Set-ExecutionPolicy -ExecutionPolicy RemoteSigned 的安全风险
[英]Security risks of Set-ExecutionPolicy -ExecutionPolicy RemoteSigned
问题描述
To execute some commands like installing typescript via NPM , Sometimes it is needed to execute:
要执行一些命令,例如通过NPM installing typescript ,有时需要执行:
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned
in PowerShell, When you want change this policy, it warns that:在 PowerShell 中,当您要更改此策略时,它会警告:
Changing the execution policy might expose you to the security risks
My question is, anyone knows what are the security risks of doing such an action?我的问题是,任何人都知道执行此类操作的安全风险是什么? is there any chance that famous packages like typescript leads to security problems?像 typescript 这样的著名软件包是否有可能导致安全问题?
2 个解决方案
解决方案1
2 2020-10-24 08:05:26
There is very little risk involved with RemoteSigned, Basically this lets you execute unsigned scripts (scripts you write) only in local computer, while scripts from a remote source (From inte.net) must be signed by a trusted authority. RemoteSigned 涉及的风险非常小,基本上,这允许您仅在本地计算机上执行未签名的脚本(您编写的脚本),而来自远程源(来自 inte.net)的脚本必须由受信任的机构签名。 The only security risk is that someone might write malicious script on your local computer and you execute it without knowing what is it.唯一的安全风险是有人可能会在您的本地计算机上编写恶意脚本并且您在不知道它是什么的情况下执行它。 This is the most recommended .这是最推荐的。 Default on Server editions.服务器版本的默认值。
And Unrestricted in highly insecure, letting you to run unsigned scripts from any source.并且在高度不安全的情况下不受限制,让您可以从任何来源运行未签名的脚本。 This is not recommended .不推荐这样做。
And Restricted is too annoying, signed scripts even could not run, only interactive sessions.而且Restricted太烦人了,连签名的脚本都跑不了,只能交互会话。 This is default on desktop editions.这是桌面版的默认设置。
解决方案2
0 2020-10-24 14:05:34
PowerShell execution policies are made, more to avoid a wrong script execution by error, than for security purposes.制定了 PowerShell 执行策略,更多的是为了避免因错误执行错误的脚本,而不是出于安全目的。
Remember the Bypass ExecutionPolicy who does not care about execution policies.记住不关心执行策略的Bypass ExecutionPolicy。 The only way to block this, is to block it by group policies.阻止它的唯一方法是通过组策略阻止它。
But even with it, user who wants to execute a script can always do it.但即使有了它,想要执行脚本的用户也可以随时执行。 Try the above code in an environment lab where you have blocked scripts by group policy, then run this code in PowerShell, do not exit PowerShell and try to run any script, it will run:在已按组策略阻止脚本的环境实验室中尝试上面的代码,然后在 PowerShell 中运行此代码,不要退出 PowerShell 并尝试运行任何脚本,它将运行:
$context = $ExecutionContext.GetType().GetField('_context', 'NonPublic, Instance').GetValue($ExecutionContext)
$field = $context.GetType().GetField('_authorizationManager', 'NonPublic, Instance')
$field.SetValue($context, (New-Object System.Management.Automation.AuthorizationManager 'Microsoft.PowerShell'))
It is a long time that malwares use PowerShell, whatever are the execution policies.恶意软件使用 PowerShell 已经很长时间了,无论执行策略如何。
So as Wasif said, you can use RemoteSigned without any remorse;)因此,正如 Wasif 所说,您可以毫无悔意地使用 RemoteSigned;)
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.