Objective:
⚠️ Security Considerations
- Predefine everything: Scripts and tasks should be set up in advance by an administrator.
- Limit scope: The scheduled task can only execute a specific, signed script with strict controls.
- No arbitrary commands: Users cannot provide their own input beyond triggering the event.
🛠️ Step 1: Prepare the IP Address Change Script
This script will be executed by the scheduled task with admin rights. It should:
- Be stored securely (e.g.,
C:\Scripts\ChangeIP.ps1). - Have hardcoded or controlled inputs to avoid abuse.
Example PowerShell Script (ChangeIP.ps1)
# Define the interface name and the new IP address details
$InterfaceAlias = "Ethernet"
$NewIPAddress = "192.168.1.100"
$NewSubnetMask = "255.255.255.0"
$NewGateway = "192.168.1.1"
# Change the IP address
Try {
# Remove any existing IP addresses
Get-NetIPAddress -InterfaceAlias $InterfaceAlias -AddressFamily IPv4 | Remove-NetIPAddress -Confirm:$false
# Set new IP address
New-NetIPAddress -InterfaceAlias $InterfaceAlias -IPAddress $NewIPAddress -PrefixLength 24 -DefaultGateway $NewGateway
# Optionally set DNS servers
Set-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -ServerAddresses ("8.8.8.8", "8.8.4.4")
Write-EventLog -LogName Application -Source "ChangeIPScript" -EventId 2001 -EntryType Information -Message "IP address successfully changed."
} Catch {
Write-EventLog -LogName Application -Source "ChangeIPScript" -EventId 2002 -EntryType Error -Message $_.Exception.Message
}Best Practices:
- Register
ChangeIPScriptas an Event Source if not already done. - Log actions for auditing.
- Make the script read-only for everyone but admins.
- Digitally sign the script to prevent tampering.
🛠️ Step 2: Create the Event Trigger Mechanism
The engineer will trigger an event using a simple script they’re allowed to run.
Example PowerShell Event Trigger Script (TriggerChangeIPEvent.ps1)
# This script just writes an event log entry that the scheduled task listens for.
Write-EventLog -LogName Application -Source "ChangeIPRequest" -EventId 5000 -EntryType Information -Message "Engineer requested IP change."Best Practices:
- Register
ChangeIPRequestas an Event Source if needed. - This script does not do anything dangerous. It simply triggers the event.
🛠️ Step 3: Set Up the Scheduled Task (Admin Action Required)
Now you need an elevated scheduled task that listens for Event ID 5000 and runs the IP change script.
Create Task Using Task Scheduler (GUI)
- General Tab:
– Name:ChangeIP_OnEvent
– Run whether user is logged on or not.
– Run with highest privileges.
– User account: Select an admin account.
– Disable “Allow task to be run on demand” (optional for security). - Triggers Tab:
– New Trigger → Begin the task: On an event.
– Log:Application
– Source:ChangeIPRequest
– Event ID:5000 - Actions Tab:
– Start a Program:powershell.exe
– Arguments:-ExecutionPolicy Bypass -File "C:\Scripts\ChangeIP.ps1" - Conditions/Settings Tabs:
– Configure as appropriate for security.
– Disable “Stop the task if it runs longer than…” if unnecessary.
Create Task Using PowerShell (Alternative)
$Action = New-ScheduledTaskAction -Execute "powershell.exe" -Argument '-ExecutionPolicy Bypass -File "C:\Scripts\ChangeIP.ps1"'
$Trigger = New-ScheduledTaskTrigger -Log "Application" -Source "ChangeIPRequest" -EventId 5000
$Principal = New-ScheduledTaskPrincipal -UserId "NT AUTHORITY\SYSTEM" -RunLevel Highest
Register-ScheduledTask -TaskName "ChangeIP_OnEvent" -Action $Action -Trigger $Trigger -Principal $Principal -Description "Change IP address on EventID 5000"🛡️ Step 4: Lock Down the Environment
- Script Folder Security:
–C:\ScriptsandChangeIP.ps1should be read-only for non-admins.
– Only SYSTEM and administrators can write/modify. - Scheduled Task Protection:
– Only administrators can modify the task.
– Ensure task does not accept parameters from the triggering event. - Audit Logging:
– Enable auditing on script execution and scheduled task actions.
– Use Event Logs to track every step. - Optional:
– Sign the PowerShell script with a trusted certificate.
– Disable PowerShell for non-admins beyond the allowed trigger script.
🧪 Step 5: Test the Process
- Log in as the engineer.
