PowerShell: A note on Execution policy.

While driving up to RTP today I was listening to the PowerScripting podcast episode 140. Hal and Jonathan received a question about execution policy settings. The conclusion they reached was that RemoteSigned was a good compromise. I would like to expand on this a bit. The real fear with script execution is that you’ll unintentionally run code that has malicious intent buried within it. Personally I don’t run around running code before I review and test it, but that doesn’t mean I’m safe. As PowerShell MVP and trainer extraordinaire Don Jones has previously stated, the risk is with your profile.

You see, your profile is run automatically; it is triggered by its mere presence. If script execution is enabled you don’t even have to create the profile. A co-worker could simply place one in your $PSHOME directory and PowerShell WILL run it. So now that we’re in the land of malicious intent there isn’t anything you can do to stop said intent, but you can prove it wasn’t you. This is why I have every PC in my domain set to AllSigned, but I then lower the execution policy to RemoteSigned after my profile is finished running. This way, even if someone does maliciously compromise my profile or a module I autoload, there are two possible results.

  1. The hash will be broken and PowerShell will not only not run the modified code, but it will also alert me to the unauthorised modification.
  2. It loads, meaning someone has signed it with a valid certificate, thereby leaving a forensic trace of the code’s origin.

Finally, I would highlight that malicious intent isn’t always something egregious like removing all users in AD. It’s often something simple like adding someone to a group they’re not authorized to access. Before you run off snickering, there is no reason to leave yourself exposed when there is a simple remedy.

First set your execution policy to AllSigned.  Then in your profile after you’ve loaded everything simply place the following line.

Now you have a best-of-both-worlds scenario: protection for code that PowerShell runs automatically, and an environment that is more development friendly! Admittedly there is still the potential that someone compromises a script or module that you don’t autoload, but the only remedy there would be to run AllSigned all the time… and well, if that was easy everyone would do it.

~Glenn
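The profile line referred to in the post did not survive on this page. What follows is an added example, not the author's code: the tail of a signed profile that records who signed each auto-loaded file and then lowers the policy for the current session only. The use of Process scope and the assumption that AllSigned is set at LocalMachine scope rather than through Group Policy are choices made for this example.

```powershell
# Added example: place at the END of a signed profile script.
# Assumption: AllSigned is the LocalMachine policy, not a Group Policy setting.

# Every profile path PowerShell loads automatically for this host.
$profileFiles = 'AllUsersAllHosts', 'AllUsersCurrentHost',
                'CurrentUserAllHosts', 'CurrentUserCurrentHost' |
    ForEach-Object { $PROFILE.$_ } |
    Where-Object { $_ -and (Test-Path -LiteralPath $_) }

# Script-based files of the modules already imported into this session.
$moduleFiles = Get-Module |
    Where-Object { $_.Path -match '\.(ps1|psm1|psd1)$' } |
    Select-Object -ExpandProperty Path

$autoLoaded = @($profileFiles) + @($moduleFiles) | Sort-Object -Unique

# Record the signer of each auto-loaded file: the forensic trace of its origin.
$report = foreach ($file in $autoLoaded) {
    $sig = Get-AuthenticodeSignature -LiteralPath $file
    [pscustomobject]@{
        Path       = $file
        Status     = $sig.Status
        Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject }
        Thumbprint = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint }
    }
}
$notValid = @($report | Where-Object { $_.Status -ne 'Valid' })

# Group Policy scopes outrank Process scope, so lowering would have no effect.
$gpoPolicy = @('MachinePolicy', 'UserPolicy' |
    ForEach-Object { Get-ExecutionPolicy -Scope $_ } |
    Where-Object { $_ -ne 'Undefined' })

if ($notValid.Count -gt 0) {
    # Something loaded without a valid signature: stay on the stricter policy.
    Write-Warning 'Auto-loaded files without a valid signature; keeping current policy:'
    $notValid | Format-Table Path, Status -AutoSize | Out-String | Write-Warning
}
elseif ($gpoPolicy.Count -gt 0) {
    Write-Warning "Execution policy is set by Group Policy ($($gpoPolicy -join ', ')); not lowering."
}
else {
    # Lower the policy for this process only; new sessions start at AllSigned again.
    Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope Process -Force
}
```

Because the change is made at Process scope, `Get-ExecutionPolicy -List` in the same session shows RemoteSigned for Process while LocalMachine stays at AllSigned.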

3 thoughts on “PowerShell: A note on Execution policy.”

  1. If you had the kind of access to a file on a box to change a profile you would also probably be able to get the computer to run a script with:
    powershell.exe -ExecutionPolicy Unrestricted pathtoscript

    The only thing execution policy can help you with is to prevent you from accidentally double clicking on a file and running its contents. For that reason, remotesigned should be enough b/c it’s more than likely that a file generated on my computer was created or put there by me, and is at least safe enough to run without jumping through hoops.

    • Again the goal here is to protect yourself. If someone has malicious intent you’re never going to stop them. However, in your example that script wouldn’t run under your account with your credentials. It would run under the user that executed it. The point here is that your session can be hijacked via your profile if you don’t protect it.

      “double clicking” a .ps1 opens notepad unless someone’s been playing with file associations.

      ~Glenn
