1
00:00:00,840 --> 00:00:06,240
So firstly, what are PowerShell execution policies?

2
00:00:06,240 --> 00:00:10,680
Well, PowerShell execution policies serve three specific purposes.

3
00:00:10,680 --> 00:00:15,340
The first one is they are a safety feature to control the conditions

4
00:00:15,340 --> 00:00:19,440
under which a PowerShell script can actually execute.

5
00:00:19,440 --> 00:00:21,760
They also prevent execution,

6
00:00:21,760 --> 00:00:26,140
or at least try to prevent execution of malicious scripts.

7
00:00:26,140 --> 00:00:26,910
And then, of course,

8
00:00:26,910 --> 00:00:32,520
you can scope the execution of those scripts to specific PowerShell sessions.

9
00:00:32,520 --> 00:00:36,910
So just because we set a blanket policy that says scripts can be executed,

10
00:00:36,910 --> 00:00:40,360
we can actually tie that down a little bit more.

11
00:00:40,360 --> 00:00:43,940
Execution policies for the local computer,

12
00:00:43,940 --> 00:00:47,660
(so if you're on a Windows machine) and the current user

13
00:00:47,660 --> 00:00:51,750
are stored inside the registry. So when we execute the PowerShell command,

14
00:00:51,750 --> 00:00:55,720
it will change a flag in the registry to say,

15
00:00:55,720 --> 00:00:58,940
going forward, this is the value.

16
00:00:58,940 --> 00:01:03,920
The execution policy itself isn't necessarily a security system.

17
00:01:03,920 --> 00:01:08,640
It won't stop specific types of actions from taking place.

18
00:01:08,640 --> 00:01:13,610
It's just there to allow specific types of execution,

19
00:01:13,610 --> 00:01:17,390
but it won't stop, you know, someone who has full access

20
00:01:17,390 --> 00:01:20,170
from executing even malicious code.

21
00:01:20,170 --> 00:01:21,870
On a Windows computer,

22
00:01:21,870 --> 00:01:26,370
you can set the execution policy for either the local computer itself,

23
00:01:26,370 --> 00:01:28,940
for the currently logged‑in user,

24
00:01:28,940 --> 00:01:33,900
or for a particular PowerShell session that you may be in.

25
00:01:33,900 --> 00:01:38,720
For non‑Windows computers, it's always set to Unrestricted,

26
00:01:38,720 --> 00:01:40,600
and there's no way of changing that.

27
00:01:40,600 --> 00:01:43,080
And that's purely based on the fact that it doesn't

28
00:01:43,080 --> 00:01:45,950
necessarily run all of the same objects,

29
00:01:45,950 --> 00:01:49,500
there's no .NET Framework, for example, there are no Windows components,

30
00:01:49,500 --> 00:01:51,030
there's no registry.

31
00:01:51,030 --> 00:01:54,120
So for non‑Windows it's always Unrestricted,

32
00:01:54,120 --> 00:01:58,110
which means we can basically execute whatever we need to.

33
00:01:58,110 --> 00:02:01,180
The most important thing here is to understand that enforcement

34
00:02:01,180 --> 00:02:05,710
of policies only occurs on Windows platforms.

35
00:02:05,710 --> 00:02:11,040
There's no way of enforcement on anything else at the moment.

36
00:02:11,040 --> 00:02:15,340
So what are the PowerShell execution policies that are available to us?

37
00:02:15,340 --> 00:02:19,660
Well, there are five of them that are the main ones that we would utilize.

38
00:02:19,660 --> 00:02:21,690
The first one is AllSigned,

39
00:02:21,690 --> 00:02:24,700
which means it will execute any of the scripts that have

40
00:02:24,700 --> 00:02:27,240
been signed with an SSL certificate.

41
00:02:27,240 --> 00:02:31,170
Bypass means it just doesn't do anything.

42
00:02:31,170 --> 00:02:34,940
It just ignores any of the policies and will let you do whatever is needed.

43
00:02:34,940 --> 00:02:38,940
We then have RemoteSigned, which is kind of like AllSigned.

44
00:02:38,940 --> 00:02:40,770
We then have the two most common,

45
00:02:40,770 --> 00:02:45,190
which would be Restricted and Unrestricted. Restricted means it's

46
00:02:45,190 --> 00:02:49,030
going to block and potentially not allow scripts to execute.

47
00:02:49,030 --> 00:02:52,550
Unrestricted means that you can just go ahead and execute

48
00:02:52,550 --> 00:02:54,350
whichever script is sent to you.

49
00:02:54,350 --> 00:02:57,490
So if I create a PS1 file with a bunch of code in it,

50
00:02:57,490 --> 00:03:00,840
you could just run it with no questions whatsoever.

51
00:03:00,840 --> 00:03:02,540
So let's talk about each one of these.

52
00:03:02,540 --> 00:03:06,030
First off, let's talk about the AllSigned policy.

53
00:03:06,030 --> 00:03:09,840
This allows scripts to be executed.

54
00:03:09,840 --> 00:03:12,360
Now, it does require that all the scripts and the

55
00:03:12,360 --> 00:03:16,660
configuration files are signed by a trusted publisher.

56
00:03:16,660 --> 00:03:17,680
So, for example,

57
00:03:17,680 --> 00:03:19,840
you've seen components on a Windows machine that are

58
00:03:19,840 --> 00:03:22,110
signed by Microsoft certificates.

59
00:03:22,110 --> 00:03:25,140
It would need to be along those similar lines.

60
00:03:25,140 --> 00:03:28,370
It will prompt you before you run the scripts for anything that

61
00:03:28,370 --> 00:03:31,760
isn't classified as trusted or untrusted, so you have to go

62
00:03:31,760 --> 00:03:35,240
through an exercise to say this is trusted.

