stackoom
  简体   繁体   中英

PowerShell execution policy subverted by a powershell.exe parameter

 原文  2014-02-06 22:42:57       powershell

Question

In PowerShell, is there an advantage to a restrictive execution policy besides trying to control which script files can run?

By default, PowerShell scripts are not allowed to run, but it seems like if a malicious party wants to run PowerShell script they can just bootstrap into it using a BAT file that calls PowerShell with the -ExecutionPolicy parameter set to "bypass".

Am I missing something, or does this defeat the execution policy mechanism? Why sign scripts (which looks like quite a hassle ) when you can just make the execution policy less restrictive?

Below is a BAT script I wrote that creates an unsigned .ps1 file and runs it. It works on a machine with the execution policy of Restricted , which should disallow scripts. UAC is on and no elevation prompt is shown. It even dials out to the Internet and gets the latest headline of the "Hey, Scripting Guy!" blog. 

echo write-host "`r`nPowershell code running on $(hostname).`r`n`r`nHere's the latest headline from the 'Hey, Scripting Guy!' blog: '$(([xml](New-Object Net.WebClient).DownloadString("http://blogs.technet.com/b/heyscriptingguy/atom.aspx")).feed.entry[0].title)'.`r`n`r`nPress Enter to close.`r`n"; read-host > script.ps1
powershell -ExecutionPolicy bypass -Command .\script.ps1

2 answers

solution1
 0  2014-02-06 22:45:20

The default PowerShell execution policy of disallowing scripts is useful for little more than preventing accidental invocations of the script. It can be trivially violated, even on earlier versions of powershell which didn't have the per instance parameter, by doing the following

  • Open any script you want to run in notepad
  • Copy the contents to the clipboard
  • Paste the clipboard to an instance of powershell

Anyone who really wants to run a script can do so using this or a variety of other mechanisms. It's only really useful for preventing unintentional execution of scripts

solution2
 0 ACCPTED  2014-02-06 22:53:04

The execution policy will prevent someone from modifying an existing script that's being run by someone else, or as an automated process (eg a scheduled task). From a security standpoint, using that .bat file is no different that compiling code to do the same thing into an .exe.

Also, the -ExecutionPolicy parameter doesn't work when the execution policy is set via local/group policy on the machine (per Ansgar's comment on the question).

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Passing parameter through powershell.exe Passing parameter Array to powershell.exe Pass a Hashtable as Parameter to powershell.exe Switch parameters and powershell.exe -File parameter powershell.exe -file string array as parameter Powershell.exe No Output Calling powershell.exe giving parameter set errors Better PowerShell hosts than powershell.exe? How to exit PowerShell.exe inside of CMD Start-Process powershell.exe with an argument
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM