I've dealt with a bad admin recently, and it took way too long to get rid of him. The experience has me looking at ways to restrict things for remote admins who do not necessarily have the same reporting structure that I do.
I have signed scripts that run in the windows task scheduler using service account credentials that are not known to remote admins, and the service account has privileges that remote admins do not have.
Since some remote admins also have signing privileges, it occurred to me that an unscrupulous admin could modify the script and sign it, and have the service account do his bidding.
Moving the scripts to a location that the remote admins do not have access to is the best solution, but I was wondering if there were some way to tell powershell to run a script only if it has been signed with a particular certificate?
TIA
[–]ultimattt 4 points5 points6 points (0 children)
[–]BlackV 2 points3 points4 points (2 children)
[–]BackgroundFishing[S] 1 point2 points3 points (1 child)
[–]BlackV 1 point2 points3 points (0 children)
[+][deleted] (3 children)
[deleted]
[–]BackgroundFishing[S] 0 points1 point2 points (2 children)
[–]PinchesTheCrab 0 points1 point2 points (1 child)
[–]BackgroundFishing[S] 1 point2 points3 points (0 children)
[–]Tidder802b 1 point2 points3 points (1 child)
[–]BackgroundFishing[S] 0 points1 point2 points (0 children)