‎11-03-2016 09:01 AM
Hello,
We are using PowerShell to run commands in a highly secure domain tier.
This requires PowerShell scripts executed by the MidServers to be run without any execution policy modifications.
However, MidServer executes PowerShell scripts using the following command:
HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -executionpolicy unrestricted -noninteractive -nologo -noprofile -command & {& 'scripts\PowerShell\PSScript.ps1' -computer '.......' -script 'C:\Users\....AppData\Local\Temp\PowerShellScriptToRun.PS1' -useCred $false -isDiscovery $false -debug $true; exit $LASTEXITCODE}
Questions:
- Is there any way to sign PSScript.ps1 so it can conform to our customer security design?
- Is there any way to control parameters passed to PSScript.ps1 without "hacking" any mid server features?
Thank you!
‎11-04-2016 09:00 AM
All right. After decompiling the Mid-Server code, it turns out it is as frustrating as possible:
this.fCommandParam = new ParamString("${powershell} -executionpolicy unrestricted -noninteractive -nologo -noprofile -command \"& {& ${psscript} ${computer} ${user} ${password} ${userscript} ${genericparams} ${usecred} ${isdisco} ${debug}; exit $LASTEXITCODE}\"");
Executionpolicy is hardcoded in Mid server. I would like to raise an urgent flag to ServiceNow for this, as the product becomes unusable in high security environments.
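On the signing question and the hardcoded switch discussed above, an added example (not from the original posts and not ServiceNow code): the `-executionpolicy` switch only sets the Process scope, and the Group Policy scopes MachinePolicy and UserPolicy take precedence over it, so this script reports which scope actually decides the policy on the host and which MID Server scripts lack a valid Authenticode signature. The install path, the certificate thumbprint and the function names are assumptions.

```powershell
# Added example. $ScriptRoot and $Thumbprint are placeholders, not values from the thread.
param(
    [string]$ScriptRoot = 'C:\MidServer\agent\scripts\PowerShell',  # hypothetical install path
    [string]$Thumbprint = '<CODE-SIGNING-CERT-THUMBPRINT>'          # placeholder
)

# Precedence, highest first. "-executionpolicy" on the command line sets only 'Process'.
$order = 'MachinePolicy', 'UserPolicy', 'Process', 'CurrentUser', 'LocalMachine'

function Get-EffectivePolicyScope {
    # Return the first scope in precedence order whose policy is defined.
    $list = Get-ExecutionPolicy -List
    foreach ($scope in $order) {
        $entry = $list | Where-Object { "$($_.Scope)" -eq $scope }
        if ($entry -and "$($entry.ExecutionPolicy)" -ne 'Undefined') { return $entry }
    }
}

function Test-ScriptSignatures {
    # Report the Authenticode status of every script file under $Path.
    param([string]$Path)
    Get-ChildItem -Path $Path -Recurse -Include *.ps1, *.psm1 | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            File   = $_.FullName
            Status = $sig.Status                    # Valid, NotSigned, HashMismatch, ...
            Signer = $sig.SignerCertificate.Subject
        }
    }
}

function Add-ScriptSignature {
    # Sign one file with a code-signing certificate from the current user's store.
    param([string]$Path, [string]$Thumbprint)
    $cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
        Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) { throw "No code-signing certificate with thumbprint $Thumbprint" }
    Set-AuthenticodeSignature -FilePath $Path -Certificate $cert -HashAlgorithm SHA256
}

$effective = Get-EffectivePolicyScope
if ($effective) {
    "Effective policy: $($effective.ExecutionPolicy) (scope: $($effective.Scope))"
    if ($order[0..1] -contains "$($effective.Scope)") {
        'Group Policy decides here; the -executionpolicy switch is overridden.'
    }
} else {
    'All scopes are Undefined; the platform default policy applies.'
}

# List anything that would be blocked under AllSigned.
Test-ScriptSignatures -Path $ScriptRoot | Where-Object { "$($_.Status)" -ne 'Valid' }
# To sign a file: Add-ScriptSignature -Path "$ScriptRoot\PSScript.ps1" -Thumbprint $Thumbprint
```

Under an AllSigned policy the signature requirement applies to every script file PowerShell loads, so the file passed via `-script` from the Temp directory in the command line above needs a valid signature too if PSScript.ps1 runs it as a script file.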
‎12-12-2016 02:00 AM
Hello Andrew,
Did you ever get further with this? We are looking at AD password reset and we have security concerns around the PowerShell scripts.
"enableADUserAccount -domainController $computer -username $accountName -useCred $useCred -user $user -password $password (EnableADUserAccount.txt)"
The $password is plaintext and the value can be easily outputted.
Appreciate any feedback.
Thank you.
‎12-12-2016 02:06 AM
Hi Moses,
ServiceNow is now working on this feature, but it will be a future release.
In the meantime, I have developed this Microsoft .NET app that serves as a proxy between PS & Mid Server. Lame but true.
Enjoy.
‎12-12-2016 02:39 AM
Thank you for your response. I just briefly looked at the URL you sent. Are you using this proxy in production now? If you don't mind, I would like to connect and get further insight as to how you have implemented this, please.
Thank you
Moses