block unsigned scripts when using powershell -nop

A GPO was implemented to block execution of unsigned scripts but it looks like using powershell -noprofile bypasses this GPO. Anyone having suggestions/solutions/workarounds for this?

Hi,


The -noprofile doesn’t do that; -ExecutionPolicy Bypass does.

This is how it is designed and cannot be blocked.

[pre]powershell.exe -ExecutionPolicy Bypass[/pre]

For more details visit Microsoft Docs

If there is a GPO set, then there is a reason behind it. I suggest you get it signed.

I think Bart’s referring to Microsoft’s security model when it comes to PowerShell.
Kiran’s Doc goes through set-executionpolicy to give some options.

The concern is anyone can bypass the GPO setting to lock down the shell.

There is no work-around, realistically, from the shell or GPOs for this.

There are only a couple of options available if you truly need to prevent code from being executed in the shell: white-listing and black-listing of applications. Both approaches can result in a rather large overhead to manage.

My approach to this has been to fully enable logging in our environment on any machine that supports it.
At least then we have detective controls, and a preserved history of all actions taken.

Here is a really good read about security in PowerShell for enterprise customers.

https://blogs.msdn.microsoft.com/daviddasneves/2017/05/25/powershell-security-at-enterprise-customers/
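The detective-control approach described in the post above, as an added example that is not part of the original thread or of any Microsoft documentation: it reads the three Group Policy logging settings PowerShell honours (script block logging, module logging, transcription) from their documented registry locations under HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell, then pulls recent script block events (ID 4104) from the Microsoft-Windows-PowerShell/Operational log. Script block logging records what PowerShell actually compiled, so it still fires when the shell was started with -ExecutionPolicy Bypass or -NoProfile. The time window and the 120-character preview length are arbitrary choices for this example.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell 5.1+ session
# on a Windows host; it only reads policy keys and the event log.

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

# Each entry: the policy subkey, the DWORD that turns it on, and a friendly label.
$Checks = @(
    @{ Key = 'ScriptBlockLogging'; Value = 'EnableScriptBlockLogging'; Name = 'Script block logging (event 4104)' },
    @{ Key = 'ModuleLogging';      Value = 'EnableModuleLogging';      Name = 'Module logging (event 4103)' },
    @{ Key = 'Transcription';      Value = 'EnableTranscripting';      Name = 'Transcription to a log directory' }
)

function Get-PowerShellLoggingState {
    foreach ($c in $Checks) {
        $path    = Join-Path $PolicyRoot $c.Key
        $enabled = $false
        if (Test-Path $path) {
            $item = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
            if ($null -ne $item -and $item.PSObject.Properties[$c.Value]) {
                $enabled = ([int]$item.($c.Value)) -eq 1
            }
        }
        [pscustomobject]@{ Control = $c.Name; Enabled = $enabled; Path = $path }
    }
}

# Summarise recent 4104 events. Property index 2 of a 4104 event is the
# script block text; the preview is whitespace-collapsed and truncated.
function Get-RecentScriptBlocks {
    param([int]$Hours = 24, [int]$MaxEvents = 200)

    $filter = @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = (Get-Date).AddHours(-$Hours)
    }

    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $text = ($_.Properties[2].Value -replace '\s+', ' ')
            [pscustomobject]@{
                Time    = $_.TimeCreated
                User    = $_.UserId
                Preview = $text.Substring(0, [Math]::Min(120, $text.Length))
            }
        }
}

Get-PowerShellLoggingState | Format-Table -AutoSize
Get-RecentScriptBlocks -Hours 24 | Format-Table -AutoSize -Wrap
```

If the first table shows script block logging disabled, there is nothing for the second query to return, which is exactly the gap a GPO for these three settings closes. Forward the Operational log to a collector so the history survives a local cleanup.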

ExecutionPolicy does not stop anyone from running PS code.

15 Ways to Bypass the PowerShell Execution Policy https://blog.netspi.com/15-ways-to-bypass-the-powershell-execution-policy

Its design is to prevent the normal or even user from hurting themselves accidentally. It is not, nor has it ever been, positioned as a security boundary.

If you are looking at securing your PS use cases, then think, code-signing, App restriction policies, constrained endpoints, Just Enough Admin, auditing and monitoring.
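The code-signing and auditing items in the list above, as an added example that is not part of the original thread: it reports the execution policy at every scope (the MachinePolicy and UserPolicy entries are the ones a GPO populates), inventories the Authenticode status of every script under a folder so unsigned or tampered files are visible before AllSigned is enforced, and shows how a script is signed with a code-signing certificate from the current user's store. The folder path C:\Scripts and the timestamp server URL are assumptions for this example; replace them with your own.

```powershell
# Added example, not from the thread. Requires a Windows host; signing also
# requires a code-signing certificate in Cert:\CurrentUser\My.

param([string]$ScriptRoot = 'C:\Scripts')   # assumed path, replace as needed

function Get-ExecutionPolicyReport {
    # PowerShell applies the first scope from the top that is not Undefined.
    Get-ExecutionPolicy -List | ForEach-Object {
        [pscustomobject]@{ Scope = $_.Scope; Policy = $_.ExecutionPolicy }
    }
}

function Get-ScriptSignatureReport {
    param([string]$Path)

    Get-ChildItem -Path $Path -Recurse -Include *.ps1, *.psm1, *.psd1 -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                File        = $_.FullName
                Status      = $sig.Status     # Valid, NotSigned, HashMismatch, UnknownError, ...
                Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                # A timestamped signature stays valid after the signing cert expires.
                TimeStamped = [bool]$sig.TimeStamperCertificate
            }
        }
}

function Set-ScriptSignature {
    param(
        [Parameter(Mandatory)][string]$File,
        # Assumed example timestamp server; use the one your PKI team approves.
        [string]$TimestampServer = 'http://timestamp.digicert.com'
    )

    $cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert | Select-Object -First 1
    if (-not $cert) { throw 'No code-signing certificate found in Cert:\CurrentUser\My' }

    Set-AuthenticodeSignature -FilePath $File -Certificate $cert -TimestampServer $TimestampServer
}

Get-ExecutionPolicyReport | Format-Table -AutoSize

# Anything not Valid needs signing or investigation; HashMismatch means the
# file changed after it was signed.
Get-ScriptSignatureReport -Path $ScriptRoot |
    Where-Object { $_.Status -ne 'Valid' } |
    Format-Table -AutoSize -Wrap
```

Once every script in the repository reports Valid, switching the GPO from RemoteSigned to AllSigned stops being disruptive; the policy remains a guard rail rather than a boundary, which is why the signing inventory should sit alongside application control and the logging described earlier in the thread.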