
Why does PowerShell have an execution policy?


I understand sufficiently how the ExecutionPolicy works in PowerShell. Most of what I've seen and done is how to disable it. There's even a command-line flag to disable it (powershell -ExecutionPolicy Unrestricted ...).

So my question is why, not how. Why is this even a feature? In my experience it's more of a misfeature; the only thing it's ever done for me is to annoy me, between the time I see the "cannot be loaded because the execution of scripts is disabled on this system" error, and when I remember about that -ExecutionPolicy flag.

Why would PowerShell have such a feature? It's like a burglar alarm with an on/off switch on the outside of the building next to the front door.


Solution

  • Back in the dark days of ActiveX, if a user really wanted to run an ActiveX control from an untrusted source they could do so. The warnings that Internet Explorer gave were there to stop users inadvertently running malicious code, not to prevent that code from ever running under any situation.

    Ultimately it is the user's browser, the user's computer, and they should have control over everything it does. The browser simply says 'hey, this could be bad...'

    The exact same principle is at work for PowerShell's execution policy. Once PowerShell is running it has access to all resources that the user has access to.

    So why can't I, as an administrator, prevent any unsigned script from running?

    Completely preventing a user from running a script would be impossible to administer, because if they have access to the PowerShell shell they can just run the commands within the script line by line.

    As an administrator, by giving the user access to PowerShell, you are trusting the user to run PowerShell code. Whether in script form, or by sitting and hacking away at the PowerShell prompt.

    The concept of an execution policy is a way to ensure where the script comes from. If a user has installed the appropriate certificate onto a machine and signed a script with it, then PowerShell will trust that script. PowerShell will trust the script because the user trusts the certificate, because the certificate is in the user's certificate store. If that user then runs a script that is believed to be trusted, but isn't signed by a trusted certificate, it will warn the user that the script isn't trusted.

    Once you get to the stage where an unauthorised process can run,

    PowerShell.exe -ExecutionPolicy Bypass -File c:\temp\bad-script.ps1
    

    You have already lost your machine. If the user runs this, then following the same principles that allowed that user to run malicious ActiveX code, they will be allowed to run malicious PowerShell scripts.

    PowerShell will only warn that you're about to do something stupid. It can't stop a determined idiot.

    This was mostly rewritten (stolen) from PowerShell’s Security Guiding Principles.

    To wrap it around your analogy: Once the burglar has gotten past your electric fence, armed guards, and savage dogs, you might as well just let them press the button to turn the alarm off. It will save them ripping it off the wall and eating it.
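The trust check the answer describes, as an added example that is not part of the original question or answer. It creates a self-signed code-signing certificate, puts it in the user's Root and TrustedPublisher stores (the "user trusts the certificate" step), signs one of two identical scripts, tightens the policy to AllSigned for the current process, and then shows the same unsigned script running anyway through the bypasses the thread mentions. It assumes Windows PowerShell 5.1 on Windows 10 or later (for the PKI module's New-SelfSignedCertificate, Export-Certificate and Import-Certificate); the folder under $env:TEMP and the certificate subject CN=ExecPolicyDemo are demo values chosen here.

```powershell
# Added example (not from the original post): what the execution policy actually checks,
# and why it is a guard-rail rather than a security boundary.
# Assumes Windows PowerShell 5.1 with the PKI module. Paths and the cert subject are demo choices.
$ErrorActionPreference = 'Stop'
$work = Join-Path $env:TEMP 'execpolicy-demo'
New-Item -ItemType Directory -Path $work -Force | Out-Null

# Two scripts with identical content: one will be signed, one left unsigned.
$body     = 'Write-Output ("Running {0} as {1}" -f $MyInvocation.MyCommand.Name, $env:USERNAME)'
$signed   = Join-Path $work 'signed.ps1'
$unsigned = Join-Path $work 'unsigned.ps1'
Set-Content -Path $signed   -Value $body -Encoding UTF8
Set-Content -Path $unsigned -Value $body -Encoding UTF8

# 1. Create a code-signing certificate and place it where PowerShell looks for trust:
#    CurrentUser\Root so the chain validates, CurrentUser\TrustedPublisher so the
#    publisher is trusted without a prompt. (Importing into Root pops a confirmation dialog.)
$cert = New-SelfSignedCertificate -Type CodeSigningCert -Subject 'CN=ExecPolicyDemo' `
        -CertStoreLocation 'Cert:\CurrentUser\My'
$cer = Join-Path $work 'demo.cer'
Export-Certificate -Cert $cert -FilePath $cer | Out-Null
Import-Certificate -FilePath $cer -CertStoreLocation 'Cert:\CurrentUser\Root'             | Out-Null
Import-Certificate -FilePath $cer -CertStoreLocation 'Cert:\CurrentUser\TrustedPublisher' | Out-Null

# 2. Sign one script. The Authenticode signature is appended to the file as a comment block,
#    so the hash covers the script text and any later edit invalidates it.
Set-AuthenticodeSignature -FilePath $signed -Certificate $cert | Out-Null
Get-AuthenticodeSignature -FilePath $signed, $unsigned |
    Select-Object @{n='Script'; e={ Split-Path $_.Path -Leaf }},
                  Status,
                  @{n='Signer'; e={ $_.SignerCertificate.Subject }}
# signed.ps1 -> Valid (CN=ExecPolicyDemo); unsigned.ps1 -> NotSigned

# 3. Tighten the policy for this process only and run both scripts.
Set-ExecutionPolicy -Scope Process -ExecutionPolicy AllSigned -Force
& $signed                                                    # runs: signed by a trusted publisher
try   { & $unsigned }                                        # PSSecurityException: not signed
catch { "Blocked by policy: $($_.Exception.Message)" }

# 4. The same unsigned code still runs, because the policy is advice to the user, not a boundary.
powershell.exe -ExecutionPolicy Bypass -File $unsigned       # the flag from the question
Get-Content -Path $unsigned -Raw | Invoke-Expression         # "run the commands line by line"

# Clean up: remove the demo certificate from all three stores and delete the temp files.
Get-ChildItem 'Cert:\CurrentUser\My', 'Cert:\CurrentUser\Root', 'Cert:\CurrentUser\TrustedPublisher' |
    Where-Object Subject -eq 'CN=ExecPolicyDemo' | Remove-Item
Remove-Item -Path $work -Recurse -Force
```

Step 3 is the whole feature: with AllSigned, the signed copy runs and the byte-identical unsigned copy is refused with the "cannot be loaded" error from the question. Step 4 is the answer's point that this is a guard-rail for the user, not a control against the user. Anything that can start a PowerShell process, or feed text to an existing one, gets the same access the user already has. Note that Set-ExecutionPolicy -Scope Process is stored in the environment variable PSExecutionPolicyPreference, so a child powershell.exe would inherit AllSigned if the command line did not override it with -ExecutionPolicy Bypass.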