Blocking bypassing of powershell execution policy

  • Question

  • Hi!

    I was wondering if there is a possibility to block bypassing of ExecutionPolicy in powershell. Let's say we have a bat file containing a script:

    Powershell -ex bypass -ec "some base64 encoded script"

    I want the script to fail on bypassing powershell's execution policy. Is it possible? Preferably through GPO.

    The above example is of a script downloading and executing a malicious exe file. I want to block such scripts from properly executing, without disabling Powershell on the machine.

    Monday, December 11, 2017 4:32 PM

Answers

  • Execution policy is an administrator safety feature, not a security feature. It is widely misunderstood.

    You cannot fully prevent PowerShell from ever executing scripts because that's one of its core purposes. You can set the policy to prevent scripts or allow only signed scripts (for example), but anyone with access to run powershell.exe can use the -ExecutionPolicy command-line parameter to bypass this on a case-by-case basis.


    -- Bill Stewart [Bill_Stewart]

    Monday, December 11, 2017 6:24 PM
    Moderator
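Since the -ExecutionPolicy override cannot be blocked, the practical defensive step is to see it when it happens. The following added example (not code from the thread or from Microsoft) inspects PowerShell command lines of the shape the question describes, flags a Bypass/Unrestricted override or an encoded command, and decodes the Base64 so an analyst can read what actually ran. The function name `Test-PowerShellLaunch` and the sample command lines are constructed for this example; on a real host the input would be the CommandLine field of Security event 4688 or Sysmon event 1.

```powershell
# Added example, not code from the thread: flag powershell.exe launches that
# override the execution policy or carry an -EncodedCommand, and decode it.

function Test-PowerShellLaunch {
    param([Parameter(Mandatory)][string]$CommandLine)

    # Whitespace split is sufficient for the argument shapes handled here.
    $tokens  = $CommandLine -split '\s+'
    $finding = [ordered]@{
        CommandLine    = $CommandLine
        PolicyOverride = $null
        DecodedCommand = $null
        Suspicious     = $false
    }

    for ($i = 0; $i -lt ($tokens.Count - 1); $i++) {
        if (-not ($tokens[$i].StartsWith('-') -or $tokens[$i].StartsWith('/'))) { continue }
        $name  = $tokens[$i].TrimStart('-', '/').ToLowerInvariant()
        $value = $tokens[$i + 1]

        # powershell.exe accepts -ExecutionPolicy, any prefix of it (-ex, -exec)
        # and the -ep alias; Bypass and Unrestricted defeat the configured policy.
        if ($name -eq 'ep' -or ($name.Length -ge 2 -and 'executionpolicy'.StartsWith($name))) {
            $finding.PolicyOverride = $value
            if ($value -match '^(bypass|unrestricted)$') { $finding.Suspicious = $true }
        }
        # -EncodedCommand, its prefixes (-e, -en, -enc) and the -ec alias carry
        # Base64 of UTF-16LE text; decode it for review rather than running it.
        elseif ($name -eq 'ec' -or ($name.Length -ge 1 -and 'encodedcommand'.StartsWith($name))) {
            try {
                $bytes = [Convert]::FromBase64String($value.Trim('"'))
                $finding.DecodedCommand = [Text.Encoding]::Unicode.GetString($bytes)
            } catch {
                $finding.DecodedCommand = "<not valid Base64: $($_.Exception.Message)>"
            }
            $finding.Suspicious = $true
        }
    }
    [pscustomobject]$finding
}

# Constructed sample input: a benign encoded command is built here so the
# example runs offline; the second line is a routine launch for contrast.
$encoded = [Convert]::ToBase64String(
    [Text.Encoding]::Unicode.GetBytes("Write-Host 'decoded for review'"))
$SampleCommandLines = @(
    "powershell.exe -ex bypass -ec $encoded",
    "powershell.exe -NoProfile -File C:\Scripts\inventory.ps1"
)

$SampleCommandLines | ForEach-Object { Test-PowerShellLaunch $_ } |
    Format-List CommandLine, PolicyOverride, DecodedCommand, Suspicious
```

The first sample line is reported as Suspicious with PolicyOverride `bypass` and the decoded Write-Host text; the second is reported as not suspicious.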

All replies

  • I was wondering if there is a possibility to block bypassing of ExecutionPolicy in powershell.

    No. Why do you need to block PowerShell scripts from executing?

    Execution policy is not a security feature. It is an administrator safety feature.


    -- Bill Stewart [Bill_Stewart]

    Monday, December 11, 2017 4:51 PM
    Moderator
  • Antivirus or a web filter would be better suited for this issue. PowerShell and Batch aren't security programs so antivirus and other security programs are needed.
    Monday, December 11, 2017 4:53 PM
  • I know that an antivirus is needed (it's installed) but not all threats are recognized by it at the start of a campaign.

    Blocking the possibility to change or bypass execution policy is an additional step to prevent malicious scripts from executing on a standard users machine.

    Regardless of why I want to block change (or bypass) of execution policy, I would like to know how to do it, or whether it is even possible.

    Monday, December 11, 2017 5:19 PM
  • You can set a restricted execution policy, but again, it is not a security feature but an administrator safety feature.

    PowerShell is an executable. The fact that it can run scripts does not mean that it is possible for users to bypass security somehow. Any script that runs, it runs in that user's context. Scripts cannot bypass system security because security is part of the user account, not an executable.

    What you are asking for is basically pointless because it is based on a misunderstanding.


    -- Bill Stewart [Bill_Stewart]

    Monday, December 11, 2017 5:28 PM
    Moderator
  • You can use GP based policy to block all execution of PowerShell filtered by user or group.  This may create failures as PowerShell is required for many programs so you will have to be very careful in how you deploy this.

    It is not necessary to block PowerShell however you should not be using PS 2 on any systems at this point.  Upgrade all and remove PS2 support.


    ¯\_(ツ)_/¯

    Monday, December 11, 2017 6:14 PM
  • Thanks for your input guys! I thought that forcing a specific execution policy could be used as an additional step towards a safer system. Guess I was wrong.
    Tuesday, December 12, 2017 7:59 PM