
In PowerShell, is there an advantage to a restrictive execution policy besides trying to control which script files can run?

By default, PowerShell scripts are not allowed to run, but it seems like if a malicious party wants to run a PowerShell script they can just bootstrap into it using a BAT file that calls PowerShell with the -ExecutionPolicy parameter set to "bypass".

Am I missing something, or does this defeat the execution policy mechanism? Why sign scripts (which looks like quite a hassle) when you can just make the execution policy less restrictive?

Below is a BAT script I wrote that creates an unsigned .ps1 file and runs it. It works on a machine with the execution policy of Restricted, which should disallow scripts. UAC is on and no elevation prompt is shown. It even dials out to the Internet and gets the latest headline of the "Hey, Scripting Guy!" blog.

```batch
REM Write an unsigned one-line PowerShell script to script.ps1 (the quoted text becomes the file's contents)
echo write-host "`r`nPowershell code running on $(hostname).`r`n`r`nHere's the latest headline from the 'Hey, Scripting Guy!' blog: '$(([xml](New-Object Net.WebClient).DownloadString("http://blogs.technet.com/b/heyscriptingguy/atom.aspx")).feed.entry[0].title)'.`r`n`r`nPress Enter to close.`r`n"; read-host > script.ps1
REM Run it with the policy overridden for this one PowerShell process only
powershell -ExecutionPolicy bypass -Command .\script.ps1
```
Peter Mortensen
Vimes

2 Answers


The execution policy will prevent someone from modifying an existing script that's being run by someone else, or as an automated process (e.g. a scheduled task). From a security standpoint, using that .bat file is no different than compiling code to do the same thing into an .exe.

Also, the -ExecutionPolicy parameter doesn't work when the execution policy is set via local/group policy on the machine (per Ansgar's comment on the question).

Vimes
mjolinor
  • Ah, so the signing is more effective for integrity and authentication rather than keeping arbitrary code from running. It seems like the default execution policy of "restricted" isn't all that helpful, then. – Vimes Feb 06 '14 at 23:07
  • It's useful in large organizations where they have a local CA server and use signing certs issued to administrators designated to update scripts. It also provides something of an audit trail. The cert it was signed with will tell you who the last person that modified it was. – mjolinor Feb 06 '14 at 23:12
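A PowerShell walkthrough of the two points made in this answer and its comments, added here as an example rather than taken from the original answer: the per-scope listing shows why a Group Policy setting overrides the -ExecutionPolicy parameter (MachinePolicy and UserPolicy sit above Process in precedence, and Process is the only scope the parameter touches), and signing a file, verifying it, then tampering with it shows what a signature actually guarantees (integrity of the signed contents and the identity of the signer). It assumes Windows PowerShell 5.1 on Windows 10 or later, where New-SelfSignedCertificate accepts -Type CodeSigningCert; the certificate subject, file name and script text are made up for the demonstration.

```powershell
# Added example, not code from the original answer. Assumes Windows PowerShell 5.1
# on Windows 10 or later (New-SelfSignedCertificate supports -Type CodeSigningCert).
# The subject name, temp file name and script text below are made up for the demo.

# --- Part 1: which execution-policy scope actually wins? ----------------------
# Get-ExecutionPolicy -List prints the scopes in precedence order. A policy set
# by Group Policy (MachinePolicy, UserPolicy) takes effect ahead of the Process
# scope, which is the only scope "powershell -ExecutionPolicy Bypass" changes.
Get-ExecutionPolicy -List | Format-Table -AutoSize
"Effective policy for this session: $(Get-ExecutionPolicy)"

# --- Part 2: what a signature proves ------------------------------------------
# A throwaway self-signed code-signing certificate stands in for one issued by an
# internal CA to a designated administrator (as the comment above describes).
$cert = New-SelfSignedCertificate -Type CodeSigningCert `
    -Subject 'CN=Example Script Signer (demo)' `
    -CertStoreLocation 'Cert:\CurrentUser\My'

# Write a small script and sign it; the signature block is appended to the file.
$scriptPath = Join-Path $env:TEMP 'signed-demo.ps1'
Set-Content -Path $scriptPath -Value 'Write-Host "Hello from a signed script"'
$null = Set-AuthenticodeSignature -FilePath $scriptPath -Certificate $cert

# Verify: the result names the signer (the audit trail) and reports whether the
# file still matches what was signed.
$before = Get-AuthenticodeSignature -FilePath $scriptPath
"Before tamper: status=$($before.Status) signer=$($before.SignerCertificate.Subject)"

# Tamper: appending a single comment line changes the hash that was signed, so the
# attached signature no longer covers the file's contents.
Add-Content -Path $scriptPath -Value '# appended after signing'
$after = Get-AuthenticodeSignature -FilePath $scriptPath
"After tamper : status=$($after.Status)"

# Clean up the demo certificate and file.
Remove-Item -Path "Cert:\CurrentUser\My\$($cert.Thumbprint)"
Remove-Item -Path $scriptPath
```

Run it in an ordinary, unelevated session. Because the certificate is self-signed and is not in the Trusted Root or Trusted Publishers stores, Get-AuthenticodeSignature reports the freshly signed file with an untrusted-root status rather than Valid; with a certificate issued by the organisation's CA, as the comment above describes, the same check reads Valid. Either way, the appended line changes the file hash, so the second check reports a mismatch against the signature, which is exactly the condition that AllSigned refuses to run and that the Restricted default says nothing about.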

The default PowerShell execution policy of disallowing scripts is useful for little more than preventing accidental invocations of the script. It can be trivially violated, even on earlier versions of PowerShell which didn't have the per-instance parameter, by doing the following:

  • Open any script you want to run in notepad
  • Copy the contents to the clipboard
  • Paste the clipboard to an instance of powershell

Anyone who really wants to run a script can do so using this or a variety of other mechanisms. It's only really useful for preventing unintentional execution of scripts.

JaredPar
  • Interactive code is allowed by default (or the shell itself would be disabled), but I was thinking more in terms of a malicious party who tries to execute code on someone else's machine without that person's cooperation. I guess it boils down to, why sign scripts when you can just turn off the restrictive execution policy? – Vimes Feb 06 '14 at 22:49
  • This policy and the one that doesn't automatically execute a .ps1 file when double-clicked was meant to prevent a repeat of `LOVE-LETTER-FOR-YOU.txt.ps1`. :-) But yeah, it's just a speed bump. – Keith Hill Feb 06 '14 at 22:49
  • @JohnB if malicious code is on your machine and has access to PowerShell they can do as they please. They may even laugh a little bit as they bypass the "security" restriction of running scripts. It's just so easy to get around. Sometimes I think it's just there to make it harder for me to deal with a new machine installation. – JaredPar Feb 06 '14 at 22:52
  • @Keith, so it sounds like tech-savvy users should turn the execution policy down, and script signing is more for IT professionals deploying scripts to the non-savvy users' machines? – Vimes Feb 06 '14 at 22:52
  • Oh wait - so it sounds like nothing prevents "LOVE-LETTER-FOR-YOU.txt.bat", which has the same power as "LOVE-LETTER-FOR-YOU.txt.ps1". Hm. – Vimes Feb 06 '14 at 23:01