Insert Remote PowerShell Scripts

From within a remote PowerShell session, a script (.PS1) can be executed from a remote computer against a target computer. Normally this requires local administrator privileges on the target computer, with little control over the scripts that are executed, or the actions that the script performs.

Invoke-Command -ComputerName RemoteServer -FilePath c:\script.ps1 -Credential xxx

Endpoint Privilege Management for Windows allows you to target specific PowerShell scripts remotely and assign privileges to the script without granting local administration rights to the user. Scripts can also be blocked if they are not authorized or allowed. All remote PowerShell scripts executed are fully audited for visibility.

You must use the Invoke-Command cmdlet to run remote PowerShell scripts. Endpoint Privilege Management for Windows cannot target PowerShell scripts that are executed from a remote PowerShell session. Remote PowerShell scripts must be matched by either a SHA-1 File Hash or a Publisher (if the script has been digitally signed).

Endpoint Privilege Management for Windows allows you to elevate individual PowerShell scripts and commands which are executed from a remote machine. This eliminates the need for users to be logged on with an account which has local admin rights on the target computer. Instead, elevated privileges are assigned to specific commands and scripts which are defined in Application Groups, and applied by a Workstyle.

PowerShell scripts and commands can be allowed or blocked, preventing the use of unauthorized scripts, commands, and cmdlets. Granular auditing of all remote PowerShell activity provides an accurate audit trail of remote activity.

PowerShell definitions for scripts and commands are treated as separate application types, which allows you to differentiate between predefined scripts authorized by IT, and session-based ad hoc commands.

To allow standard users to connect to a remote computer with Windows Remote Management, or WinRM (a privilege normally reserved for local administrator accounts), it is necessary to enable the General Rule Enable Windows Remote Management Connections. This rule grants standard users who match the Endpoint Privilege Management for Windows Workstyle the ability to connect using WinRM, and can be targeted to specific users, groups of users, or computers using Workstyle filters.

  1. Select the Application Group you want to add the Remote PowerShell script to.
  2. Right-click and select Insert Application > Remote PowerShell Script.
  3. You can leave the Select reference script file blank to match on all applications of this file type, type in a specific name or path manually, or click Browse File.
  4. Enter a description, if required. By default, this is the name of the application you're inserting.
  5. You need to configure the matching criteria for the PowerShell script. You can configure:
    • File Hash (SHA-1 Fingerprint) matches
    • File Hash (SHA-256) matches
    • Publisher matches
  6. Click OK. The application is added to the Application Group.

Remote PowerShell scripts that contain only a single line are interpreted and matched as a Remote PowerShell Command, and fail to match a PowerShell script definition. We therefore recommend PowerShell scripts contain at least two lines of commands to ensure they are correctly matched as a script. This cannot be achieved by adding a comment to the script.
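The following PowerShell function is an added example, not part of this documentation or of the Endpoint Privilege Management product. Given a local copy of a script, it gathers the three matching criteria the rule editor offers (SHA-1 fingerprint, SHA-256 hash, and the Authenticode publisher if the script is signed) and counts the lines that carry commands rather than comments, so a script that would be matched as a Remote PowerShell Command can be spotted before the rule is created. The function name and the sample path are assumptions, and counting "lines of commands" as lines containing non-comment tokens is an assumption about how the product interprets the two-line requirement.

```powershell
# Added example (not BeyondTrust's code). Assumption: a "line of commands" is a
# line holding at least one token that is not a comment or a line break.
function Get-RemoteScriptMatchInfo {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [ValidateScript({ Test-Path -LiteralPath $_ -PathType Leaf })]
        [string]$Path
    )

    $resolved = (Resolve-Path -LiteralPath $Path).Path

    # File Hash criteria available in the rule: SHA-1 fingerprint and SHA-256.
    $sha1   = (Get-FileHash -LiteralPath $resolved -Algorithm SHA1).Hash
    $sha256 = (Get-FileHash -LiteralPath $resolved -Algorithm SHA256).Hash

    # Publisher criterion: only usable when the script carries a valid
    # Authenticode signature; an unsigned script reports Status 'NotSigned'.
    $sig = Get-AuthenticodeSignature -LiteralPath $resolved
    $publisher = if ($sig.Status -eq 'Valid') { $sig.SignerCertificate.Subject } else { $null }

    # Tokenise the script and count distinct lines that contain something other
    # than a comment or a newline. A script with only one such line is matched
    # as a Remote PowerShell Command, and adding a comment line does not change that.
    $tokens = $null
    $errors = $null
    [void][System.Management.Automation.Language.Parser]::ParseFile($resolved, [ref]$tokens, [ref]$errors)
    $commandLines = @($tokens |
        Where-Object { $_.Kind -notin 'Comment', 'NewLine', 'EndOfInput' } |
        ForEach-Object { $_.Extent.StartLineNumber } |
        Sort-Object -Unique)

    [pscustomobject]@{
        Path            = $resolved
        SHA1            = $sha1
        SHA256          = $sha256
        SignatureStatus = $sig.Status
        Publisher       = $publisher
        CommandLines    = $commandLines.Count
        MatchesAsScript = ($commandLines.Count -ge 2)
        ParseErrors     = $errors.Count
    }
}

# Usage (hypothetical path):
# $info = Get-RemoteScriptMatchInfo -Path C:\scripts\Restart-AppPool.ps1
# if (-not $info.MatchesAsScript) {
#     Write-Warning "Only $($info.CommandLines) command line(s): the script will be matched as a Remote PowerShell Command."
# }
# $info | Format-List
```

Use the SHA1 value in a File Hash (SHA-1 Fingerprint) match and the SHA256 value in a File Hash (SHA-256) match; any later edit to the script changes both hashes, so a Publisher match on a signed script is the criterion that survives routine maintenance.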

Messaging

Endpoint Privilege Management for Windows end user messaging includes limited support for remote PowerShell sessions; block messages can be assigned to Workstyle rules which block remote PowerShell scripts and commands. If a block message is assigned to a Workstyle which blocks a script or command, the message's body text is displayed in the remote console session as an error.
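The following wrapper is an added example, not part of this documentation or of the product. It runs a script against a target computer in the Invoke-Command -FilePath form shown earlier on this page and, because a block message reaches the remote console as an error, treats the error as a catchable outcome and records it alongside the computer, script and start time. The function name is an assumption; the computer name, script path and credential prompt in the usage line are placeholders.

```powershell
# Added example (not BeyondTrust's code). Assumption: the block message text is
# whatever the Workstyle assigns, so it is recorded verbatim rather than matched.
function Invoke-RemoteScriptWithOutcome {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]$ComputerName,
        [Parameter(Mandatory)] [string]$FilePath,
        [pscredential]$Credential = (Get-Credential -Message "Account used for the WinRM connection")
    )

    $started = Get-Date
    try {
        # -FilePath sends the script file to the target, so the target sees a
        # script that an Application Group rule can match by hash or publisher.
        # -ErrorAction Stop turns a block message into a terminating error.
        $output = Invoke-Command -ComputerName $ComputerName -FilePath $FilePath `
                                 -Credential $Credential -ErrorAction Stop
        [pscustomobject]@{
            Computer = $ComputerName
            Script   = $FilePath
            Started  = $started
            Outcome  = 'Completed'
            Detail   = $output
        }
    }
    catch {
        # A block message assigned to the Workstyle arrives here as the error's
        # message text. A WinRM connection failure lands here too, so the error
        # category is kept to tell the two apart when reviewing results.
        [pscustomobject]@{
            Computer = $ComputerName
            Script   = $FilePath
            Started  = $started
            Outcome  = 'Error'
            Detail   = "$($_.CategoryInfo.Category): $($_.Exception.Message)"
        }
    }
}

# Usage (placeholders):
# Invoke-RemoteScriptWithOutcome -ComputerName RemoteServer -FilePath C:\script.ps1 |
#     Export-Csv -Path .\remote-script-outcomes.csv -Append -NoTypeInformation
```

The returned object is deliberately flat so that a run across several computers can be appended to a CSV and compared with the product's own audit trail of remote PowerShell activity.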