I understand sufficiently how the ExecutionPolicy works in PowerShell. Most of what I've seen and done is how to disable it. There's even a command-line flag to disable it (powershell -ExecutionPolicy Unrestricted ...).
So my question is why, not how. Why is this even a feature? In my experience it's more of a misfeature; the only thing it's ever done for me is to annoy me, between the time I see the "cannot be loaded because the execution of scripts is disabled on this system" error, and when I remember about that -ExecutionPolicy flag.
Why would PowerShell have such a feature? It's like a burglar alarm with an on/off switch on the outside of the building next to the front door.
In order to change the PowerShell execution policy you have to start PowerShell as an administrator and run the following command: Set-ExecutionPolicy -ExecutionPolicy RemoteSigned. You can also set the policy to Unrestricted instead of RemoteSigned, but Microsoft discourages it.
To change the execution policy for the LocalMachine scope, start PowerShell with Run as Administrator. To display the execution policies for each scope in order of precedence, use Get-ExecutionPolicy -List. To see the effective execution policy for your PowerShell session, use Get-ExecutionPolicy with no parameters.
When you change the policy, PowerShell shows this prompt: "Execution Policy Change. The execution policy helps protect you from scripts that you do not trust. Changing the execution policy might expose you to the security risks described in the about_Execution_Policies help topic at https://go.microsoft.com/fwlink/?LinkID=135170."
The factors that make Microsoft PowerShell valuable to IT admins, such as remotely administering and diagnosing a PC, also make it useful to attackers. Many attackers, including ransomware threat actors, use PowerShell as a post-exploitation tool.
Back in the dark days of ActiveX, if a user really wanted to run an ActiveX control from an untrusted source they could do so. The warnings that Internet Explorer gave were there to stop users inadvertently running malicious code not to prevent that code from ever running under any situation.
Ultimately it is the user's browser, the user's computer, and they should have control over everything it does. The browser simply says 'hey, this could be bad...'
The exact same principle is at work for PowerShell's execution policy. Once PowerShell is running it has access to all resources that the user has access to.
Completely preventing a user from running a script would be impossible to administer, because if they have access to the PowerShell shell they can just run the commands within the script line by line.
As an administrator, by giving the user access to PowerShell, you are trusting the user to run PowerShell code. Whether in script form, or by sitting and hacking away at the PowerShell prompt.
The concept of an execution policy is a way to ensure where the script comes from. If a user has installed the appropriate certificate onto a machine, signed a script with it, then PowerShell will trust that script. PowerShell will trust the script because the user trusts the certificate, because the certificate is in the user's certificate store. If that user then runs a script that is believed to be trusted, but isn't signed by a trusted certificate, it will warn the user that the script isn't trusted.
Once you get to the stage where an unauthorised process can run,
PowerShell.exe -ExecutionPolicy Bypass -File c:\temp\bad-script.ps1
You have already lost your machine. If the user runs this, then following the same principles that allowed that user to run malicious ActiveX code, they will be allowed to run malicious PowerShell scripts.
PowerShell will only warn that you're about to do something stupid. It can't stop a determined idiot.
This was mostly rewritten (stolen) from PowerShell’s Security Guiding Principles.
To wrap it around your analogy: Once the burglar has gotten past your electric fence, armed guards, and savage dogs, you might as well just let them press the button to turn the alarm off. It will save them ripping it off the wall and eating it.
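An added example, not from the question or the answer above, that walks through the trust mechanism the answer describes: list the per-scope policies, sign a harmless test script with a throwaway self-signed code-signing certificate, see PowerShell reject it until the signer is trusted, and see the signature break the moment the file is edited. It assumes a Windows host with PowerShell 5.1 or later and rights to write to the CurrentUser certificate stores; the certificate subject and file paths are made-up values.

```powershell
# Added example (not from the original question or answer). Assumes Windows
# PowerShell 5.1+ with the PKI module; certificate subject and paths are
# constructed for this demo.

# 1. Effective policy, and the per-scope values it is resolved from.
Get-ExecutionPolicy
Get-ExecutionPolicy -List

# 2. Throwaway code-signing certificate in the current user's personal store.
$cert = New-SelfSignedCertificate -Type CodeSigningCert `
    -Subject 'CN=Example Script Signer (constructed)' `
    -CertStoreLocation 'Cert:\CurrentUser\My'

# 3. Harmless test script, then sign it.
$scriptPath = Join-Path $env:TEMP 'signed-demo.ps1'
Set-Content -Path $scriptPath -Value 'Write-Output "hello from a signed script"'
Set-AuthenticodeSignature -FilePath $scriptPath -Certificate $cert | Out-Null

# 4. The signature exists but chains to nothing the user trusts yet,
#    so Status is not Valid (typically UnknownError with a root-trust message).
$sig = Get-AuthenticodeSignature -FilePath $scriptPath
'{0}: {1}' -f $sig.Status, $sig.StatusMessage

# 5. Trust the signer: the cert must be a trusted root AND a trusted publisher.
#    (Importing into Root pops a consent dialog; that is the OS asking the user
#    whether they really want to trust this certificate.)
$cerPath = Join-Path $env:TEMP 'signer.cer'
Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null
Import-Certificate -FilePath $cerPath -CertStoreLocation 'Cert:\CurrentUser\Root' | Out-Null
Import-Certificate -FilePath $cerPath -CertStoreLocation 'Cert:\CurrentUser\TrustedPublisher' | Out-Null
(Get-AuthenticodeSignature -FilePath $scriptPath).Status   # now Valid

# 6. Under AllSigned (Process scope only, so nothing persists) the script runs.
Set-ExecutionPolicy -Scope Process -ExecutionPolicy AllSigned -Force
& $scriptPath

# 7. Any edit after signing invalidates it: the policy is checking integrity
#    and origin, not the script's behaviour.
Add-Content -Path $scriptPath -Value '# tampered after signing'
(Get-AuthenticodeSignature -FilePath $scriptPath).Status   # HashMismatch

# 8. Clean up the demo certificate from all three stores.
foreach ($store in 'My', 'Root', 'TrustedPublisher') {
    Get-ChildItem "Cert:\CurrentUser\$store" |
        Where-Object Thumbprint -eq $cert.Thumbprint |
        Remove-Item
}
Remove-Item $scriptPath, $cerPath
```

Step 7 is the point the answer makes: the policy tells the user whether a file is what a trusted signer published, and nothing more; a user who can run the shell can still type the same commands, and -ExecutionPolicy Bypass is one command-line flag away.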