Summary of the new feature / enhancement
We should consider adaptive script analyzer rules that use the current cmdlet API security model to suggest fixes when a user attempts to use a cmdlet without specifying an app token or the -Integrated flag when appropriate.
Proposed technical implementation details (optional)
No response
I think it's been mentioned before, but what about also having PSU use an internally pinned TLS cert for its internal communications so there's no need for a token or disabling the security model?
The app token is used to identify the user who is making the call and not just to validate the HTTPS connection. I would think we would still need that somehow. We do have an internal security model that allows for storing the current user context and passing it along to calls within PSU. For example, if you call Invoke-PSUScript from an API or script that is authenticated by a user, we have that context and will pass it on without an app token.
The problem lies when something automated or unauthenticated makes a call. For example, an unauthenticated API cannot call Invoke-PSUScript without some sort of auth context, like an app token. Similarly, a scheduled job does not have an auth context and requires some sort of app token to define who is making the call.
Integrated mode disables these protections because it just uses the system context, but it can run into other problems down the line since it doesn't have an actual role. This is how v4 worked by default. Setting the security model to Permissive and then using the -Integrated flag effectively just does the v4 model as well.
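An added example of what such an analyzer rule could look like, written as a custom PSScriptAnalyzer rule module. This is not PowerShell Universal's own analyzer code and not code from this thread: it walks the script AST for the listed PSU cmdlets and reports any call site that has neither -AppToken nor -Integrated, offering both fixes as suggested corrections. The parameter spelling -AppToken, the list of cmdlets that need a caller identity, and the rule and module names are assumptions made for the example.

```powershell
# Added example: a custom PSScriptAnalyzer rule module (save as PSUAuthRules.psm1).
# Not PowerShell Universal's own analyzer code. Assumes the PSU cmdlet parameters
# are spelled -AppToken and -Integrated, and that the cmdlets listed below are the
# ones that need an auth context when called outside an authenticated session.
using namespace System.Management.Automation.Language
using namespace Microsoft.Windows.PowerShell.ScriptAnalyzer.Generic

# Cmdlets that call the PSU management API and therefore need a caller identity
# when run from an unauthenticated endpoint or a schedule (assumed list).
$script:PSUCmdletsNeedingAuth = @('Invoke-PSUScript', 'Get-PSUJob', 'Get-PSUScript')

function Measure-PSUMissingAuthContext {
    <#
    .SYNOPSIS
        Flags PSU cmdlet calls that pass neither -AppToken nor -Integrated.
    .DESCRIPTION
        Calls made from a user-authenticated API or script inherit that user's
        context, so this is a Warning rather than an Error: the rule only sees
        the call site, not the runtime context. Splatted calls are skipped
        because their parameters are not visible statically.
    #>
    [CmdletBinding()]
    [OutputType([DiagnosticRecord[]])]
    param(
        [Parameter(Mandatory)]
        [ValidateNotNullOrEmpty()]
        [ScriptBlockAst]$ScriptBlockAst
    )

    $results = @()

    # Every command invocation whose name is one of the PSU cmdlets above.
    $commands = $ScriptBlockAst.FindAll({
        param($Ast)
        $Ast -is [CommandAst] -and
        $Ast.GetCommandName() -in $script:PSUCmdletsNeedingAuth
    }, $true)

    foreach ($cmd in $commands) {
        # Splatting (@params) hides the parameter set from static analysis; skip.
        $splatted = $cmd.CommandElements |
            Where-Object { $_ -is [VariableExpressionAst] -and $_.Splatted }
        if ($splatted) { continue }

        # Named parameters appear as CommandParameterAst nodes. PowerShell accepts
        # unambiguous prefixes (-App, -Int), so match on prefix, case-insensitively.
        $hasAuth = $cmd.CommandElements |
            Where-Object { $_ -is [CommandParameterAst] } |
            Where-Object {
                'AppToken'.StartsWith($_.ParameterName, 'OrdinalIgnoreCase') -or
                'Integrated'.StartsWith($_.ParameterName, 'OrdinalIgnoreCase')
            }
        if ($hasAuth) { continue }

        $name   = $cmd.GetCommandName()
        $extent = $cmd.Extent
        $file   = $ScriptBlockAst.Extent.File   # null when analyzing a string

        # Offer -AppToken first: -Integrated runs as the system context without a
        # real role, which the reply above describes as the v4 behaviour.
        $corrections = @(
            [CorrectionExtent]::new(
                $extent.StartLineNumber, $extent.EndLineNumber,
                $extent.StartColumnNumber, $extent.EndColumnNumber,
                "$($extent.Text) -AppToken `$AppToken", $file,
                'Pass an app token so the call carries a caller identity'),
            [CorrectionExtent]::new(
                $extent.StartLineNumber, $extent.EndLineNumber,
                $extent.StartColumnNumber, $extent.EndColumnNumber,
                "$($extent.Text) -Integrated", $file,
                'Run in the system context (v4 behaviour; no role is attached)')
        )

        $results += [DiagnosticRecord]::new(
            "$name is called without -AppToken or -Integrated. If this code runs from " +
            "an unauthenticated endpoint or a schedule, the call has no auth context.",
            $extent, 'PSUMissingAuthContext', 'Warning', $file, $null, $corrections)
    }

    return $results
}

Export-ModuleMember -Function Measure-PSUMissingAuthContext
```

Run it against a schedule or endpoint script with `Invoke-ScriptAnalyzer -Path .\schedule.ps1 -CustomRulePath .\PSUAuthRules.psm1`; each finding's SuggestedCorrections property carries the two candidate rewrites. The rule is deliberately a Warning: a bare `Invoke-PSUScript` inside a user-authenticated endpoint is fine under the model described above, and only the author knows which context the script will run in.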