John,
I'd have to disagree with your analogy. UAC does provide an actual [significant] security benefit, because it cannot simply be bypassed by a process launched as a standard (non-admin) user. There are also many other "under the hood" security features provided by UAC, such as "Integrity Levels." I recommend watching this, if you want to blow your mind: http://channel9.msdn.com/Shows/Defrag-Tools/Defrag-Tools-2-Process-Explorer Cheers, Trevor Sullivan From: [email protected] [mailto:[email protected]] On Behalf Of John Cook Sent: Wednesday, November 6, 2013 8:12 AM To: [email protected] Subject: RE: [powershell] Argument in favor of a non-unrestricted Execution Policy? I'd liken it to the UAC in Vista, it was a well-intentioned security measure that everyone wanted to bypass. Eventually it was made more user friendly, we can only hope it goes this way in PoSh. John W. Cook Network Operations Manager Partnership For Strong Families 5950 NW 1st Place Gainesville, Fl 32607 Office (352) 244-1610 Cell (352) 215-6944 MCSE, MCP+I, MCTS, CompTIA A+, N+, Security+ VSP4, VTSP4 From: [email protected] [mailto:[email protected]] On Behalf Of Mark Stang Sent: Wednesday, November 06, 2013 8:46 AM To: [email protected] Subject: Re: [powershell] Argument in favor of a non-unrestricted Execution Policy? Agreed. Restricted is useless. I'm sure developers are all gung ho about signing their 1000 line script masterpieces, but as a sysadmin, signing scripts is too onerous for my 10-20 line throw together scripts to solve an immediate problem. Unrestricted is the way to go. On Tue, Nov 5, 2013 at 12:26 PM, Trevor Sullivan <[email protected] <mailto:[email protected]> > wrote: Hey folks, Can anyone make a specific and compelling argument for why the PowerShell execution policy should be configured to anything *except* "unrestricted? In other words, is there any *solid* reason why one of these values should be configured instead? * RemoteSigned * AllSigned * Restricted As best I can tell, there is no apparent benefit of configuring one of the above, bulleted items, since you can simply call PowerShell.exe -ExecutionPolicy Bypass to work around it. Cheers, Trevor Sullivan ================================================ Did you know you can also post and find answers on PowerShell in the forums? http://www.myitforum.com/forums/default.asp?catApp=1 ================================================ Did you know you can also post and find answers on PowerShell in the forums? http://www.myitforum.com/forums/default.asp?catApp=1 _____ CONFIDENTIALITY STATEMENT: The information transmitted, or contained or attached to or with this Notice is intended only for the person or entity to which it is addressed and may contain Protected Health Information (PHI), confidential and/or privileged material. Any review, transmission, dissemination, or other use of, and taking any action in reliance upon this information by persons or entities other than the intended recipient without the express written consent of the sender are prohibited. This information may be protected by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and other Federal and Florida laws. Improper or unauthorized use or disclosure of this information could result in civil and/or criminal penalties. Consider the environment. Please don't print this e-mail unless you really need to. ================================================ Did you know you can also post and find answers on PowerShell in the forums? http://www.myitforum.com/forums/default.asp?catApp=1 ================================================ Did you know you can also post and find answers on PowerShell in the forums? http://www.myitforum.com/forums/default.asp?catApp=1
