Setting PowerShell execution policies in Exchange 2010

PowerShell is an extremely powerful tool. Unfortunately, in the wrong hands, PowerShell scripts can become a malware author’s best weapon. Exchange 2010 administrators have a few options for protecting their servers from scripts.

Essentially, a simple PowerShell script

    Requires Free Membership to View

    Login

is nothing more than a text file. If Exchange doesn’t recognize where the script originated, it halts the script.

Exchange Server 2010 uses execution policies to control whether or not PowerShell scripts are allowed to run. To view your Exchange Server’s execution policy, open the Exchange Management Shell (EMS) and enter the following command:

Get-ExecutionPolicy

Exchange will return the name of a specific execution policy; there are four policies you can use:

  1. Restricted -- This default policy in Exchange Server 2010 prevents PowerShell scripts from running.

  2. AllSigned -- This policy allows PowerShell scripts to run if they’ve been digitally signed by a trusted publisher.

  3. RemoteSigned -- This is the execution policy that I use on my own Exchange servers. The policy enables Exchange to examine where the script originated in order to control if and when it can run. If the script was created locally, it’s allowed to run; however, a script that’s downloaded from the Internet will be blocked. This policy works well when there is only one Exchange Server administrator in an organization.

  4. Unrestricted -- As the name implies, the unrestricted policy allows Exchange to run any PowerShell script, regardless of where it came from. It also doesn’t matter whether or not the script has been digitally signed.

In certain cases, you may need to change which execution policy is in place. Switching from one policy to another is easy. To do so, enter the Set-ExecutionPolicy command and then the name of the policy. Next, you will need to verify the change using the Get-ExecutionPolicy command.

Because it’s so easy to change execution policies on the fly, some Exchange organizations use Restricted mode as their default choice. When scripts need to run, the admin will switch to a less-restrictive execution policy. Once the script completes, admins will reset the policy to Restricted mode

Exchange Server 2010 also uses a feature called RemoteShell to establish a remote PowerShell connection to Exchange servers. To use RemoteShell, you must set the execution policy to RemoteSigned or Unrestricted.

ABOUT THE AUTHOR
Brien M. Posey, MCSE, is a seven-time Microsoft MVP for his work with Windows 2000 Server, Exchange Server and IIS. He has served as CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. For more information visit www.brienposey.com.

 

This was first published in October 2010

Join the conversationComment

Share
Comments

    Results

    Contribute to the conversation

    All fields are required. Comments will appear at the bottom of the article.

    Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.

    Back to top