PowerShell 技能连载 - 零信任安全架构实现

在现代网络安全中，零信任架构是一种重要的安全模型，本文将介绍如何使用 PowerShell 实现零信任安全架构的关键组件。

首先，让我们看看如何使用 PowerShell 进行设备健康状态评估：

# 创建设备健康状态评估函数
function Test-DeviceHealth {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [switch]$IncludeFirewall,
        [switch]$IncludeAntivirus,
        [switch]$IncludeUpdates,
        [string]$OutputPath
    )
    
    try {
        $results = @{}
        
        # 系统信息
        $systemInfo = Get-CimInstance -ComputerName $ComputerName -ClassName Win32_OperatingSystem | 
            Select-Object Caption, Version, LastBootUpTime
        $results.SystemInfo = $systemInfo
        
        # 防火墙状态
        if ($IncludeFirewall) {
            $firewallProfiles = Get-NetFirewallProfile -CimSession $ComputerName
            $results.FirewallStatus = $firewallProfiles | ForEach-Object {
                [PSCustomObject]@{
                    Profile = $_.Name
                    Enabled = $_.Enabled
                    DefaultInboundAction = $_.DefaultInboundAction
                    DefaultOutboundAction = $_.DefaultOutboundAction
                }
            }
        }
        
        # 防病毒状态
        if ($IncludeAntivirus) {
            $antivirusProducts = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntivirusProduct -ComputerName $ComputerName
            $results.AntivirusStatus = $antivirusProducts | ForEach-Object {
                [PSCustomObject]@{
                    Name = $_.DisplayName
                    ProductState = $_.ProductState
                    IsEnabled = ($_.ProductState -band 0x1000) -eq 0x1000
                    IsUpToDate = ($_.ProductState -band 0x10) -eq 0
                }
            }
        }
        
        # 更新状态
        if ($IncludeUpdates) {
            $session = New-CimSession -ComputerName $ComputerName
            $updates = Get-WindowsUpdate -CimSession $session
            $results.UpdateStatus = [PSCustomObject]@{
                PendingUpdatesCount = $updates.Count
                SecurityUpdatesCount = ($updates | Where-Object { $_.Categories -match "Security" }).Count
                CriticalUpdatesCount = ($updates | Where-Object { $_.MsrcSeverity -eq "Critical" }).Count
            }
        }
        
        $healthScore = 0
        $maxScore = 0
        
        # 计算健康分数
        if ($IncludeFirewall) {
            $maxScore += 10
            $enabledProfiles = ($results.FirewallStatus | Where-Object { $_.Enabled -eq $true }).Count
            $healthScore += ($enabledProfiles / 3) * 10
        }
        
        if ($IncludeAntivirus) {
            $maxScore += 10
            $avEnabled = ($results.AntivirusStatus | Where-Object { $_.IsEnabled -eq $true }).Count -gt 0
            $avUpToDate = ($results.AntivirusStatus | Where-Object { $_.IsUpToDate -eq $true }).Count -gt 0
            
            if ($avEnabled) { $healthScore += 5 }
            if ($avUpToDate) { $healthScore += 5 }
        }
        
        if ($IncludeUpdates) {
            $maxScore += 10
            $pendingUpdates = $results.UpdateStatus.PendingUpdatesCount
            $criticalUpdates = $results.UpdateStatus.CriticalUpdatesCount
            
            if ($pendingUpdates -eq 0) {
                $healthScore += 10
            } else {
                $healthScore += [Math]::Max(0, 10 - ($criticalUpdates * 2) - ($pendingUpdates * 0.5))
            }
        }
        
        $results.HealthScore = [Math]::Round(($healthScore / $maxScore) * 100)
        $results.ComplianceStatus = $results.HealthScore -ge 70
        $results.AssessmentTime = Get-Date
        
        if ($OutputPath) {
            $results | ConvertTo-Json -Depth 5 | Out-File -FilePath $OutputPath -Encoding UTF8
            Write-Host "设备健康状态已保存至：$OutputPath"
        }
        
        return [PSCustomObject]$results
    }
    catch {
        Write-Host "设备健康状态评估失败：$_"
    }
}

