Vista and script security/signing

I followed the directions on setting up the Powershell GUI Help and my
profile won't execute. It seems that on Vista the default is that no scripts
run. OK, I kind of understand this. However, the other modes of operation
don't seem to match what I'd like to do and I certainly don't wan to have to
screw aroun d with signing simple utility scripts.

Is there a way to run restricted and then have a prompt to approve each
script execution. I *hate* the idea of "trusted" script providers. Even a
trusted provider cna be compromised and also I may not want to run a script,
even though it comes from a trusted provider. Is there a way to make a
scripot as "OK", on a script by script basis?

The settings for execution polict apply across all versions of PowerShell.

if your execution policy is set to Restricted - no scripts will run at all.

Best compromise for you is RemoteSigned I think
--
Richard Siddaway
Please note that all scripts are supplied "as is" and with no warranty
Blog: http://richardsiddaway.spaces.live.com/
PowerShell User Group: http://www.get-psuguk.org.uk


"P Cause" wrote:

> I followed the directions on setting up the Powershell GUI Help and my
> profile won't execute. It seems that on Vista the default is that no scripts
> run. OK, I kind of understand this. However, the other modes of operation
> don't seem to match what I'd like to do and I certainly don't wan to have to
> screw aroun d with signing simple utility scripts.
>
> Is there a way to run restricted and then have a prompt to approve each
> script execution. I *hate* the idea of "trusted" script providers. Even a
> trusted provider cna be compromised and also I may not want to run a script,
> even though it comes from a trusted provider. Is there a way to make a
> scripot as "OK", on a script by script basis?

In message <00E75C61-DDB8-4659-8A27-A6E09A76C90C@microsoft.com>, P Cause
<PCause@discussions.microsoft.com> writes
>I followed the directions on setting up the Powershell GUI Help and my
>profile won't execute. It seems that on Vista the default is that no scripts
>run.

The default execution policy is "Restricted".

>OK, I kind of understand this.

It's MS's security paranoia. It's a PITA, but it makes sense when you
allow yourself to be as paranoid as MS probably has to be these days.
Paraphrasign the old chestnut: even if MS was not being paranoid, there
would still be hackers out to get them! :-)

But seriously - there is a good security story here. PowerShell, like
any scripting tool, can do great damage when used badly. The barriers MS
puts up help to ensure that PowerShell scripts only run when the admin
really, really makes the effort!

> However, the other modes of operation
>don't seem to match what I'd like to do and I certainly don't wan to have to
>screw aroun d with signing simple utility scripts.

You can continue to run restricted - that way no scripts run. The other
settings are:

unrestricted - all scripts run
remotesigned - all local scripts run, scripts you download from other
systems must be signed
allsigned - all scritps that are signed run, others don't.


>Is there a way to run restricted and then have a prompt to approve each
>script execution.

No.

> I *hate* the idea of "trusted" script providers. Even a
>trusted provider cna be compromised and also I may not want to run a script,
>even though it comes from a trusted provider. Is there a way to make a
>scripot as "OK", on a script by script basis?

Set your policy to unrestricted and only run scripts you know and trust.

Not sure if this is really the answer you want, but it's the best I can
find.

Thomas

--
Thomas Lee
doctordns@gmail.com
MVP - Admin Frameworks and Security