
Powershell is initially disabled. Why might a cautious Admin argue to leave it disabled?

Tags:

powershell

Powershell by default is initially disabled, presumably for security reasons.

When I ask for it to be enabled so I can use it, the Admins are cautious to take action that may leave the server more vulnerable and as a result, it isn't enabled and I am left waiting.

Granted that Microsoft has a lousy track record for security and that leaving a feature disabled is probably in theory more secure than enabling it, but that goes with anything.

Is Powershell inherently so dangerous that it should be feared more so than any other Windows scripting language?

Chad asked Jan 19 '23 01:01


1 Answer

Powershell has additional security and safety features. Have a look at execution policies: http://msdn.microsoft.com/en-us/library/dd347641.aspx (or run get-help about_execution_policies)

Scripting is a very powerful tool, but it can be misused for malicious purposes. To protect user data and the integrity of the operating system, Windows PowerShell includes several security features, among which is the execution policy.

http://msdn.microsoft.com/en-us/library/bb648601(v=vs.85).aspx

So by default you cannot double click on scripts or enter them in the console to run them. And you can control if scripts can be executed and what kind of scripts at that as well.

Also, with Powershell, you will not be able to script / run commands that you otherwise have no permissions for as set by the administrator. If you cannot turn off the firewall from the GUI, say, because you don't have the necessary privileges, you cannot do it from Powershell as well.

Powershell also borrows from security best practices from elsewhere. You cannot execute a script or other executable that is not in path by just giving the script name or the exe name. You have to use something like .\script.ps1 - for it to run. This is because unlike CMD, the current directory is not in path, much like what you would see in *nix. This makes sure that any malicious script placed in the current directory cannot override built-in commands like dir and cause harmful effects.

manojlds answered May 12 '23 07:05
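
The two behaviours described in the answer above (execution policy and the current directory not being searched) can be checked on a given machine with the following added example, which is not part of the original answer. The script name hello-constructed.ps1 and the temporary directory are constructed for the demonstration.

```powershell
# Added example, not from the answer. Run in a normal (non-elevated) PowerShell session on Windows.

# 1. Execution policy at each scope, listed in precedence order
#    (MachinePolicy, UserPolicy, Process, CurrentUser, LocalMachine).
$scopes = Get-ExecutionPolicy -List
$scopes | Format-Table Scope, ExecutionPolicy -AutoSize
"Effective policy for this session: $(Get-ExecutionPolicy)"

# Scopes that place no restriction on scripts are the ones an admin would review.
$scopes |
    Where-Object { 'Unrestricted', 'Bypass' -contains "$($_.ExecutionPolicy)" } |
    ForEach-Object { "Review: scope $($_.Scope) is set to $($_.ExecutionPolicy)" }

# 2. A script sitting in the current directory is not found by its bare name.
#    The directory and script below are constructed and removed again afterwards.
$dir = Join-Path ([IO.Path]::GetTempPath()) ("ps-demo-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $dir | Out-Null
Set-Content -Path (Join-Path $dir 'hello-constructed.ps1') -Value "'script body ran'"

Push-Location $dir
try {
    foreach ($name in 'hello-constructed.ps1', '.\hello-constructed.ps1') {
        try {
            $out = & $name
            "{0,-26} -> ran: {1}" -f $name, $out
        }
        catch [System.Management.Automation.CommandNotFoundException] {
            # Command lookup only searches PATH, not the current directory.
            "{0,-26} -> not resolved (current directory is not searched)" -f $name
        }
        catch [System.Management.Automation.PSSecurityException] {
            # The file was located, then refused by the execution policy.
            "{0,-26} -> resolved, but blocked by execution policy" -f $name
        }
    }
}
finally {
    Pop-Location
    Remove-Item -Recurse -Force $dir
}
```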