Command Line on Steroids
Anyone who is familiar with the various Microsoft Windows operating systems knows that the graphical user interface is the primary method for executing applications, accomplishing tasks and interacting with the computer. Yet, the GUI does not always lend itself to administrative tasks nor scale well to address whole networks.
Microsoft crafted PowerShell, an operating system shell, to let IT administrators interact with their Windows network and operating system using “commandlets” (cmdlets, for short), which can be executed using program logic within scripts. But many IT administrators aren’t familiar with this scripting tool, which weighs in at 1.5MB and requires installation of the .NET Framework 2.0. Vista-compatible PowerShell 2.0, currently in preproduction, is due out later this spring.
At MySpace.com, the popular social networking site, PowerShell provides developers and IT professionals with remote access to the company’s 3,000-strong Web server farm, says chief systems architect Dan Farino. MySpace.com built a custom layer of PowerShell cmdlets to push out scripts to its Web servers.
“We embed PowerShell in the internal tools that we make,” Farino explains. “If we want to make a change that affects some of our thousands of servers, we can use PowerShell to produce the list of servers very quickly and with an extremely fine degree of control. There is simply no way we could create a GUI-only interface that would allow us to choose target servers so precisely.” That type of functionality saves considerable time given the vast amount of servers under the MySpace.com domain, Farino says.
MySpace.com incorporated PowerShell into the development of its massive and distributed .NET environment and deploys it for application and administrative tasks. While the structure and syntax of PowerShell may appear to be a full-blown development language, it is intended not for developers but for IT administrators as a powerful and flexible tool for automating administrative tasks. But developers can also leverage PowerShell cmdlets from within program code to execute specific tasks.
Locked Down by Default
One security problem with earlier Windows scripting tools such as Windows Script Host (WSH) was that a script attached to an e-mail message, or dropped into the current folder, could run silently with a double-click or through a vulnerable application. PowerShell is designed so that none of this happens by default. A .ps1 file is associated with Notepad rather than with the shell, so double-clicking it opens it for editing; a script sitting in the current directory is not found by its bare name, so an explicit path such as .\script.ps1 is always required; and the default execution policy, Restricted, refuses to run script files at all while still accepting commands typed interactively. An administrator has to open a PowerShell session and either type the commands or deliberately relax the policy (to AllSigned or RemoteSigned, for example) before any script runs. Treat these as safety defaults against accidental execution rather than as a security boundary: Microsoft itself describes the execution policy that way, and anyone who can already run commands as the user can bypass them.
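As an added example (not from the article), the following session, typed line by line at an elevated Windows PowerShell 5.1 prompt rather than saved as a script, shows those defaults in action and then moves the policy to AllSigned so that only scripts carrying a trusted Authenticode signature run. The script name, the certificate subject and the file paths are placeholders chosen for the example, and it assumes that creating a self-signed code-signing certificate on this machine is acceptable to you.

```powershell
# Added example, not from the article. Type these at an elevated Windows
# PowerShell 5.1 prompt. Script name, certificate subject and paths are
# placeholders.

# Which policy applies, and from which scope (Group Policy scopes win over local ones).
Get-ExecutionPolicy -List

# A constructed script placed in the working directory.
$script = Join-Path $PWD 'Show-Uptime.ps1'
@'
$os = Get-CimInstance Win32_OperatingSystem
(Get-Date) - $os.LastBootUpTime
'@ | Set-Content -Path $script

# PowerShell never searches the current directory for commands, so a bare name
# does not run a script that happens to be in the working folder.
Show-Uptime.ps1          # CommandNotFoundException; the error text suggests .\Show-Uptime.ps1

# Under the client default of Restricted the explicit path is refused as well:
#   "...cannot be loaded because running scripts is disabled on this system."
.\Show-Uptime.ps1

# Require a signature from a trusted publisher for every script, local or downloaded.
Set-ExecutionPolicy AllSigned -Scope CurrentUser -Force

# Create a code-signing certificate, make it trusted on this machine, and sign the script.
$cert = New-SelfSignedCertificate -Type CodeSigningCert -Subject 'CN=Demo Script Signer' `
    -CertStoreLocation Cert:\CurrentUser\My
$cerFile = Export-Certificate -Cert $cert -FilePath (Join-Path $env:TEMP 'demo-signer.cer')
foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\TrustedPublisher') {
    Import-Certificate -FilePath $cerFile.FullName -CertStoreLocation $store | Out-Null
}
Set-AuthenticodeSignature -FilePath $script -Certificate $cert | Format-List Status, StatusMessage

# Now the script runs. Change a single character in the file afterwards and
# Get-AuthenticodeSignature reports HashMismatch, and the shell refuses it again.
.\Show-Uptime.ps1
Get-AuthenticodeSignature -FilePath $script | Format-List Status, SignerCertificate
```

Two caveats worth keeping in mind. A self-signed certificate is fine for a lab; in production, sign with a certificate issued by your enterprise CA and publish it to Trusted Publishers through Group Policy instead of importing it by hand. And the execution policy only stops scripts from being run by accident: unless it is pinned by Group Policy, powershell.exe -ExecutionPolicy Bypass -File overrides it for that process, and a user can always paste a script's contents into an interactive prompt.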
Some IT administrators well versed in earlier scripting tools, such as WSH, may feel that their current solution works just fine. But in addition to improved security, PowerShell provides significantly more functionality with support for WMI objects, ADSI and .NET. The cmdlets also help administrators streamline their scripts. A task that requires several lines of code in WSH or VBScript can often be accomplished with a single line of code in PowerShell.
Do you employ scripts to automate network administration?
57% Yes
39% No
4% Don't know
If so, what scripting languages or platforms have you used to administer your network?
42% VBScript
28% Windows Script Host
22% Other
5% JavaScript
3% PowerShell
Writing scripts with less typing, and in less time, is one obvious benefit. But more important, the reduced complexity makes it much less likely that users will create or encounter errors when developing scripts. A script assembled from tested cmdlets contains less hand-written logic, so there are fewer places for a bug to hide and the whole thing is easier to review; brevity on its own does not make a script secure, but a script you can read in one sitting is one you can actually audit. Also, the commands and syntax are less abstract than the various commands users must employ to accomplish the same goals with other scripting tools.
“The predecessor to PowerShell was the roughly integrated combination of the command prompt and the VBScript scripting language. PowerShell nicely combines the best of these two worlds: It has an interactive environment like the command prompt, while allowing the admin to access the full power of the .NET framework if the need arises,” Farino explains.
“One of the things that’s great about it is that everything is named very consistently with an almost religious verb-dash-noun syntax, so once you learn how to do one thing, the rest come intuitively,” he says.
However, if you need to perform tasks across machines that include Mac, Linux, Unix or other systems, you may want to look at tools that are more heterogeneous, such as Perl or Python.
Managing Vista With PowerShell
There are more than 130 cmdlets built into PowerShell to accomplish an array of tasks and activities. Typing “get-command” at the Windows PowerShell prompt will list all of the cmdlets, along with the syntax for using each one. There are also a few tasks unique to Windows Vista that can be performed with PowerShell. For instance, you can query User Account Control settings and BitLocker status, and retrieve the results of the Windows System Assessment Tool (WinSAT).
Here are two examples of how to execute PowerShell code for administrative and security tasks:
The Windows System Assessment Tool (WinSAT) in Vista assesses a computer by measuring processor speed, memory, graphics and hard-drive performance, assigning each a score from 1.0 to 5.9 and storing the results in the Win32_WinSAT WMI class. To collect those details from a group of computers (for instance, your accounting department) and decide what type of upgrade might yield the best result, pass the computer names to Get-WmiObject; the __SERVER system property shows which row came from which machine:

    get-wmiobject win32_winsat -computername acct-pc01, acct-pc02 | format-table __SERVER, *Score -autosize

Substitute your own computer names for the placeholders. Run without -computername, the same command reports on the local machine only, and it needs WMI access (typically local administrator rights) on each target.
Windows Vista comes with built-in, whole-disk encryption, called BitLocker, which exposes each volume through the Win32_EncryptableVolume WMI class. To retrieve a list of encryptable drive volumes and check whether the first one is protected, type the following at an elevated prompt:

    $drives = @(get-wmiobject -namespace root\CIMv2\Security\MicrosoftVolumeEncryption -class Win32_EncryptableVolume)
    $drives | format-table DriveLetter, PersistentVolumeID -autosize
    $BitLockDrive = $drives[0]
    $BitLockDrive.GetProtectionStatus()

GetProtectionStatus() returns a ProtectionStatus of 0 (protection off), 1 (protection on) or 2 (unknown). The @( ) wrapper makes $drives an array even on a machine with a single volume, so $drives[0] works everywhere.
You can also suspend and resume BitLocker protection on the chosen volume. DisableKeyProtectors() does not decrypt the drive: it stores the volume's encryption key on disk in the clear so the machine boots without the TPM or PIN check (the state you want during a firmware update, for example), and EnableKeyProtectors() removes the clear key again. Each returns 0 on success:

    $BitLockDrive.DisableKeyProtectors()
    $BitLockDrive.EnableKeyProtectors()

Leave a volume suspended no longer than necessary; while it is, anyone who can remove the disk can read it.
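As an added example (not from the article), the function below turns the same Win32_EncryptableVolume calls into a small audit across a list of computers: for every volume it reports protection status, conversion status, encryption percentage and which key protectors are configured, and it flags the dangerous combination of an encrypted volume whose protection is off. It assumes Windows PowerShell with Get-WmiObject, administrative rights on each target and remote WMI reachability; the computer list is a constructed placeholder, and the numeric-to-name tables are the documented values of the class's methods.

```powershell
# Added example, not from the article. Requires Windows PowerShell (Get-WmiObject),
# admin rights on each target and remote WMI access. $computers is a placeholder.
$computers = @('localhost')   # e.g. 'acct-pc01', 'acct-pc02'

# Documented return values of GetProtectionStatus, GetConversionStatus and GetKeyProtectorType.
$protection = @{ 0 = 'Off'; 1 = 'On'; 2 = 'Unknown' }
$conversion = @{ 0 = 'FullyDecrypted'; 1 = 'FullyEncrypted'; 2 = 'EncryptionInProgress'
                 3 = 'DecryptionInProgress'; 4 = 'EncryptionPaused'; 5 = 'DecryptionPaused' }
$protectorType = @{ 0 = 'Unknown'; 1 = 'TPM'; 2 = 'ExternalKey'; 3 = 'NumericalPassword'
                    4 = 'TPMAndPIN'; 5 = 'TPMAndStartupKey'; 6 = 'TPMAndPINAndStartupKey'
                    7 = 'PublicKey'; 8 = 'Passphrase'; 9 = 'TPMCertificate'; 10 = 'CryptoApiNgc' }

function Get-BitLockerAudit {
    param([string[]]$ComputerName)
    foreach ($computer in $ComputerName) {
        try {
            $volumes = @(Get-WmiObject -ComputerName $computer `
                -Namespace 'root\CIMv2\Security\MicrosoftVolumeEncryption' `
                -Class Win32_EncryptableVolume -ErrorAction Stop)
        } catch {
            # Unreachable host, access denied or no BitLocker provider: report it, do not skip it silently.
            [pscustomobject]@{ Computer = $computer; Drive = $null; Protection = 'ERROR'
                               Conversion = $_.Exception.Message; Percent = $null; Protectors = $null }
            continue
        }
        foreach ($vol in $volumes) {
            $p = $vol.GetProtectionStatus()
            $c = $vol.GetConversionStatus()
            $ids = $vol.GetKeyProtectors(0).VolumeKeyProtectorID      # 0 = every protector type
            $types = foreach ($id in $ids) {
                $protectorType[[int]$vol.GetKeyProtectorType($id).KeyProtectorType]
            }
            # The [int] casts matter: the WMI values are UInt32 and would not match Int32 hashtable keys.
            [pscustomobject]@{
                Computer   = $computer
                Drive      = $vol.DriveLetter
                Protection = $protection[[int]$p.ProtectionStatus]
                Conversion = $conversion[[int]$c.ConversionStatus]
                Percent    = $c.EncryptionPercentage
                Protectors = ($types -join ',')
            }
        }
    }
}

$report = Get-BitLockerAudit -ComputerName $computers
$report | Format-Table -AutoSize

# Rows to act on: encrypted volumes with protection off, which is exactly the state
# DisableKeyProtectors() leaves behind, and volumes protected by a TPM alone with no PIN.
$report | Where-Object { $_.Conversion -eq 'FullyEncrypted' -and $_.Protection -ne 'On' }
$report | Where-Object { $_.Protectors -eq 'TPM' }
```

Because the function emits objects rather than text, the report can be piped to Export-Csv for a scheduled job, or filtered the way the last two lines do to find volumes someone suspended and forgot to resume.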
Tony Bradley, a Microsoft MVP (Most Valuable Professional) in Windows Security, is a computer security consultant with BT INS in Houston and author of Essential Computer Security.