Powershell Start-Process Differences
-
@gjacobse said in Powershell Start-Process Differences:
Any of the simple Powershell scripts I have written have been flagged and an alert generated by the 3rd party external monitor (epic nuclear eye roll) as being suspicious,...
No surprise there - most users never run scripts.
-
How big is the organization? Have you talked to others in IT about what's acceptable and what isn't?
It sounds like you need the ability to write powershell scripts. Why not bring it up to your manager and other teams if need be?
-
@irj said in Powershell Start-Process Differences:
How big is the organization? Have you talked to others in IT about what's acceptable and what isn't?
It sounds like you need the ability to write powershell scripts. Why not bring it up to your manager and other teams if need be?
It's been a (sore) subject since I started... Having worked with @EddieJennings and @Dashrender on some scripts and the goal of moving to PS over MS Batch.. I wanted to do more..
But between Execution Policy and such, it's pretty much trying to pour water through a wall... just not going to happen due to security (reasons). We are a clinic - so security is of course important. But the State dealt with PHI and such as well and the Policy was permitted.... sigh
-
@gjacobse said in Powershell Start-Process Differences:
@irj said in Powershell Start-Process Differences:
How big is the organization? Have you talked to others in IT about what's acceptable and what isn't?
It sounds like you need the ability to write powershell scripts. Why not bring it up to your manager and other teams if need be?
It's been a (sore) subject since I started... Having worked with @EddieJennings and @Dashrender on some scripts and the goal of moving to PS over MS Batch.. I wanted to do more..
But between Execution Policy and such, it's pretty much trying to pour water through a wall... just not going to happen due to security (reasons). We are a clinic - so security is of course important. But the State dealt with PHI and such as well and the Policy was permitted.... sigh
I don't suppose being cheeky and calling powershell commands from a batch file works differently? I'd assume not, but might be worth a try.
Someone at state has things a little backwards if they're allowing cmd bat files but not powershell ps1 scripts!
Just because I don't like powershell, doesn't mean it's not more useful than cmd.
-
@travisdh1 said in Powershell Start-Process Differences:
@gjacobse said in Powershell Start-Process Differences:
@irj said in Powershell Start-Process Differences:
How big is the organization? Have you talked to others in IT about what's acceptable and what isn't?
It sounds like you need the ability to write powershell scripts. Why not bring it up to your manager and other teams if need be?
It's been a (sore) subject since I started... Having worked with @EddieJennings and @Dashrender on some scripts and the goal of moving to PS over MS Batch.. I wanted to do more..
But between Execution Policy and such, it's pretty much trying to pour water through a wall... just not going to happen due to security (reasons). We are a clinic - so security is of course important. But the State dealt with PHI and such as well and the Policy was permitted.... sigh
I don't suppose being cheeky and calling powershell commands from a batch file works differently? I'd assume not, but might be worth a try.
Someone at state has things a little backwards if they're allowing cmd bat files but not powershell ps1 scripts!
Just because I don't like powershell, doesn't mean it's not more useful than cmd.
LOL - Yea,.. Busted. That was the first script I had that was 'caught'. All it did was map a drive, start bitlocker and export the key. (over the seriously lame ass manual process they had been doing).
-
@gjacobse said in Powershell Start-Process Differences:
@irj said in Powershell Start-Process Differences:
How big is the organization? Have you talked to others in IT about what's acceptable and what isn't?
It sounds like you need the ability to write powershell scripts. Why not bring it up to your manager and other teams if need be?
It's been a (sore) subject since I started... Having worked with @EddieJennings and @Dashrender on some scripts and the goal of moving to PS over MS Batch.. I wanted to do more..
But between Execution Policy and such, it's pretty much trying to pour water through a wall... just not going to happen due to security (reasons). We are a clinic - so security is of course important. But the State dealt with PHI and such as well and the Policy was permitted.... sigh
I honestly have no clue what your last paragraph means. PHI requirements are actually very lax, and there's nothing about restricting powershell or remote scripting in HIPAA.
From a security point, what's the difference between batch and PS? You can remotely take over either way?
Have you gave any recommendations on how to use powershell in a secure way? You could ask for a bastion host to that's only purpose is to send out PS scripts and block internet access on it.
There's a ton of things that you can actually do while being security minded that your coworkers cannot reasonably refute.
I've been told NO more than 10 times before and it doesn't stop me from continuing to bring a topic up when I know I'm right. Have some confidence and bring it up to management and force them to give you a written answer to why they cannot do it. Then when their written answer makes no sense, call them out on it. You've been in mangolassi long enough to know how to argue
-
@irj said in Powershell Start-Process Differences:
You've been in mangolassi long enough to know how to argue
Hard to believe you have all put up with me for that long! Especially Jared and Scott -
-
@irj said in Powershell Start-Process Differences:
From a security point, what's the difference between batch and PS? You can remotely take over either way?
Yup - not much difference - that than I can work a batch file faster than a PS file... Which..... isn't saying much. You can do quite a bit in batch,.. but so much more in PS. I may be able to do one percent of either -
-
@irj said in Powershell Start-Process Differences:
Have you gave any recommendations on how to use powershell in a secure way? You could ask for a bastion host to that's only purpose is to send out PS scripts and block internet access on it.
Since I'm the new guy.. they don't hear but so well.. maybe in time. And I do bring it up from time to time..
-
@gjacobse said in Powershell Start-Process Differences:
@irj said in Powershell Start-Process Differences:
Have you gave any recommendations on how to use powershell in a secure way? You could ask for a bastion host to that's only purpose is to send out PS scripts and block internet access on it.
Since I'm the new guy.. they don't hear but so well.. maybe in time. And I do bring it up from time to time..
I think sometimes they listen to new guys more. You bring experience from other places
-
@gjacobse said in Powershell Start-Process Differences:
@irj said in Powershell Start-Process Differences:
Have you gave any recommendations on how to use powershell in a secure way? You could ask for a bastion host to that's only purpose is to send out PS scripts and block internet access on it.
Since I'm the new guy.. they don't hear but so well.. maybe in time. And I do bring it up from time to time..
frankly, often that doesn't seem to matter.
-
@irj said in Powershell Start-Process Differences:
@gjacobse said in Powershell Start-Process Differences:
@irj said in Powershell Start-Process Differences:
Have you gave any recommendations on how to use powershell in a secure way? You could ask for a bastion host to that's only purpose is to send out PS scripts and block internet access on it.
Since I'm the new guy.. they don't hear but so well.. maybe in time. And I do bring it up from time to time..
I think sometimes they listen to new guys more. You bring experience from other places
yeah, assuming the new guy is a consultant
since they are paying them huge money, why pay them if not going to listen.. but so often it seems to be the case to ignore internal resources because you just earn a salary.. it's so ridiculous!
