Automating the world one-liner at a time…
Over on the Microsoft.Public.Windows.PowerShell newsgroup Stefan had a number of questions about the following scenario:
I want to start ps1 scripts over UNC paths or mapped network shares. I tried to change the execution policy to unrestricted but I always get the following prompt:

Security Warning
Run only scripts that you trust. While scripts from the Internet can be useful, this script can potentially harm your computer. Do you want to run \\blablabla\bla?
[D] Do not run [R] Run once [S] Suspend [?] Help (default is "D"):
This has confused a number of people. That is because most of us never read the documentation. If there is one piece of documentation you should read, it is about_signing.
Chainsaws are awesome tools but if you apply them to your leg – it will be a really bad day. So too, scripting is an awesome tool but if you make the wrong security decisions, it is going to be a bad day. This is why we ship PowerShell in RESTRICTED mode which allows interactive use but does not allow scripts to be run. As soon as you try to run a script, we give an error and tell you to read About_Signing.
PS> .\test.ps1
File C:\Temp\wmi\test.ps1 cannot be loaded because the execution of scripts is disabled on this system. Please see "get-help about_signing" for more details.
At line:1 char:11
+ .\test.ps1 <<<<
About_Signing is designed to lay out the security decisions you need to make and then detail their risks and benefits. Here is what it says about UNRESTRICTED:
Unrestricted
- Unsigned scripts can run.
- Scripts and configuration files that are downloaded from the Internet (including Microsoft Outlook, Outlook Express and Windows Messenger) run after warning you that the file originated from the Internet.
- Risks running malicious scripts.
What this is saying is that various tools (like IE and Outlook) tag downloaded content with origin information. PowerShell looks for this and when it detects that a script comes from the internet, we warn you and you have to make an explicit decision to run it or not. Think of this as the functional equivalent of having to put your foot on the brakes before you can put your car in reverse.
As a general rule, you need to be very careful running stuff you pulled down from the internet. If you've reviewed the script and found it to be trustworthy, you can remove its origin information by UNBLOCKING it from the properties dialog box in Explorer (Select the object in explorer, right click, select properties, unclick BLOCKED).
As a reminder, I've included the execution policy choices you have:
POWERSHELL EXECUTION POLICIES
------------------------------
The PowerShell execution policies are:

Restricted
- Default execution policy.
- Permits individual commands, but scripts cannot run.

AllSigned
- Scripts can run.
- Requires a digital signature from a trusted publisher on all scripts and configuration files, including scripts that you write on the local computer.
- Prompts you before running scripts from trusted publishers.
- Risks running signed, but malicious, scripts.

RemoteSigned
- Scripts can run.
- Requires a digital signature from a trusted publisher on scripts and configuration files that are downloaded from the Internet (including e-mail and instant messaging programs).
- Does not require digital signatures on scripts run from the local computer.
- Does not prompt you before running scripts from trusted publishers.
- Risks running signed, but malicious, scripts.

Unrestricted
- Unsigned scripts can run.
- Scripts and configuration files that are downloaded from the Internet (including Microsoft Outlook, Outlook Express and Windows Messenger) run after warning you that the file originated from the Internet.
- Risks running malicious scripts.
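The origin tag described above (the information IE and Outlook attach to downloaded files, which you clear with Unblock) and the policy table together decide whether a script runs, prompts or is refused. The following is an added example, not code from the original post, that reads the tag, the Authenticode signature and the current execution policy for one file and reports the expected outcome. It assumes an NTFS volume (the tag is stored in the file's Zone.Identifier alternate data stream) and PowerShell 3.0 or later, which added the -Stream parameter and Unblock-File; the ZoneId numbering follows the Internet Explorer URL security zones.

```powershell
# Added example (not part of the original post). Explains why PowerShell would
# run, prompt for, or refuse a script, using the origin tag the post describes.
# Assumes NTFS and PowerShell 3.0+ (for -Stream and Unblock-File).

function Get-ScriptTrustReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Path
    )

    $file = Get-Item -LiteralPath $Path -ErrorAction Stop

    # 1. Origin tag. ZoneId values follow the URL security zones:
    #    0 = My Computer, 1 = Local intranet, 2 = Trusted sites,
    #    3 = Internet, 4 = Restricted sites. No stream = created locally or unblocked.
    $zoneId = $null
    $stream = Get-Item -LiteralPath $file.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if ($stream) {
        foreach ($line in (Get-Content -LiteralPath $file.FullName -Stream Zone.Identifier)) {
            if ($line -match '^ZoneId=(\d)') { $zoneId = [int]$Matches[1]; break }
        }
    }

    # 2. Authenticode signature, the check that AllSigned and RemoteSigned rely on.
    $sig = Get-AuthenticodeSignature -FilePath $file.FullName
    $signedOk = ($sig.Status -eq 'Valid')

    # 3. Effective execution policy for this session.
    $policy = (Get-ExecutionPolicy).ToString()

    # 4. Predict the outcome. "Remote" means tagged Internet (3) or Restricted (4).
    #    A UNC path with no tag is zoned through the Internet Settings ZoneMap
    #    instead (see the comments in this thread); that case is not modelled here.
    $isRemote = ($null -ne $zoneId -and $zoneId -ge 3)
    $verdict = switch ($policy) {
        'Restricted'   { 'Blocked: scripts cannot run under Restricted' }
        'AllSigned'    { if ($signedOk) { 'Runs (valid signature)' }
                         else { 'Blocked: AllSigned requires a valid signature' } }
        'RemoteSigned' { if (-not $isRemote) { 'Runs (local origin)' }
                         elseif ($signedOk) { 'Runs (remote origin, validly signed)' }
                         else { 'Blocked: remote origin without a valid signature' } }
        'Unrestricted' { if ($isRemote) { 'Prompts: remote origin, answer R to run once' }
                         else { 'Runs' } }
        default        { "No prediction for policy '$policy'" }
    }

    [pscustomobject]@{
        Path            = $file.FullName
        ZoneId          = $zoneId
        SignatureStatus = $sig.Status
        Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        ExecutionPolicy = $policy
        Verdict         = $verdict
    }
}

# Clear the tag only after reviewing the script; -WhatIf previews the action.
function Unblock-ReviewedScript {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Path)
    if ($PSCmdlet.ShouldProcess($Path, 'Remove Zone.Identifier origin tag')) {
        Unblock-File -LiteralPath $Path
    }
}

# Usage (constructed paths; substitute your own):
# Get-ScriptTrustReport -Path 'C:\Temp\wmi\test.ps1' | Format-List
# Unblock-ReviewedScript -Path 'C:\Temp\wmi\test.ps1' -WhatIf
```

Run the report before changing anything: a ZoneId of 3 with a NotSigned status under RemoteSigned tells you the file needs either a review and unblock, or a signature, rather than a looser policy. Unblock-ReviewedScript does the same thing as unticking BLOCKED in the Explorer properties dialog, only scriptably and with a -WhatIf preview.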
Jeffrey Snover [MSFT]
Windows Management Partner Architect
Visit the Windows PowerShell Team blog at: http://blogs.msdn.com/PowerShell
Visit the Windows PowerShell ScriptCenter at: http://www.microsoft.com/technet/scriptcenter/hubs/msh.mspx
Seems that you are talking about my newsgroup thread here. Glad to get your attention and your response. Just some things to clarify:
I read the documentation and I already tried the makecert tool to create my certificates. I was not able to deploy these certificates in my target domain using AD and GPO or something else.
The "unrestricted" path was considered because we already took a lot of security measures to ensure that the scripts in that UNC are only accessible from certain users and are originated from us.
Regarding the tagging: I didn't download any scripts from the internet nor did I get them through Outlook. All scripts were created on an admin workstation using Explorer's right-click, New, Text Document, renamed to .ps1. I used Visual Studio or PowerShell Analyzer to edit the script. Due to our (already very secure) deployment policy I have to get the script into my target environment using a special deployment path. So essentially the scripts get copied there using xcopy or something like this.
So how can this script be tagged? Is a copy over the network already enough to get tagged?
Thanks again for looking into this and I am very happy to hear your suggestions and tips...
One more update:
I realized that one of my test scripts dot-sourced a file from our netlogon share which was specified as \\domain.subdomain\netlogon\setvariables.ps1
It seems that PowerShell thinks that domain.subdomain is a location on the internet. How can I tell PowerShell that this is actually intranet? I already tried to change the intranet settings in the Internet Explorer security options.
I sometimes use the unrestricted execution policy on my development box (as opposed to re-signing scripts over and over during development). With this policy, when I execute a script from a network drive (UNC or mapped drive), I get prompted to actually run the script. If I copy the scripts to local disk, the prompt does not occur.
Does PowerShell treat network locations as "originated from the Internet"?
PowerShell treats UNC paths as trusted, unless the configuration of internet zones places the computer in the Internet zone (or worse.)
Internet Explorer's "Enhanced Security Configuration" by default doesn't trust any UNC paths -- so the solution is to add the machines on that UNC path to the trusted sites list.
These two keys hold the security settings for the regular domain trust and enhanced security configuration trust, respectively:
Jay wrote: I think this should help (read the comments also): [link]
I created the file on the Win 2003 server.
I am trying to run as batch. The file runs fine interactively.
My execution-policy is unrestricted.
I am getting the "Run only scripts that you trust. While scripts from the Internet can be useful,"...
Which is not conducive to running in batch. If the policy is unrestricted, then why is it restricting me from running the script?
FYI: I added a UNC to the trusted sites in IE under Windows Server 2008. This yielded the above-mentioned keys, except for the 'host' at the end of the key name. The machines are both in workgroup mode and I was using only the machine name to access the UNC.
I added the file I wanted to execute to the Local intranet trusted sites. In IE8: Tools >> Internet Options >> Security >> Local intranet >> Sites >> Advanced. I then added F:\BatFiles\Prod\itunes_refresh_podcast.bat and it automatically changed it to file://maindt (maindt is the name of the computer where the file resides). After I did that it added a registry key similar to the one mentioned above, and then my PowerShell script worked as expected.
After much frustration - here's the script to add a machine to the trusted zone (no reboot required):
$machineName = "MYMACHINENAME"
# EscDomains is IE's Enhanced Security Configuration list; the value name is the URL scheme
# ("*" = every scheme) and the DWORD is the zone: 1 = Local intranet, 2 = Trusted sites
New-Item -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\$machineName" -Force | Out-Null
New-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\$machineName" -Name "*" -Value 1 -PropertyType DWord
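The two comments above (the one naming the "regular domain trust" and "enhanced security configuration trust" keys, and the script that writes to EscDomains) describe the same mechanism: the ZoneMap registry keys that decide which Internet Explorer security zone a file server falls into, and therefore whether PowerShell prompts for a script on that share. The following is an added example, not any commenter's script, that writes the mapping to both branches with a preview option and then reads back what the URL security manager actually resolves the share to. It assumes the key layout named in the thread (...\ZoneMap\Domains for normal lookups, ...\ZoneMap\EscDomains for Enhanced Security Configuration), zone values 1 = Local intranet and 2 = Trusted sites, and Windows PowerShell on the .NET Framework for the System.Security.Policy.Zone check.

```powershell
# Added example (not from the thread). Maps a file-server host into an IE
# security zone for the current user and verifies the result.
# Assumptions: ZoneMap\Domains and ZoneMap\EscDomains layout as named in the
# thread; zone values 1 = Local intranet, 2 = Trusted sites; Windows PowerShell
# (.NET Framework) for [System.Security.Policy.Zone]::CreateFromUrl.
# The keys are per user (HKCU): set them as the account that will run the
# script, which for a scheduled batch job is usually not your interactive login.

$ZoneMapBase = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'

function Set-UncHostZone {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Host name or FQDN exactly as it appears in the UNC path
        [Parameter(Mandatory)]
        [ValidatePattern('^[A-Za-z0-9][A-Za-z0-9.-]*$')]
        [string]$HostName,

        # 1 = Local intranet, 2 = Trusted sites
        [ValidateSet(1, 2)]
        [int]$Zone = 1,

        # Limit the mapping to the file: scheme; '*' would also relax IE for http/https
        [ValidateSet('file', '*')]
        [string]$Protocol = 'file'
    )

    foreach ($branch in 'Domains', 'EscDomains') {
        $key = Join-Path $ZoneMapBase "$branch\$HostName"
        if ($PSCmdlet.ShouldProcess($key, "set $Protocol = $Zone")) {
            if (-not (Test-Path -LiteralPath $key)) {
                New-Item -Path $key -Force | Out-Null
            }
            # -Force overwrites an existing value instead of erroring on it
            New-ItemProperty -LiteralPath $key -Name $Protocol -Value $Zone `
                -PropertyType DWord -Force | Out-Null
        }
    }
}

function Get-UncHostZone {
    param([Parameter(Mandatory)][string]$HostName)

    # What is written in each branch of the ZoneMap
    foreach ($branch in 'Domains', 'EscDomains') {
        $key = Join-Path $ZoneMapBase "$branch\$HostName"
        $props = if (Test-Path -LiteralPath $key) { Get-ItemProperty -LiteralPath $key } else { $null }
        [pscustomobject]@{
            Branch     = $branch
            Exists     = [bool]$props
            FileScheme = if ($props) { $props.file } else { $null }
            AllSchemes = if ($props) { $props.'*' } else { $null }
        }
    }

    # What the URL security manager resolves the share to now (the same zone
    # machinery IE uses); SecurityZone is MyComputer/Intranet/Trusted/Internet/Untrusted
    $resolved = [System.Security.Policy.Zone]::CreateFromUrl("file://$HostName/")
    [pscustomobject]@{
        Branch     = 'Resolved'
        Exists     = $true
        FileScheme = $resolved.SecurityZone.ToString()
        AllSchemes = $null
    }
}

# Usage (constructed host name; substitute your own file server):
# Set-UncHostZone -HostName 'fileserver01' -WhatIf          # preview the keys
# Set-UncHostZone -HostName 'fileserver01'                  # Local intranet, file: only
# Get-UncHostZone -HostName 'fileserver01' | Format-Table   # confirm Resolved = Intranet
```

Run Get-UncHostZone before and after the change: if the Resolved row still says Internet, the share is being addressed by a name the mapping does not cover (FQDN versus short name, as one commenter found), or the change was made under a different user's HKCU. Restricting the value to the file scheme and to individual host names keeps the relaxation as narrow as the problem requires; a '*' scheme or a wildcard domain widens what IE and every other zone-aware application will trust.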
Do you have any suggestions for someone who would want to create a session to a remote host within PowerShell? This session should have full access to the filesystem and create a UNC path visible when the command 'net use' is run from the CLI.
Basically, a persistent UNC session.
Thanks in advance :)
@Jeff Binning. I had the same issue and resolved it by right-clicking the file and selecting Unblock from Properties. This can happen if you downloaded a script or compressed file (containing scripts) from an untrusted source.