63
00:03:35,240 --> 00:03:36,290
However,

64
00:03:36,290 --> 00:03:40,200
there is a risk here of allowing malicious scripts

65
00:03:40,200 --> 00:03:43,660
that have been signed to be executed.

66
00:03:43,660 --> 00:03:46,420
So this is going to be a common thing across each of the

67
00:03:46,420 --> 00:03:50,270
types of execution policies, that there is really no way to

68
00:03:50,270 --> 00:03:53,440
truly block malicious scripts.

69
00:03:53,440 --> 00:03:56,260
That's really down to you having to look at the scripts and

70
00:03:56,260 --> 00:04:00,040
determine whether you wish to execute them or not.

71
00:04:00,040 --> 00:04:02,840
Our next one is the Bypass policy.

72
00:04:02,840 --> 00:04:06,700
This basically just says nothing is blocked, and there's no warnings,

73
00:04:06,700 --> 00:04:07,530
no prompts.

74
00:04:07,530 --> 00:04:09,840
You can basically do whatever you need to.

75
00:04:09,840 --> 00:04:12,160
The execution policy is designed,

76
00:04:12,160 --> 00:04:16,180
really, not for end users or admins. It's designed for

77
00:04:16,180 --> 00:04:20,240
configurations in which the PowerShell script is kind of

78
00:04:20,240 --> 00:04:22,310
what's making the program work.

79
00:04:22,310 --> 00:04:23,010
So, for example,

80
00:04:23,010 --> 00:04:26,090
you may have known in years past that things like Exchange

81
00:04:26,090 --> 00:04:29,450
Server, when they built new versions of Exchange,

82
00:04:29,450 --> 00:04:32,330
they actually built the PowerShell layer first and then

83
00:04:32,330 --> 00:04:34,210
wrote the user interface over the top.

84
00:04:34,210 --> 00:04:37,670
So we're kind of talking about something that heavily relies on a

85
00:04:37,670 --> 00:04:40,990
PowerShell script to run and doesn't necessarily require you as an

86
00:04:40,990 --> 00:04:43,710
admin or an end user to actually do anything.

87
00:04:43,710 --> 00:04:44,940
Also,

88
00:04:44,940 --> 00:04:49,470
for applications that have their own security models but utilize PowerShell,

89
00:04:49,470 --> 00:04:50,990
this is the perfect option.

90
00:04:50,990 --> 00:04:54,300
But this should not be a choice that's given to regular

91
00:04:54,300 --> 00:04:59,060
users. So the next policy is RemoteSigned.

92
00:04:59,060 --> 00:05:03,230
This allows execution of scripts, as always. It does

93
00:05:03,230 --> 00:05:06,640
require a digital signature from a trusted publisher, so

94
00:05:06,640 --> 00:05:09,050
very much like the AllSigned policy.

95
00:05:09,050 --> 00:05:13,110
It doesn't require a digital signature on anything that you write locally.

96
00:05:13,110 --> 00:05:16,530
So if you create your own PS1 file, and you want to

97
00:05:16,530 --> 00:05:18,200
execute it on a Windows machine,

98
00:05:18,200 --> 00:05:23,040
that's perfectly fine and there's no need for any signatures to be assigned.

99
00:05:23,040 --> 00:05:26,840
It will run scripts that are not signed if those scripts

100
00:05:26,840 --> 00:05:31,040
have been unblocked. So obviously by default it is going to

101
00:05:31,040 --> 00:05:33,140
block some of those scripts.

102
00:05:33,140 --> 00:05:36,750
There is also the risk of running unsigned scripts and

103
00:05:36,750 --> 00:05:38,600
signed scripts that could be malicious.

104
00:05:38,600 --> 00:05:42,390
So like I mentioned before, there's still no magical way of saying,

105
00:05:42,390 --> 00:05:46,540
don't run or execute that malicious code.

106
00:05:46,540 --> 00:05:49,330
Our next one is the Restricted policy.

107
00:05:49,330 --> 00:05:54,140
This is the default execution policy for Windows client computers.

108
00:05:54,140 --> 00:05:59,040
So by default it's going to block those scripts from being executed.

109
00:05:59,040 --> 00:06:01,650
It will permit individual commands.

110
00:06:01,650 --> 00:06:05,160
So, for example, you could say Get-ComputerInfo,

111
00:06:05,160 --> 00:06:08,550
for example, but it won't allow you to run a full

112
00:06:08,550 --> 00:06:10,440
script that you may have written.

113
00:06:10,440 --> 00:06:14,240
It will also prevent running of all script files,

114
00:06:14,240 --> 00:06:18,770
so you'll need to either determine a different policy or if that's

115
00:06:18,770 --> 00:06:21,740
the policy you're going to apply, then maybe you need to look at a

116
00:06:21,740 --> 00:06:25,270
session‑based policy instead. Then lastly,

117
00:06:25,270 --> 00:06:27,640
we have the Unrestricted policy.

118
00:06:27,640 --> 00:06:32,710
So an Unrestricted policy is the default policy for non‑Windows computers, so,

119
00:06:32,710 --> 00:06:38,040
for example, like a Mac or something else. Unsigned scripts can execute.

120
00:06:38,040 --> 00:06:41,000
There's a massive risk of running malicious scripts

121
00:06:41,000 --> 00:06:43,840
because it'll basically execute anything.

122
00:06:43,840 --> 00:06:48,440
It will warn the user before running scripts and configuration files

123
00:06:48,440 --> 00:06:51,640
that are not technically classed as local internet zone, kind of like

124
00:06:51,640 --> 00:06:58,000
the browser. But for all intents and purposes, it will execute whatever is needed.

