Risks/Best practices on execution policy

  • While it would be easy to set the execution policy to unrestricted, or possibly set it to unrestricted in an agent job, do the work, then set back to restricted, I'm wondering what the best practices are.

    Restricted - No scripts can be run. Windows PowerShell can be used only in interactive mode.

    AllSigned - Only scripts signed by a trusted publisher can be run.

    RemoteSigned - Downloaded scripts must be signed by a trusted publisher before they can be run.

    Unrestricted - No restrictions; all scripts can be run.

  • I tend to set it to RemoteSigned as opposed to Unrestricted as this is just too open for me. This does leave it open for anyone who has control of the machine, however, my thinking is that they could set the execution policy by that point anyway.

    Gaz

    -- Stop your grinnin' and drop your linen...they're everywhere!!!

  • That sounds right, will have to see if group policy will change it

  • FWIW I tend to use RemoteSigned on new machines. It's a decent blend that lets me do what I need to do but is not completely open.

    Indianrock (3/3/2013)


    While it would be easy to set the execution policy to unrestricted, or possibly set it to unrestricted in an agent job, do the work, then set back to restricted

    You do not need to change the execution policy for the server and in truth I think it's risky in case where someone/something else might be running PowerShell at the same time you were changing the policy. There is a switch on powershell.exe that lets us change the execution policy only for the duration of that instance of just that session.

    See the -ExecutionPolicy option:

    PowerShell.exe Command-Line Help

    When used in conjunction with -File or -Command we can let certain scripts work outside the execution policy set on the server. This is how I work around the issue I think you are facing, by running my scripts via powershell.exe in a CmdExec Agent Job Step Type and passing -ExecutionPolicy Bypass along with -File or -Command.

    There are no special teachers of virtue, because virtue is taught by the whole community.
    --Plato

  • opc.three is right.

    The following is an extract from the help of Set-Execution-Policy:

    -Scope <ExecutionPolicyScope>

    Specifies the scope of the execution policy. The default is LocalMachine.

    Valid values are:

    -- Process: The execution policy affects only the current Windows PowerShell process.

    -- CurrentUser: The execution policy affects only the current user.

    -- LocalMachine: The execution policy affects all users of the computer.

    To remove an execution policy from a particular scope, set the execution policy for that scope to Undefined.

    Required? false

    Position? 2

    Default value LocalMachine

    Accept pipeline input? true (ByPropertyName)

    Accept wildcard characters? false

    So I think you are looking for Set-Execution-Policy -Scope Process

    Gaz

    -- Stop your grinnin' and drop your linen...they're everywhere!!!

  • Thanks to opc.three and Gary. That looks like just what I need. Powershell is shaping up to be a very useful tool. I just downloaded Idera's PowershellPlus to check it out. Our new Netapp backup tools use powershell cmdlets so this may be another area where the "scoped execution policy" will be helpful. Since our sql boxes seem to be set to Restricted, I doubt anybody but me is using powershell here (yet)

Viewing 6 posts - 1 through 5 (of 5 total)

You must be logged in to reply to this topic. Login to reply