4

Powershell by default is initially disabled, presumably for security reasons.

When I ask for it to be enabled so I can use it, the Admins are cautious to take action that may leave the server more vulnerable and as a result, it isn't enabled and I am left waiting.

Granted that Microsoft has a lousy track record for security and that leaving a feature disabled is probably in theory more secure that enabling it, but that goes with anything.

Is Powershell inherently more dangerous that it should be feared more so than any other Windows scripting language?

Aaron D. Marasco
  • 6,506
  • 3
  • 26
  • 39
Chad
  • 23,658
  • 51
  • 191
  • 321

2 Answers2

5

Powershell has additional security and safety features. Have a look at execution policies- http://msdn.microsoft.com/en-us/library/dd347641.aspx ( or run get-help about_execution_policies)

Scripting is a very powerful tool, but it can be misused for malicious purposes. To protect user data and the integrity of the operating system, Windows PowerShell includes several security features, among which is the execution policy.

http://msdn.microsoft.com/en-us/library/bb648601(v=vs.85).aspx

So by default you cannot double click on scripts on enter them in console to run them. And you can control if scripts can be executed and what kind of scripts at that as well.

Also, with Powershell, you will not be able to script / run commands that you otherwise have no permissions for as set by the administrator. If you cannot turn off the firewall from the GUI,say, because you don't have the necessary privileges, you cannot do it from Powershell as well.

Powershell also borrows from security best practices from elsewhere. You cannot execute a script or other executable that is not in path by just giving the script name or the exe name. You have to use something like .\script.ps1 - for it to run. This is because unlike CMD, the current directory is not in path, much like what you would see in *nix. This makes sure that any malicious script placed in the current directory cannot override built-in commands like dir and cause harmful effects.

manojlds
  • 290,304
  • 63
  • 469
  • 417
4

In addition to what @manojlds pointed out a good article to checkout.

Don Jones puts it this way: "It is no more dangerous than anything else."

The security with PowerShell can actually be controlled by Group Policy (those execution policies @manojlds mentioned). You will actually see it enabled by default when you get to Window Server 2008 R2. Then a number of Microsoft products are now installing it and enabling it for you (Exchange 2010, SharePoint 2010, SQL Server 2008 R2). I would have to say that Microsoft has greatly improved their track record with PowerShell.

  • hmmm...I installed SQL Server 2008 R2 and I still had to enable Powershell after... – Chad Aug 03 '11 at 03:21
  • on Window Server 2008 R2? Window Server 2008 they may not actually enable it for you, forgot about that. –  Aug 03 '11 at 15:09
  • 1
    I think there is some confusion here. PowerShell is enabled by default. But also enabled by default is the child-safety lock, also known as ExecutionPolicy. :) – JasonMArcher Aug 04 '11 at 05:01
  • 1
    I will also note, for security you might consider who can execute PowerShell.exe on your servers. There is a backdoor even if you set everything as restricted to still be able to execute a PowerShell script. A parameter when you call PowerShell.exe from DOS prompt or bat file is -ExecutionPolicy. This allows you to set the policy for that session only. I use this on servers that have not had the default policies changed so I can get my scripts to run. Just something to keep in mind. –  Aug 04 '11 at 05:21