We currently have the execution policy set to “RemoteSigned” in our environment. This allows us to run PS scripts via SCCM packages, computer startup scripts, locally, etc. Our security wants to change it so that all scripts need to be signed to run. However, someone else in security mentioned they want to have the ability to run PS scripts locally on machines as there are various tools in the environment. To be exact, the concern was, “I am concerned of impact on IT staff both within and outside of IT, including my own team – would requiring signed scripts be limited to remote powershells or affect local powershell processes as well as command line and powershell interfaces? That would very likely be a showstopper.” What is the best practice when security wants to require signed scripts? I cannot enable remoting (WinRM) in the environment until the execution policy is changed.
I don’t know of any way to require signed scripts in a remote session (via Invoke-Command, Enter-PSSession, etc.) while not requiring signed scripts in a local PowerShell session.
However, keep in mind that the Execution Policy is not a security barrier (unless you’re setting it via GPO), because anyone can just run powershell.exe -ExecutionPolicy Bypass.
Our execution policy is set via GPO. Is there a better way to do this for security while allowing only signed remote scripts? I don’t like the idea of signing everything, but I would really like to use remoting in our environment. I’m not sure how to allow only signed scripts but still allow users to run their own local scripts, unless I set a startup script or something that sets the execution policy to AllSigned instead of via GPO, so users can change it via -ExecutionPolicy Bypass. That creates a hole in security though.
The execution policy is not a security boundary. To quote Jeffrey Snover: “The reason why PowerShell has a -ExecutionPolicy BYPASS parameter is to make it absolutely clear that it isn’t a security layer.” https://twitter.com/jsnover/status/653717930320900096
Also see http://blogs.msdn.com/b/powershell/archive/2008/09/30/powershell-s-security-guiding-principles.aspx
As a best practice, ensure that everyone understands that signing a script only creates a trusted data file. A user can still do everything in an unsigned script if they have access. Most notably, they can execute the script by:
Typing the commands by hand
Pasting the script into their PowerShell prompt
Calling Invoke-Expression (Get-Content )
Calling PowerShell -Command (Get-Content )
Also, even with the execution policy set via GPO, if the user has access to change it, it will change to the new value until Group Policy refreshes and enforces the GPO setting.
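As an added example (not code posted by anyone in this thread), the PowerShell below shows the MachinePolicy scope where a GPO-set execution policy appears, then signs every .ps1 under a folder with a code-signing certificate and reports which files would still be refused under AllSigned. The script folder, the timestamp server and the use of the CurrentUser\My store are assumptions for illustration.

```powershell
# Added example, not from the thread. Sign every .ps1 under a folder and report
# what AllSigned would refuse. $ScriptRoot and $TimestampServer are assumed values.
param(
    [string]$ScriptRoot      = 'C:\Scripts',                     # assumed folder
    [string]$TimestampServer = 'http://timestamp.digicert.com'   # assumed RFC 3161 TSA
)

# Show where the effective policy comes from. A value in the MachinePolicy scope
# is the GPO setting; it wins over LocalMachine/CurrentUser and over
# Set-ExecutionPolicy run by the user (the point the answer above makes).
Get-ExecutionPolicy -List | Format-Table -AutoSize

# Pick an unexpired code-signing certificate from the user's personal store.
$cert = Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert |
        Where-Object { $_.NotAfter -gt (Get-Date) } |
        Select-Object -First 1
if (-not $cert) { throw 'No valid code-signing certificate found in Cert:\CurrentUser\My' }

$results = foreach ($file in Get-ChildItem -Path $ScriptRoot -Filter *.ps1 -Recurse -File) {
    $sig = Get-AuthenticodeSignature -FilePath $file.FullName
    if ($sig.Status -ne 'Valid') {
        # NotSigned, or HashMismatch because the file was edited after signing:
        # (re)sign with SHA256 and a timestamp so the signature stays valid
        # after the certificate itself expires.
        $sig = Set-AuthenticodeSignature -FilePath $file.FullName -Certificate $cert `
                   -HashAlgorithm SHA256 -TimestampServer $TimestampServer
    }
    [pscustomobject]@{
        Script = $file.FullName
        Status = $sig.Status                     # Valid = runs under AllSigned
        Signer = $sig.SignerCertificate.Subject
    }
}

$results | Format-Table -AutoSize

# Anything that is still not Valid (for example a chain that does not end in a
# trusted root) is exactly what AllSigned will refuse to run on the target.
$results | Where-Object { $_.Status -ne 'Valid' }
```

Under AllSigned a Valid status is still not enough on its own: the signing certificate must chain to a root the target trusts, and the first run prompts unless the publisher is in the Trusted Publishers store.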