Q
Get started Bring yourself up to speed with our introductory content.

How can you use Group Policy to tighten PowerShell security?

PowerShell can unlock a lot of management capabilities for IT, but it is also a potential security gap. Put Group Policy to work to fill in the hole.

Windows PowerShell is the engine that makes the operating system run. It can also serve as a back door into your organization, so locking it down is critical.

PowerShell, an interactive command-line scripting shell, is designed to allow you to automate desktop and application management tasks. It is so well suited for Windows management because it has deep insight into the operating system. Nearly anything you can do with the graphical user interface (GUI) in a management tool, you can also do with PowerShell. In fact, there are some management tasks, such as Desired State Configuration, you can only perform in PowerShell. This is especially true for some of Microsoft's server products such as Exchange.

Because it is so in tune with Windows, PowerShell security is crucial. You must prevent any malicious exploitation. As such, Microsoft put some safeguards in place. For example, PowerShell is subject to the same permissions and restrictions as GUI management tools. If a user lacks the authority to perform an administrative action through a GUI, he will not be able to perform the action in PowerShell, either.

Use execution policies for PowerShell security

Because it is so in tune with Windows, PowerShell security is crucial. You must prevent any malicious exploitation.

Microsoft's main PowerShell security mechanisms are execution policies built into the command line itself. An execution policy's job is to maintain control over the execution of PowerShell scripts. For example, an administrator may wish to only allow scripts to execute if the scripts have been digitally signed.

From a Windows device, you can check the current execution policy setting by using the Get-ExecutionPolicy cmdlet. Similarly, you can use the Set-ExecutionPolicy cmdlet to assign an execution policy. For example, if you wanted to set the execution policy to Restricted, you would type: Set-ExecutionPolicy Restricted

Group Policy provides a better way

Although the cmdlet technique works, it is a manual process. As an alternative, you can use a Group Policy setting to configure the PowerShell execution policy. To do so:

  1. Open the Group Policy Editor.
  2. Navigate through the console tree by clicking Computer Configuration, then Administrative Templates, then Windows Components and finally Windows PowerShell.
  3. Double click on the policy setting called Turn on Script Execution. The Group Policy Editor will open the Turn on Script Execution policy setting.
  4. Choose the Enable option for this policy setting. Upon doing so, you will be given the option of assigning an execution policy. Your choices include: Allow Only Signed Scripts, Allow Local Scripts and Remote Signed Scripts, and Allow All Scripts.

Next Steps

How to use PowerShell in Exchange

Put PowerShell to work

Twenty-five PowerShell commands to know

This was last published in April 2017

PRO+

Content

Find more PRO+ content and other member only offers, here.

Essential Guide

The go-to Windows PowerShell guide

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

Join the conversation

1 comment

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.

What other steps can protect PowerShell from security breaches?
Cancel

-ADS BY GOOGLE

SearchVirtualDesktop

SearchWindowsServer

SearchExchange

Close