PowerShell Execution Policies
Microsoft's documentation for PowerShell execution policies can be found here:
about Execution Policies - PowerShell | Microsoft Learn
The most common scenario where you are forced to learn about execution policies is when you have a really cool PowerShell script that you want to run. Perhaps that script was downloaded from somewhere (dodgy) on the Internet. You excitedly fire off the script and run into this screenshot:
Zoinks! What are these pesky execution policies and why won't they let you run your script?
Execution policies are designed to prevent users from unexpectedly running malicious PowerShell scripts from the Internet or other shady sources. There are different settings with varying levels of restriction.
The default execution policy for a Windows workstation is "Restricted". That setting prevents all PowerShell scripts from running, including scripts you write yourself!
If you want complete freedom to run all scripts, the "Bypass" policy is for you. Bypass will let you run any and all scripts from any source, without any warning prompt.
Also consider "AllSigned" and "RemoteSigned" as happy mediums. These settings require PowerShell scripts to be digitally signed before allowing execution, depending on their source in the case of RemoteSigned.
As Microsoft's documentation notes, execution policies are not really a security solution to stop malicious PowerShell scripts from a threat actor. Their primary purpose is to prevent legitimate users from unintentionally running scripts without verifying their source. Any user with access to run a PowerShell script can also change the execution policy; that's about as much security as hiding the house key under the doormat.
For the average computer user, "Restricted" is just fine. For environments where there is a good reason to run PowerShell scripts, "AllSigned" or "RemoteSigned" might be what you are looking for. "Bypass" should only be used in specific situations; for example, the machine is a server that no human interacts with.
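To see which policy actually applies on a machine and how it would treat a given script, here is an added example (not from the original post or from Microsoft's documentation). The script path is a placeholder, and the verdict logic is a simplified approximation of the engine's decision: it ignores UNC paths and the trusted-publisher prompt.

```powershell
# Added example: list the policy per scope and estimate how one script is treated.
param(
    # Placeholder path (an assumption); point it at the script to check.
    [string]$ScriptPath = '.\example.ps1'
)

# Scopes are listed in precedence order; the first one that is not Undefined wins.
Get-ExecutionPolicy -List | Format-Table Scope, ExecutionPolicy -AutoSize | Out-String
$effective = "$(Get-ExecutionPolicy)"
"Effective policy for this session: $effective"

if (-not (Test-Path -LiteralPath $ScriptPath)) {
    "No file at $ScriptPath; skipping the per-script check."
    return
}

# Mark of the web: browsers and mail clients record the download zone in an
# NTFS alternate data stream named Zone.Identifier (3 = Internet, 4 = Restricted sites).
$zone = Get-Content -LiteralPath $ScriptPath -Stream Zone.Identifier -ErrorAction SilentlyContinue
$isRemote = [bool]($zone -match '^ZoneId=[34]$')

# Authenticode status is Valid, NotSigned, HashMismatch, NotTrusted, and so on.
$sig = Get-AuthenticodeSignature -LiteralPath $ScriptPath
$signed = $sig.Status -eq 'Valid'

$verdict = switch ($effective) {
    'Restricted' { 'blocked: no scripts run under Restricted' }
    'AllSigned' {
        if ($signed) { 'allowed: valid signature' }
        else { "blocked: signature status is $($sig.Status)" }
    }
    'RemoteSigned' {
        if (-not $isRemote) { 'allowed: local file, no signature required' }
        elseif ($signed) { 'allowed: downloaded file with a valid signature' }
        else { "blocked: downloaded file, signature status is $($sig.Status)" }
    }
    default { 'allowed: Unrestricted or Bypass does not check signatures' }
}
"{0}: {1}" -f $ScriptPath, $verdict
```

A value other than Undefined in the MachinePolicy or UserPolicy rows means Group Policy sets the policy, and those scopes override anything set for the process, user or machine.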
How about running one script without changing the execution policy for the whole machine? Microsoft gives a good example of how to do this: