Are you afraid to use PowerShell in your environment due to security concerns? Are there security concerns in your organization that prevent you from using PowerShell?
PowerShell security is not always as it appears. Sometimes, perceptions can be irrational. PowerShell is more secure than other scripting languages.
First generation: batch files
Let’s start with the ancestor of all scripting in Windows IT: batch files. Batch files have been around since the DOS era in the mid-1980s, and many IT administrators still use them today. They are treated as executable programs: to run one, you double-click it. They can be executed directly from the current directory without any path qualifier. The system does not support digitally signing them.
Batch files have the power to run any executable, command-line tool or other batch file. All of these run with the same privileges as the command prompt.
Second generation: VBscript
VBscript was the second generation of scripting in a Windows IT environment. It was created in the late 1990s as a more programmer-oriented tool for managing and automating Windows, and it quickly became a powerful IT management tool. VBscripts can also be double-clicked to execute them. They can be executed directly from the current folder, without any path qualifier. They have no inherent digital signing option. VBscripts, just like batch files, run with the same privileges as the command prompt that launched them or the user who double-clicked them.
Third generation: PowerShell
PowerShell is the third and most recent generation of Windows scripting. It was introduced in 2008 with Windows Vista and Server 2008 R1, and it opened up a new era of command-line tools for Windows administrators.
PowerShell can’t do anything that you couldn’t do before; it makes these same tasks much easier. The PowerShell designers chose a “secure by default” approach. PowerShell scripts are not treated as executable programs: you can’t double-click them to run them, and you must always specify a relative or full path. Digital signing is supported.
PowerShell scripts run in the same context as the PowerShell prompt they are launched from, much like batch files or VBscripts. PowerShell scripts cannot be run on Windows client operating systems and Windows Servers above Server 2012 R1.
Four levels of PowerShell’s execution policy
For PowerShell scripts to run successfully, the machine’s execution policy must be set to an appropriate level:
* Restricted
* AllSigned
* RemoteSigned
* Unrestricted or Bypass
RemoteSigned is the default for Windows Server 2012 R2 and Server 2016; all other operating systems are set to Restricted, which means that scripts won’t run. RemoteSigned blocks untrusted (unsigned) scripts that have been downloaded from outside sources. A script that was written and saved within your domain will be trusted.
Under the AllSigned policy, any script without a trusted signature is blocked from running. This level is the most secure, but it comes with the greatest administrative overhead, as every script must be re-signed each time it is modified.
Signatures are not required for the Unrestricted or Bypass modes. This mode can be dangerous and should not be used in production environments.
You can set the execution policy level either by using the Set-ExecutionPolicy command or by using Group Policy settings.
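The audit script below is an added example, not code from the original article. It lists the policy at each scope and predicts, per script, whether the machine's effective level would let it run. The folder `C:\Scripts` and the function name `Test-ScriptAgainstPolicy` are hypothetical, and the model is simplified: a script counts as signed only when its Authenticode status is `Valid`, and as downloaded only when it carries a Zone.Identifier stream with ZoneId 3 or 4.

```powershell
# Added example (not from the article). $ScriptDir is a hypothetical folder.
param([string]$ScriptDir = 'C:\Scripts')

# Predict whether one script would run under a given execution policy level.
# Simplified model: "signed" means Authenticode status Valid; "downloaded"
# means a Zone.Identifier stream with ZoneId 3 (Internet) or 4 (Restricted sites).
function Test-ScriptAgainstPolicy {
    param([string]$Path, [string]$Policy)

    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $signed = $sig.Status -eq 'Valid'

    # The mark-of-the-web lives in an NTFS alternate data stream (Windows only).
    $zone   = Get-Content -Path $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    $remote = [bool]($zone -match '^ZoneId=[34]$')

    $allowed = switch ($Policy) {
        'Restricted'   { $false }                      # no scripts at all
        'AllSigned'    { $signed }                     # every script needs a trusted signature
        'RemoteSigned' { $signed -or -not $remote }    # only downloaded scripts need one
        default        { $true }                       # Unrestricted or Bypass
    }

    [pscustomobject]@{
        Script     = Split-Path -Leaf $Path
        Signature  = $sig.Status
        Downloaded = $remote
        Policy     = $Policy
        WouldRun   = $allowed
    }
}

# 1. Policy at every scope; flag the levels that require no signatures.
foreach ($p in (Get-ExecutionPolicy -List)) {
    $flag = if ($p.ExecutionPolicy -in 'Unrestricted', 'Bypass') { '<- no signature required' } else { '' }
    '{0,-15} {1,-14} {2}' -f $p.Scope, $p.ExecutionPolicy, $flag
}

# 2. Evaluate every script in the folder against the effective policy.
$effective = [string](Get-ExecutionPolicy)
"Effective policy: $effective"
Get-ChildItem -Path $ScriptDir -Filter *.ps1 -File | ForEach-Object {
    Test-ScriptAgainstPolicy -Path $_.FullName -Policy $effective
} | Format-Table -AutoSize
```

Passing a different `-Policy` value, such as `AllSigned`, shows which scripts would need signing before the level is tightened.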