Otto  background

What are the 3 Main Advantages of Signing PowerShell Scripts from Automox?

And how to dodge the dangers of unsigned scripts

Connect With Us

Start now, and patch, configure, and control all your endpoints in just 15 minutes.

When PowerShell was introduced in 2006, it opened an entirely new realm of possibilities for systems administrators. Now admins could script nearly any action on a Windows machine. Not only that, they could push it out across their network using a group policy in Active Directory. Things were looking up for IT departments.

But on-premises versions of Active Directory have become increasingly deprecated for modern cloud-compatible IAMs, which cannot replicate the group policy functionality. Writing PowerShell can be daunting and time-consuming for junior employees (and more than a few senior ones as well). Moreover, PowerShell itself has become a major focus for abuse by threat actors.

To tackle these issues, Automox embarked on a multiyear effort.

Addressing PowerShell concerns in three phases

Phase 1

First, we introduced Automox Worklets. These plug-and-play IT automations allow you to schedule, set policies, and push PowerShell to your Windows endpoint far more efficiently than group policies in AD.

Phase 2

We rolled out Ask Otto, which uses a large language model (LLM) to help your team draft scripts immediately. In conjunction with Ask Otto and to promote quick updating, fixing, and remediation, we launched the Automox Worklets Catalog – a library of plug-and-play IT automations for hundreds of use cases across Windows, macOS, and Linux devices.

But here’s the cherry on top – soon we’ll unveil…

Phase 3: Worklet Signing

The ability to sign and validate PowerShell scripts was introduced to address the security concerns around PowerShell abuse. However, there was a major drawback: Managing keys securely is a major burden for most IT departments.

Now, the team at Automox will lower the barrier to this critical improvement by handling the most pernicious bits:

  • Secure key generation and storage

  • Public key distribution to your endpoints

  • Seamless signing for authorized members of your IT team

So, what are the benefits of signing PowerShell scripts from Automox?

What are the 3 major advantages of signing PowerShell scripts from Automox?

  1. Signed PowerShell paired with RemoteSigned or AllSigned execution policies can help to reduce your potential attack surface.

  2. Signing scripts offers assurance that what you wrote is what will be executed – no malicious modifications.

  3. Signed scripts as well as a well-managed RBAC can ensure the strongest possible technical control between authorization to write and authorization to execute.

Automox customers can opt-in to sign every PowerShell command sent through Automox, so they can be confident that critical endpoint management tasks like configuration updates were unchanged in transit to managed devices. This is a major advance in security for IT teams. Dual-use and fileless PowerShell scripts comprise nearly half of the critical security threats on endpoints.

What configuration work can Automox help me complete to ensure best practices?

To start, we recommend updating your PowerShell execution policy to RemoteSigned. 

This setting enforces all PowerShell scripts coming from the internet to be signed while still allowing locally created scripts to run without signature. 

Very soon, you’ll be able to use a bespoke Automox Worklet in conjunction with our script signing solution. We’ll keep you posted by updating this blog as soon as it’s available. 

Note: If you are using other PowerShell scripts in your environment, you must sign them as well or migrate them into Automox. Failing to do so may result in unexpected behaviors on your devices.

A new realm of PowerShell possibilities for today’s systems administrators

The ability to sign PowerShell scripts from Automox offers three major advantages: attack surface reduction, assurance of script integrity, and strong technical control over authorization. 

Worklet signing not only simplifies the daunting task of PowerShell scripting but also ensures that critical endpoint management tasks are secure and unchanged in transit from the Automox console to the agent. 

Secure Signing will be made available to all Automox customers shortly. It's a significant leap forward in managing the ever-present threats posed by dual-use and fileless PowerShell scripts and is right in line with our mission of helping to fortify IT departments against critical security threats on endpoints.

For more information on the advantages of PowerShell signing, watch the on-demand webinar here.

Dive deeper into this topic

loading...