It isn't the right answer...

Daniel Ratliff

From: [email protected] [mailto:[email protected]] On 
Behalf Of Daniel Ratliff
Sent: Wednesday, November 06, 2013 2:14 PM
To: [email protected]
Subject: RE: [powershell] Argument in favor of a non-unrestricted Execution 
Policy?

I don't think you will find any compelling reasons, but I have to agree with 
the seatbelt analogy. It it's the right answer but it does mitigate some risk. 
For anyone that shouldn't be running PowerShell scripts, they won't be able to 
run them without figuring this out first.

Ask yourself, how many people have asked you about the 'execution policy' 
because they didn't set it properly?

Daniel Ratliff

From: [email protected] [mailto:[email protected]] On Behalf Of Trevor Sullivan
Sent: Wednesday, November 06, 2013 1:20 PM
To: [email protected]
Subject: RE: [powershell] Argument in favor of a non-unrestricted Execution 
Policy?

Michael,

How does the PowerShell script execution policy act as a seatbelt? All someone 
has to do, to run a PowerShell script, is bypass the execution policy. It 
doesn't matter what the operating system's execution policy is set to, or how 
it's configured. You can bypass it no matter what. That's why I'm seeking out 
compelling reasons to not just leave it at "unrestricted."

Cheers,
Trevor Sullivan

From: [email protected] [mailto:[email protected]] On Behalf Of Michael B. Smith
Sent: Wednesday, November 6, 2013 12:02 PM
To: [email protected]
Subject: RE: [powershell] Argument in favor of a non-unrestricted Execution 
Policy?

I have no desire to change someone's bias, but I favor RemoteSigned.

Think of ExecutionPolicy as a seatbelt. It can help you.

Oh, and if ExecutionPolicy is set via GPO, you can't override it.

From: [email protected] [mailto:[email protected]] On Behalf Of Mark Stang
Sent: Wednesday, November 6, 2013 8:46 AM
To: [email protected]
Subject: Re: [powershell] Argument in favor of a non-unrestricted Execution 
Policy?

Agreed.

Restricted is useless.

I'm sure developers are all gung ho about signing their 1000 line script 
masterpieces, but as a sysadmin, signing scripts is too onerous for my 10-20 
line throw together scripts to solve an immediate problem.

Unrestricted is the way to go.


On Tue, Nov 5, 2013 at 12:26 PM, Trevor Sullivan <[email protected]> wrote:
Hey folks,

Can anyone make a specific and compelling argument for why the PowerShell 
execution policy should be configured to anything *except* "unrestricted"?

In other words, is there any *solid* reason why one of these values should be 
configured instead?

*         RemoteSigned

*         AllSigned

*         Restricted

As best I can tell, there is no apparent benefit of configuring one of the 
above, bulleted items, since you can simply call PowerShell.exe 
-ExecutionPolicy Bypass to work around it.

Cheers,
Trevor Sullivan

================================================
Did you know you can also post and find answers on PowerShell in the forums?
http://www.myitforum.com/forums/default.asp?catApp=1



The information transmitted is intended only for the person or entity to which 
it is addressed
and may contain CONFIDENTIAL material. If you receive this material/information 
in error,
please contact the sender and delete or destroy the material/information.
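
Added example, not part of any message in this thread: the discussion turns on which execution policy setting actually takes effect when several scopes disagree, so this sketch resolves the effective policy from the output of `Get-ExecutionPolicy -List` using the scope precedence documented in about_Execution_Policies. The function name `Get-EffectiveExecutionPolicy`, its parameter, and the two sample scope lists are assumptions constructed for illustration.

```powershell
# Added example; function name, parameter and sample data are hypothetical.
function Get-EffectiveExecutionPolicy {
    [CmdletBinding()]
    param(
        # Objects with Scope and ExecutionPolicy properties,
        # the shape returned by Get-ExecutionPolicy -List.
        [Parameter(Mandatory)]
        [object[]]$ScopeList
    )
    # Documented precedence, highest first.
    $precedence = 'MachinePolicy', 'UserPolicy', 'Process', 'CurrentUser', 'LocalMachine'
    foreach ($scope in $precedence) {
        $entry = $ScopeList | Where-Object { "$($_.Scope)" -eq $scope } | Select-Object -First 1
        if ($entry -and "$($entry.ExecutionPolicy)" -ne 'Undefined') {
            return [pscustomobject]@{
                EffectivePolicy  = "$($entry.ExecutionPolicy)"
                DecidingScope    = $scope
                # The two *Policy scopes are the ones written by Group Policy.
                SetByGroupPolicy = $scope -in 'MachinePolicy', 'UserPolicy'
            }
        }
    }
    # No scope defines a policy: the platform default applies.
    [pscustomobject]@{ EffectivePolicy = 'Undefined'; DecidingScope = $null; SetByGroupPolicy = $false }
}

# Constructed sample 1: no GPO, a process-level setting outranks the machine default.
$localOnly = @(
    [pscustomobject]@{ Scope = 'MachinePolicy'; ExecutionPolicy = 'Undefined' }
    [pscustomobject]@{ Scope = 'UserPolicy';    ExecutionPolicy = 'Undefined' }
    [pscustomobject]@{ Scope = 'Process';       ExecutionPolicy = 'Bypass' }
    [pscustomobject]@{ Scope = 'CurrentUser';   ExecutionPolicy = 'Undefined' }
    [pscustomobject]@{ Scope = 'LocalMachine';  ExecutionPolicy = 'RemoteSigned' }
)
# Constructed sample 2: a GPO-set MachinePolicy outranks every other scope.
$gpoPinned = @(
    [pscustomobject]@{ Scope = 'MachinePolicy'; ExecutionPolicy = 'AllSigned' }
    [pscustomobject]@{ Scope = 'UserPolicy';    ExecutionPolicy = 'Undefined' }
    [pscustomobject]@{ Scope = 'Process';       ExecutionPolicy = 'Bypass' }
    [pscustomobject]@{ Scope = 'CurrentUser';   ExecutionPolicy = 'Undefined' }
    [pscustomobject]@{ Scope = 'LocalMachine';  ExecutionPolicy = 'Unrestricted' }
)

Get-EffectiveExecutionPolicy -ScopeList $localOnly   # Bypass, decided by Process
Get-EffectiveExecutionPolicy -ScopeList $gpoPinned   # AllSigned, decided by MachinePolicy

# Audit the current session on a real machine:
Get-EffectiveExecutionPolicy -ScopeList (Get-ExecutionPolicy -List)
```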
