undefined | Better HN

0 pointssteve19771y ago0 comments

It's configurable with quite a few options.

But I guess here we have some of the underlying problem.

If something just executes whatever you throw at it, people complain.

If something doesn't just execute whatever your throw it, people complain as well. ;)

0 comments

ptx1y ago

None of the options seem very useful, though.

Why block execution of PowerShell scripts when batch files, WSH scripts and plain executables can still run? You could try to prevent those other kinds of scripts from even getting onto the machine, I guess, but then why wouldn't you simply do the same for PowerShell scripts?

The AllSigned policy where it asks you explicitly about trusting new publishers[0] seems like what I'm asking for, except that it apparently requires the certificate to be installed in Trusted Root Certificate Authorities! That's way more trust than should be necessary.

The only option that seems to make sense (aside from Unrestricted) is buying a certificate from an existing CA that's already trusted, so that users don't need to trust you with acting as a CA, but that's quite expensive.

[0] https://www.hanselman.com/blog/signing-powershell-scripts

j / k navigate · click thread line to collapse