Wednesday, 18 October 2017

strong private key protection for code signing certificate

When working with PowerShell scripts it is a good idea to sign them if you plan on using them in your production environment. You can easily get a code signing certificate from your enterprise CA (Active Directory Certificate Services) or generate a self-signed one. There are multiple places explaining that; I got my basic stuff from here:

https://www.darkoperator.com/blog/2013/3/5/powershell-basics-execution-policy-part-1.html

What is not mentioned is that you should protect your code signing certificate with "strong private key protection". To do that you have to export your current code signing certificate to a PFX file with the private key and then import it back (this can be done on the same computer) with the "Enable strong private key protection" check box ticked in the import options, as shown in the picture below. At the end of the import process you get an additional prompt to set the password that protects your private key. Obviously, if you plan on protecting your private key with a password it is also a good idea to NOT mark it as exportable... and to delete the PFX file once the import is done, since it is a plaintext-equivalent copy of the key.



Here is the password prompt for the private key protection.


Now each time you try to use this certificate you will be prompted for this password. One caveat: the prompt is an interactive dialog, so a key protected this way cannot be used for unattended signing (scheduled tasks, build agents); keep a separate, better-isolated key for those.
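The same export / re-import round trip can be scripted instead of clicked through, which makes it easier to reproduce on a second machine and to verify the result. The block below is an added example, not code from the original post. It assumes a throwaway self-signed certificate (so it can be tried without a CA; for a CA-issued certificate skip the New-SelfSignedCertificate step and select the existing certificate instead) and uses certutil for the import, because Import-PfxCertificate has no switch for strong private key protection. The "Protect" and "NoExport" modifier names are the ones listed by `certutil -importPFX -?`; the Protect modifier pops the same password dialog as the wizard's check box, so this still needs an interactive session.

```powershell
# Added example (not from the original post): export a code signing certificate to PFX,
# re-import it with strong private key protection and a non-exportable key, then verify.
$pfxPath     = Join-Path $env:TEMP 'codesign-test.pfx'
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'

# 1. Throwaway test certificate, exportable on purpose so the round trip can be shown.
#    Assumption: Windows 10 / Server 2016 or later, where -Type CodeSigningCert exists.
$cert = New-SelfSignedCertificate -Type CodeSigningCert `
    -Subject 'CN=Test Code Signing (delete me)' `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -KeyExportPolicy Exportable

# 2. Export certificate + private key to a password-protected PFX.
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword | Out-Null

# 3. Remove the exportable copy (and its key) so the re-import replaces it.
Remove-Item -Path "Cert:\CurrentUser\My\$($cert.Thumbprint)" -DeleteKey

# 4. Re-import: NoExport clears the exportable flag, Protect turns on strong private
#    key protection (an interactive dialog asks for the protection password here).
$plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR(
    [Runtime.InteropServices.Marshal]::SecureStringToBSTR($pfxPassword))
certutil -user -p $plain -importPFX My $pfxPath NoExport,Protect
Remove-Item -Path $pfxPath -Force   # the PFX is a plaintext-equivalent copy of the key

# 5. Verify: the private key is back, and an export attempt is now refused.
$imported = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object Thumbprint -eq $cert.Thumbprint
if (-not $imported.HasPrivateKey) { throw 'Private key missing after import' }
try {
    Export-PfxCertificate -Cert $imported -FilePath "$pfxPath.again" `
        -Password $pfxPassword -ErrorAction Stop | Out-Null
    Write-Warning 'Key is still exportable: re-import with the NoExport modifier'
    Remove-Item -Path "$pfxPath.again" -Force
} catch {
    Write-Host "Export refused as expected: $($_.Exception.Message)"
}
```

The exportable flag is the only property you can check without a dialog; strong private key protection itself shows up as the password prompt the first time you sign something with the re-imported certificate.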

Wednesday, 13 September 2017

My first PowerShell function... Sign-Script

I'm starting to play more with PowerShell and, for some needs we have, I had to start signing scripts. I found many places on the internet that explain how to get a code signing certificate from our corporate CA and then sign the script with a timestamp, so that the script still validates after the certificate expires: the timestamp certifies that the certificate was valid at the time the script was signed. This makes for a pretty long command, so I wrote my first PowerShell function, Sign-Script, to wrap it. You can place it in your PowerShell profile (profile.ps1) to have it available each time you run PowerShell.
profile.ps1

Powershell profile ref: https://technet.microsoft.com/en-us/library/2008.10.windowspowershell.aspx 

Code signing ref: https://www.darkoperator.com/blog/2013/3/5/powershell-basics-execution-policy-part-1.html

So without further delay here it comes...

#Begin copy after this line
#----------------------------------------------------------------------------------------------------

<#
.SYNOPSIS
   Sign the specified script with the first code signing certificate of the current user
   and with a default time stamping URL.

.DESCRIPTION
   This function lets you sign a script with a timestamp so that the signature stays
   valid even after the signing certificate expires. It also saves you from typing
   the full path to the signing certificate, since it uses the first
   "Code Signing" certificate available in the current user's certificate store, and it
   uses a default time stamping URL.

.PARAMETER scriptname
    The script name, including the full path, that you want to sign.

.PARAMETER cert
    The code signing certificate (an X509Certificate2 object, for example from
    Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert). The default is the first code
    signing certificate of the current user.

.PARAMETER TimeStampingServer
    URL of a time stamping server. The default is "http://timestamp.comodoca.com/authenticode".

.EXAMPLE
   Sign-Script c:\script\test.ps1

.EXAMPLE
   Sign-Script -scriptname c:\script\test.ps1 -cert (Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert | Where-Object { $_.FriendlyName -eq "Thawte Code Signing" }) -TimeStampingServer "http://timestamp.verisign.com/scripts/timstamp.dll"
#>
function Sign-Script
{
    [CmdletBinding()]
    [Alias("Sign")]
    Param
    (
        # Full path of the script to sign (can also come from the pipeline)
        [Parameter(Mandatory=$true,
                   ValueFromPipeline=$true,
                   ValueFromPipelineByPropertyName=$true,
                   Position=0)]
        [ValidateNotNullOrEmpty()]
        [string]$scriptname,

        # Signing certificate; defaults to the first code signing certificate of the current user
        [System.Security.Cryptography.X509Certificates.X509Certificate2]
        $cert = (Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert)[0],

        # Time stamping server URL
        [string]$TimeStampingServer = "http://timestamp.comodoca.com/authenticode"
    )

    Process
    {
        # Fail early with a clear message instead of a confusing Set-AuthenticodeSignature error
        if (-not $cert) { throw "No code signing certificate found in Cert:\CurrentUser\My" }
        if (-not $cert.HasPrivateKey) { throw "Certificate $($cert.Thumbprint) has no private key" }

        $sig = Set-AuthenticodeSignature -FilePath $scriptname -Certificate $cert -TimestampServer $TimeStampingServer
        if ($sig.Status -ne 'Valid') {
            Write-Warning "Signature status for ${scriptname}: $($sig.Status) - $($sig.StatusMessage)"
        }
        $sig
    }
}

#---------------------------------------------------------------------------------
#End copy above this line
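Once scripts are signed, the thing to check is whether the signature is still valid and whether it actually carries a timestamp, since a signature without one stops validating the day the certificate expires. The block below is an added example, not part of the original post: a small Test-ScriptSignature function built on Get-AuthenticodeSignature, followed by a constructed demo that signs a throwaway script with the first code signing certificate of the current user and then tampers with it. The demo signs without a timestamp so it runs offline; the resulting TimeStamped = False is exactly the case Sign-Script's default timestamp URL is meant to avoid.

```powershell
# Added example (not from the original post): report signature status, signer expiry
# and timestamp presence for a script, then show what tampering does to the status.
function Test-ScriptSignature {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$Path
    )
    process {
        $sig    = Get-AuthenticodeSignature -FilePath $Path
        $signer = $sig.SignerCertificate
        $expired = $null
        if ($signer) { $expired = $signer.NotAfter -lt (Get-Date) }
        [pscustomobject]@{
            Path          = $Path
            Status        = $sig.Status            # Valid, NotSigned, HashMismatch, UnknownError, ...
            Signer        = $signer.Subject
            SignerExpired = $expired
            TimeStamped   = $null -ne $sig.TimeStamperCertificate
            TimeStamper   = $sig.TimeStamperCertificate.Subject
        }
    }
}

# Constructed demo: a throwaway script signed with the first code signing certificate.
$demo = Join-Path $env:TEMP 'sign-demo.ps1'
Set-Content -Path $demo -Value 'Write-Host "signed demo"'
$cert = (Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert)[0]
if (-not $cert) { throw 'No code signing certificate in Cert:\CurrentUser\My' }
Set-AuthenticodeSignature -FilePath $demo -Certificate $cert | Out-Null

# Status is Valid for a CA-issued certificate (UnknownError for an untrusted self-signed one);
# TimeStamped is False because no -TimestampServer was given.
Test-ScriptSignature -Path $demo

# Change the content that sits above the signature block: the hash no longer matches.
(Get-Content -Path $demo) -replace 'signed demo', 'tampered' | Set-Content -Path $demo
Test-ScriptSignature -Path $demo     # Status is now HashMismatch

Remove-Item -Path $demo -Force
```

The combination to hunt for in a script repository is SignerExpired = True together with TimeStamped = False: those signatures are already invalid and the scripts have to be re-signed, this time with a timestamp.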

Thursday, 17 August 2017

Windows 10 tweak

This is a small list of tweaks I apply to Windows 10, gathered from different sources on the internet.

1- Add the "Run as different user" context menu entry to Start menu items:

Add this registry entry (save it as a .reg file and import it, or set the value with reg.exe / PowerShell):
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Explorer]
"ShowRunAsDifferentUserInStart"=dword:00000001

2- On desktop disable Hibernation:

 CMD -> run as admin -> powercfg -h off

3- Add "Notepad as admin" to the Send to menu (see the "Send to notepad as Admin" post below)

4- Add the "This PC" icon to the desktop:
 Open the Settings app -> click Personalization -> click Themes -> click Desktop icon settings

5- Change the default behaviour when opening Windows Explorer so that it opens on "This PC":
 Open Windows Explorer -> click on View -> Options -> Change folder and search options -> in the General tab, under "Open File Explorer to", select "This PC"

6- In the Windows 10 Creators Update you can remove the "Action Center" (the post's "maintenance center") icon from the tray:
  Open the Settings app -> click Personalization -> choose "Taskbar" on the left -> scroll down to "Turn system icons on or off" -> turn off the "Action Center" icon and any other icon you no longer want in the system tray.


Send to notepad as Admin

As we decided to turn UAC back on on all our computers, I was finding it annoying to edit files in UAC-protected folders. I was searching for a solution and found this old blog post by nickstugr:


Send-to-notepad-as-admin - Posted on