You might have wondered how the “RemoteSigned” execution policy protects you from running unsigned PowerShell scripts downloaded from the internet. We use the URL Security Zones API together with the Attachment Execution Service (AES), introduced in Windows XP SP2 and Windows Server 2003 SP1. Internet Explorer and Outlook Express are among the applications that participate in AES, while Firefox, Microsoft Office Outlook and Live Messenger do not.
AES-participating applications call the Save method of the IAttachmentExecute interface, which adds a Zone.Identifier alternate data stream to the file to record the zone it came from. PowerShell then calls System.Security.Policy.Zone.CreateFromUrl to determine which zone the file originated from. Here is the mapping between the ZoneId and the SecurityZone enum:
public enum SecurityZone
{
    NoZone = -1,
    MyComputer = 0,
    Intranet = 1,
    Trusted = 2,
    Internet = 3,
    Untrusted = 4,
}
If the file has a ZoneId >= 3, PowerShell considers it remote. Furthermore, PowerShell also treats the Intranet zone as remote if your computer is set up with the Internet Explorer Enhanced Security Configuration.
Let’s do a little experiment.
1) Download a PowerShell script from the internet using Internet Explorer
http://www.reskit.net/Monad/samplescripts/Get-WhoAmI.ps1
2) Open the Zone.Identifier alternate data stream in notepad:
notepad "Get-WhoAmI.ps1:Zone.Identifier"
You will get:
3) Set the ExecutionPolicy to RemoteSigned and run the script:
PS C:\toolbox\lads> Set-ExecutionPolicy RemoteSigned
PS C:\toolbox\lads> .\Get-WhoAmI.ps1
File C:\toolbox\lads\Get-WhoAmI.ps1 cannot be loaded. The file C:\toolbox\lads\Get-WhoAmI.ps1 is not digitally signed. The script will not execute on the system. Please see “get-help about_signing” for more details..
At line:1 char:17
+ .\Get-WhoAmI.ps1 <<<<
4) Change the ZoneId to 2 in notepad and rerun the script; it is now considered local and runs without complaint:
PS C:\toolbox\lads> .\Get-WhoAmI.ps1
PS C:\toolbox\lads>
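As an added example (not code from the original post), here is a PowerShell 3.0+ function that reads the Zone.Identifier stream described above, maps the ZoneId to the SecurityZone enum and reports how RemoteSigned would classify each script. The -EnhancedSecurityConfiguration switch, the audit directory and the use of Get-AuthenticodeSignature are assumptions of this example; the [ZoneTransfer]/ZoneId=<n> layout is the stream's documented format.

```powershell
# Added example, not from the original post. Requires PowerShell 3.0+ on NTFS
# (Get-Item/Get-Content -Stream). Reports how RemoteSigned classifies scripts.
function Get-ScriptZoneInfo {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$Path,
        # Assumption for this example: pass this switch when the host runs the
        # Internet Explorer Enhanced Security Configuration, under which
        # PowerShell treats the Intranet zone (ZoneId 1) as remote as well.
        [switch]$EnhancedSecurityConfiguration
    )
    process {
        $zoneId = -1   # SecurityZone.NoZone: no Zone.Identifier stream present
        $stream = Get-Item -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
        if ($stream) {
            # Documented layout of the stream: an INI-style [ZoneTransfer] section
            # holding ZoneId=<n> (Internet Explorer writes ZoneId=3 for the internet).
            foreach ($line in Get-Content -LiteralPath $Path -Stream Zone.Identifier) {
                if ($line -match '^\s*ZoneId\s*=\s*(\d+)\s*$') { $zoneId = [int]$Matches[1] }
            }
        }
        # Map to the SecurityZone enum; values outside -1..4 are reported as-is.
        $zoneName = if ([Enum]::IsDefined([System.Security.SecurityZone], $zoneId)) {
            [System.Security.SecurityZone]$zoneId
        } else { "Unknown($zoneId)" }

        # Same rule the post states: ZoneId >= 3 is remote, Intranet only under ESC.
        $isRemote = ($zoneId -ge 3) -or ($EnhancedSecurityConfiguration -and $zoneId -eq 1)

        # RemoteSigned blocks remote scripts unless they carry a valid signature
        # from a trusted publisher; local scripts run regardless of signature.
        $sig = Get-AuthenticodeSignature -FilePath $Path
        [pscustomobject]@{
            Path                     = $Path
            ZoneId                   = $zoneId
            Zone                     = $zoneName
            TreatedAsRemote          = $isRemote
            SignatureStatus          = $sig.Status
            BlockedUnderRemoteSigned = $isRemote -and ($sig.Status -ne 'Valid')
        }
    }
}

# Audit every script in a directory (constructed usage; adjust the path).
Get-ChildItem -LiteralPath 'C:\toolbox\lads' -Filter *.ps1 |
    Select-Object -ExpandProperty FullName |
    Get-ScriptZoneInfo |
    Format-Table -AutoSize
```

For a script you have vetted, Unblock-File (also PowerShell 3.0+) is the supported way to remove the Zone.Identifier stream rather than editing it in notepad.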
Links:
- For more information about the Attachment Execution Service (AES), refer to http://community.bartdesmet.net/blogs/bart/archive/2005/08/19/3485.aspx
- For more information about NTFS alternate data streams, refer to http://www.securityfocus.com/infocus/1822
Wei Wu [MSFT]