Security risks when bypassing the Execution Policy in PowerShell?

3

I know that you can bypass the current execution policy in PowerShell by passing -ExecutionPolicy Bypass at the command line, but what does this actually do?

I know it allows scripts to run, but I'm assuming it stops a standard user from running cmdlets that could compromise a system/network?

If you're asking why I want to let standard users run PowerShell scripts, we basically have an application on the network that has a number of switches that can be passed to it. At times, the user may need to change these switches. So I'm thinking PowerShell might be the best way forward.

The script looks like this:

$app = "C:\Path\To\Application.exe"
$path = "C:\Path\To\File.dat"
$switches = @('/switch1', '/switch2', '/switch3')

Start-Process $app "-File ""$path"" ""$switches"""

Jake

Posted 2015-11-22T15:52:01.607

Reputation: 205

Answers

2

Let's start with the basic default ExecutionPolicy which is Restricted:

Restricted
1. Permits individual commands, but will not run scripts.
2. Prevents running of all script files, including formatting and configuration files (.ps1xml), module script files (.psm1), and Windows PowerShell profiles (.ps1).

If you bypass the ExecutionPolicy, you'd be allowing any Windows PowerShell script to be run, whether it was created by someone internally or downloaded...

Bypass
1. Nothing is blocked and there are no warnings or prompts.
2. This execution policy is designed for configurations in which a Windows PowerShell script is built in to a larger application or for configurations in which Windows PowerShell is the foundation for a program that has its own security model.

You're probably best setting the ExecutionPolicy to either RemoteSigned (therefore signing your PowerShell scripts) or Unrestricted (making those running this script ensure it's the correct one as they'll receive a popup).

You can take a more in-depth read into each ExecutionPolicy type on Microsoft's about_ExecutionPolicies article.

Joe S

Posted 2015-11-22T15:52:01.607

Reputation: 570

I think changing the execution policy might be a bit too much in this case. So I might just go back to lovely batch scripts instead. But at least now I know what Bypass actually does. Thanks. – Jake – 2015-11-25T07:14:37.610
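
An added example (not part of the original question or answer, and not Microsoft's code) showing how each policy named above would treat one particular script file, judged by its Authenticode signature and its Zone.Identifier mark. The function name Test-ScriptPolicyOutcome, the sample file name and the rule "ZoneId 3 or higher means downloaded" are assumptions made for this example.

```powershell
# Added example. Test-ScriptPolicyOutcome is a hypothetical helper name.
function Test-ScriptPolicyOutcome {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    $file = Get-Item -LiteralPath $Path -ErrorAction Stop

    # Downloaded files carry a Zone.Identifier alternate data stream (NTFS).
    # Assumption: ZoneId 3 (Internet) and 4 (Restricted sites) count as remote;
    # scripts on UNC paths are not modelled here.
    $ads = Get-Content -LiteralPath $file.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
    $zoneId = if (($ads -join "`n") -match 'ZoneId=(\d+)') { [int]$Matches[1] } else { $null }
    $downloaded = $zoneId -ge 3

    # Authenticode status: Valid, NotSigned, HashMismatch, NotTrusted, ...
    $sig = Get-AuthenticodeSignature -FilePath $file.FullName
    $signedOk = $sig.Status -eq 'Valid'

    [pscustomobject]@{
        Script       = $file.FullName
        ZoneId       = $zoneId
        Signature    = $sig.Status
        Signer       = $sig.SignerCertificate.Subject
        Restricted   = $false                           # no script files at all
        AllSigned    = $signedOk                        # every script must be signed
        RemoteSigned = (-not $downloaded) -or $signedOk # only downloaded ones must be
        Unrestricted = $true                            # runs; downloaded files prompt
        Bypass       = $true                            # runs; no warning or prompt
    }
}

# Policy set at each scope, listed in precedence order. The -ExecutionPolicy
# command-line switch sets the Process scope, which Group Policy scopes override.
Get-ExecutionPolicy -List | Format-Table -AutoSize

# Constructed sample: an unsigned script marked as downloaded from the internet.
$sample = Join-Path $env:TEMP 'policy-demo.ps1'
Set-Content -LiteralPath $sample -Value 'Write-Output "hello"'
Set-Content -LiteralPath $sample -Stream Zone.Identifier -Value '[ZoneTransfer]', 'ZoneId=3'
Test-ScriptPolicyOutcome -Path $sample | Format-List
Remove-Item -LiteralPath $sample
```

Wherever the result is true, the script runs with the rights of the user who launched it; the policy decides only whether the file is loaded.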