
Prevent bypassing PowerShell execution policy


We have PowerShell installed on our RDS environment. It's currently being used for tasks like remote management and App-V virtual application publishing. To my understanding, it's fairly easy to bypass a restricted execution policy.

I can't, however, find any useful information on preventing bypassing the execution policy (or making it a lot harder). I was thinking about using file screening (AppLocker) for blocking PowerShell files, but I guess then attackers could just use a VBA script attached to a Microsoft Office file to execute a PowerShell script.

For now we focus on monitoring, but I would like more attention on preventing.


Solution

  • Actually, there are ways to prevent misuse of PowerShell (and make bypassing the execution policy quite useless):

    1. Configure AppLocker: also lock down scripts
    2. Configure PowerShell to use Constrained Mode so .NET code can't be executed
    3. For your own scripts that should support .NET code, you can sign the scripts with a code signer's certificate (these will be allowed to run with constrained mode + AppLocker)

    Besides that, configuring logging of all PowerShell commands and sending them to a central location (so an IDS can monitor this) is also a good practice.

    See Detecting Offensive PowerShell Attack Tools for more detailed information about how to achieve this.
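The answer's steps (AppLocker script rules, constrained language mode, signed scripts, central logging) as an added PowerShell example, not part of the original answer. It assumes an administrative session, a script folder `C:\Scripts`, a collector share `\\logsrv\pstranscripts$` and an output path for the generated AppLocker XML; the logging policies are written to the same registry keys the PowerShell Group Policy settings use.

```powershell
#Requires -RunAsAdministrator
$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Enable-PowerShellLogging {
    # Script block logging: commands land as event 4104 in Microsoft-Windows-PowerShell/Operational
    $sbl = Join-Path $PolicyRoot 'ScriptBlockLogging'
    New-Item -Path $sbl -Force | Out-Null
    New-ItemProperty -Path $sbl -Name 'EnableScriptBlockLogging' -Value 1 -PropertyType DWord -Force | Out-Null

    # Module logging for every module (event 4103); '*' = '*' means "all modules"
    $ml = Join-Path $PolicyRoot 'ModuleLogging'
    New-Item -Path (Join-Path $ml 'ModuleNames') -Force | Out-Null
    New-ItemProperty -Path $ml -Name 'EnableModuleLogging' -Value 1 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path (Join-Path $ml 'ModuleNames') -Name '*' -Value '*' -PropertyType String -Force | Out-Null

    # Transcription to a share the central collector/IDS reads (assumed path)
    $tr = Join-Path $PolicyRoot 'Transcription'
    New-Item -Path $tr -Force | Out-Null
    New-ItemProperty -Path $tr -Name 'EnableTranscripting' -Value 1 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $tr -Name 'EnableInvocationHeader' -Value 1 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $tr -Name 'OutputDirectory' -Value '\\logsrv\pstranscripts$' -PropertyType String -Force | Out-Null
}

function Test-ConstrainedLanguage {
    # True when this session cannot call arbitrary .NET (step 2 of the answer)
    return $ExecutionContext.SessionState.LanguageMode -eq 'ConstrainedLanguage'
}

function Get-UnsignedScripts {
    param([string]$Directory = 'C:\Scripts')   # assumed script location
    # Anything without a valid Authenticode signature will not satisfy a publisher rule (step 3)
    Get-ChildItem -Path $Directory -Recurse -Include *.ps1, *.psm1 |
        ForEach-Object { Get-AuthenticodeSignature -FilePath $_.FullName } |
        Where-Object { $_.Status -ne 'Valid' } |
        Select-Object Path, Status
}

function Export-ScriptAppLockerPolicy {
    param([string]$Directory = 'C:\Scripts', [string]$OutFile = 'C:\Temp\ScriptRules.xml')
    # Publisher rules for signed scripts, hash rules as fallback for the rest (step 1);
    # review the XML, then merge it with Set-AppLockerPolicy -XmlPolicy $OutFile -Merge
    Get-AppLockerFileInformation -Directory $Directory -Recurse -FileType Script |
        New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Xml |
        Out-File -FilePath $OutFile -Encoding utf8
}

Enable-PowerShellLogging
"Session in ConstrainedLanguage mode: $(Test-ConstrainedLanguage)"
Get-UnsignedScripts | Format-Table -AutoSize
Export-ScriptAppLockerPolicy
```

The generated policy only allows scripts already present in the folder; the Application Identity service must be running for AppLocker to enforce it, and the registry keys are overwritten by Group Policy if the same settings are managed centrally.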