
Set-Executionpolicy RemoteSigned


Josh Einstein

#2
Microsoft has a convention for adding metadata to a file (through the use of
NTFS alternate data streams I believe) that tags a file as having originated
from the internet zone. For example, when Internet Explorer downloads a
file, it attaches this metadata which is why you get the "always ask before
launching this file" prompt when running an installer you downloaded from
the internet but not one on a CD.

Windows Live Messenger also adds this metadata for files received in IM
conversations and I suspect Firefox 3.0 is probably doing it as well by now.
When you right click a file that originated from the internet and click
properties, you see a button that says "unblock" and that removes the
metadata so the file is treated normally.

It's kind of a hacky version of Unix's "execute" file attribute.

Josh

"Larry__Weiss" <lfw@xxxxxx> wrote in message
news:#6LLUUBrJHA.1748@xxxxxx

> At
>
> http://www.microsoft.com/technet/scriptcenter/topics/msh/cmdlets/set-executionpolicy.mspx
>
> it says of
>
> Set-ExecutionPolicy RemoteSigned
>
> RemoteSigned – Downloaded scripts must be signed by a trusted publisher
> before they can be run.
>
> How does PowerShell know that a script was downloaded?
> What does "downloaded" mean in this context?
>
> - Larry
 



Al Dunbar

#3
"Josh Einstein" <josheinstein@xxxxxx> wrote in message
news:1B025467-1C64-4860-ACB5-8684C18E8434@xxxxxx

> Microsoft has a convention for adding metadata to a file (through the use
> of NTFS alternate data streams I believe) that tag a file as having
> originated from the internet zone.
Thanks for the interesting and very plausible explanation. I have had some
experience with ADS (alternate data streams), but in a different context.

The key thing, though, is that they are an NTFS feature. If you copy a file
containing ADS's from an NTFS volume to a FAT volume, the alternate streams
are left behind, typically with a warning message.

If downloaded files are detected by some ADS artifacts, then these should be
removable by copying to a FAT volume and back again, or simply downloading
to a FAT volume to start with. Anyone want to try it?

/Al

> For example, when Internet Explorer downloads a file, it attaches this
> metadata which is why you get the "always ask before launching this file"
> prompt when running an installer you downloaded from the internet but not
> one on a CD.
>
> Windows Live Messenger also adds this metadata for files received in IM
> conversations and I suspect FireFox 3.0 is probably doing it as well by
> now. When you right click a file that originated from the internet and
> click properties, you see a button that says "unblock" and that removes
> the metadata so the file is treated normally.
>
> It's kind of a hacky version of Unix's "execute" file attribute.
>
> Josh
>
> "Larry__Weiss" <lfw@xxxxxx> wrote in message
> news:#6LLUUBrJHA.1748@xxxxxx

>> At
>>
>> http://www.microsoft.com/technet/scriptcenter/topics/msh/cmdlets/set-executionpolicy.mspx
>>
>> it says of
>>
>> Set-ExecutionPolicy RemoteSigned
>>
>> RemoteSigned – Downloaded scripts must be signed by a trusted publisher
>> before they can be run.
>>
>> How does PowerShell know that a script was downloaded?
>> What does "downloaded" mean in this context?
>>
>> - Larry
>
 



Matthias Tacke

#4
Al Dunbar wrote:

> If downloaded files are detected by some ADS artifacts, then these should be
> removable by copying to a FAT volume and back again, or simply downloading
> to a FAT volume to start with. Anyone want to try it?
>
No need to copy: streams.exe from Sysinternals can enumerate files with ADS
and also remove them.

<http://technet.microsoft.com/en-us/sysinternals/bb897440.aspx>
<http://download.sysinternals.com/Files/Streams.zip>

Downloaded files have a stream "Zone.Identifier".
You can view the content by appending the stream name to the file name
(albeit here it works only when redirecting the input, and only in cmd.exe):

>Streams *
...
k:\Winstall\Download\LogParser.msi:
:Zone.Identifier:$DATA 26
...

>more <"k:\Winstall\Download\LogParser.msi:Zone.Identifier"
[ZoneTransfer]
ZoneId=3

Here are some articles shedding light on ADS:
<http://www.flexhex.com/docs/articles/alternate-streams.phtml>
<http://www.codeproject.com/KB/winsdk/AlternateDataStream.aspx>
<http://www.codeproject.com/KB/files/ads.aspx>
<http://www.sans.org/reading_room/whitepapers/honors/alternate_data_streams_out_of_the_shadows_and_into_the_light_1503>


--
HTH
Matthias
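An added example, not code from the thread, that does in PowerShell what Al (#3) proposed testing and what Matthias (#4) shows with streams.exe: write the mark a browser leaves, enumerate the streams, read the [ZoneTransfer] section, and remove it the way the "Unblock" button does. It assumes PowerShell 3.0 or later on Windows (the -Stream parameter on the file cmdlets and Unblock-File), an NTFS %TEMP%, and a demo file name of my choosing.

```powershell
# Added example, not part of the original thread. Assumes PowerShell 3.0+
# on Windows (file cmdlets with -Stream, Unblock-File) and an NTFS %TEMP%.
# The script path and the simulated download mark below are constructed.

function Get-ZoneMark {
    # Returns the key=value pairs of a file's Zone.Identifier stream as an
    # object, or $null when the file carries no mark (no stream, or a FAT
    # volume, which cannot store one at all).
    param([Parameter(Mandatory)][string]$Path)

    $stream = Get-Item -Path $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $stream) { return $null }

    $mark = @{}
    foreach ($line in Get-Content -Path $Path -Stream Zone.Identifier) {
        # Lines look like "ZoneId=3"; the "[ZoneTransfer]" header is skipped.
        if ($line -match '^(\w+)=(.*)$') { $mark[$Matches[1]] = $Matches[2] }
    }
    [pscustomobject]$mark
}

# 1. Create a script and simulate a download: write the same [ZoneTransfer]
#    block a browser writes. ZoneId 3 is the Internet zone, the one that
#    RemoteSigned keys off.
$scriptPath = Join-Path $env:TEMP 'demo-downloaded.ps1'
Set-Content -Path $scriptPath -Value 'Write-Output "hello from a downloaded script"'
Set-Content -Path $scriptPath -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"

# 2. Enumerate the streams: the built-in equivalent of "streams.exe".
Get-Item -Path $scriptPath -Stream * | Select-Object Stream, Length

# 3. Read the mark.
Get-ZoneMark -Path $scriptPath        # ZoneId is 3 here

# 4. With the policy set to RemoteSigned, running this unsigned, marked script
#    is refused ("... is not digitally signed"):
#    & $scriptPath

# 5. Clear the mark. Unblock-File deletes the Zone.Identifier stream, which is
#    what the "Unblock" button does; Remove-Item -Stream Zone.Identifier is
#    the same operation.
Unblock-File -Path $scriptPath
if ($null -eq (Get-ZoneMark -Path $scriptPath)) {
    'mark removed; the script is now treated as local'
}

Remove-Item -Path $scriptPath
```

Get-ZoneMark returning $null is the whole story on a FAT volume: the file system has nowhere to keep the stream, so a download saved there never carries the mark and a copy to FAT and back discards it, exactly as Al described.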
 



Larry__Weiss

#5
So, if I download a script to a directory on a FAT32 volume,
this protection is not enforced by PowerShell.exe ?

(There is probably a better way to say that...)

- Larry


Josh Einstein wrote:

> Microsoft has a convention for adding metadata to a file (through the
> use of NTFS alternate data streams I believe) that tag a file as having
> originated from the internet zone. For example, when Internet Explorer
> downloads a file, it attaches this metadata which is why you get the
> "always ask before launching this file" prompt when running an installer
> you downloaded from the internet but not one on a CD.
>
> Windows Live Messenger also adds this metadata for files received in IM
> conversations and I suspect FireFox 3.0 is probably doing it as well by
> now. When you right click a file that originated from the internet and
> click properties, you see a button that says "unblock" and that removes
> the metadata so the file is treated normally.
>
> It's kind of a hacky version of Unix's "execute" file attribute.
>
>
> "Larry__Weiss" <lfw@xxxxxx> wrote...
http://www.microsoft.com/technet/scriptcenter/topics/msh/cmdlets/set-executionpolicy.mspx

>> it says of
>> Set-ExecutionPolicy RemoteSigned
>> RemoteSigned – Downloaded scripts must be signed by a trusted publisher
>> before they can be run.
>> How does PowerShell know that a script was downloaded?
>> What does "downloaded" mean in this context?
>>
 



Alex K. Angelopoulos

#6
That's correct; PowerShell simply exploits this functionality as an extra
layer of protection. The primary purpose of RemoteSigned, however, is to
prevent remote load and execution across security domains. If you're trying
to guarantee local integrity of files, the best option is to control the
write permissions for the volume or enforce signing.

Given the context, it sounds to me like the issue is that you're trying to
create a secure flash drive with scripts for easy transport for on-site tech
support. Is that what you're after?


"Larry__Weiss" <lfw@xxxxxx> wrote in message
news:#rG$LlJrJHA.5452@xxxxxx

> So, if I download a script to a directory on a FAT32 volume,
> this protection is not enforced by PowerShell.exe ?
>
> (There is probably a better way to say that...)
>
> - Larry
>
>
> Josh Einstein wrote:

>> Microsoft has a convention for adding metadata to a file (through the use
>> of NTFS alternate data streams I believe) that tag a file as having
>> originated from the internet zone. For example, when Internet Explorer
>> downloads a file, it attaches this metadata which is why you get the
>> "always ask before launching this file" prompt when running an installer
>> you downloaded from the internet but not one on a CD.
>>
>> Windows Live Messenger also adds this metadata for files received in IM
>> conversations and I suspect FireFox 3.0 is probably doing it as well by
>> now. When you right click a file that originated from the internet and
>> click properties, you see a button that says "unblock" and that removes
>> the metadata so the file is treated normally.
>>
>> It's kind of a hacky version of Unix's "execute" file attribute.
>>
>>
>> "Larry__Weiss" <lfw@xxxxxx> wrote...
> http://www.microsoft.com/technet/scriptcenter/topics/msh/cmdlets/set-executionpolicy.mspx

>>> it says of
>>> Set-ExecutionPolicy RemoteSigned
>>> RemoteSigned – Downloaded scripts must be signed by a trusted publisher
>>> before they can be run.
>>> How does PowerShell know that a script was downloaded?
>>> What does "downloaded" mean in this context?
>>>
 



Larry__Weiss

#7
No.
I'm just trying to understand the principles of operation involved with
Set-ExecutionPolicy RemoteSigned

I'm pretty sure I now understand how NTFS participates (and FAT32 doesn't).

I don't understand what you mean by "remote load and execution".

- Larry


Alex K. Angelopoulos wrote:

> That's correct; PowerShell simply exploits this functionality as an
> extra layer of protection. The primary purpose of RemoteSigned, however,
> is to prevent remote load and execution across security domains. If
> you're trying to guarantee local integrity of files, the best option is
> to control the write permissions for the volume or enforce signing.
>
> Given the context, it sounds to me like the issue is that you're trying
> to create a secure flash drive with scripts for easy transport for
> on-site tech support. Is that what you're after?
>
> "Larry__Weiss" <lfw@xxxxxx> wrote...

>> So, if I download a script to a directory on a FAT32 volume,
>> this protection is not enforced by PowerShell.exe ?
>>
>> Josh Einstein wrote:

>>> Microsoft has a convention for adding metadata to a file (through the
>>> use of NTFS alternate data streams I believe) that tag a file as
>>> having originated from the internet zone. For example, when Internet
>>> Explorer downloads a file, it attaches this metadata which is why you
>>> get the "always ask before launching this file" prompt when running
>>> an installer you downloaded from the internet but not one on a CD.
>>>
>>> Windows Live Messenger also adds this metadata for files received in
>>> IM conversations and I suspect FireFox 3.0 is probably doing it as
>>> well by now. When you right click a file that originated from the
>>> internet and click properties, you see a button that says "unblock"
>>> and that removes the metadata so the file is treated normally.
>>>
>>> It's kind of a hacky version of Unix's "execute" file attribute.
>>>
>>>
>>> "Larry__Weiss" <lfw@xxxxxx> wrote...
>>>> At
>> http://www.microsoft.com/technet/scriptcenter/topics/msh/cmdlets/set-executionpolicy.mspx
>>

>>>> it says of
>>>> Set-ExecutionPolicy RemoteSigned
>>>> RemoteSigned – Downloaded scripts must be signed by a trusted publisher
>>>> before they can be run.
>>>> How does PowerShell know that a script was downloaded?
>>>> What does "downloaded" mean in this context?
>>>>
 



Alex K. Angelopoulos

#8
The "remote execution" issue I mention is something in this kind of
scenario. Suppose you have access to a share on a remote system on the same
LAN, but it's in a separate security domain (for example, two peered
workstations where you get cross-system access transparently by having
accounts with the same name and password available on both systems). If you
have RemoteSigned as the execution policy on Computer 1 and then try to run
a PowerShell script that physically resides on a visible share on Computer
2, I believe PowerShell squawks about it. I haven't tried that in quite a
while and don't have a VM here to test it, so I may not remember this
precisely...

"Larry__Weiss" <lfw@xxxxxx> wrote in message
news:e6XDD#MrJHA.4364@xxxxxx

> No.
> I'm just trying to understand the principles of operation involved with
> Set-ExecutionPolicy RemoteSigned
>
> I'm pretty sure I now understand how NTFS participates (and FAT32
> doesn't).
>
> I don't understand what you mean by "remote load and execution".
>
> - Larry
>
>
> Alex K. Angelopoulos wrote:

>> That's correct; PowerShell simply exploits this functionality as an extra
>> layer of protection. The primary purpose of RemoteSigned, however, is to
>> prevent remote load and execution across security domains. If you're
>> trying to guarantee local integrity of files, the best option is to
>> control the write permissions for the volume or enforce signing.
>>
>> Given the context, it sounds to me like the issue is that you're trying
>> to create a secure flash drive with scripts for easy transport for
>> on-site tech support. Is that what you're after?
>>
>> "Larry__Weiss" <lfw@xxxxxx> wrote...

>>> So, if I download a script to a directory on a FAT32 volume,
>>> this protection is not enforced by PowerShell.exe ?
>>>
>>> Josh Einstein wrote:
>>>> Microsoft has a convention for adding metadata to a file (through the
>>>> use of NTFS alternate data streams I believe) that tag a file as having
>>>> originated from the internet zone. For example, when Internet Explorer
>>>> downloads a file, it attaches this metadata which is why you get the
>>>> "always ask before launching this file" prompt when running an
>>>> installer you downloaded from the internet but not one on a CD.
>>>>
>>>> Windows Live Messenger also adds this metadata for files received in IM
>>>> conversations and I suspect FireFox 3.0 is probably doing it as well by
>>>> now. When you right click a file that originated from the internet and
>>>> click properties, you see a button that says "unblock" and that removes
>>>> the metadata so the file is treated normally.
>>>>
>>>> It's kind of a hacky version of Unix's "execute" file attribute.
>>>>
>>>>
>>>> "Larry__Weiss" <lfw@xxxxxx> wrote...
>>>>> At
>>> http://www.microsoft.com/technet/scriptcenter/topics/msh/cmdlets/set-executionpolicy.mspx
>>>>> it says of
>>>>> Set-ExecutionPolicy RemoteSigned
>>>>> RemoteSigned – Downloaded scripts must be signed by a trusted
>>>>> publisher
>>>>> before they can be run.
>>>>> How does PowerShell know that a script was downloaded?
>>>>> What does "downloaded" mean in this context?
>>>>>
 



RickB

#9
This really opened a can of worms for me.
I was going to try to do some experiments along these lines.
By default all machines here use AllSigned.
So I had to temporarily set RemoteSigned.
When I tried to do it I got this message.

Set-ExecutionPolicy : Windows PowerShell updated your execution policy
successfully, but the setting is overridden by a policy defined at a
more specific scope. Due to the override, your shell will retain its
current effective execution policy of "AllSigned". For more information,
please see "Get-Help Set-ExecutionPolicy."

The help only mentions Vista as needing any extra effort to change the
policy.
I'm an admin on this XP box.
The policy was set back when I was running V1 but now I've got CTP3
installed and I can't seem to change the policy.

What do I need to do? There is no 'run as admin' in XP.

Alex K. Angelopoulos wrote:

> the "remote execution" issue I mention is something in this kind of
> scenario. Suppose you have access to a share on a remote system on the same
> LAN, but it's in a separate security domain (for example, two peered
> workstations where you get cross-system access transparently by having
> accounts with the same name and password available on both systems). If you
> have RemoteSigned as the execution policy on Computer 1 and then try to run
> a PowerShell script that physically resides on a visible share on Computer
> 2, I believe PowerShell squawks about it. I haven't tried that in quite a
> while and don't have a VM here to test it, so I may not remember this
> precisely...
>
> "Larry__Weiss" <lfw@xxxxxx> wrote in message
> news:e6XDD#MrJHA.4364@xxxxxx

> > No.
> > I'm just trying to understand the principles of operation involved with
> > Set-ExecutionPolicy RemoteSigned
> >
> > I'm pretty sure I now understand how NTFS participates (and FAT32
> > doesn't).
> >
> > I don't understand what you mean by "remote load and execution".
> >
> > - Larry
> >
> >
> > Alex K. Angelopoulos wrote:

> >> That's correct; PowerShell simply exploits this functionality as an extra
> >> layer of protection. The primary purpose of RemoteSigned, however, is to
> >> prevent remote load and execution across security domains. If you're
> >> trying to guarantee local integrity of files, the best option is to
> >> control the write permissions for the volume or enforce signing.
> >>
> >> Given the context, it sounds to me like the issue is that you're trying
> >> to create a secure flash drive with scripts for easy transport for
> >> on-site tech support. Is that what you're after?
> >>
> >> "Larry__Weiss" <lfw@xxxxxx> wrote...
> >>> So, if I download a script to a directory on a FAT32 volume,
> >>> this protection is not enforced by PowerShell.exe ?
> >>>
> >>> Josh Einstein wrote:
> >>>> Microsoft has a convention for adding metadata to a file (through the
> >>>> use of NTFS alternate data streams I believe) that tag a file as having
> >>>> originated from the internet zone. For example, when Internet Explorer
> >>>> downloads a file, it attaches this metadata which is why you get the
> >>>> "always ask before launching this file" prompt when running an
> >>>> installer you downloaded from the internet but not one on a CD.
> >>>>
> >>>> Windows Live Messenger also adds this metadata for files received in IM
> >>>> conversations and I suspect FireFox 3.0 is probably doing it as well by
> >>>> now. When you right click a file that originated from the internet and
> >>>> click properties, you see a button that says "unblock" and that removes
> >>>> the metadata so the file is treated normally.
> >>>>
> >>>> It's kind of a hacky version of Unix's "execute" file attribute.
> >>>>
> >>>>
> >>>> "Larry__Weiss" <lfw@xxxxxx> wrote...
> >>>>> At
> >>> http://www.microsoft.com/technet/scriptcenter/topics/msh/cmdlets/set-executionpolicy.mspx
> >>>>> it says of
> >>>>> Set-ExecutionPolicy RemoteSigned
> >>>>> RemoteSigned – Downloaded scripts must be signed by a trusted
> >>>>> publisher
> >>>>> before they can be run.
> >>>>> How does PowerShell know that a script was downloaded?
> >>>>> What does "downloaded" mean in this context?
> >>>>>
 



Josh Einstein

#10
According to the help, this is because of a group policy setting:

"However, if the "Turn on Script Execution" Group Policy is enabled for the
computer or user, the user preference is written to the registry, but it is
not effective, and Windows PowerShell displays a message explaining the
conflict. You cannot use Set-ExecutionPolicy to override a group policy,
even if the user preference is more restrictive than the policy."

"RickB" <rbielaws@xxxxxx> wrote in message
news:73f8809b-4cdb-490b-b04e-3d96a1c542dc@xxxxxx

> This really opened a can of worms for me.
> I was going to try to do some experiments along these lines.
> By default all machines here use AllSigned.
> So I had to temporarily set RemoteSigned.
> When I tried to do it I got this message.
>
> Set-ExecutionPolicy : Windows PowerShell updated your execution policy
> successfully, but the setting is overridden by a policy defined at a
> more specific scope. Due to the override, your shell will retain its
> current effective execution policy of "AllSigned". For more information,
> please see "Get-Help Set-ExecutionPolicy."
>
> The help only mentions VISTA as needing any extra effort to change the
> policy.
> I'm an admin on this XP box.
> The policy was set back when I was running V1 but now I've got CTP3
> installed and I can't seem to change the policy.
>
> What do I need to do? There is no 'run as admin' in XP.
>
> Alex K. Angelopoulos wrote:

>> the "remote execution" issue I mention is something in this kind of
>> scenario. Suppose you have access to a share on a remote system on the
>> same
>> LAN, but it's in a separate security domain (for example, two peered
>> workstations where you get cross-system access transparently by having
>> accounts with the same name and password available on both systems). If
>> you
>> have RemoteSigned as the execution policy on Computer 1 and then try to
>> run
>> a PowerShell script that physically resides on a visible share on
>> Computer
>> 2, I believe PowerShell squawks about it. I haven't tried that in quite a
>> while and don't have a VM here to test it, so I may not remember this
>> precisely...
>>
>> "Larry__Weiss" <lfw@xxxxxx> wrote in message
>> news:e6XDD#MrJHA.4364@xxxxxx

>> > No.
>> > I'm just trying to understand the principles of operation involved with
>> > Set-ExecutionPolicy RemoteSigned
>> >
>> > I'm pretty sure I now understand how NTFS participates (and FAT32
>> > doesn't).
>> >
>> > I don't understand what you mean by "remote load and execution".
>> >
>> > - Larry
>> >
>> >
>> > Alex K. Angelopoulos wrote:
>> >> That's correct; PowerShell simply exploits this functionality as an
>> >> extra
>> >> layer of protection. The primary purpose of RemoteSigned, however, is
>> >> to
>> >> prevent remote load and execution across security domains. If you're
>> >> trying to guarantee local integrity of files, the best option is to
>> >> control the write permissions for the volume or enforce signing.
>> >>
>> >> Given the context, it sounds to me like the issue is that you're
>> >> trying
>> >> to create a secure flash drive with scripts for easy transport for
>> >> on-site tech support. Is that what you're after?
>> >>
>> >> "Larry__Weiss" <lfw@xxxxxx> wrote...
>> >>> So, if I download a script to a directory on a FAT32 volume,
>> >>> this protection is not enforced by PowerShell.exe ?
>> >>>
>> >>> Josh Einstein wrote:
>> >>>> Microsoft has a convention for adding metadata to a file (through
>> >>>> the
>> >>>> use of NTFS alternate data streams I believe) that tag a file as
>> >>>> having
>> >>>> originated from the internet zone. For example, when Internet
>> >>>> Explorer
>> >>>> downloads a file, it attaches this metadata which is why you get the
>> >>>> "always ask before launching this file" prompt when running an
>> >>>> installer you downloaded from the internet but not one on a CD.
>> >>>>
>> >>>> Windows Live Messenger also adds this metadata for files received in
>> >>>> IM
>> >>>> conversations and I suspect FireFox 3.0 is probably doing it as well
>> >>>> by
>> >>>> now. When you right click a file that originated from the internet
>> >>>> and
>> >>>> click properties, you see a button that says "unblock" and that
>> >>>> removes
>> >>>> the metadata so the file is treated normally.
>> >>>>
>> >>>> It's kind of a hacky version of Unix's "execute" file attribute.
>> >>>>
>> >>>>
>> >>>> "Larry__Weiss" <lfw@xxxxxx> wrote...
>> >>>>> At
>> >>> http://www.microsoft.com/technet/scriptcenter/topics/msh/cmdlets/set-executionpolicy.mspx
>> >>>>> it says of
>> >>>>> Set-ExecutionPolicy RemoteSigned
>> >>>>> RemoteSigned – Downloaded scripts must be signed by a trusted
>> >>>>> publisher
>> >>>>> before they can be run.
>> >>>>> How does PowerShell know that a script was downloaded?
>> >>>>> What does "downloaded" mean in this context?
>> >>>>>
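An added example, not code from the thread, for the situation RickB (#9) hit and Josh (#10) explains: it shows which execution-policy scope is supplying the effective policy and what the policy registry keys behind the MachinePolicy and UserPolicy scopes contain. It assumes PowerShell 3.0 or later for the [pscustomobject] syntax (the scope model itself dates from 2.0) and that the registry keys are the documented locations written by the "Turn on Script Execution" Group Policy and by Set-ExecutionPolicy for the LocalMachine scope; the function names are mine.

```powershell
# Added example, not part of the original thread. Assumes PowerShell 3.0+.
# Registry keys are the documented locations of the "Turn on Script Execution"
# policy (MachinePolicy / UserPolicy) and of the LocalMachine preference.

function Get-ExecutionPolicySource {
    # Get-ExecutionPolicy -List returns the scopes in precedence order:
    # MachinePolicy, UserPolicy, Process, CurrentUser, LocalMachine.
    # The first scope that is not Undefined decides the effective policy,
    # which is why Set-ExecutionPolicy (CurrentUser or LocalMachine) is
    # recorded but ignored when a Group Policy scope is set.
    $scopes = Get-ExecutionPolicy -List
    $winner = $scopes |
        Where-Object { $_.ExecutionPolicy -ne 'Undefined' } |
        Select-Object -First 1

    [pscustomobject]@{
        Effective = Get-ExecutionPolicy
        DecidedBy = if ($winner) { $winner.Scope.ToString() } else { 'built-in default' }
        Scopes    = $scopes
    }
}

function Get-ExecutionPolicyRegistry {
    # Policy-delivered values (GPO, or a local policy edit) live under
    # Policies\; the ordinary LocalMachine preference lives under ShellIds.
    $locations = @(
        @{ Scope = 'MachinePolicy'; Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell' }
        @{ Scope = 'UserPolicy';    Key = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\PowerShell' }
        @{ Scope = 'LocalMachine';  Key = 'HKLM:\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell' }
    )
    foreach ($loc in $locations) {
        if (-not (Test-Path -Path $loc.Key)) { continue }
        $props = Get-ItemProperty -Path $loc.Key
        [pscustomobject]@{
            Scope           = $loc.Scope
            Key             = $loc.Key
            EnableScripts   = $props.EnableScripts      # 1 when the policy is Enabled
            ExecutionPolicy = $props.ExecutionPolicy    # e.g. AllSigned
        }
    }
}

$source = Get-ExecutionPolicySource
$source | Format-List Effective, DecidedBy
$source.Scopes | Format-Table -AutoSize
Get-ExecutionPolicyRegistry | Format-Table -AutoSize
```

If DecidedBy comes back as MachinePolicy or UserPolicy, the "overridden by a policy defined at a more specific scope" message is expected and no form of Set-ExecutionPolicy will change the result; the setting has to be changed where the policy is defined (the GPO, or the local policy value under Policies\ when nothing reapplies it), and a domain-delivered policy will simply come back at the next refresh.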
 

