I often hear from people about the security setting in PowerShell that prevents unsigned code from running. You know what I am talking about. I am talking about the ExecutionPolicy. I believe this feature is often misunderstood by us IT-Pros. This setting has a few options (taken from PowerShell help):
— Restricted: Does not load configuration files or run scripts. “Restricted” is the default execution policy.
— AllSigned: Requires that all scripts and configuration files be signed by a trusted publisher, including scripts that you write on the local computer.
— RemoteSigned: Requires that all scripts and configuration files downloaded from the Internet be signed by a trusted publisher.
— Unrestricted: Loads all configuration files and runs all scripts. If you run an unsigned script that was downloaded from the Internet, you are prompted for permission before it runs.
— Bypass: Nothing is blocked and there are no warnings or prompts.
— Undefined: Removes the currently assigned execution policy from the current scope. This parameter will not remove an execution policy that is set in a Group Policy scope.
So the question is: do you think that if you set the execution policy to AllSigned, users will not be able to run unsigned PowerShell code?
The answer is that this setting is not meant as a security feature and it can be bypassed. The easiest way to bypass it is to open your script and copy-paste its contents into the PowerShell window. The code will run no matter what execution policy you have set. Another «bypass» method is to simply start PowerShell like this:
PowerShell -ExecutionPolicy Bypass
Or if you want to shorten it:
PowerShell -EP Bypass
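Since the policy can live in several scopes at once, it helps to know which one is actually in effect before you trust it for anything. The script below is an added example (not from the original post) that lists every scope and reports whether the effective policy comes from Group Policy, which the -ExecutionPolicy switch cannot override, or from a local setting that any user can override per process. It assumes Windows PowerShell 3.0 or later on Windows; the function name is my own.

```powershell
# Added example: report the execution policy in every scope and show which
# scope is effective, so an admin can tell a Group Policy-enforced setting
# from a local one. Assumes Windows PowerShell 3.0+ (needs the -in operator).
function Get-ExecutionPolicyReport {
    [CmdletBinding()]
    param()

    # Scopes in the precedence order PowerShell uses to resolve the policy,
    # highest first. Group Policy scopes beat the Process scope that the
    # "-ExecutionPolicy" command-line switch sets.
    $precedence = 'MachinePolicy', 'UserPolicy', 'Process', 'CurrentUser', 'LocalMachine'

    # Collect the policy configured in each scope.
    $byScope = @{}
    foreach ($entry in Get-ExecutionPolicy -List) {
        $byScope[[string]$entry.Scope] = [string]$entry.ExecutionPolicy
    }

    # The highest-precedence scope that is not Undefined is the one in effect.
    $effectiveScope = $precedence |
        Where-Object { $byScope[$_] -ne 'Undefined' } |
        Select-Object -First 1

    $setByGroupPolicy = $effectiveScope -in @('MachinePolicy', 'UserPolicy')

    [pscustomobject]@{
        # Get-ExecutionPolicy without arguments already returns the effective
        # policy (including the platform default when every scope is Undefined).
        EffectivePolicy  = [string](Get-ExecutionPolicy)
        EffectiveScope   = if ($effectiveScope) { $effectiveScope } else { 'Default' }
        SetByGroupPolicy = $setByGroupPolicy
        Note             = if ($setByGroupPolicy) {
            'Set via Group Policy: the -ExecutionPolicy switch does not override it, ' +
            'but pasting script contents into the console still runs.'
        } else {
            'Set locally (or default): any user can override it per process ' +
            'with "PowerShell -ExecutionPolicy Bypass".'
        }
        AllScopes        = $byScope
    }
}

Get-ExecutionPolicyReport | Format-List
```

Whatever the report says, treat it as a statement of which accidental mistakes the policy guards against, not as a control that stops a user who wants to run the code.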
A great list of bypass methods can be found on Netspi’s blog: https://blog.netspi.com/15-ways-to-bypass-the-powershell-execution-policy/
Microsoft has also explained this “feature” a little more in detail here: https://technet.microsoft.com/en-us/library/hh847748.aspx
Quote from the page:
The execution policy is not a security system that restricts user actions.
For example, users can easily circumvent a policy by typing the script
contents at the command line when they cannot run a script. Instead, the
execution policy helps users to set basic rules and prevents them from
violating them unintentionally.
So, what is the point of this blog post, you may ask? Well, I want all of us IT-Pros to understand that we should not rely on ExecutionPolicy in PowerShell to protect our machines from running bad scripts.
A better approach could be to implement «Just Enough Administration» (JEA): http://blogs.technet.com/b/privatecloud/archive/2014/05/14/just-enough-administration-step-by-step.aspx (also see Jeffrey Snover's presentation of it: http://channel9.msdn.com/Events/TechEd/NorthAmerica/2014/DCIM-B362 – great video).
Another approach could be to implement AppLocker to block PowerShell from running on the client machines. And remember that PowerShell is seen more and more in malware and targeted attacks, so having a strategy for protection against PowerShell code is not a bad idea. 🙂