Insert Remote PowerShell Scripts

From within a remote PowerShell session, a script (.PS1) can be executed from a remote computer against a target computer. Normally this would require local administrator privileges on the target computer, with little control over the scripts that are executed, or the actions that the script performs. For example:

Invoke-Command -ComputerName RemoteServer -FilePath c:\script.ps1 –Credential xxx

Privilege Management for Windows allows you to target specific PowerShell scripts remotely and assign privileges to the script without granting local administration rights to the user. Scripts can also be blocked if they are not authorized or allowed. All remote PowerShell scripts executed are fully audited for visibility.

You must use the Invoke-Command cmdlet to run remote PowerShell scripts. Privilege Management for Windows cannot target PowerShell scripts that are executed from a remote PowerShell session. Remote PowerShell scripts must be matched by either a SHA-1 File Hash, or a Publisher (if the script has been digitally signed).

Privilege Management for Windows allows you to elevate individual PowerShell scripts and commands which are executed from a remote machine. This eliminates the need for users to be logged on with an account which has local admin rights on the target computer. Instead, elevated privileges are assigned to specific commands and scripts which are defined in Application Groups, and applied via a Workstyle.

PowerShell scripts and commands can be allowed to block the use of unauthorized scripts, commands, and cmdlets. Granular auditing of all remote PowerShell activity provides an accurate audit trail of remote activity.

PowerShell definitions for scripts and commands are treated as separate application types, which allows you to differentiate between predefined scripts authorized by IT, and session based ad hoc commands.

In order to allow standard users to connect to a remote computer via Windows Remote Management, or WinRM (a privilege normally reserved for local administrator accounts), it is necessary to enable the General Rule Enable Windows Remote Management Connections. This rule grants standard users who match the Privilege Management for Windows Workstyle the ability to connect via WinRM, and can be targeted to specific users, groups of users, or computers using Workstyle filters.

  1. Select the Application Group you want to add the Remote PowerShell script to.
  2. In the right pane, select Actions > Add Application > Remote PowerShell Script.
  3. Add a Description for the Remote PowerShell Script.
  4. You need to configure the matching criteria for the PowerShell script. You can configure:
    • File Hash (SHA-1 Fingerprint) matches
    • Publisher matches
  5. Click OK. The application is added to the Application Group.

A remote PowerShell script that contains only a single line is interpreted and matched as a Remote PowerShell Command, and fails to match a PowerShell script definition. We therefore recommend that PowerShell scripts contain at least two lines of commands to ensure they are correctly matched as a script. This cannot be achieved by adding a comment to the script.

Privilege Management for Windows end user messaging includes limited support for remote PowerShell sessions; block messages can be assigned to Workstyle rules which block remote PowerShell scripts and commands. If a block message is assigned to a Workstyle which blocks a script or command, then the body message text of an assigned message is displayed in the remote console session as an error.

For more information, please see Application Definitions.