There is a section in “The DSC Book” with this title that discusses this.
- If you were to use “Basic Authentication”, what does the “Credential” LCM Meta configuration setting look like, and what prevents users from seeing it if they were to run “Get-DscLocalConfigurationManager”?
- Is there a way to instead use “Windows Authentication” so you don’t need to pass a username and password in clear text, assuming you are using HTTP and not HTTPS? Could you instead configure the DSC NT Task Scheduler job to run as some sort of domain service account instead of “System”?
If the goal is to restrict who can request configuration, regardless of how the caller authenticates (Basic or Windows), how do you then “Authorize” only certain users? Would you simply use some form of IIS URL authorization based on AD group membership?