Many organizations run scripts on a schedule against an Active Directory (AD) server: generating email signatures, exporting user data for other applications or systems, and similar repetitive jobs. Scheduling these scripts keeps the tasks consistent and hands-off, so the AD environment and everything that depends on it keeps running without manual intervention.
If such a script is broken, the consequences can be serious. A faulty script may silently skip an essential task or make unintended changes in AD, which can lead to data loss, malfunctions in dependent applications, or security exposure.
As an additional safeguard, the scheduled task can verify the script's hash before running it and execute the script only if the hash matches the expected value. The script then runs only in the exact form that was reviewed, which guards against executing a file that was accidentally edited or replaced.
Generate a PowerShell Script and get Hash-Value
First you need a PowerShell script that does what you want. As an example, here is a script that opens a website in Microsoft Edge:
OpenBrowserTabs
function OpenBrowserTabs {
    # Open the URL in a new Edge tab via the microsoft-edge: protocol handler
    $url1 = "https://www.microsoft.com"
    Start-Process "microsoft-edge:$url1"
}
# Call the function so the script actually does something when it is run
OpenBrowserTabs
Now compute the hash of the saved script (here Testscript.ps1; %FOLDERPATH% stands for your own directory):
Get-FileHash C:\%FOLDERPATH%\Testscript.ps1 -Algorithm SHA256
This returns the SHA-256 hash as a 64-character hexadecimal string, for example:
46E964053580BAE75C0B39D95D120545B489C5A6B6F7754A0919EE8C5C7AA9EB
Generate Task
Open the Task Scheduler via Windows Search or via Win+R and taskschd.msc.
Create a task, provide the necessary info and add the trigger you want.
In the Actions panel add a new action:
- Action: Start a Program
- Program/Script: powershell.exe
- Add arguments (optional):
-NoProfile -Command "if ((Get-FileHash -Path 'C:\%FOLDERPATH%\Testscript.ps1' -Algorithm SHA256).Hash -eq '%YOURHASHVALUE%') { & 'C:\%FOLDERPATH%\Testscript.ps1' }"
Replace %FOLDERPATH% and %YOURHASHVALUE% with your real path and the hash from the previous step; PowerShell does not expand the %VAR% syntax, so they are placeholders here, not environment variables. The script is also still subject to the execution policy of the account the task runs as.
Save the task. It now runs the script only while the file's hash still matches the value in the arguments.
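The Task Scheduler command above reads the file twice, once to hash it and once to run it. The following wrapper is an added example, not part of the original post: it reads the script bytes once, hashes that in-memory copy with the same SHA-256 that Get-FileHash uses, and executes the very bytes it verified, so the file cannot change between check and run. It can also register the scheduled task for you. The path C:\Tasks\Invoke-VerifiedScript.ps1, the task name VerifiedScript and the daily 07:00 trigger are assumptions; replace them with your own.

```powershell
# Added example wrapper (not from the original post). Save as
# C:\Tasks\Invoke-VerifiedScript.ps1 (assumed location).
#
# Usage:
#   (Get-FileHash C:\Scripts\Testscript.ps1 -Algorithm SHA256).Hash   # note the value
#   .\Invoke-VerifiedScript.ps1 -Path C:\Scripts\Testscript.ps1 -ExpectedHash <hash>            # run once
#   .\Invoke-VerifiedScript.ps1 -Path C:\Scripts\Testscript.ps1 -ExpectedHash <hash> -Register  # create the task
param(
    [Parameter(Mandatory = $true)][string]$Path,          # script to verify and run
    [Parameter(Mandatory = $true)][string]$ExpectedHash,  # SHA-256 hex string from Get-FileHash
    [switch]$Register,                                    # create or replace the scheduled task
    [string]$TaskName = 'VerifiedScript'                  # assumed task name
)

function Invoke-VerifiedScript {
    param([string]$Path, [string]$ExpectedHash)

    # Read the file exactly once; every step below works on this byte array,
    # so a change on disk after this point cannot affect what is executed.
    $bytes = [System.IO.File]::ReadAllBytes($Path)

    # Hash the in-memory bytes the same way Get-FileHash hashes the file on disk.
    $stream = [System.IO.MemoryStream]::new($bytes)
    $actual = (Get-FileHash -InputStream $stream -Algorithm SHA256).Hash
    $stream.Dispose()

    # -eq on strings is case-insensitive in PowerShell, so upper- or lower-case hex both match.
    if ($actual -ne $ExpectedHash) {
        throw "Hash mismatch for '$Path': expected $ExpectedHash, got $actual. Script not executed."
    }

    # Decode the verified bytes (StreamReader strips a UTF-8 BOM if present) and run
    # them from memory instead of reading the file a second time.
    $reader = [System.IO.StreamReader]::new(
        [System.IO.MemoryStream]::new($bytes), [System.Text.Encoding]::UTF8, $true)
    $code = $reader.ReadToEnd()
    $reader.Dispose()
    & ([scriptblock]::Create($code))
}

if ($Register) {
    # Register (or replace, via -Force) a daily task that calls this wrapper with the
    # current hash. The task runs as the registering user, which the Edge example needs.
    $wrapper  = $MyInvocation.MyCommand.Path
    $argument = "-NoProfile -ExecutionPolicy Bypass -File `"$wrapper`" -Path `"$Path`" -ExpectedHash $ExpectedHash"
    $action   = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument $argument
    $trigger  = New-ScheduledTaskTrigger -Daily -At 07:00
    Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger -Force | Out-Null
    Write-Output "Task '$TaskName' registered; it will refuse to run '$Path' if its SHA-256 changes."
} else {
    Invoke-VerifiedScript -Path $Path -ExpectedHash $ExpectedHash
}
```

When you change the script on purpose, take the new hash from Get-FileHash and run the wrapper again with -Register; the old task is replaced with the new expected value. A mismatch throws, so the task's last run result shows an error instead of a silent skip.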
A thing to mention
In this particular context, the term „secure“ does not imply encryption or rights management. It means an extra layer of safety against inadvertent modifications to the script: if someone edits the file by accident, the hash no longer matches and the task refuses to run it instead of executing an unreviewed version that might fail or change things in AD. It is not a defense against a deliberate attacker, since anyone with write access to the script can usually also edit the task, and the check and the run are two separate reads of the file. An intentional change requires consciously updating the hash in the „Add Arguments“ field of the task, which makes every change to the script a deliberate step rather than a silent drift.