We also set the execution policy to unrestricted. However, to add protection like the seatbelt analog Michael gave, we combine it with AppLocker. With AppLocker, PoSh scripts can only run from trusted locations from user workstations (admins have additional locations where they can develop and run scripts from too). This has worked well for us so far.
-Aakash Shah From: [email protected] [mailto:[email protected]] On Behalf Of Trevor Sullivan Sent: Wednesday, November 6, 2013 10:20 AM To: [email protected] Subject: RE: [powershell] Argument in favor of a non-unrestricted Execution Policy? Michael, How does the PowerShell script execution policy act as a seatbelt? All someone has to do, to run a PowerShell script, is bypass the execution policy. It doesn't matter what the operating system's execution policy is set to, or how it's configured. You can bypass it no matter what. That's why I'm seeking out compelling reasons to not just leave it at "unrestricted." Cheers, Trevor Sullivan From: [email protected]<mailto:[email protected]> [mailto:[email protected]] On Behalf Of Michael B. Smith Sent: Wednesday, November 6, 2013 12:02 PM To: [email protected]<mailto:[email protected]> Subject: RE: [powershell] Argument in favor of a non-unrestricted Execution Policy? I have no desire to change someone's bias, but I favor RemoteSigned. Think of ExecutionPolicy as a seatbelt. It can help you. Oh, and if ExecutionPolicy is set via GPO, you can't override it. From: [email protected]<mailto:[email protected]> [mailto:[email protected]] On Behalf Of Mark Stang Sent: Wednesday, November 6, 2013 8:46 AM To: [email protected]<mailto:[email protected]> Subject: Re: [powershell] Argument in favor of a non-unrestricted Execution Policy? Agreed. Restricted is useless. I'm sure developers are all gung ho about signing their 1000 line script masterpieces, but as a sysadmin, signing scripts is too onerous for my 10-20 line throw together scripts to solve an immediate problem. Unrestricted is the way to go. On Tue, Nov 5, 2013 at 12:26 PM, Trevor Sullivan <[email protected]<mailto:[email protected]>> wrote: Hey folks, Can anyone make a specific and compelling argument for why the PowerShell execution policy should be configured to anything *except* "unrestricted? In other words, is there any *solid* reason why one of these values should be configured instead? * RemoteSigned * AllSigned * Restricted As best I can tell, there is no apparent benefit of configuring one of the above, bulleted items, since you can simply call PowerShell.exe -ExecutionPolicy Bypass to work around it. Cheers, Trevor Sullivan ================================================ Did you know you can also post and find answers on PowerShell in the forums? http://www.myitforum.com/forums/default.asp?catApp=1 ================================================ Did you know you can also post and find answers on PowerShell in the forums? http://www.myitforum.com/forums/default.asp?catApp=1 ================================================ Did you know you can also post and find answers on PowerShell in the forums? http://www.myitforum.com/forums/default.asp?catApp=1 ================================================ Did you know you can also post and find answers on PowerShell in the forums? http://www.myitforum.com/forums/default.asp?catApp=1 ================================================ Did you know you can also post and find answers on PowerShell in the forums? http://www.myitforum.com/forums/default.asp?catApp=1
