Windows PowerShell is the engine that makes the operating system run. It can also serve as a back door into your organization, so locking it down is critical.
PowerShell, an interactive command-line scripting shell, is designed to allow you to automate desktop and application management tasks. It is so well suited for Windows management because it has deep insight into the operating system. Nearly anything you can do with the graphical user interface (GUI) in a management tool, you can also do with PowerShell. In fact, there are some management tasks, such as Desired State Configuration, you can only perform in PowerShell. This is especially true for some of Microsoft's server products such as Exchange.
Because it is so in tune with Windows, PowerShell security is crucial. You must prevent any malicious exploitation. As such, Microsoft put some safeguards in place. For example, PowerShell is subject to the same permissions and restrictions as GUI management tools. If a user lacks the authority to perform an administrative action through a GUI, he will not be able to perform the action in PowerShell, either.
Use execution policies for PowerShell security
Microsoft's main PowerShell security mechanisms are execution policies built into the command line itself. An execution policy's job is to maintain control over the execution of PowerShell scripts. For example, an administrator may wish to only allow scripts to execute if the scripts have been digitally signed.
From a Windows device, you can check the current execution policy setting by using the Get-ExecutionPolicy cmdlet. Similarly, you can use the Set-ExecutionPolicy cmdlet to assign an execution policy. For example, if you wanted to set the execution policy to Restricted, you would type: Set-ExecutionPolicy Restricted
Group Policy provides a better way
Although the cmdlet technique works, it is a manual process. As an alternative, you can use a Group Policy setting to configure the PowerShell execution policy. To do so:
- Open the Group Policy Editor.
- Navigate through the console tree by clicking Computer Configuration, then Administrative Templates, then Windows Components and finally Windows PowerShell.
- Double-click the policy setting called Turn on Script Execution. The Group Policy Editor will open the Turn on Script Execution policy setting.
- Choose the Enable option for this policy setting. Upon doing so, you will be given the option of assigning an execution policy. Your choices include: Allow Only Signed Scripts, Allow Local Scripts and Remote Signed Scripts, and Allow All Scripts.
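To confirm that the Group Policy setting above is the one actually in force on a machine, the following added example (not part of the original article) lists every execution policy scope and reports which scope decides the effective policy. The function name Get-ExecutionPolicyAudit, the variable names and the required value AllSigned are assumptions chosen for illustration.

```powershell
# Added example, not from the original article.
# Assumption: the baseline requires the GPO choice "Allow Only Signed Scripts".
$RequiredPolicy = 'AllSigned'

# Execution policy names that correspond to the three Group Policy choices.
$GpoChoiceFor = @{
    AllSigned    = 'Allow Only Signed Scripts'
    RemoteSigned = 'Allow Local Scripts and Remote Signed Scripts'
    Unrestricted = 'Allow All Scripts'
}

function Get-ExecutionPolicyAudit {
    param([Parameter(Mandatory)][string]$Required)

    # One entry per scope, highest precedence first:
    # MachinePolicy, UserPolicy, Process, CurrentUser, LocalMachine.
    $scopes = Get-ExecutionPolicy -List

    # The first scope that is not Undefined decides the effective policy.
    $deciding = $scopes |
        Where-Object { [string]$_.ExecutionPolicy -ne 'Undefined' } |
        Select-Object -First 1

    $effective = [string](Get-ExecutionPolicy)
    $scopeName = if ($deciding) { [string]$deciding.Scope } else { 'None (built-in default)' }

    # MachinePolicy and UserPolicy are the scopes written by Group Policy.
    $fromGpo = @('MachinePolicy', 'UserPolicy') -contains $scopeName

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        EffectivePolicy  = $effective
        DecidingScope    = $scopeName
        SetByGroupPolicy = $fromGpo
        GpoChoice        = if ($fromGpo) { $GpoChoiceFor[$effective] } else { $null }
        Compliant        = $fromGpo -and ($effective -eq $Required)
    }
}

# Show every scope, then the verdict for this machine.
Get-ExecutionPolicy -List | Format-Table -AutoSize
Get-ExecutionPolicyAudit -Required $RequiredPolicy | Format-List
```

If SetByGroupPolicy is False, the policy on that machine comes from a locally set scope (for example, one assigned with Set-ExecutionPolicy) rather than from the Group Policy setting.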