While driving up to RTP today I was listening to the PowerScripting podcast, episode 140. Hal and Johnathan received a question about execution policy settings, and the conclusion they reached was that RemoteSigned was a good compromise. I would like to expand on this a bit. The real fear with script execution is that you’ll unintentionally run code that has malicious intent buried within it. Personally, I don’t run around running code before I review and test it, but that doesn’t mean I’m safe. As PowerShell MVP and trainer extraordinaire Don Jones has previously stated, the risk is with your profile.
You see, your profile is run automatically; it is triggered by its mere presence. If script execution is enabled you don’t even have to create the profile: a co-worker could simply place one in your $PSHOME directory and PowerShell WILL run it. So now that we’re in the land of malicious intent there isn’t anything you can do to stop said intent, but you can prove it wasn’t you. This is why I have every PC in my domain set to AllSigned, but I then lower the execution policy to RemoteSigned after my profile is finished running. This way, even if someone does maliciously compromise my profile or a module I autoload, there are two possible results.
- The hash will be broken, and PowerShell will not only refuse to run the modified code, but will also alert me to the unauthorised modification.
- It loads, meaning someone has signed it with a valid certificate, thereby leaving a forensic trace of the code’s origin.
Finally, I would highlight that malicious intent isn’t always something egregious like removing all users in AD. It’s often something simple like adding someone to a group they’re not authorized to access. Before you run off snickering, there is no reason to leave yourself exposed when there is a simple remedy.
First, set your execution policy to AllSigned. Then in your profile, after you’ve loaded everything, simply place the following line.
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope Process
Now you have a best-of-both-worlds scenario: protection for the code that PowerShell runs automatically, and a more development-friendly environment! Admittedly there is still the potential that someone compromises a script or module that you don’t autoload, but the only remedy there would be to run AllSigned all the time… and well, if that were easy everyone would do it.
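To show the whole pattern in one place, here is an added example of a profile built around it. This is not code from the original post; it assumes the LocalMachine policy was already set to AllSigned by an administrator, that the profile file itself is Authenticode-signed (otherwise AllSigned will not run it), and the module names it imports are placeholders. It also adds a check the post only describes in words: inspecting each profile file's signature status, which is where a tampered or dropped-in profile shows up.

```powershell
# Added example of the post's pattern (not the author's profile).
# Assumes an administrator has already run, once per machine:
#   Set-ExecutionPolicy -ExecutionPolicy AllSigned -Scope LocalMachine
# and that this profile file is signed, e.g. with Set-AuthenticodeSignature.

# --- 1. Everything that should run under AllSigned goes first --------------
# Placeholder module names; substitute the modules you actually autoload.
$AutoLoadModules = @('MyTeam.Tools', 'MyTeam.ADHelpers')   # hypothetical
foreach ($m in $AutoLoadModules) {
    Import-Module -Name $m -ErrorAction Stop
}

# --- 2. Confirm the base policy really is AllSigned -------------------------
# If someone has weakened the machine policy, warn instead of continuing
# silently in a looser configuration.
$machine = (Get-ExecutionPolicy -List |
            Where-Object { $_.Scope -eq 'LocalMachine' }).ExecutionPolicy
if ($machine -ne 'AllSigned') {
    Write-Warning "LocalMachine execution policy is '$machine', expected 'AllSigned'."
}

# --- 3. Inspect every profile file that exists on this box ------------------
# Status 'Valid' means signed and unmodified; 'HashMismatch' means the file
# was edited after signing; 'NotSigned' means a file was placed here unsigned.
# Under AllSigned the last two would have refused to run, so seeing them
# here (for profiles other than the one executing) is worth a look.
$ProfilePaths = @($PROFILE.AllUsersAllHosts,
                  $PROFILE.AllUsersCurrentHost,
                  $PROFILE.CurrentUserAllHosts,
                  $PROFILE.CurrentUserCurrentHost)
$ProfilePaths | Where-Object { Test-Path -Path $_ } | ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_
    New-Object -TypeName PSObject -Property @{
        Path   = $_
        Status = $sig.Status
        Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    }
} | Format-Table -AutoSize

# --- 4. Only now relax the policy, and only for this process ----------------
# -Scope Process is held in memory for this session; nothing is written to
# the registry, so the next PowerShell start is back under AllSigned.
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope Process -Force

# --- 5. Record what is now in effect, scope by scope ------------------------
Get-ExecutionPolicy -List | Format-Table -AutoSize
```

Two points worth knowing before relying on this. The Process scope only wins when the stricter setting lives in LocalMachine or CurrentUser; if AllSigned is pushed down through Group Policy (the MachinePolicy or UserPolicy scopes), those take precedence over every other scope and the relaxing step in section 4 will have no effect. And once the profile has edited the signed file (to change the module list, say), it must be re-signed, or the next start will hit exactly the HashMismatch condition the post describes.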