A GPO was implemented to block execution of unsigned scripts but it looks like using powershell -noprofile bypasses this GPO. Anyone having suggestions/solutions/workarounds for this?
Hi,
The -noprofile doesn’t do that; -ExecutionPolicy Bypass does.
This is how it is designed and cannot be blocked.
If there is a GPO set, then there is a reason behind it. I suggest you get it signed.
I think Bart's referring to Microsoft's security model when it comes to PowerShell.
Kiran’s Doc goes through set-executionpolicy to give some options.
The concern is anyone can bypass the GPO setting to lock down the shell.
There is no work-around realistically from the shell or GPOs for this.
There are only a couple of options available if you truly need to prevent code from being executed in the shell.
White-listing and black-listing of applications; both approaches can result in a rather large overhead to manage.
My approach to this has been to fully enable logging in our environment on any machine that supports it.
At least then we have detective controls, and a preserved history of all actions taken.
Here is a really good read about security in PowerShell for enterprise customers.
ExecutionPolicy does not stop anyone from running PS code.
15 Ways to Bypass the PowerShell Execution Policy https://blog.netspi.com/15-ways-to-bypass-the-powershell-execution-policy
Its design is to prevent the normal or even user from hurting themselves accidentally. It is not, nor has it ever been, positioned as a security boundary.
If you are looking at securing your PS use cases, then think: code signing, app restriction policies, constrained endpoints, Just Enough Admin, auditing and monitoring.
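
For the logging and auditing approach mentioned in the thread, here is an added example (not code from any poster) that reports whether the PowerShell logging policies are actually enforced on a machine and whether script block events are being recorded. It assumes Windows PowerShell 5.x and the standard Group Policy registry locations; reading the event log may require an elevated session.

```powershell
# Added example: audit PowerShell detective controls on the local machine.
# Assumption: policies are delivered via Group Policy to the standard
# HKLM policy keys used by Windows PowerShell 5.x.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
$checks = @(
    @{ Name = 'Script block logging'; Key = 'ScriptBlockLogging'; Value = 'EnableScriptBlockLogging' },
    @{ Name = 'Module logging';       Key = 'ModuleLogging';      Value = 'EnableModuleLogging' },
    @{ Name = 'Transcription';        Key = 'Transcription';      Value = 'EnableTranscripting' }
)

$report = foreach ($c in $checks) {
    $path = Join-Path $base $c.Key
    $raw  = $null
    if (Test-Path $path) {
        # Returns $null when the key exists but the value was never set.
        $raw = (Get-ItemProperty -Path $path -Name $c.Value -ErrorAction SilentlyContinue).($c.Value)
    }
    [pscustomobject]@{
        Control = $c.Name
        Enabled = ($raw -eq 1)
        Source  = if ($null -eq $raw) { 'not configured by policy' } else { $path }
    }
}
$report | Format-Table -AutoSize

# Execution policy at every scope, to see what the GPO really sets
# (MachinePolicy / UserPolicy) versus local and per-process values.
Get-ExecutionPolicy -List | Format-Table -AutoSize

# Confirm that script block events (ID 4104) are actually landing in the log,
# not just that the policy value is present.
$latest = Get-WinEvent -LogName 'Microsoft-Windows-PowerShell/Operational' `
    -FilterXPath '*[System[EventID=4104]]' -MaxEvents 1 -ErrorAction SilentlyContinue
if ($latest) {
    "Most recent 4104 event: $($latest.TimeCreated)"
} else {
    'No 4104 events found: script block logging is off, the log was cleared, or access was denied.'
}
```

Any control reported as not enabled is a gap in the preserved history; the events themselves should also be forwarded off the host so they survive local tampering.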