- Run
TriggerChangeIPEvent.ps1(no admin required). - The event should be written to the log.
- Scheduled Task detects EventID
5000and runs the elevated IP change script. - IP address changes without the engineer having admin rights.
✅ What We’ve Achieved
- Non-admin users can request an IP change securely.
- The IP change process is fully controlled.
- There’s no way for the user to hijack the system to install rogue software because:
– They can’t edit the IP script.
– They can’t modify the scheduled task.
– They can’t inject their own commands.
📝 Recap
- Engineer triggers EventID
5000. - Event triggers a secure Scheduled Task.
- Task runs a predefined script under admin privileges.
- Security is ensured by locking down the files, tasks, and inputs.
DrayTek Vigor 2962 2.5Gb Ethernet Dual-WAN Broadband Firewall Router, 200 VPN Tunnels, 20 VLANS, QOS, Remote Management, Load Balancing
High Performance Multi-WAN Router - The Vigor 2962 makes full use of FTTP Fibre Broadband at up to 2.2Gbps throughput for single or multi-WAN configurations. With Quality of Service, Firewall and Content Filtering.
Buy Now on Amazon
NETGEAR Orbi Mesh WiFi 6 System (RBK763S) , Mesh Router & 2 Extenders , Cover Every Room, Up To 6,000 Sq Ft , Improve WiFi Speeds up to 5.4 Gbps & 75 devices , Simple App Set Up
WiFI mesh coverage of up to 6,000 sq ft and up to 75 devices, With each satellite (sold separately) you can extend the range by up to 2,000 sq ft
Buy Now on Amazon
DrayTek Vigor 2865Lax-5G Ethernet Router, WiFi 6 AX3000 Wireless and 5G Failover, Integrated 5G Modem, 5+1 GbE LAN Ports with VLANs, VDSL
VDSL and Ethernet Load Balancer - Connect the Vigor 2865 to Superfast Fibre with the integrated VDSL modem. Use the Ethernet WAN with Cable and Ultrafast FTTP. Load Balance multiple connections to boost performance.
Buy Now on Amazon
TP-Link Archer BE550 Router WiFi 7 BE9300Mbps, Tri-Band WiFi Router, 2.5G Ports,USB Port,Maximized Coverage,VPN Router, Parental Control, HomeShield Security, Private IoT Network,Easy Setup,EasyMesh
Wi-Fi 7 Routers: With powerful Wi-Fi 7 performance, lightning-fast wired connections, and brand-new design
Buy Now on Amazon
QNAP TS-253A-4G 2 Bay NAS Enclosure with 4GB RAM - Black (GDPR Compliant)
NAS and iSCSI-SAN unified storage solution for server virtualization
Buy Now on Amazon
WD 16TB My Cloud EX2 Ultra 2-bay NAS - Network Attached Storage RAID, file sync, streaming, media server, with WD Red drives
Centralised network storage: Organise your entire media collection, photos and files in one central, network location
Buy Now on Amazon
Synology DX517 5 Bay Desktop Network Attached Storage Expansion Enclosure, Black
Online volume expansion
Buy Now on Amazon
QNAP TS-431XeU-8G 4 Bay Short-depth Rackmount NAS Enclosure with 10GbE SFP+ & 8GB RAM
The short depth design is suitable for installing in smaller racks or space-constrained locations
Buy Now on Amazon
Seagate 10 TB IronWolf NAS 3.5 Inch Hard Drive ST10000VN0008 (SATA 6 Gb/s/256 MB/7200 RPM)
Model Number: ST10000VN0008
Buy Now on Amazon
QNAP TS-673A-8G 6 Bay Desktop NAS Enclosure - 8GB RAM, AMD Ryzen Quad-core 2.2 GHz Processor - with 2.5GbE connectivity & supporting PCIe expansion
8GB DDR4 RAM (2 x SODIMM slots, max. 64GB, optional ECC RAM support)
Buy Now on Amazon
Synology DS1621+ 48TB 6 Bay Desktop NAS Solution, installed with 6 x 8TB Western Digital Red Plus Drives
Accelerated Performance: 174% higher 4K random read IOPS and 76% faster sequential write speeds compared to its predecessor
Buy Now on Amazon
Synology DS1823xs+ 8 Bay NAS Desktop: High-Performance Storage Solution
Powerful Performance - Over 3,100/2,600 MB/s sequential read/write throughput and over 173,100/80,800 random read/write IOPS2 support heavier applications
Buy Now on Amazon