Risk Control

Risk Control quickly evaluates any script for hidden risks and potentially dangerous commands.

You can then quickly review the issues and decide whether they are acceptable or malicious. This lets you evaluate external scripts in minimal time.

Enabling and Disabling Risk Control

Risk Control is enabled by default. Any script is evaluated in real time. The potential risk level appears as a “traffic light”-style icon in the status bar.

A green icon signals no apparent risk. A yellow icon indicates medium risk, and a red icon flags risks that may be significant. For example, when a script uses only cmdlets with the verb “Get”, you will see a green icon.

Risk Control Icon

Change the verb to “Set”, and the icon turns yellow. A “Stop” verb will turn it red. Hover over the icon to learn more about the potential risk identified.

To disable risk control, click the icon, and disable “Autocheck Scripts”.

Reviewing Risks

Once RiskControl detects risks, click the risk icon and choose “Analyze Risks”. This walks you through all risks found, and you can decide on a case-by-case basis whether each risk warning can be dismissed or not.

Dismiss Risks

If you consider the code acceptable, click “Dismiss”. If you want this type of command never to be detected as a risk again, click “Add Risk to Whitelist”.

Click on “Next Risk” to review the next potential issue found in the current script.

Approve Script

Once you have reviewed all risks, you have the choice to either approve the script or add a digital signature to the script.

Approve Script

If you click “Approve Script”, Risk Control displays a green checkmark and stores your approval in an NTFS stream. Because the approval is stored outside the script content itself, it is lost once you ship the script to someone else.

If you click “Digitally Sign”, your approval is added to the script content in the form of a digital signature. This type of approval is permanent, and when you ship your script to someone else, the recipient has the chance to trust your signature, and auto-approve the script without the need to review and approve it again.

Trusting Approvals

If you receive a script with a digital signature, ISESteroids displays the signature status in the status bar.

Trust certificate

Click on the signature icon and choose “Show Signer Details” to find out who signed the script. If you trust the signer, choose “Trust This Certificate”. The certificate thumbprint will then be placed on your trusted certificate list, and any script signed with this certificate will be auto-approved.

Note that this type of trust is independent of Windows' own certificate trust. You can trust any certificate you want.

This way, even inexpensive self-signed certificates can become a valuable trust source. While anyone can create self-signed certificates, each certificate has a unique thumbprint. If you know that a given certificate originates from a trusted source, adding its thumbprint to your trusted certificate list ties trust to exactly this particular certificate.

Even if an attacker created another certificate with the same issuer name, the thumbprint of that certificate would still be different.

Managing Black and White Lists

RiskControl is fully configurable with black and white lists. You decide which commands are treated as potential risk, and which certificates you find trustworthy.

To manage your risk settings, click the risk icon, and choose “Settings/Manage Black/White Lists…”. This opens a dialog.

The tabs “No Risk”, “Medium Risk”, and “High Risk” define the potential threats. If there are multiple matches, the RiskControl icon shows the most severe level. Any command placed into the “No Risk” group will not be treated as a risk, even if it is also matched by terms in the other lists.

Manage Black and White Lists

Each of the three tabs contains comma-separated text lines that are used as search terms:

SearchTerm, TypeOfSearch, TokenType, Description

TypeOfSearch can be “Any” or “Static”:

  • Any: search term can be anywhere inside text
  • Static: search term must be an exact match

TokenType can be “Any” or any valid PowerShell token type:

  • Any: matches any text
  • Command: matches only commands
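The following is an added example, not ISESteroids code, showing how rule lines in the “SearchTerm, TypeOfSearch, TokenType, Description” format above can be evaluated against a script with the PowerShell tokenizer, including the rule that a “No Risk” match overrides the other lists. The rule lists, severity order and sample script are constructed here for illustration.

```powershell
# Added example (not ISESteroids code): evaluates "SearchTerm, TypeOfSearch, TokenType, Description"
# rule lines against a script. Rule lists, severity order and the sample script are constructed.

function ConvertFrom-RiskRule {
    param([string]$Line)
    $p = $Line -split ',\s*', 4          # limit 4 so the description may itself contain commas
    [pscustomobject]@{
        SearchTerm   = $p[0].Trim()
        TypeOfSearch = $p[1].Trim()      # 'Any' (term anywhere in text) or 'Static' (exact match)
        TokenType    = $p[2].Trim()      # 'Any' or a PSTokenType name such as 'Command'
        Description  = if ($p.Count -gt 3) { $p[3].Trim() } else { '' }
    }
}

function Test-RiskRule {
    param($Rule, [System.Management.Automation.PSToken]$Token)
    if ($Rule.TokenType -ne 'Any' -and $Token.Type.ToString() -ne $Rule.TokenType) { return $false }
    if ($Rule.TypeOfSearch -eq 'Static') { return $Token.Content -eq $Rule.SearchTerm }
    return $Token.Content -like "*$($Rule.SearchTerm)*"
}

function Get-ScriptRiskLevel {
    param([string]$ScriptText, [hashtable]$RuleLists)
    $rank   = @{ 'No Risk' = 0; 'Medium Risk' = 1; 'High Risk' = 2 }   # assumed severity order
    $errors = $null
    $tokens = [System.Management.Automation.PSParser]::Tokenize($ScriptText, [ref]$errors)
    $worst  = 'No Risk'
    $findings = foreach ($token in $tokens) {
        $hits = foreach ($level in $rank.Keys) {
            foreach ($line in $RuleLists[$level]) {
                $rule = ConvertFrom-RiskRule $line
                if (Test-RiskRule $rule $token) { [pscustomobject]@{ Level = $level; Rule = $rule } }
            }
        }
        if (-not $hits -or $hits.Level -contains 'No Risk') { continue }   # "No Risk" list wins
        $top = $hits | Sort-Object { $rank[$_.Level] } -Descending | Select-Object -First 1
        if ($rank[$top.Level] -gt $rank[$worst]) { $worst = $top.Level }   # icon shows the worst level
        [pscustomobject]@{ Line = $token.StartLine; Token = $token.Content; Level = $top.Level; Why = $top.Rule.Description }
    }
    [pscustomobject]@{ Level = $worst; Findings = @($findings) }
}

$ruleLists = @{
    'No Risk'     = @('Get-, Any, Command, Read-only cmdlets')
    'Medium Risk' = @('Set-, Any, Command, Changes configuration')
    'High Risk'   = @('Stop-, Any, Command, Stops processes or services',
                      'Invoke-Expression, Static, Command, Runs dynamically built code')
}
$sample = "Get-Service | Where-Object Status -eq 'Running'`nSet-Service -Name Spooler -StartupType Manual`nStop-Service -Name Spooler"
$result = Get-ScriptRiskLevel -ScriptText $sample -RuleLists $ruleLists
$result.Level
$result.Findings | Format-Table -AutoSize
```

In the sample, the Get-Service command is skipped because the “No Risk” list matches it, and the overall level is driven by the most severe remaining finding.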

Managing Trustworthy Certificates

Any certificate you declared as trustworthy is placed on the list “Trustworthy Certificates”. Trustworthy certificates are identified by a combination of thumbprint and display name.

To revoke trust, simply remove the certificate from that list.
