Open ArieHein opened 8 years ago
I'm not sure. If the NTFS permissions on the file are correctly set, it should be enough. The DSC resources are not encrypted on the disk; they have the same potential. Anything running via DSC is run as System or with given credentials. Maybe the best way to ensure it's done, and done intentionally, is to configure that file via LCM metadata, with it being configured and monitored by DSC itself...?
The reason I'm commenting on this is that there's already a repo on GitHub using existing DSC infrastructure to push payloads that shouldn't be there.
If it uses the option to load a "known" file, that file has to be secured if not encrypted, and heavily tested by the LCM for any anomalies.
It would be extremely easy otherwise to plant unwanted payloads using that file. Perhaps adding some UI or similar to be filled in by the admin, and then a file will be created, but then it doesn't have to be a psm. I don't want to see, or others to see, its content.
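The idea in the comment above, that the "known" file should itself be configured and monitored by DSC, can be expressed as a DSC configuration plus an LCM meta-configuration. The following is an added example written for this page; it is not code from the issue author or from the DSC project. The share path, destination path, the identities allowed to write (SYSTEM and Administrators), and the 15-minute consistency interval are all assumptions. It enforces the file's content by SHA-256 against a trusted source copy (the closest thing the built-in `File` resource offers to "testing for anomalies") and enforces the NTFS ACL with a `Script` resource, so any drift in either is corrected on the next consistency check rather than merely noticed.

```powershell
# Added example (not from the original issue or the DSC project).
# Assumed: trusted source on \\trusted-share, destination under C:\ProgramData\Dsc,
# writers limited to SYSTEM and Administrators, 15-minute ApplyAndAutoCorrect cycle.
Configuration KnownFileGuard {
    param (
        [Parameter(Mandatory)] [string] $SourcePath,      # trusted copy of the file (assumed path)
        [Parameter(Mandatory)] [string] $DestinationPath  # the "known" file the LCM would load
    )

    Import-DscResource -ModuleName PSDesiredStateConfiguration

    Node localhost {
        # Content drift: re-copy the file whenever its SHA-256 differs from the trusted source.
        File KnownFileContent {
            Ensure          = 'Present'
            Type            = 'File'
            SourcePath      = $SourcePath
            DestinationPath = $DestinationPath
            Checksum        = 'SHA-256'
            MatchSource     = $true
            Force           = $true
        }

        # Permission drift: only SYSTEM and Administrators may write/delete/change permissions,
        # and inheritance is cut so a permissive parent folder cannot widen access.
        Script KnownFileAcl {
            DependsOn  = '[File]KnownFileContent'
            GetScript  = {
                @{ Result = (Get-Acl -Path $using:DestinationPath).Sddl }
            }
            TestScript = {
                $acl = Get-Acl -Path $using:DestinationPath
                if (-not $acl.AreAccessRulesProtected) { return $false }   # inheritance still on
                $allowedWriters = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')  # assumed
                $dangerous = [System.Security.AccessControl.FileSystemRights]::Write -bor
                             [System.Security.AccessControl.FileSystemRights]::Delete -bor
                             [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
                             [System.Security.AccessControl.FileSystemRights]::TakeOwnership
                foreach ($ace in $acl.Access) {
                    if ($ace.AccessControlType -ne 'Allow') { continue }
                    $grantsDangerous = ($ace.FileSystemRights -band $dangerous) -ne 0
                    if ($grantsDangerous -and $ace.IdentityReference.Value -notin $allowedWriters) {
                        return $false   # someone other than the allowed writers could plant a payload
                    }
                }
                return $true
            }
            SetScript  = {
                $acl = Get-Acl -Path $using:DestinationPath
                $acl.SetAccessRuleProtection($true, $false)   # disable inheritance, drop inherited ACEs
                foreach ($ace in @($acl.Access)) { [void]$acl.RemoveAccessRule($ace) }
                foreach ($id in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
                    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
                        $id, 'FullControl', 'Allow')))
                }
                # Readers still need to load the module; give them read/execute only.
                $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
                    'BUILTIN\Users', 'ReadAndExecute', 'Allow')))
                Set-Acl -Path $using:DestinationPath -AclObject $acl
            }
        }
    }
}

# LCM meta-configuration: apply and auto-correct every 15 minutes so drift is repaired, not just logged.
[DSCLocalConfigurationManager()]
Configuration KnownFileLcm {
    Node localhost {
        Settings {
            ConfigurationMode              = 'ApplyAndAutoCorrect'
            ConfigurationModeFrequencyMins = 15
            RefreshMode                    = 'Push'
        }
    }
}

# Compile and apply (paths are assumptions for the example).
KnownFileGuard -SourcePath '\\trusted-share\dsc\KnownModule.psm1' `
               -DestinationPath 'C:\ProgramData\Dsc\KnownModule.psm1' `
               -OutputPath .\KnownFileGuard
KnownFileLcm -OutputPath .\KnownFileLcm
Set-DscLocalConfigurationManager -Path .\KnownFileLcm
Start-DscConfiguration -Path .\KnownFileGuard -Wait -Verbose
```

After the configuration is applied, `Test-DscConfiguration -Detailed` reports the file as non-compliant if either its hash or its ACL has been tampered with, and the next consistency run restores both. The `$using:` scope inside the `Script` blocks requires WMF 5.0 or later; the trusted source share itself must of course be protected at least as well as the destination, since the `File` resource will faithfully copy whatever is there.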