Security

When it comes to security, you need to consider DSC as well. Not only do your configurations contain all your sensitive operational data, passwords, connection strings, and infrastructure; Desired State Configuration is also an excellent attack vector to quickly and reliably spread malware and create general mayhem.

Securing your pull server and controlling who may push configurations to your systems is one thing you can do to secure your configurations. This can be done by employing JEA, authentication policies and silos, group policies, and in other ways. The following screenshot shows why security is very important. Notice the two plaintext credentials here for a highly privileged account.

In addition to securing your pull or build server, you need to encrypt your configurations. The only way this can be accomplished is by using certificates. The pull server needs to know all of the public keys of its nodes, and each node needs its own document encryption certificate to receive encrypted data:

# Generating certificates for remote nodes
$certPath = '.DscCertificates'

# Generate the certificates to encrypt/decrypt data
$certParam = @{
    Type = 'DocumentEncryptionCertLegacyCsp'
    DnsName = 'TargetNode01'
}
$cert = New-SelfSignedCertificate @certParam

# Export private key and copy to node
$pfxPassword = Read-Host -AsSecureString
$cert | Export-PfxCertificate -FilePath "$env:tempTargetNode01.pfx" -Password $pfxPassword -Force
$thumbprint = $cert.Thumbprint

# Export the public key to a file and remove the private key
$cert | Export-Certificate -FilePath (Join-Path $certPath 'TargetNode01.cer') -Force
$cert | Remove-Item -Force

Additionally, the pull server should use SSL and needs an SSL certificate.

Of course, sourcing certificates is not enough. DSC as a framework knows nothing of your certificate infrastructure. You need to include the certificate thumbprint of the decryption certificate and the certificate file for each node in the configuration data:

# Use the certificate in your configuration by using ConfigurationData
$certFile = Get-Item .DscCertificatesTargetNode01.cer


configuration WithCredential
{
    node localhost
    {
        File authenticationNeeded
        {
            Credential = new-object pscredential('user',('pass' | convertto-securestring -asplain -force))
            SourcePath = '\contoso.comdatabaseconfigsdb01.ini'
            DestinationPath = 'C:db01.ini'
        }
    }
}

$cData = @{
    AllNodes = @(
        @{
            NodeName = 'TargetNode01'
            
            # This is necessary for the build machine to encrypt data
            CertificateFile = $certFile.FullName
        }
    )
}

WithCredential -ConfigurationData $cData
..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.
Reset
3.12.36.30