Windows Vista Forums

Set-Executionpolicy RemoteSigned

  1. #1


    Larry__Weiss Guest

    Set-Executionpolicy RemoteSigned

    At

    http://www.microsoft.com/technet/scr...ionpolicy.mspx

    it says of

    Set-ExecutionPolicy RemoteSigned

    RemoteSigned Downloaded scripts must be signed by a trusted publisher
    before they can be run.

    How does PowerShell know that a script was downloaded?
    What does "downloaded" mean in this context?

    - Larry


  2. #2


    Josh Einstein Guest

    Re: Set-Executionpolicy RemoteSigned

    Microsoft has a convention for adding metadata to a file (through the use of
    NTFS alternate data streams I believe) that tag a file as having originated
    from the internet zone. For example, when Internet Explorer downloads a
    file, it attaches this metadata which is why you get the "always ask before
    launching this file" prompt when running an installer you downloaded from
    the internet but not one on a CD.

    Windows Live Messenger also adds this metadata for files received in IM
    conversations and I suspect FireFox 3.0 is probably doing it as well by now.
    When you right click a file that originated from the internet and click
    properties, you see a button that says "unblock" and that removes the
    metadata so the file is treated normally.

    It's kind of a hacky version of Unix's "execute" file attribute.

    Josh

    "Larry__Weiss" <lfw@xxxxxx> wrote in message
    news:#6LLUUBrJHA.1748@xxxxxx

    > At
    >
    > http://www.microsoft.com/technet/scr...ionpolicy.mspx
    >
    > it says of
    >
    > Set-ExecutionPolicy RemoteSigned
    >
    > RemoteSigned Downloaded scripts must be signed by a trusted publisher
    > before they can be run.
    >
    > How does PowerShell know that a script was downloaded?
    > What does "downloaded" mean in this context?
    >
    > - Larry


  3. #3


    Al Dunbar Guest

    Re: Set-Executionpolicy RemoteSigned


    "Josh Einstein" <josheinstein@xxxxxx> wrote in message
    news:1B025467-1C64-4860-ACB5-8684C18E8434@xxxxxx

    > Microsoft has a convention for adding metadata to a file (through the use
    > of NTFS alternate data streams I believe) that tag a file as having
    > originated from the internet zone.
    Thanks for the interesting and very plausible explanation. I have had some
    experience with ADS (alternate data streams), but in a different context.

    The key thing, though, is that they are an NTFS feature. If you copy a file
    containing ADS's from an NTFS volume to a FAT volume, the alternate streams
    are left behind, typically with a warning message.

    If downloaded files are detected by some ADS artifacts, then these should be
    removable by copying to a FAT volume and back again, or simply downloading
    to a FAT volume to start with. Anyone want to try it?

    /Al

    > For example, when Internet Explorer downloads a file, it attaches this
    > metadata which is why you get the "always ask before launching this file"
    > prompt when running an installer you downloaded from the internet but not
    > one on a CD.
    >
    > Windows Live Messenger also adds this metadata for files received in IM
    > conversations and I suspect FireFox 3.0 is probably doing it as well by
    > now. When you right click a file that originated from the internet and
    > click properties, you see a button that says "unblock" and that removes
    > the metadata so the file is treated normally.
    >
    > It's kind of a hacky version of Unix's "execute" file attribute.
    >
    > Josh
    >
    > "Larry__Weiss" <lfw@xxxxxx> wrote in message
    > news:#6LLUUBrJHA.1748@xxxxxx

    >> At
    >>
    >> http://www.microsoft.com/technet/scr...ionpolicy.mspx
    >>
    >> it says of
    >>
    >> Set-ExecutionPolicy RemoteSigned
    >>
    >> RemoteSigned Downloaded scripts must be signed by a trusted publisher
    >> before they can be run.
    >>
    >> How does PowerShell know that a script was downloaded?
    >> What does "downloaded" mean in this context?
    >>
    >> - Larry
    >



  4. #4


    Matthias Tacke Guest

    Re: Set-Executionpolicy RemoteSigned

    Al Dunbar wrote:

    > If downloaded files are detected by some ADS artifacts, then these should be
    > removable by copying to a FAT volume and back again, or simply downloading
    > to a FAT volume to start with. Anyone want to try it?
    >
    No need to copy, streams.exe from sysinternals can enumerate files with ads
    and also remove them.

    <http://technet.microsoft.com/en-us/sysinternals/bb897440.aspx>
    <http://download.sysinternals.com/Files/Streams.zip>

    Downloaded files have a stream "Zone.Identifier".
    You can view the content by appending the stream name to the file name,
    (Albeit it works here only when redirecting the input and only in cmd.exe)

    >Streams *
    ...
    k:\Winstall\Download\LogParser.msi:
    :Zone.Identifier:$DATA 26
    ...

    >more <"k:\Winstall\Download\LogParser.msi:Zone.Identifier"
    [ZoneTransfer]
    ZoneId=3

    Here are some articles shedding light on ADS:
    <http://www.flexhex.com/docs/articles/alternate-streams.phtml>
    <http://www.codeproject.com/KB/winsdk/AlternateDataStream.aspx>
    <http://www.codeproject.com/KB/files/ads.aspx>
    <http://www.sans.org/reading_room/whitepapers/honors/alternate_data_streams_out_of_the_shadows_and_into_the_light_1503>


    --
    HTH
    Matthias

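The stream Matthias lists with streams.exe can be inspected, written and removed from PowerShell itself, which makes the RemoteSigned behaviour easy to reproduce end to end. The block below is an added example, not code from this thread; it assumes PowerShell 3.0 or later (for the -Stream parameters, Get-Content -Raw and Unblock-File), an NTFS volume, and a throwaway script path under $env:TEMP chosen for the demo. It writes the same [ZoneTransfer] / ZoneId=3 content a browser download carries, shows that an unsigned file is refused under RemoteSigned once it is marked, then strips the stream the way the Unblock button (or streams.exe -d) does.

```powershell
# Added example, not from the thread. Requires PowerShell 3.0+ and an NTFS volume.
# $script is a throwaway path chosen for the demo.
$script = Join-Path $env:TEMP 'zone-demo.ps1'
Set-Content -Path $script -Value "'ran: $script'"

function Get-ZoneId {
    # Returns the ZoneId from the Zone.Identifier stream, or $null when the file
    # carries no such stream (PowerShell then does not treat it as downloaded).
    # URLZONE values: 0 MyComputer, 1 Intranet, 2 Trusted, 3 Internet, 4 Restricted.
    param([Parameter(Mandatory = $true)][string]$Path)
    $stream = Get-Item -Path $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $stream) { return $null }
    $text = Get-Content -Path $Path -Stream Zone.Identifier -Raw
    $m = [regex]::Match($text, '(?m)^ZoneId=(\d+)\s*$')
    if ($m.Success) { [int]$m.Groups[1].Value } else { $null }
}

function Invoke-DemoScript {
    # Runs the script and reports whether the execution policy let it load.
    # Only meaningful when the session's effective policy is RemoteSigned.
    param([Parameter(Mandatory = $true)][string]$Path)
    if ((Get-ExecutionPolicy) -ne 'RemoteSigned') {
        return "skipped: effective policy is $(Get-ExecutionPolicy), not RemoteSigned"
    }
    try { & $Path } catch { "blocked: $($_.Exception.Message)" }
}

# 1. Freshly written local file: only the main $DATA stream, no zone.
Get-Item -Path $script -Stream * | Select-Object Stream, Length
"ZoneId before marking: [$(Get-ZoneId $script)]"
Invoke-DemoScript $script        # runs; unsigned local scripts are allowed

# 2. Mark it exactly as a browser download would (ZoneId=3 is the Internet zone).
Set-Content -Path $script -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"
Get-Item -Path $script -Stream * | Select-Object Stream, Length   # :Zone.Identifier:$DATA now listed
"ZoneId after marking: [$(Get-ZoneId $script)]"
"Signature status: $((Get-AuthenticodeSignature -FilePath $script).Status)"   # NotSigned
Invoke-DemoScript $script        # blocked: the file is not digitally signed

# 3. Unblock-File deletes the stream (same effect as the Unblock button or
#    streams.exe -d); PowerShell then treats the file as local again.
Unblock-File -Path $script
"ZoneId after Unblock-File: [$(Get-ZoneId $script)]"
Invoke-DemoScript $script        # runs again

Remove-Item -Path $script
```

Run it in a session whose effective policy is RemoteSigned to see both outcomes. Note that Get-ZoneId only answers Larry's original question for the NTFS case the thread establishes: copying the file to a FAT volume, as Al suggests, drops the stream, and the function then reports no zone at all.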

  5. #5


    Larry__Weiss Guest

    Re: Set-Executionpolicy RemoteSigned

    So, if I download a script to a directory on a FAT32 volume,
    this protection is not enforced by PowerShell.exe ?

    (There is probably a better way to say that...)

    - Larry


    Josh Einstein wrote:

    > Microsoft has a convention for adding metadata to a file (through the
    > use of NTFS alternate data streams I believe) that tag a file as having
    > originated from the internet zone. For example, when Internet Explorer
    > downloads a file, it attaches this metadata which is why you get the
    > "always ask before launching this file" prompt when running an installer
    > you downloaded from the internet but not one on a CD.
    >
    > Windows Live Messenger also adds this metadata for files received in IM
    > conversations and I suspect FireFox 3.0 is probably doing it as well by
    > now. When you right click a file that originated from the internet and
    > click properties, you see a button that says "unblock" and that removes
    > the metadata so the file is treated normally.
    >
    > It's kind of a hacky version of Unix's "execute" file attribute.
    >
    >
    > "Larry__Weiss" <lfw@xxxxxx> wrote...

    >> At
    http://www.microsoft.com/technet/scr...ionpolicy.mspx

    >> it says of
    >> Set-ExecutionPolicy RemoteSigned
    >> RemoteSigned Downloaded scripts must be signed by a trusted publisher
    >> before they can be run.
    >> How does PowerShell know that a script was downloaded?
    >> What does "downloaded" mean in this context?
    >>


  6. #6


    Alex K. Angelopoulos Guest

    Re: Set-Executionpolicy RemoteSigned

    That's correct; PowerShell simply exploits this functionality as an extra
    layer of protection. The primary purpose of RemoteSigned, however, is to
    prevent remote load and execution across security domains. If you're trying
    to guarantee local integrity of files, the best option is to control the
    write permissions for the volume or enforce signing.

    Given the context, it sounds to me like the issue is that you're trying to
    create a secure flash drive with scripts for easy transport for on-site tech
    support. Is that what you're after?


    "Larry__Weiss" <lfw@xxxxxx> wrote in message
    news:#rG$LlJrJHA.5452@xxxxxx

    > So, if I download a script to a directory on a FAT32 volume,
    > this protection is not enforced by PowerShell.exe ?
    >
    > (There is probably a better way to say that...)
    >
    > - Larry
    >
    >
    > Josh Einstein wrote:

    >> Microsoft has a convention for adding metadata to a file (through the use
    >> of NTFS alternate data streams I believe) that tag a file as having
    >> originated from the internet zone. For example, when Internet Explorer
    >> downloads a file, it attaches this metadata which is why you get the
    >> "always ask before launching this file" prompt when running an installer
    >> you downloaded from the internet but not one on a CD.
    >>
    >> Windows Live Messenger also adds this metadata for files received in IM
    >> conversations and I suspect FireFox 3.0 is probably doing it as well by
    >> now. When you right click a file that originated from the internet and
    >> click properties, you see a button that says "unblock" and that removes
    >> the metadata so the file is treated normally.
    >>
    >> It's kind of a hacky version of Unix's "execute" file attribute.
    >>
    >>
    >> "Larry__Weiss" <lfw@xxxxxx> wrote...

    >>> At
    > http://www.microsoft.com/technet/scr...ionpolicy.mspx

    >>> it says of
    >>> Set-ExecutionPolicy RemoteSigned
    >>> RemoteSigned Downloaded scripts must be signed by a trusted publisher
    >>> before they can be run.
    >>> How does PowerShell know that a script was downloaded?
    >>> What does "downloaded" mean in this context?
    >>>


  7. #7


    Larry__Weiss Guest

    Re: Set-Executionpolicy RemoteSigned

    No.
    I'm just trying to understand the principles of operation involved with
    Set-ExecutionPolicy RemoteSigned

    I'm pretty sure I now understand how NTFS participates (and FAT32 doesn't).

    I don't understand what you mean by "remote load and execution".

    - Larry


    Alex K. Angelopoulos wrote:

    > That's correct; PowerShell simply exploits this functionality as an
    > extra layer of protection. The primary purpose of RemoteSigned, however,
    > is to prevent remote load and execution across security domains. If
    > you're trying to guarantee local integrity of files, the best option is
    > to control the write permissions for the volume or enforce signing.
    >
    > Given the context, it sounds to me like the issue is that you're trying
    > to create a secure flash drive with scripts for easy transport for
    > on-site tech support. Is that what you're after?
    >
    > "Larry__Weiss" <lfw@xxxxxx> wrote...

    >> So, if I download a script to a directory on a FAT32 volume,
    >> this protection is not enforced by PowerShell.exe ?
    >>
    >> Josh Einstein wrote:

    >>> Microsoft has a convention for adding metadata to a file (through the
    >>> use of NTFS alternate data streams I believe) that tag a file as
    >>> having originated from the internet zone. For example, when Internet
    >>> Explorer downloads a file, it attaches this metadata which is why you
    >>> get the "always ask before launching this file" prompt when running
    >>> an installer you downloaded from the internet but not one on a CD.
    >>>
    >>> Windows Live Messenger also adds this metadata for files received in
    >>> IM conversations and I suspect FireFox 3.0 is probably doing it as
    >>> well by now. When you right click a file that originated from the
    >>> internet and click properties, you see a button that says "unblock"
    >>> and that removes the metadata so the file is treated normally.
    >>>
    >>> It's kind of a hacky version of Unix's "execute" file attribute.
    >>>
    >>>
    >>> "Larry__Weiss" <lfw@xxxxxx> wrote...
    >>>> At
    >> http://www.microsoft.com/technet/scr...ionpolicy.mspx
    >>

    >>>> it says of
    >>>> Set-ExecutionPolicy RemoteSigned
    >>>> RemoteSigned Downloaded scripts must be signed by a trusted publisher
    >>>> before they can be run.
    >>>> How does PowerShell know that a script was downloaded?
    >>>> What does "downloaded" mean in this context?
    >>>>


  8. #8


    Alex K. Angelopoulos Guest

    Re: Set-Executionpolicy RemoteSigned

    the "remote execution" issue I mention is something in this kind of
    scenario. Suppose you have access to a share on a remote system on the same
    LAN, but it's in a separate security domain (for example, two peered
    workstations where you get cross-system access transparently by having
    accounts with the same name and password available on both systems). If you
    have RemoteSigned as the execution policy on Computer 1 and then try to run
    a PowerShell script that physically resides on a visible share on Computer
    2, I believe PowerShell squawks about it. I haven't tried that in quite a
    while and don't have a VM here to test it, so I may not remember this
    precisely...

    "Larry__Weiss" <lfw@xxxxxx> wrote in message
    news:e6XDD#MrJHA.4364@xxxxxx

    > No.
    > I'm just trying to understand the principles of operation involved with
    > Set-ExecutionPolicy RemoteSigned
    >
    > I'm pretty sure I now understand how NTFS participates (and FAT32
    > doesn't).
    >
    > I don't understand what you mean by "remote load and execution".
    >
    > - Larry
    >
    >
    > Alex K. Angelopoulos wrote:

    >> That's correct; PowerShell simply exploits this functionality as an extra
    >> layer of protection. The primary purpose of RemoteSigned, however, is to
    >> prevent remote load and execution across security domains. If you're
    >> trying to guarantee local integrity of files, the best option is to
    >> control the write permissions for the volume or enforce signing.
    >>
    >> Given the context, it sounds to me like the issue is that you're trying
    >> to create a secure flash drive with scripts for easy transport for
    >> on-site tech support. Is that what you're after?
    >>
    >> "Larry__Weiss" <lfw@xxxxxx> wrote...

    >>> So, if I download a script to a directory on a FAT32 volume,
    >>> this protection is not enforced by PowerShell.exe ?
    >>>
    >>> Josh Einstein wrote:
    >>>> Microsoft has a convention for adding metadata to a file (through the
    >>>> use of NTFS alternate data streams I believe) that tag a file as having
    >>>> originated from the internet zone. For example, when Internet Explorer
    >>>> downloads a file, it attaches this metadata which is why you get the
    >>>> "always ask before launching this file" prompt when running an
    >>>> installer you downloaded from the internet but not one on a CD.
    >>>>
    >>>> Windows Live Messenger also adds this metadata for files received in IM
    >>>> conversations and I suspect FireFox 3.0 is probably doing it as well by
    >>>> now. When you right click a file that originated from the internet and
    >>>> click properties, you see a button that says "unblock" and that removes
    >>>> the metadata so the file is treated normally.
    >>>>
    >>>> It's kind of a hacky version of Unix's "execute" file attribute.
    >>>>
    >>>>
    >>>> "Larry__Weiss" <lfw@xxxxxx> wrote...
    >>>>> At
    >>> http://www.microsoft.com/technet/scr...ionpolicy.mspx
    >>>>> it says of
    >>>>> Set-ExecutionPolicy RemoteSigned
    >>>>> RemoteSigned Downloaded scripts must be signed by a trusted
    >>>>> publisher
    >>>>> before they can be run.
    >>>>> How does PowerShell know that a script was downloaded?
    >>>>> What does "downloaded" mean in this context?
    >>>>>


  9. #9


    RickB Guest

    Re: Set-Executionpolicy RemoteSigned

    This really opened a can of worms for me.
    I was going to try to do some experiments along these lines.
    By default all machines here use AllSigned.
    So I had to temporarily set RemoteSigned.
    When I tried to do it I got this message.

    Set-ExecutionPolicy : Windows PowerShell updated your execution policy
    successfully, but the setting is overridden by a policy defined at a
    more specific scope. Due to the override, your shell will retain its
    current effective execution policy of "AllSigned". For more information, please
    see "Get-Help Set-ExecutionPolicy."

    The help only mentions VISTA as needing any extra effort to change the
    policy.
    I'm an admin on this XP box.
    The policy was set back when I was running V1 but now I've got CTP3
    installed and I can't seem to change the policy.

    What do I need to do? There is no 'run as admin' in XP.

    Alex K. Angelopoulos wrote:

    > the "remote execution" issue I mention is something in this kind of
    > scenario. Suppose you have access to a share on a remote system on the same
    > LAN, but it's in a separate security domain (for example, two peered
    > workstations where you get cross-system access transparently by having
    > accounts with the same name and password available on both systems). If you
    > have RemoteSigned as the execution policy on Computer 1 and then try to run
    > a PowerShell script that physically resides on a visible share on Computer
    > 2, I believe PowerShell squawks about it. I haven't tried that in quite a
    > while and don't have a VM here to test it, so I may not remember this
    > precisely...
    >
    > "Larry__Weiss" <lfw@xxxxxx> wrote in message
    > news:e6XDD#MrJHA.4364@xxxxxx

    > > No.
    > > I'm just trying to understand the principles of operation involved with
    > > Set-ExecutionPolicy RemoteSigned
    > >
    > > I'm pretty sure I now understand how NTFS participates (and FAT32
    > > doesn't).
    > >
    > > I don't understand what you mean by "remote load and execution".
    > >
    > > - Larry
    > >
    > >
    > > Alex K. Angelopoulos wrote:

    > >> That's correct; PowerShell simply exploits this functionality as an extra
    > >> layer of protection. The primary purpose of RemoteSigned, however, is to
    > >> prevent remote load and execution across security domains. If you're
    > >> trying to guarantee local integrity of files, the best option is to
    > >> control the write permissions for the volume or enforce signing.
    > >>
    > >> Given the context, it sounds to me like the issue is that you're trying
    > >> to create a secure flash drive with scripts for easy transport for
    > >> on-site tech support. Is that what you're after?
    > >>
    > >> "Larry__Weiss" <lfw@xxxxxx> wrote...
    > >>> So, if I download a script to a directory on a FAT32 volume,
    > >>> this protection is not enforced by PowerShell.exe ?
    > >>>
    > >>> Josh Einstein wrote:
    > >>>> Microsoft has a convention for adding metadata to a file (through the
    > >>>> use of NTFS alternate data streams I believe) that tag a file as having
    > >>>> originated from the internet zone. For example, when Internet Explorer
    > >>>> downloads a file, it attaches this metadata which is why you get the
    > >>>> "always ask before launching this file" prompt when running an
    > >>>> installer you downloaded from the internet but not one on a CD.
    > >>>>
    > >>>> Windows Live Messenger also adds this metadata for files received in IM
    > >>>> conversations and I suspect FireFox 3.0 is probably doing it as well by
    > >>>> now. When you right click a file that originated from the internet and
    > >>>> click properties, you see a button that says "unblock" and that removes
    > >>>> the metadata so the file is treated normally.
    > >>>>
    > >>>> It's kind of a hacky version of Unix's "execute" file attribute.
    > >>>>
    > >>>>
    > >>>> "Larry__Weiss" <lfw@xxxxxx> wrote...
    > >>>>> At
    > >>> http://www.microsoft.com/technet/scr...ionpolicy.mspx
    > >>>>> it says of
    > >>>>> Set-ExecutionPolicy RemoteSigned
    > >>>>> RemoteSigned - Downloaded scripts must be signed by a trusted
    > >>>>> publisher
    > >>>>> before they can be run.
    > >>>>> How does PowerShell know that a script was downloaded?
    > >>>>> What does "downloaded" mean in this context?
    > >>>>>


  10. #10


    Josh Einstein Guest

    Re: Set-Executionpolicy RemoteSigned

    According to the help, this is because of a group policy setting:

    "However, if the "Turn on Script Execution" Group Policy is enabled for the
    computer or user, the user preference is written to the registry, but it is
    not
    effective, and Windows PowerShell displays a message explaining the
    conflict.
    You cannot use Set-ExecutionPolicy to override a group policy, even if the
    user
    preference is more restrictive than the policy."

    "RickB" <rbielaws@xxxxxx> wrote in message
    news:73f8809b-4cdb-490b-b04e-3d96a1c542dc@xxxxxx

    > This really opened a can of worms for me.
    > I was going to try to do some experiments along these lines.
    > By default all machines here use AllSigned.
    > So I had to temporarily set RemoteSigned.
    > When I tried to do it I got this message.
    >
    > Set-ExecutionPolicy : Windows PowerShell updated your execution policy
    > successfully, but the setting is overridden by a policy defined at a
    > more specific scope. Due to the override, your shell will retain its
    > current effective execution policy of "AllSigned". For more information, please
    > see "Get-Help Set-ExecutionPolicy."
    >
    > The help only mentions VISTA as needing any extra effort to change the
    > policy.
    > I'm an admin on this XP box.
    > The policy was set back when I was running V1 but now I've got CTP3
    > installed and I can't seem to change the policy.
    >
    > What do I need to do? There is no 'run as admin' in XP.
    >
    > Alex K. Angelopoulos wrote:

    >> the "remote execution" issue I mention is something in this kind of
    >> scenario. Suppose you have access to a share on a remote system on the
    >> same
    >> LAN, but it's in a separate security domain (for example, two peered
    >> workstations where you get cross-system access transparently by having
    >> accounts with the same name and password available on both systems). If
    >> you
    >> have RemoteSigned as the execution policy on Computer 1 and then try to
    >> run
    >> a PowerShell script that physically resides on a visible share on
    >> Computer
    >> 2, I believe PowerShell squawks about it. I haven't tried that in quite a
    >> while and don't have a VM here to test it, so I may not remember this
    >> precisely...
    >>
    >> "Larry__Weiss" <lfw@xxxxxx> wrote in message
    >> news:e6XDD#MrJHA.4364@xxxxxx

    >> > No.
    >> > I'm just trying to understand the principles of operation involved with
    >> > Set-ExecutionPolicy RemoteSigned
    >> >
    >> > I'm pretty sure I now understand how NTFS participates (and FAT32
    >> > doesn't).
    >> >
    >> > I don't understand what you mean by "remote load and execution".
    >> >
    >> > - Larry
    >> >
    >> >
    >> > Alex K. Angelopoulos wrote:
    >> >> That's correct; PowerShell simply exploits this functionality as an
    >> >> extra
    >> >> layer of protection. The primary purpose of RemoteSigned, however, is
    >> >> to
    >> >> prevent remote load and execution across security domains. If you're
    >> >> trying to guarantee local integrity of files, the best option is to
    >> >> control the write permissions for the volume or enforce signing.
    >> >>
    >> >> Given the context, it sounds to me like the issue is that you're
    >> >> trying
    >> >> to create a secure flash drive with scripts for easy transport for
    >> >> on-site tech support. Is that what you're after?
    >> >>
    >> >> "Larry__Weiss" <lfw@xxxxxx> wrote...
    >> >>> So, if I download a script to a directory on a FAT32 volume,
    >> >>> this protection is not enforced by PowerShell.exe ?
    >> >>>
    >> >>> Josh Einstein wrote:
    >> >>>> Microsoft has a convention for adding metadata to a file (through
    >> >>>> the
    >> >>>> use of NTFS alternate data streams I believe) that tag a file as
    >> >>>> having
    >> >>>> originated from the internet zone. For example, when Internet
    >> >>>> Explorer
    >> >>>> downloads a file, it attaches this metadata which is why you get the
    >> >>>> "always ask before launching this file" prompt when running an
    >> >>>> installer you downloaded from the internet but not one on a CD.
    >> >>>>
    >> >>>> Windows Live Messenger also adds this metadata for files received in
    >> >>>> IM
    >> >>>> conversations and I suspect FireFox 3.0 is probably doing it as well
    >> >>>> by
    >> >>>> now. When you right click a file that originated from the internet
    >> >>>> and
    >> >>>> click properties, you see a button that says "unblock" and that
    >> >>>> removes
    >> >>>> the metadata so the file is treated normally.
    >> >>>>
    >> >>>> It's kind of a hacky version of Unix's "execute" file attribute.
    >> >>>>
    >> >>>>
    >> >>>> "Larry__Weiss" <lfw@xxxxxx> wrote...
    >> >>>>> At
    >> >>> http://www.microsoft.com/technet/scr...ionpolicy.mspx
    >> >>>>> it says of
    >> >>>>> Set-ExecutionPolicy RemoteSigned
    >> >>>>> RemoteSigned - Downloaded scripts must be signed by a trusted
    >> >>>>> publisher
    >> >>>>> before they can be run.
    >> >>>>> How does PowerShell know that a script was downloaded?
    >> >>>>> What does "downloaded" mean in this context?
    >> >>>>>

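To see which scope is overriding the preference RickB set, list the scopes and look at where each one is stored. This is an added example, not code from the thread; it assumes PowerShell 3.0 or later (for Get-ExecutionPolicy -List and [ordered]) and the registry locations Windows PowerShell uses: the "Turn on Script Execution" Group Policy writes EnableScripts and ExecutionPolicy under the Policies hive, while Set-ExecutionPolicy writes the user or machine preference under ...\ShellIds\Microsoft.PowerShell.

```powershell
# Added example, not from the thread. Requires PowerShell 3.0+.
function Show-ExecutionPolicySource {
    # Scopes are evaluated in precedence order: MachinePolicy, UserPolicy,
    # Process, CurrentUser, LocalMachine. The first scope that is not
    # Undefined is the effective policy, which is why a preference written
    # by Set-ExecutionPolicy cannot beat a Group Policy setting.
    Get-ExecutionPolicy -List | Format-Table -AutoSize
    "Effective policy: $(Get-ExecutionPolicy)"

    # Where each scope lives. The GPO keys hold EnableScripts (DWORD) and
    # ExecutionPolicy (string); the preference keys hold only ExecutionPolicy.
    $sources = [ordered]@{
        'MachinePolicy (GPO)' = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
        'UserPolicy (GPO)'    = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
        'LocalMachine (pref)' = 'HKLM:\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell'
        'CurrentUser (pref)'  = 'HKCU:\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell'
    }
    foreach ($name in $sources.Keys) {
        $key = $sources[$name]
        if (Test-Path -Path $key) {
            $v = Get-ItemProperty -Path $key
            '{0,-20} EnableScripts={1} ExecutionPolicy={2}  ({3})' -f `
                $name, $v.EnableScripts, $v.ExecutionPolicy, $key
        } else {
            '{0,-20} key absent, nothing set at this scope  ({1})' -f $name, $key
        }
    }
}

Show-ExecutionPolicySource
```

A value under either Policies key is what produces the "overridden by a policy defined at a more specific scope" message: it wins over Set-ExecutionPolicy at any scope, over -Scope Process, and over powershell.exe -ExecutionPolicy, all of which sit below MachinePolicy and UserPolicy in the list. Running as an administrator does not help, so on a domain-joined machine the change has to be made in the GPO, and on a standalone box in the Local Group Policy editor rather than in the preference key.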

