Execution Policy In PowerShell
Hello Everyone
Welcome to CloudAffaire and this is Debjeet.
In the last blog post, we have discussed functions in PowerShell.
https://cloudaffaire.com/array-and-hash-tables-in-powershell/
In this blog post, we will discuss the execution policy in PowerShell. Execution policy enables PowerShell to restrict auto-execution of malicious scripts or configuration. There are different types of execution policies available in PowerShell and they can be applied at different levels. By default, in windows client systems the execution policy is set to “Restricted” and on windows server its set to “RemoteSigned”. In non-windows systems, the execution policy is set to “Unrestricted” and cannot be changed.
You can get or set execution policy on a system using Get-ExecutionPolicy and Set-ExecutionPolicy cmdlets. Execution policy can be bypassed for a script using Unblock-File cmdlet. Execution policy configuration for systems or users is stored in the registry and execution policy for the session is stored in memory. PowerShell also supports the windows group policy.
Note: Execution policy is not a security feature and can be easily bypassed. Its only purpose is to restrict auto-execution of some malicious script.
Types Of Execution Policy In PowerShell:
There are different types of execution policy depending upon the varying level of restriction. Some execution policy restricts execution of any type of scripts or configurations and some allow all. Below is the list and features of each type of execution policy available in PowerShell.
- AllSigned: AllSigned execution policy allows the execution of scripts and configurations, provided they are signed by a trusted publisher. This includes a script written is the local system. You will get a prompt if the publisher is not classified as trusted or untrusted.
- Bypass: Bypass execution policy allows the execution of any scripts and configuration without any warning or prompts. This basically bypasses the execution policy.
- Default: Default execution policy sets the default execution policy according to OS type. For windows client, it’s the execution policy to Restricted and for windows server, it sets the execution policy to RemoteSigned.
- RemoteSigned: RemoteSigned execution policy allows the execution of scripts created in the local system. The scripts downloaded from the internet or copied from other sources are restricted from execution if not signed by a trusted publisher. This is the default execution policy for windows servers.
- Restricted: Restricted execution policy restricts the execution of any scripts or configurations. You can however execute a command in the PowerShell. This is the default execution policy for windows clients. You will get a message “Error execution of scripts is disabled on this system” if you try to execute any scripts in this execution mode.
- Undefined: No execution policy is currently set in the current scope. If the execution policy for all scope is undefined the effective execution policy will be default execution policy.
- Unrestricted: Unrestricted execution policy allows the execution of all types of scripts without any restriction. You will receive a warning message if you try to execute any script not created locally. This is the default execution policy for non-windows os.
Scope Of Execution Policy In PowerShell:
The scope of the execution policy can be set at different levels. You can define the scope to the entire system level affecting all users and all sessions or at individual session-level effecting only that session. Below is the different level of scopes available in PowerShell for execution policy
- MachinePolicy: MachinePolicy can be set using group policy and affects all users in the system.
- UserPolicy: UserPolicy is also set by group policy and effects individual users.
- Process: Process policy is for the current session and is set in environment variable $env:PSExecutionPolicyPreference, rather than the registry. When the session terminates the policy gets revoked.
- CurrentUser: CurrentUser affects all sessions of the current users and is saved in the registry.
- LocalMachine: LocalMachine effects all users in the current system and is saved in the registry.
Precedence Of Execution Policy In PowerShell:
When determining the effective execution policy for a session, PowerShell evaluates the execution policies in the following precedence order:
- Group Policy: MachinePolicy
- Group Policy: UserPolicy
- Execution Policy: Process (or pwsh.exe -ExecutionPolicy)
- Execution Policy: CurrentUser
- Execution Policy: LocalMachine
Execution Policy In PowerShell:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 |
################################### ## PowerShell | Execution Policy ## ################################### ## PowerShell Latest Version (5) ## get effective execution policy current PowerShell session Get-ExecutionPolicy ## get all execution policy that effects current PowerShell session Get-ExecutionPolicy -List ## get execution policy for specific scope Get-ExecutionPolicy -Scope Process $env:PSExecutionPolicyPreference Get-ExecutionPolicy -Scope LocalMachine ## set execution policy (requires administrative privilages) ## open a new powershell session by run as administrator Set-ExecutionPolicy -ExecutionPolicy Restricted -Force Get-ExecutionPolicy -List ## Scope ExecutionPolicy ## ----- --------------- ## MachinePolicy Undefined ## UserPolicy Undefined ## Process Restricted ## CurrentUser Undefined ## LocalMachine Restricted ## set execution policy for a particular scope Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Force -Scope CurrentUser Get-ExecutionPolicy -List ## Scope ExecutionPolicy ## ----- --------------- ## MachinePolicy Undefined ## UserPolicy Undefined ## Process Restricted ## CurrentUser Unrestricted ## LocalMachine Restricted ## unset execution policy Set-ExecutionPolicy -ExecutionPolicy Undefined -Force -Scope CurrentUser Set-ExecutionPolicy -ExecutionPolicy Undefined -Force -Scope LocalMachine Get-ExecutionPolicy -List ## Scope ExecutionPolicy ## ----- --------------- ## MachinePolicy Undefined ## UserPolicy Undefined ## Process Restricted ## CurrentUser Undefined ## LocalMachine Undefined ## launch a new powershell session in unrestricted mode powershell -ExecutionPolicy Unrestricted $env:PSExecutionPolicyPreference Get-ExecutionPolicy -List ## Scope ExecutionPolicy ## ----- --------------- ## MachinePolicy Undefined ## UserPolicy Undefined ## Process Unrestricted ## CurrentUser Undefined ## LocalMachine Undefined exit ## exit current powershell session ## bypass execution policy ## create a script Write-Output 'Write-Host "Hello World"; exit' > myscript.ps1 ## execute the script ./myscript.ps1 ## returns cannot be loaded because running scripts is disabled on this system error powershell -ExecutionPolicy Bypass -File ./myscript.ps1 ## path may change, give full path to the script if required ## returns "hello world" |
Hope you have enjoyed this article. In the next blog post, we will discuss cmdlets in PowerShell.
To get more details on PowerShell, kindly follow below official documentation