PowerShell is an extremely powerful tool. Unfortunately, in the wrong hands, PowerShell scripts can become a malware author’s best weapon. Exchange 2010 administrators have a few options for protecting their servers from scripts.
Essentially, a simple PowerShell script
Exchange Server 2010 uses execution policies to control whether or not PowerShell scripts are allowed to run. To view your Exchange Server’s execution policy, open the Exchange Management Shell (EMS) and run the Get-ExecutionPolicy command.
Exchange will return the name of a specific execution policy; there are four policies you can use:
Restricted -- This default policy in Exchange Server 2010 prevents PowerShell scripts from running.
AllSigned -- This policy allows PowerShell scripts to run if they’ve been digitally signed by a trusted publisher.
RemoteSigned -- This is the execution policy that I use on my own Exchange servers. The policy enables Exchange to examine where the script originated in order to control if and when it can run. If the script was created locally, it’s allowed to run; however, a script that’s downloaded from the Internet will be blocked. This policy works well when there is only one Exchange Server administrator in an organization.
Unrestricted -- As the name implies, the unrestricted policy allows Exchange to run any PowerShell script, regardless of where it came from. It also doesn’t matter whether or not the script has been digitally signed.
In certain cases, you may need to change which execution policy is in place. Switching from one policy to another is easy. To do so, enter the Set-ExecutionPolicy command and then the name of the policy. Next, you will need to verify the change using the Get-ExecutionPolicy command.
Because it’s so easy to change execution policies on the fly, some Exchange organizations use Restricted mode as their default choice. When scripts need to run, the admin will switch to a less-restrictive execution policy. Once the script completes, admins will reset the policy to Restricted mode.
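The switch-run-reset procedure above, written out as an added example that is not from the original article: the function records the current policy, relaxes it only for one script, verifies each change with Get-ExecutionPolicy as the text recommends, and restores the original policy even if the script fails. It assumes an administrative Exchange Management Shell session; the function name, its parameters and the sample path are this example’s own.

```powershell
# Added example (not from the original article). Runs one script under a
# temporarily relaxed execution policy and restores the original afterwards.
# Assumes an elevated Exchange Management Shell session.
function Invoke-ScriptWithTemporaryPolicy {
    param(
        [Parameter(Mandatory = $true)] [string] $ScriptPath,
        [ValidateSet('AllSigned', 'RemoteSigned')] [string] $Policy = 'RemoteSigned'
    )

    if (-not (Test-Path -LiteralPath $ScriptPath)) {
        throw "Script not found: $ScriptPath"
    }

    # Report the signature state first, so the admin knows whether this
    # script would pass AllSigned on its own.
    $sig = Get-AuthenticodeSignature -FilePath $ScriptPath
    Write-Host ("Signature status for {0}: {1}" -f $ScriptPath, $sig.Status)
    if ($Policy -eq 'AllSigned' -and $sig.Status -ne 'Valid') {
        throw "AllSigned requested but the script is not validly signed ($($sig.Status))."
    }

    # Record the current policy so it can be restored exactly as found.
    $original = Get-ExecutionPolicy
    Write-Host "Current execution policy: $original"

    try {
        Set-ExecutionPolicy -ExecutionPolicy $Policy -Force
        # Verify the switch took effect before running anything.
        $now = Get-ExecutionPolicy
        if ($now -ne $Policy) {
            throw "Execution policy is '$now', expected '$Policy'; not running script."
        }
        Write-Host "Execution policy temporarily set to $now; running $ScriptPath"
        & $ScriptPath
    }
    finally {
        # Always reset, even if the script failed, so Restricted is not left off.
        Set-ExecutionPolicy -ExecutionPolicy $original -Force
        $restored = Get-ExecutionPolicy
        if ($restored -ne $original) {
            Write-Warning "Policy is '$restored' but '$original' was expected; reset it manually."
        } else {
            Write-Host "Execution policy restored to $restored"
        }
    }
}

# Usage (constructed sample path):
# Invoke-ScriptWithTemporaryPolicy -ScriptPath 'C:\Scripts\Get-MailboxReport.ps1'
```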
Exchange Server 2010 also uses a feature called RemoteShell to establish a remote PowerShell connection to Exchange servers. To use RemoteShell, you must set the execution policy to RemoteSigned or Unrestricted.
ABOUT THE AUTHOR
Brien M. Posey, MCSE, is a seven-time Microsoft MVP for his work with Windows 2000 Server, Exchange Server and IIS. He has served as CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. For more information visit www.brienposey.com.
This was first published in October 2010