What are PowerShell Execution Policies?

PowerShell Execution Policies

With its immense power and versatility, PowerShell has become a modern Windows administration, scripting, and automation standard. Developed by Microsoft, it is a powerful automation and configuration tool/framework that integrates seamlessly with other Microsoft technologies.

However, this power also brings potential risks, and to mitigate them, PowerShell introduces execution policies—a set of rules that determine the conditions under which PowerShell scripts can run. 

This blog will explain everything about PowerShell execution policies, their significance, and their different types. Let’s begin!

What are PowerShell Execution Policies?

PowerShell execution policies can be defined as safeguard mechanisms determining whether PowerShell scripts can be executed and, if so, under what conditions.

These policies help prevent the execution of malicious or untrusted scripts; they are a Windows-only feature (see Unrestricted below for non-Windows platforms).

Here are the types of PowerShell execution policies.

AllSigned:

  • PowerShell scripts can only run with this policy if a trusted publisher signs them. This ultimately ensures that only scripts from legitimate sources are permitted to run.
  • Also, it prompts for confirmation before running scripts from publishers that you have not yet classified as trusted or untrusted.

Bypass:

  • In this policy, no warnings or prompts are given, which means nothing is blocked.
  • It is designed for configurations in which the PowerShell script is built into a more extensive application, or is the foundation for a program that has its own security model.
  • This policy must be used with extra caution. It can permit the execution of unsigned and unverified scripts because nothing is blocked.

Default:

  • It sets the default execution policy, Restricted for Windows clients and RemoteSigned for Windows servers.

RemoteSigned:

  • RemoteSigned is the default execution policy for Windows server computers.
  • This policy requires that scripts and configuration files downloaded from the internet be digitally signed. Scripts written on the local computer, or otherwise not downloaded, do not require a digital signature.

Restricted:

  • It is the default execution policy for Windows client computers that allows individual commands but does not permit scripts.

Undefined:

  • Undefined policy is used when no execution policy is set in the current scope.
  • If Undefined is the execution policy in all scopes, the effective execution policy is Restricted for Windows clients and RemoteSigned for Windows Server.

Unrestricted:

  • Unrestricted is the default execution policy for non-Windows computers and cannot be changed there.
  • It grants unrestricted script execution but also warns about the significant security risks.


PowerShell Execution Policies Scope

To establish a secure scripting environment, managing PowerShell execution policies is vital.

Here are the valid values for Scope when setting an execution policy.

  • MachinePolicy: This scope is set by a Group Policy for all computer users.
  • UserPolicy: This scope is set by a Group Policy for the current computer user. 
  • Process: It only affects the current PowerShell session. The execution policy is saved in the environment variable $env:PSExecutionPolicyPreference instead of in the registry, so once the PowerShell session is closed, the variable and its value are deleted.
  • CurrentUser: It affects only the current user and is stored in the HKEY_CURRENT_USER registry subkey.
  • LocalMachine: It affects all the users and is stored in the HKEY_LOCAL_MACHINE registry subkey.

How to Manage the Execution Policy?

Use the Get-ExecutionPolicy cmdlet to get the effective execution policy for the current PowerShell session.

If you want to see all the execution policies affecting the current session in precedence order, execute the following command.

Get-ExecutionPolicy -List

The final result will be something like this but can vary according to the respective session.

        Scope ExecutionPolicy
        ----- ---------------
MachinePolicy       Undefined
   UserPolicy       Undefined
      Process       Undefined
  CurrentUser    RemoteSigned
 LocalMachine       AllSigned

How to Change the Execution Policy?

Use the Set-ExecutionPolicy cmdlet to change the execution policy. This change takes effect immediately, without the need to restart PowerShell. Let’s explore the steps:

  1. Use the Set-ExecutionPolicy cmdlet followed by the desired policy name. For instance: Set-ExecutionPolicy -ExecutionPolicy RemoteSigned
  2. Specify the scope of the execution policy using the -Scope parameter: Set-ExecutionPolicy -ExecutionPolicy <PolicyName> -Scope <scope>

For instance, Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser. Here, the scope is “Current User.”

Important: Understanding the policy scope is vital to determine the policy change’s longevity. For example, policies set for the Process scope are temporary and last only until the current PowerShell session ends.
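The following script is an added example, not code from the original post. It ties together the scope list and the Get-/Set-ExecutionPolicy sections: it walks the scopes in precedence order to find which one actually supplies the effective policy, warns when that scope is a Group Policy scope (which Set-ExecutionPolicy cannot override), and otherwise makes a temporary Process-scope change followed by a persistent CurrentUser-scope change. The chosen policy (RemoteSigned) is only an illustration.

```powershell
# Added example (not from the original post): find which scope supplies the
# effective execution policy, then change it at the narrowest useful scope.

function Get-EffectivePolicySource {
    # Get-ExecutionPolicy -List returns the scopes in precedence order,
    # highest first: MachinePolicy, UserPolicy, Process, CurrentUser, LocalMachine.
    foreach ($entry in Get-ExecutionPolicy -List) {
        if ($entry.ExecutionPolicy -ne 'Undefined') {
            return [pscustomobject]@{
                Scope           = $entry.Scope
                ExecutionPolicy = $entry.ExecutionPolicy
            }
        }
    }
    # Undefined everywhere: PowerShell falls back to the platform default
    # (Restricted on Windows clients, RemoteSigned on Windows Server).
    return [pscustomobject]@{
        Scope           = 'Default'
        ExecutionPolicy = Get-ExecutionPolicy
    }
}

$source = Get-EffectivePolicySource
'Effective policy is {0} (supplied by scope {1})' -f $source.ExecutionPolicy, $source.Scope

if ($source.Scope -in 'MachinePolicy', 'UserPolicy') {
    # Group Policy wins over anything set with Set-ExecutionPolicy.
    Write-Warning 'Execution policy is enforced by Group Policy; Set-ExecutionPolicy cannot override it.'
}
else {
    # Temporary: affects only this process, stored in $env:PSExecutionPolicyPreference,
    # nothing is written to the registry.
    Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope Process -Force
    "Process scope now: $env:PSExecutionPolicyPreference"

    # Persistent for this user only (HKEY_CURRENT_USER); no administrator rights needed.
    Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser -Force

    # Show the full precedence table after the change.
    Get-ExecutionPolicy -List
}
```

Because Process sits above CurrentUser and LocalMachine in the precedence order, the Process-scope value is what this session actually uses until it exits, which is why the script prints the environment variable rather than re-reading the registry.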


How to Set a Different Policy for One Session?

You can set an execution policy for a new PowerShell session through the ExecutionPolicy parameter of pwsh.exe: start PowerShell from the command line and pass the desired policy with that parameter. (For Windows PowerShell 5.1 the executable is powershell.exe; it accepts the same parameter.)

For instance, pwsh.exe -ExecutionPolicy AllSigned

The execution policy is stored in the $env:PSExecutionPolicyPreference environment variable instead of in the registry. As soon as the session is closed, the variable is deleted, and the execution policy reverts to its previous state.

It is also worth remembering that the execution policy set for the session takes precedence over the one registered for the current user or the local computer. It does not, however, take precedence over policies enforced through Group Policy.

How to Remove the Execution Policy?

To remove the execution policy for a specific scope, you can set the policy to Undefined.

For instance, to remove the execution policy that applies to all users of the local computer, use the following command: Set-ExecutionPolicy -ExecutionPolicy Undefined -Scope LocalMachine

When no execution policy is defined in any scope, PowerShell falls back to its default: Restricted on Windows clients and, as noted above, RemoteSigned on Windows Server.

PowerShell Execution Policies Best Practices

Here are some of the best practices for managing PowerShell execution policies. 

Use Secure Strings for Sensitive Data

In scripts, use the ConvertTo-SecureString cmdlet when handling sensitive data such as passwords. On Windows, secure strings provide an extra layer of protection because, when serialized without a key, they are encrypted with the Windows Data Protection API (DPAPI) and bound to the user and machine that created them.
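As an added example (not code from the original post), the script below shows the DPAPI round trip the paragraph refers to: a secret is read as a secure string, persisted with ConvertFrom-SecureString (which, with no key supplied, uses DPAPI on Windows), read back with ConvertTo-SecureString, and only converted to plain text at the moment it is needed. The file path and the API-key prompt are assumptions for illustration.

```powershell
# Added example (not from the original post): storing and retrieving a secret
# as a DPAPI-protected secure string. $secretPath is a placeholder location.
$secretPath = Join-Path $env:LOCALAPPDATA 'example-app\api-key.txt'
New-Item -Path (Split-Path $secretPath) -ItemType Directory -Force | Out-Null

# Read the secret without ever holding it as a plain [string] in the script.
$secure = Read-Host -Prompt 'Enter API key' -AsSecureString

# No -Key parameter: the string is encrypted with DPAPI for this user on this machine,
# so the file is useless when copied to another account or host.
$secure | ConvertFrom-SecureString | Set-Content -Path $secretPath

# Later (or in another script run as the same user on the same machine): restore it.
$restored = Get-Content -Path $secretPath | ConvertTo-SecureString

# Decrypt only at the point of use; NetworkCredential avoids manual marshalling.
$plain = [System.Net.NetworkCredential]::new('', $restored).Password
try {
    # ... use $plain with the API here ...
    "Key length: $($plain.Length) characters"
}
finally {
    # Drop the plain-text copy as soon as it is no longer needed.
    $plain = $null
}
```

Note that ConvertTo-SecureString -AsPlainText -Force only wraps a string that already exists in memory; it adds no protection to a password that was hard-coded in the script, which is why the example reads the value with Read-Host -AsSecureString instead.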

Update PowerShell Regularly

Software updates are vital to keeping the system running smoothly. The same applies to PowerShell, i.e., the PowerShell environment needs to be up-to-date regularly. Updates include security enhancements and patches that are vital to address security vulnerabilities.

Limit Access to the PowerShell Console

Limit access to the PowerShell console, because you never know what trick attackers will use next. To do this, use role-based access control (RBAC) to limit the number of individuals who can run PowerShell commands.

Use Just Enough Administration (JEA)

It is a PowerShell toolkit designed to delegate administrative tasks through constrained sessions. These sessions restrict user actions based on a predefined set of capabilities. The goal is to adhere to the principle of least privilege and mitigate the risks linked with administrative access.

By limiting the scope of what users can do, JEA significantly reduces the attack surface.
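The script below is an added example (not code from the original post) of the constrained session the paragraph describes: a role capability file that exposes only Get-Service and Restart-Service (the latter limited to two service names), and a session configuration that maps an Active Directory group to that role, runs it as a virtual account, and transcribes every session. The module name, group name, directory paths and service names are all assumptions; run it elevated on the machine that will host the endpoint.

```powershell
# Added example (not from the original post): registering a minimal JEA endpoint.
# ServiceOps, CONTOSO\ServiceOperators, the transcript directory and the service
# names are placeholders chosen for illustration.

# 1. Role capability files must live in a module's RoleCapabilities subfolder.
$modulePath = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\ServiceOps'
$rcPath     = Join-Path $modulePath 'RoleCapabilities'
New-Item -Path $rcPath -ItemType Directory -Force | Out-Null
New-ModuleManifest -Path (Join-Path $modulePath 'ServiceOps.psd1') -Description 'JEA role capabilities (example)'

# 2. The role: the only commands a connected operator can run.
#    Restart-Service is constrained to the -Name parameter with a fixed ValidateSet.
New-PSRoleCapabilityFile -Path (Join-Path $rcPath 'ServiceRestarter.psrc') `
    -VisibleCmdlets 'Get-Service',
        @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler', 'W32Time' } }

# 3. The session configuration: RestrictedRemoteServer removes everything not listed,
#    the virtual account avoids giving the operator real admin credentials, and
#    every session is transcribed for later review.
$psscPath = Join-Path $env:TEMP 'ServiceOps.pssc'
New-PSSessionConfigurationFile -Path $psscPath `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory 'C:\JEATranscripts' `
    -RoleDefinitions @{ 'CONTOSO\ServiceOperators' = @{ RoleCapabilities = 'ServiceRestarter' } }

# 4. Validate the file before registering it, then register the endpoint.
if (-not (Test-PSSessionConfigurationFile -Path $psscPath)) { throw 'Session configuration file is invalid' }
Register-PSSessionConfiguration -Name ServiceOps -Path $psscPath -Force

# Operators connect with:
#   Enter-PSSession -ComputerName <host> -ConfigurationName ServiceOps
# Inside the session, Get-Command shows only the allowed commands, and
# Restart-Service -Name Spooler works while Restart-Service -Name WinRM is rejected.
```

The important design choice is the combination of RestrictedRemoteServer with an explicit ValidateSet: without the ValidateSet, a user who can restart any service can also disrupt security tooling, so least privilege is enforced at the parameter level, not just the cmdlet level.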

Avoid Running Unsigned Scripts

As mentioned above, PowerShell is a powerful scripting language that automates tasks. However, this power also comes with several disadvantages, as hackers can use it to exploit vulnerabilities in a system.


To combat this risk, PowerShell comes with a security feature called “script signing,” which allows one to sign scripts digitally. This, in turn, verifies the script’s authenticity and ensures it has not been tampered with.

Avoid running unsigned scripts, as malicious scripts can be executed on the system.
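The following is an added example (not code from the original post) of the signing and verification workflow that AllSigned and RemoteSigned rely on: it picks a code-signing certificate from the current user's store, signs a script with a SHA-256 Authenticode signature and an RFC 3161 timestamp, and then checks the signature status before allowing the script to run. The script path and the timestamp server URL are assumptions.

```powershell
# Added example (not from the original post): sign a script, then verify the
# signature before executing it. $scriptPath and the timestamp URL are placeholders.
$scriptPath      = 'C:\Scripts\Deploy.ps1'
$timestampServer = 'http://timestamp.example.com'   # replace with your CA's RFC 3161 timestamp service

# -CodeSigningCert is a dynamic parameter of the certificate provider: it returns only
# certificates whose Enhanced Key Usage includes Code Signing and that have a private key.
$cert = Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert | Select-Object -First 1
if (-not $cert) { throw 'No code-signing certificate with a private key found in Cert:\CurrentUser\My' }

# Timestamping lets the signature remain valid after the certificate itself expires.
$signed = Set-AuthenticodeSignature -FilePath $scriptPath -Certificate $cert `
    -HashAlgorithm SHA256 -TimestampServer $timestampServer
if ($signed.Status -ne 'Valid') { throw "Signing failed: $($signed.StatusMessage)" }

# Verification gate: run the script only if its signature is Valid. Any edit after
# signing changes the hash and turns the status into HashMismatch.
$check = Get-AuthenticodeSignature -FilePath $scriptPath
switch ($check.Status) {
    'Valid'        { "Signed by $($check.SignerCertificate.Subject); running"; & $scriptPath }
    'NotSigned'    { Write-Warning "$scriptPath is unsigned; refusing to run it" }
    'HashMismatch' { Write-Warning "$scriptPath was modified after signing; refusing to run it" }
    default        { Write-Warning "$scriptPath signature status is $($check.Status); refusing to run it" }
}
```

Under AllSigned, PowerShell performs the equivalent of this check itself and additionally requires the signer to be in the Trusted Publishers store; the explicit Get-AuthenticodeSignature call is useful in deployment tooling that must refuse tampered scripts regardless of the execution policy on the target host.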

Enable and Monitor PowerShell Logging

PowerShell offers robust logging capabilities, including

  • Script Block Logging
  • Module Logging, and
  • Transcription

These features allow for the maintenance of a detailed record of PowerShell activities, which can be further used to detect and investigate malicious actions.

You can view the logs in the Event Viewer under “Windows Logs” > “Applications and Services Logs” > “Microsoft” > “Windows” > “PowerShell”

It is suggested that the logs are periodically checked to detect any suspicious activities.
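The script below is an added example (not from the original post) of enabling the three logging features through the same policy registry keys that Group Policy populates, then pulling recent Script Block Logging events out of the PowerShell Operational log for review. The registry paths and event IDs are the standard ones; the transcript output directory is a placeholder. Run it elevated.

```powershell
# Added example (not from the original post): enable PowerShell logging and
# review recent script-block events. C:\PSTranscripts is a placeholder path.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

# Script Block Logging (event ID 4104): records the code that actually executed,
# after any string concatenation or encoding an attacker used to obfuscate it.
New-Item -Path "$base\ScriptBlockLogging" -Force | Out-Null
Set-ItemProperty -Path "$base\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -Type DWord

# Module Logging (event ID 4103): pipeline execution details for the listed modules; '*' = all.
New-Item -Path "$base\ModuleLogging\ModuleNames" -Force | Out-Null
Set-ItemProperty -Path "$base\ModuleLogging" -Name EnableModuleLogging -Value 1 -Type DWord
Set-ItemProperty -Path "$base\ModuleLogging\ModuleNames" -Name '*' -Value '*' -Type String

# Transcription: full text of every session (input and output) written to a file.
New-Item -Path "$base\Transcription" -Force | Out-Null
Set-ItemProperty -Path "$base\Transcription" -Name EnableTranscripting   -Value 1 -Type DWord
Set-ItemProperty -Path "$base\Transcription" -Name EnableInvocationHeader -Value 1 -Type DWord
Set-ItemProperty -Path "$base\Transcription" -Name OutputDirectory -Value 'C:\PSTranscripts' -Type String

# Periodic review: script blocks logged in the last 24 hours, newest first.
# For 4104 events, Properties[2] holds the script block text.
function Get-RecentScriptBlocks {
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated,
                      @{ Name = 'User';        Expression = { $_.UserId } },
                      @{ Name = 'ScriptBlock'; Expression = { $_.Properties[2].Value } }
}

Get-RecentScriptBlocks | Format-Table -Wrap -AutoSize
```

The transcript directory should be a location ordinary users can write to but not read or delete from (or a share collected by the SIEM), otherwise an attacker who gains a foothold can simply remove the evidence of their own session.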

The Bottom Line

Looking at all the above aspects, it’s safe to say that PowerShell execution policies are a fundamental pillar of system security. By properly managing and applying these, administrators can protect their systems from potential threats while ensuring that PowerShell remains a robust and secure tool for automation and administration.

Janki Mehta

Janki Mehta is a Cyber-Security Enthusiast who constantly updates herself with new advancements in the Web/Cyber Security niche. Along with theoretical knowledge, she also implements her practical expertise in day-to-day tasks and helps others to protect themselves from threats.
