Setting PowerShell execution policies in Exchange 2010

Exchange 2010 doesn’t inherently trust PowerShell scripts. Admins can set different execution policies to control when scripts run. Determine which policy is best for your organization.

PowerShell is an extremely powerful tool. Unfortunately, in the wrong hands, PowerShell scripts can become a malware author’s best weapon. Exchange 2010 administrators have a few options for protecting their servers from scripts.

Essentially, a simple PowerShell script is nothing more than a text file. If Exchange doesn’t recognize where the script originated, it halts the script.

Exchange Server 2010 uses execution policies to control whether or not PowerShell scripts are allowed to run. To view your Exchange Server’s execution policy, open the Exchange Management Shell (EMS) and enter the following command:

Get-ExecutionPolicy

Exchange will return the name of a specific execution policy; there are four policies you can use:

  1. Restricted -- This default policy in Exchange Server 2010 prevents PowerShell scripts from running.

  2. AllSigned -- This policy allows PowerShell scripts to run if they’ve been digitally signed by a trusted publisher.

  3. RemoteSigned -- This is the execution policy that I use on my own Exchange servers. The policy enables Exchange to examine where the script originated in order to control if and when it can run. If the script was created locally, it’s allowed to run; however, a script that’s downloaded from the Internet will be blocked. This policy works well when there is only one Exchange Server administrator in an organization.

  4. Unrestricted -- As the name implies, the unrestricted policy allows Exchange to run any PowerShell script, regardless of where it came from. It also doesn’t matter whether or not the script has been digitally signed.

In certain cases, you may need to change which execution policy is in place. Switching from one policy to another is easy. To do so, enter the Set-ExecutionPolicy command and then the name of the policy. Next, you will need to verify the change using the Get-ExecutionPolicy command.

Because it’s so easy to change execution policies on the fly, some Exchange organizations use Restricted mode as their default choice. When a script needs to run, the admin switches to a less-restrictive execution policy. Once the script completes, the admin resets the policy to Restricted mode.
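The switch, run and reset routine described above, written out as an added example (not code from the article): it records the policy currently in effect, relaxes it for the current shell process only, verifies the change with Get-ExecutionPolicy as the text recommends, runs the script, and restores the previous policy in a finally block even if the script fails. The function name and the script path are hypothetical.

```powershell
# Added example, not from the article: run one script under a temporarily
# relaxed execution policy and put the original policy back afterwards.
function Invoke-ScriptWithPolicy {
    param(
        [Parameter(Mandatory = $true)] [string] $ScriptPath,   # hypothetical path
        [ValidateSet('AllSigned', 'RemoteSigned', 'Unrestricted')]
        [string] $TemporaryPolicy = 'RemoteSigned'
    )

    # Record the effective policy so the change can be confirmed and reversed
    $original = Get-ExecutionPolicy

    try {
        # Scope the change to this process: the machine-wide setting stays
        # Restricted even if the shell window is closed before the reset runs
        Set-ExecutionPolicy -ExecutionPolicy $TemporaryPolicy -Scope Process -Force

        # Verify the change took effect, as the article advises
        $effective = Get-ExecutionPolicy
        if ($effective -ne $TemporaryPolicy) {
            throw "Expected policy '$TemporaryPolicy' but the effective policy is '$effective'"
        }

        # Run the script under the relaxed policy
        & $ScriptPath
    }
    finally {
        # Clear the process-scope override so the original policy applies again
        Set-ExecutionPolicy -ExecutionPolicy Undefined -Scope Process -Force
        Write-Host "Execution policy is now $(Get-ExecutionPolicy) (was $original before the change)"
    }
}

# Usage, from the Exchange Management Shell (path is a placeholder):
# Invoke-ScriptWithPolicy -ScriptPath 'C:\Scripts\Get-MailboxReport.ps1'
```

Because the relaxed policy lives only in the Process scope, Get-ExecutionPolicy in any other shell on the server still reports the organization's default policy while the script runs.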

Exchange Server 2010 also uses a feature called RemoteShell to establish a remote PowerShell connection to Exchange servers. To use RemoteShell, you must set the execution policy to RemoteSigned or Unrestricted.

ABOUT THE AUTHOR
Brien M. Posey, MCSE, is a seven-time Microsoft MVP for his work with Windows 2000 Server, Exchange Server and IIS. He has served as CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. For more information visit www.brienposey.com.


This was first published in October 2010
