Welcome PowerShell User! This recipe is just one of the hundreds of useful resources contained in the Windows PowerShell Cookbook, 3rd edition.


Manage PowerShell Security in an Enterprise

Problem

You want to control PowerShell’s security features in an enterprise setting.

Solution

You have two ways to manage PowerShell’s security features enterprise-wide:

  • Apply PowerShell’s Group Policy templates to control PowerShell’s execution policy through Group Policy.

  • Deploy Microsoft Certificate Services to automatically generate Authenticode code-signing certificates for domain accounts.

Discussion

Either separately or together, these features let you customize your PowerShell environment across your entire domain.

Apply PowerShell’s Group Policy templates

The administrative templates for Windows PowerShell let you override the machine’s local execution policy preference at both the machine and per-user level. To obtain the PowerShell administrative templates, visit this site and search for “Administrative templates for Windows PowerShell.”

Note

Although Group Policy settings override local preferences, PowerShell’s execution policy should not be considered a security measure that protects the system from the user. It is a security measure that helps prevent untrusted scripts from running on the system. As mentioned in Enable Scripting Through an Execution Policy, PowerShell is only a vehicle that allows users to do what they already have the Windows permissions to do.

Once you install the administrative templates for Windows PowerShell, launch the Group Policy Object Editor MMC snap-in. Right-click Administrative Templates, and then select Add/Remove Administrative Templates. You will find the administrative template in the installation location you chose when you installed the administrative templates for Windows PowerShell. Once added, the Group Policy Editor MMC snap-in provides PowerShell as an option under its Administrative Templates node, as shown in Figure 18-2.


Figure 18-2. PowerShell Group Policy configuration

The default state is Not Configured. In this state, PowerShell takes its execution policy from the machine’s local preference (as described in Enable Scripting Through an Execution Policy). If you change the state to one of the Enabled options (or Disabled), PowerShell uses this configuration instead of the machine’s local preference.

Note

PowerShell respects these Group Policy settings no matter what. This includes settings that the machine’s administrator may consider to reduce security—such as an Unrestricted group policy overriding an AllSigned local preference.

Per-user Group Policy settings override the machine’s local preference, whereas per-machine Group Policy settings override per-user settings.
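To check which of these settings actually wins on a given machine, the following added example (not code from the book) reads the output of `Get-ExecutionPolicy -List` and reports whether Group Policy sets the effective policy and whether it is weaker than the local preference. The function name `Get-ExecutionPolicySource`, the strictness ranking, and the sample data are assumptions made for this example.

```powershell
function Get-ExecutionPolicySource {   # hypothetical helper name
    param(
        # Entries with Scope and ExecutionPolicy properties
        [object[]] $PolicyList = (Get-ExecutionPolicy -List)
    )
    # Assumed ranking for this example: higher number = more restrictive
    $rank = @{ Bypass = 0; Unrestricted = 1; RemoteSigned = 2; AllSigned = 3; Restricted = 4 }
    $gpScopes    = 'MachinePolicy', 'UserPolicy'   # per-machine beats per-user
    $localScopes = 'Process', 'CurrentUser', 'LocalMachine'

    $byScope = @{}
    foreach ($entry in $PolicyList) { $byScope["$($entry.Scope)"] = "$($entry.ExecutionPolicy)" }

    # First scope in precedence order that is actually configured
    $firstDefined = {
        param($scopes)
        $scopes | Where-Object { $byScope[$_] -and $byScope[$_] -ne 'Undefined' } |
            Select-Object -First 1
    }
    $gpScope    = & $firstDefined $gpScopes
    $localScope = & $firstDefined $localScopes
    $source     = if ($gpScope) { $gpScope } else { $localScope }

    $effective = if ($source) { $byScope[$source] } else { 'Undefined' }
    $local     = if ($localScope) { $byScope[$localScope] } else { 'Undefined' }
    $weakened  = [bool]$gpScope -and $rank.ContainsKey($effective) -and
                 $rank.ContainsKey($local) -and ($rank[$effective] -lt $rank[$local])

    [pscustomobject]@{
        EffectivePolicy        = $effective
        SourceScope            = $source
        SetByGroupPolicy       = [bool]$gpScope
        LocalPreference        = $local
        WeakensLocalPreference = $weakened
    }
}

# Constructed sample: a per-user Group Policy of Unrestricted over an AllSigned local preference
$sample = @(
    [pscustomobject]@{ Scope = 'MachinePolicy'; ExecutionPolicy = 'Undefined' }
    [pscustomobject]@{ Scope = 'UserPolicy';    ExecutionPolicy = 'Unrestricted' }
    [pscustomobject]@{ Scope = 'Process';       ExecutionPolicy = 'Undefined' }
    [pscustomobject]@{ Scope = 'CurrentUser';   ExecutionPolicy = 'Undefined' }
    [pscustomobject]@{ Scope = 'LocalMachine';  ExecutionPolicy = 'AllSigned' }
)
Get-ExecutionPolicySource -PolicyList $sample   # audit the constructed case
Get-ExecutionPolicySource                       # audit the current machine
```

Run across a fleet (for example through PowerShell remoting), the `WeakensLocalPreference` column identifies machines where a Group Policy object has relaxed a stricter local setting.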

Deploy Microsoft Certificate Services

Although outside the scope of this book, Microsoft Certificate Services lets you automatically deploy code-signing certificates to any or all domain users. This provides a significant benefit, as it helps protect users from accidental or malicious script tampering.

For an introduction to this topic, visit this site and search for “Enterprise Design for Certificate Services.” For more information about script signing, see Sign a PowerShell Script, Module, or Formatting File.

See Also

Enable Scripting Through an Execution Policy

Sign a PowerShell Script, Module, or Formatting File

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License.