 5:03 pm

"Secure" is not an absolute term; nothing is "secure." Some things can be "more secure" than others.

Aside from PowerShell Remoting, PowerShell really has nothing to do with authentication to remote computers. That's handled entirely by the underlying technology, and so what happens will differ depending on what you're doing. The "go forward" direction in PowerShell is to use Remoting, which does not cache credentials.

I'm not certain what the System.Security.Cryptography.X509Certificates.X509Store class does in terms of authentication, but I seriously doubt the remote computer is caching anything from the connection. I'm guessing it's just using Kerberos to delegate whatever credential you're using to run PowerShell locally. That's pretty standard in Windows. Given that you're not _specifying_ a password, it'd be difficult for your script to pass along a password. Your local computer certainly doesn't cache a clear-text password; even NTLM pass-through authentication typically uses a different mechanism than that. But again, this is more about the underlying technology. PowerShell isn't doing a thing with your credential in this case; it's being done by the .NET System.Security.Cryptography.X509Certificates.X509Store class.
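The Remoting approach the reply recommends, written out as an added example that is not from the thread: the poster's certificate enumeration runs on the remote hosts under the caller's own token, and the script reports which authentication mechanism the remote side actually saw, so an unexpected NTLM fallback is visible. The computer names are placeholders; it assumes WinRM is enabled on the targets and the caller has rights to read the remote LocalMachine store.

```powershell
# Added example, not the poster's or the reply author's code.
# Constructed placeholder hosts; replace with real computer names.
$Computers = @('COMPUTER1', 'COMPUTER2')

# -ThrottleLimit covers the poster's "10+ at once" case without runspaces or psexec.
# Per-host connection failures are collected in $connErrors instead of stopping the run.
$results = Invoke-Command -ComputerName $Computers -ThrottleLimit 10 `
    -ErrorAction SilentlyContinue -ErrorVariable connErrors -ScriptBlock {
    # Runs on the remote host. No username or password appears anywhere:
    # WinRM authenticated the session from the caller's existing logon token.
    # The resulting token is a network logon; by default it cannot be forwarded
    # to a third machine, which is why nothing reusable is left on the remote side.
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()

    $certs = Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
        [pscustomobject]@{
            Subject    = $_.Subject
            Thumbprint = $_.Thumbprint
            NotAfter   = $_.NotAfter
        }
    }

    [pscustomobject]@{
        RunAs    = $id.Name
        AuthType = $id.AuthenticationType   # 'Kerberos' expected on a domain-joined host
        Certs    = $certs
    }
}

foreach ($r in $results) {
    '{0}: connected as {1} via {2}, {3} cert(s)' -f $r.PSComputerName, $r.RunAs, $r.AuthType, @($r.Certs).Count
    if ($r.AuthType -ne 'Kerberos') {
        Write-Warning ("{0}: session was not Kerberos-authenticated; check the name/SPN used" -f $r.PSComputerName)
    }
    $r.Certs | Format-Table Subject, Thumbprint, NotAfter -AutoSize
}

foreach ($e in $connErrors) {
    Write-Warning ("Could not connect to {0}: {1}" -f $e.TargetObject, $e.Exception.Message)
}
```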

February 19, 2018 at 9:24 pm

Thanks for the clarification!