Can't run local scripts with "AllSigned" - Best practice?

This topic contains 3 replies, has 3 voices, and was last updated by Jonathan Warnken 11 months, 3 weeks ago.

  • #31683
    Jeff

    We currently have the execution policy set to "RemoteSigned" in our environment. This allows us to run PS scripts via SCCM packages, computer startup scripts, locally, etc. Our security wants to change it so that all scripts need to be signed to run. However, someone else in security mentioned they want to have the ability to run PS scripts locally on machines as there are various tools in the environment. To be exact, the concern was, "I am concerned of impact on IT staff both within and outside of IT, including my own team — would requiring signed scripts be limited to remote powershells or affect local powershell processes as well as command line and powershell interfaces? That would very likely be a showstopper." What is the best practice when security wants to require signed scripts? I cannot enable remoting (WinRM) in the environment until the execution policy is changed.

  • #31685
    Dave Wyatt

    I don't know of any way to require signed scripts in a remote session (via Invoke-Command, Enter-PSSession, etc), while not requiring signed scripts in a local PowerShell session.

    However, keep in mind that the Execution Policy is not a security barrier (unless you're setting it via GPO), because anyone can just run powershell.exe -ExecutionPolicy Bypass .

  • #31688
    Jeff

    Our execution policy is set via GPO. Is there a better way to do this for security while allowing only signed remote scripts? I don't like the idea of signing everything, but I would really like to use remoting in our environment. Not sure how to allow only signed scripts, but allow users to run their own local scripts unless I set a startup script or something setting the execution policy to AllSigned instead of via GPO so users can change it via -ExecutionPolicy Bypass. That creates a hole in security though.

  • #31700
    Jonathan Warnken

    The execution policy is not a security boundary. To quote Jeffrey Snover: "The reason why PowerShell has a -ExecutionPolicy BYPASS parameter is to make it absolutely clear that it isn't a security layer."
    Also see
    As a best practice, ensure that everyone understands that signing a script only creates a trusted data file. A user can still do everything in an unsigned script if they have access. Most notably, they can execute the script by:
      • Typing the commands by hand
      • Pasting the script into their PowerShell prompt
      • Calling Invoke-Expression (Get-Content )
      • Calling PowerShell –Command (Get-Content )

    Also, even with the execution policy set via GPO, if the user has access to change it, it will change to the new value until group policy refreshes and enforces the GPO setting.
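Before flipping the GPO from RemoteSigned to AllSigned, the practical question raised in this thread is which existing scripts (SCCM packages, startup scripts, local tools) would stop running. The following is an added example, not code from any poster: it lists the policy at every scope so you can see whether MachinePolicy (GPO) is the one that wins, inventories scripts whose signature AllSigned would reject, and signs one script with an existing code-signing certificate. The certificate subject, paths and timestamp server are assumptions.

```powershell
# Added example, not from the thread. Assumes a code-signing certificate already exists in
# Cert:\CurrentUser\My (hypothetical subject 'CN=Corp Script Signing') and hypothetical paths under C:\Scripts.

# 1. Show every scope. MachinePolicy and UserPolicy come from GPO and take precedence over
#    Process, CurrentUser and LocalMachine, which is why "-ExecutionPolicy Bypass" on the
#    command line (Process scope) loses when a GPO policy is present.
Get-ExecutionPolicy -List | Format-Table Scope, ExecutionPolicy -AutoSize
"Effective policy: $(Get-ExecutionPolicy)"

# 2. Inventory scripts that would NOT run under AllSigned (any status other than Valid).
function Get-UnsignedScripts {
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -Path $Path -Recurse -Include *.ps1, *.psm1, *.psd1 |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Script = $_.FullName
                # NotSigned, HashMismatch (edited after signing), UnknownError (untrusted chain), Valid
                Status = $sig.Status
                Signer = $sig.SignerCertificate.Subject
            }
        } | Where-Object Status -ne 'Valid'
}

# 3. Sign one script. Under AllSigned the signer's chain must end in Trusted Root Certification
#    Authorities on the client and the leaf should be in Trusted Publishers, otherwise users get a
#    prompt or the script is refused even though it carries a signature.
function Set-ScriptSignature {
    param([Parameter(Mandatory)][string]$ScriptPath,
          [string]$Subject = 'CN=Corp Script Signing')   # hypothetical certificate subject
    $cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
        Where-Object Subject -eq $Subject | Select-Object -First 1
    if (-not $cert) { throw "No code-signing certificate with subject '$Subject' in Cert:\CurrentUser\My" }
    # Timestamping keeps the signature valid after the certificate itself expires (server URL is an assumption).
    Set-AuthenticodeSignature -FilePath $ScriptPath -Certificate $cert `
        -HashAlgorithm SHA256 -TimestampServer 'http://timestamp.digicert.com' | Out-Null
    # Re-read the file so the returned status is what AllSigned will evaluate, not just "signing succeeded".
    (Get-AuthenticodeSignature -FilePath $ScriptPath).Status
}

# Usage (hypothetical paths):
Get-UnsignedScripts -Path 'C:\Scripts' | Format-Table -AutoSize
Set-ScriptSignature -ScriptPath 'C:\Scripts\Deploy.ps1'
```

Any edit to a signed script, including changing line endings, turns its status into HashMismatch, so sign as the last step of the release process and re-run the inventory after each change.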
