Understanding Powershell Security

Question 1

What three purposes do Powershell execution policies serve?

Answer 1

1, safety feature to control conditions a script can run
2. Prevent execution of malicious scripts
3. Scope execution of scripts to specific sessions

Question 2

What are Powershell execution policies?

Answer 2

Local Computer and Current user are stored in the registry

Is not a security system to restrict user actions, just certain types of execution

Can be set for Workstation, Current user, or particular session

Default exec policy on non’Windows is unrestricted and cannot be changed

Question 3

What Execution Policies are available?

Answer 3

All signed - execute scripts with an SSL cert
Bypass - ignores all policies
Remote signed - like all signed
Restricted - block and potentially not allow scripts to execute
Unrestricted - can run scripts with no questions

Question 4

Describe the All signed policy

Answer 4

Scripts can execute. Requires all scripts and config files be signed by a trusted published

Prompts you before running scripts not yet classified

Risk running signed malicious scripts

Question 5

Bypass policy

Answer 5

Nothing is blocked, no warning or prompts

Designed for config where ps script is what it is, and the foundation for a program that has its own security model. Adminless, no need to touch.

Question 6

Remote signed policy

Answer 6

Scripts can execute

Requires digital sig from trusted publisher

Doesn’t required digital signs on scripts that are written locally

Run scripts that are not signed, if the scripts are unblocked

Risk running unsigned and signed scripts that could be malicious

Question 7

restricted policy

Answer 7

Default exec policy for Win clients

Permits inidividual commands but does not allow scripts

Prevents running of all script files

Question 8

Unrestricted policy

Answer 8

Default policy for non’Win computers

Unsigned scripts can execute

Risk of running Mali scripts

Warns user before running scripts

Question 9

Powershell scopes

Answer 9

Process - Powershell session
Current user
Local machine

Question 10

What are the two Group policy based scopes?

Answer 10

Machine policy - set by a group policy for all users of the pc
User policy - set for current user of computer

Question 11

Review exec policy precedence

Answer 11

1. Process
2. Current User
3. Machine
4. Restricted (default policy)

Question 12

what is the ps command to get the execution policy precedence?

Answer 12

Get-ExecutionPolicy -List

Question 13

Setting execution policies

Answer 13

Can be assigned to the default scope or a specific scope

The default scope is LocalMachine, which affects everyone who uses the PC

Exec policies can be used for a single ps session

Question 14

How to set default exec policy?

Answer 14

Set-ExecutionPolicy

Question 15

Set an exec policy for the local machine scope

Answer 15

Set-ExecutionPolicy
- ExectionPolicy RemoteSigned
- Scope LocalMachine

Question 16

Set exec policy from a remote computer to a local computer

Answer 16

Invoke-Command
-ComputerName Computer
- ScriptBlock { Get-ExecutionPolicy } | Set-ExecutionPolicy

Question 17

What is invoke command?

Answer 17

Used to run a command on a remote machine

Question 18

Set exec policy for a single session

Answer 18

Set-ExecutionPolicy