
Security risks of Set-ExecutionPolicy -ExecutionPolicy RemoteSigned

To execute some commands, like installing typescript via NPM, sometimes it is needed to execute:

Set-ExecutionPolicy -ExecutionPolicy RemoteSigned

in PowerShell. When you want to change this policy, it warns that:

Changing the execution policy might expose you to the security risks

My question is: does anyone know what the security risks of doing such an action are? Is there any chance that famous packages like typescript lead to security problems?

There is very little risk involved with RemoteSigned. Basically, this lets you execute unsigned scripts (scripts you write) only on the local computer, while scripts from a remote source (from the internet) must be signed by a trusted authority. The only security risk is that someone might write a malicious script on your local computer and you execute it without knowing what it is. This is the most recommended. Default on Server editions.

And Unrestricted is highly insecure, letting you run unsigned scripts from any source. This is not recommended.

And Restricted is too annoying: even signed scripts cannot run, only interactive sessions. This is the default on desktop editions.

PowerShell execution policies are made more to avoid a wrong script execution by error than for security purposes.

Remember the Bypass execution policy, which does not care about execution policies. The only way to block this is to block it by group policies.

But even with it, a user who wants to execute a script can always do it. Try the above code in a lab environment where you have blocked scripts by group policy, then run this code in PowerShell, do not exit PowerShell, and try to run any script; it will run:

$context = $ExecutionContext.GetType().GetField('_context', 'NonPublic, Instance').GetValue($ExecutionContext)
$field = $context.GetType().GetField('_authorizationManager', 'NonPublic, Instance')
$field.SetValue($context, (New-Object System.Management.Automation.AuthorizationManager 'Microsoft.PowerShell'))

Malware has been using PowerShell for a long time, whatever the execution policies are.

So, as Wasif said, you can use RemoteSigned without any remorse ;)
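
To see how the policy discussed in the answers above applies on a given machine, here is an added example that is not part of either answer. It reports which scope sets the effective policy (Group Policy scopes included) and how RemoteSigned would treat each .ps1 file in a folder. The function names and the Downloads path are assumptions, and "remote" is judged only from the file's Zone.Identifier stream.

```powershell
# Added example. Assumes Windows with NTFS (alternate data streams).
function Get-EffectivePolicySource {
    # Get-ExecutionPolicy -List returns scopes in precedence order:
    # MachinePolicy, UserPolicy (both Group Policy), Process, CurrentUser, LocalMachine.
    $first = Get-ExecutionPolicy -List |
        Where-Object { $_.ExecutionPolicy -ne 'Undefined' } |
        Select-Object -First 1
    $scope = if ($first) { "$($first.Scope)" } else { 'None (default applies)' }
    [pscustomobject]@{
        Effective        = Get-ExecutionPolicy
        SetByScope       = $scope
        FromGroupPolicy  = $scope -in 'MachinePolicy', 'UserPolicy'
    }
}

function Get-RemoteSignedVerdict {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    Get-ChildItem -LiteralPath $Path -Filter *.ps1 -File -Recurse | ForEach-Object {
        # Downloaded files carry a Zone.Identifier stream (the "mark of the web").
        $zoneId = $null
        $stream = Get-Content -LiteralPath $_.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
        $match  = $stream | Select-String -Pattern '^ZoneId=(\d+)' | Select-Object -First 1
        if ($match) { $zoneId = [int]$match.Matches[0].Groups[1].Value }

        # ZoneId 3 (Internet) and 4 (Restricted sites) count as remote.
        $isRemote = ($null -ne $zoneId) -and ($zoneId -ge 3)
        $sig      = Get-AuthenticodeSignature -LiteralPath $_.FullName

        $verdict = if (-not $isRemote) {
            'Runs: treated as local, no signature required'
        } elseif ($sig.Status -eq 'Valid') {
            'Runs if the publisher is trusted: remote, valid signature'
        } else {
            "Blocked: remote, signature status $($sig.Status)"
        }
        [pscustomobject]@{
            File      = $_.FullName
            ZoneId    = $zoneId
            Signature = $sig.Status
            Verdict   = $verdict
        }
    }
}

# Example call; the Downloads folder is an assumed location.
Get-EffectivePolicySource | Format-List
Get-RemoteSignedVerdict -Path (Join-Path $HOME 'Downloads') | Format-Table -AutoSize
```

Removing the Zone.Identifier stream (for example with Unblock-File) turns a "Blocked" file into a local one, which is why the report is a review aid and not an enforcement boundary.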