实现条件访问策略：

# 创建条件访问策略函数
function New-ConditionalAccessPolicy {
    param(
        [string]$PolicyName,
        [ValidateSet('AllUsers', 'SelectedUsers', 'SelectedGroups')]
        [string]$UserScope,
        [string[]]$Users,
        [string[]]$Groups,
        [string[]]$Applications,
        [ValidateSet('DeviceCompliance', 'UserRisk', 'SignInRisk', 'Location')]
        [string[]]$Conditions,
        [hashtable]$ConditionValues,
        [ValidateSet('Block', 'Grant', 'SessionControl')]
        [string]$AccessControl,
        [hashtable]$ControlSettings
    )
    
    try {
        $policy = [PSCustomObject]@{
            PolicyName = $PolicyName
            UserScope = $UserScope
            Users = $Users
            Groups = $Groups
            Applications = $Applications
            Conditions = $Conditions
            ConditionValues = $ConditionValues
            AccessControl = $AccessControl
            ControlSettings = $ControlSettings
            CreatedAt = Get-Date
            CreatedBy = $env:USERNAME
        }
        
        # 这里将连接到 Microsoft Graph API 创建实际策略
        # 下面为模拟实现
        $jsonPolicy = $policy | ConvertTo-Json -Depth 5
        Write-Host "已创建条件访问策略：$PolicyName"
        
        return $policy
    }
    catch {
        Write-Host "条件访问策略创建失败：$_"
    }
}

实现安全会话控制：

# 创建安全会话控制函数
function Set-SecureSessionControl {
    param(
        [string]$SessionId,
        [int]$SessionTimeout = 3600,
        [switch]$EnableScreenLock,
        [int]$ScreenLockTimeout = 300,
        [switch]$RestrictFileDownload,
        [switch]$RestrictClipboard,
        [switch]$EnableWatermark
    )
    
    try {
        $sessionControl = [PSCustomObject]@{
            SessionId = $SessionId
            SessionTimeout = $SessionTimeout
            EnableScreenLock = $EnableScreenLock
            ScreenLockTimeout = $ScreenLockTimeout
            RestrictFileDownload = $RestrictFileDownload
            RestrictClipboard = $RestrictClipboard
            EnableWatermark = $EnableWatermark
            AppliedAt = Get-Date
            AppliedBy = $env:USERNAME
        }
        
        # 这里将应用到实际会话
        # 下面为模拟实现
        $jsonSessionControl = $sessionControl | ConvertTo-Json
        Write-Host "已应用会话控制策略到会话：$SessionId"
        
        return $sessionControl
    }
    catch {
        Write-Host "安全会话控制应用失败：$_"
    }
}

持续监控和评估：

# 创建持续监控函数
function Start-ZeroTrustMonitoring {
    param(
        [string[]]$ComputerNames,
        [int]$Interval = 3600,
        [int]$Duration = 86400,
        [string]$OutputPath
    )
    
    try {
        $startTime = Get-Date
        $endTime = $startTime.AddSeconds($Duration)
        $monitoringResults = @()
        
        while ((Get-Date) -lt $endTime) {
            foreach ($computer in $ComputerNames) {
                $deviceHealth = Test-DeviceHealth -ComputerName $computer -IncludeFirewall -IncludeAntivirus -IncludeUpdates
                
                $monitoringResult = [PSCustomObject]@{
                    Timestamp = Get-Date
                    ComputerName = $computer
                    HealthScore = $deviceHealth.HealthScore
                    ComplianceStatus = $deviceHealth.ComplianceStatus
                    Details = $deviceHealth
                }
                
                $monitoringResults += $monitoringResult
                
                # 如果设备不合规，触发通知
                if (-not $deviceHealth.ComplianceStatus) {
                    Write-Host "设备不合规警告：$computer 的健康分数为 $($deviceHealth.HealthScore)"
                    # 这里可以添加通知逻辑，如发送电子邮件或触发警报
                }
            }
            
            if ((Get-Date).AddSeconds($Interval) -gt $endTime) {
                break
            }
            
            Start-Sleep -Seconds $Interval
        }
        
        if ($OutputPath) {
            $monitoringResults | ConvertTo-Json -Depth 5 | Out-File -FilePath $OutputPath -Encoding UTF8
            Write-Host "监控结果已保存至：$OutputPath"
        }
        
        return $monitoringResults
    }
    catch {
        Write-Host "零信任监控失败：$_"
    }
}

创建安全事件响应：

# 创建安全事件响应函数
function Invoke-ZeroTrustResponse {
    param(
        [string]$ComputerName,
        [ValidateSet('IsolateDevice', 'ForceUpdate', 'DisableAccount', 'ResetPassword', 'TerminateSession')]
        [string]$Action,
        [hashtable]$ActionParameters,
        [switch]$ForceAction
    )
    
    try {
        $responseLog = [PSCustomObject]@{
            Timestamp = Get-Date
            ComputerName = $ComputerName
            Action = $Action
            ActionParameters = $ActionParameters
            InitiatedBy = $env:USERNAME
            Status = "Initiated"
        }
        
        switch ($Action) {
            'IsolateDevice' {
                # 隔离设备网络
                if ($ForceAction) {
                    $isolationRule = "Block All Inbound and Outbound"
                } else {
                    $isolationRule = "Block All Inbound, Allow Outbound to Management"
                }
                
                # 这里添加实际隔离逻辑
                $responseLog.Status = "Completed"
                $responseLog.Details = "Device isolated with rule: $isolationRule"
            }
            'ForceUpdate' {
                # 强制更新设备
                $session = New-CimSession -ComputerName $ComputerName
                Install-WindowsUpdate -CimSession $session -AcceptAll -AutoReboot
                
                $responseLog.Status = "Completed"
                $responseLog.Details = "Updates initiated, reboot may be required"
            }
            'DisableAccount' {
                # 禁用用户账户
                $username = $ActionParameters.Username
                if (-not $username) {
                    throw "Username required for DisableAccount action"
                }
                
                Disable-LocalUser -Name $username -ComputerName $ComputerName
                
                $responseLog.Status = "Completed"
                $responseLog.Details = "Account $username disabled"
            }
            'ResetPassword' {
                # 重置用户密码
                $username = $ActionParameters.Username
                if (-not $username) {
                    throw "Username required for ResetPassword action"
                }
                
                $newPassword = [System.Web.Security.Membership]::GeneratePassword(16, 4)
                $securePassword = ConvertTo-SecureString -String $newPassword -AsPlainText -Force
                
                Set-LocalUser -Name $username -Password $securePassword -ComputerName $ComputerName
                
                $responseLog.Status = "Completed"
                $responseLog.Details = "Password reset for $username"
            }
            'TerminateSession' {
                # 终止用户会话
                $sessionId = $ActionParameters.SessionId
                if (-not $sessionId) {
                    throw "SessionId required for TerminateSession action"
                }
                
                # 这里添加终止会话逻辑
                $responseLog.Status = "Completed"
                $responseLog.Details = "Session $sessionId terminated"
            }
        }
        
        return $responseLog
    }
    catch {
        Write-Host "零信任响应操作失败：$_"
        return [PSCustomObject]@{
            Timestamp = Get-Date
            ComputerName = $ComputerName
            Action = $Action
            Status = "Failed"
            Error = $_.ToString()
        }
    }
}

这些脚本将帮助您实现零信任安全架构的关键组件。记住，零信任是一种安全模型，而不仅仅是一组技术工具。在实施这些技术时，建议与组织的安全策略结合，并确保遵循”最小权限原则”和”默认拒绝”的理念。同时，完整的零信任架构还需要结合其他安全技术，如多因素认证和微分段。