Running Scripts From Trusted Server Locations In PowerShell 7


Aakash Shah

Mar 28, 2020, 6:31:36 PM
to ntpowe...@googlegroups.com

I am trying out PowerShell 7 (from PowerShell 5.1), and UNC paths/servers that were previously “trusted” by being added to the Local Intranet zone continue to present security warnings asking for consent to run in PowerShell 7. What is the new way in PS7 to allow scripts to run from UNC paths and avoid this message:

Security warning
Run only scripts that you trust. While scripts from the internet can be useful, this script can potentially harm your computer. If you trust this script, use the Unblock-File cmdlet to allow the script to run without this warning message. Do you want to run <UNC Path>\Documents\PowerShell\Microsoft.PowerShell_profile.ps1?
[D] Do not run  [R] Run once  [S] Suspend  [?] Help (default is "D"):

What I’ve tried:

  • I tried to do some web searches for this, but I must not be performing the right search queries. 
  • I tried to run the Unblock-File, but this had no effect (the file was not downloaded from the Internet and hence didn’t have the hidden zone identifier in it). 
  • I confirmed that Get-ExecutionPolicy is set to Unrestricted.
  • Both FQDN and short name UNC paths are affected by this.
  • The same script works when run locally, but not from either FQDN or short named UNC paths.

There are a few use cases for this:

  • My Documents folder is redirected to a UNC path, and the new PowerShell profile path at <UNC Documents location>\PowerShell\Microsoft.PowerShell_profile.ps1 presents the above warning each time I start PS7.
  • I am testing some scripts that I have stored in my Documents folder on the server.

Any help or references would be appreciated!

Thanks,

-Aakash Shah

 

Kurt Buff - GSEC, GCIH

Mar 29, 2020, 1:28:30 PM
to ntpowe...@googlegroups.com
Does the file have an alternate data stream? Specifically, the script
might have a zone identifier attached to it.
https://davidhamann.de/2019/02/23/hidden-in-plain-sight-alternate-data-streams/

Kurt

Aakash Shah

Mar 29, 2020, 3:50:57 PM
to ntpowe...@googlegroups.com
Hello! I thought it could have been the same issue. I tried the PS method outlined in the article, but that also didn’t reveal any alternate data streams present in the file.

Earlier, I had tried Unblock-File (which also helps remove the zone identifier), but that didn't help either. I also checked the file using Sysinternals streams.exe, but it also didn’t reveal any alternate data streams.

Thanks,

-Aakash Shah

Kurt Buff - GSEC, GCIH

Mar 29, 2020, 5:54:54 PM
to ntpowe...@googlegroups.com
The only other thing I could suggest is to map a drive instead of
using a UNC path.

I haven't installed or used PS 7 yet, so my fund of things to try is
pretty shallow.

Kurt

Aakash Shah

Mar 29, 2020, 9:31:44 PM
to ntpowe...@googlegroups.com
Interesting - mapping a drive to the FQDN path allowed it to work. So that's definitely a workaround - thanks!

We don’t use mapped drives in our environment (we use network locations), so before we consider deploying PS7 out to a wider audience, I'll still need to figure out how to allow/whitelist trusted network locations to allow scripts to run.

Kurt Buff - GSEC, GCIH

Mar 29, 2020, 11:19:04 PM
to ntpowe...@googlegroups.com
I agree that UNC paths are the way to go - perhaps time to raise a bug?

Kurt

Aakash Shah

Mar 29, 2020, 11:45:44 PM
to ntpowe...@googlegroups.com

Aakash Shah

Apr 17, 2020, 5:21:47 PM
to ntpowe...@googlegroups.com
Hello! Just a FYI to the group:

The PowerShell development team has confirmed that the experience below is expected behavior. Whereas PS v5.1 checked the Local Intranet zone to identify "trusted paths", PS Core (v6 and v7) no longer references the Local Intranet zone. In PS Core, if a path has a "." (period), then it always assumes it's an Internet path and hence all FQDN paths are seen as Internet paths and present the warning message (there is not currently a way to mark paths as trusted).

This was originally discussed in this ticket from mid 2018: https://github.com/PowerShell/PowerShell/issues/7458.

The PowerShell development team asked that I file a new feature/enhancement request and that has been filed here: https://github.com/PowerShell/PowerShell/issues/12336.

Just FYI in case anyone is interested in following this.
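
An added example (not from the thread or the PowerShell project) for inventorying script locations before a PS7 rollout: it flags UNC paths whose host name contains a period, per the rule reported in the post above, and can optionally read the Zone.Identifier stream discussed earlier in the thread. Assumptions: the function name Get-ReportedScriptZone, the sample paths, and reading "path has a period" as applying to the UNC host name.

```powershell
# Added example; not PowerShell's own zone logic. Applies the rule as reported in this thread.
function Get-ReportedScriptZone {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$Path,

        # Also read the Zone.Identifier alternate data stream (Windows/NTFS only; touches the file).
        [switch]$CheckStream
    )
    process {
        # Parse as an absolute URI so UNC host names are extracted consistently.
        $uri = $null
        $isUnc = [System.Uri]::TryCreate($Path, [System.UriKind]::Absolute, [ref]$uri) -and $uri.IsUnc
        $uncHost = if ($isUnc) { $uri.Host } else { '' }

        # Assumption: the reported "path has a period" rule applies to the UNC host name.
        $dottedHost = $uncHost.Contains('.')

        # ZoneId 3 = Internet, 4 = Restricted sites; no stream means no mark on the file.
        $zoneId = $null
        if ($CheckStream -and (Test-Path -LiteralPath $Path -PathType Leaf)) {
            $ads = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
            if (($ads -join "`n") -match 'ZoneId=(\d+)') { $zoneId = [int]$Matches[1] }
        }

        [pscustomobject]@{
            Path                = $Path
            UncHost             = $uncHost
            DottedUncHost       = $dottedHost
            ZoneIdStream        = $zoneId
            MatchesReportedRule = $dottedHost -or ($null -ne $zoneId -and $zoneId -ge 3)
        }
    }
}

# Constructed sample paths (hypothetical servers); no network access without -CheckStream.
@(
    '\\fs01\users\jdoe\Documents\PowerShell\Microsoft.PowerShell_profile.ps1'
    '\\fs01.corp.example.com\users\jdoe\Documents\PowerShell\Microsoft.PowerShell_profile.ps1'
    'C:\Scripts\test.ps1'
) | Get-ReportedScriptZone | Format-Table -AutoSize
```

Run it with -CheckStream against real files to include the alternate-data-stream check; without the switch it only parses the path strings.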

Kurt Buff - GSEC, GCIH

Apr 17, 2020, 6:34:31 PM
to ntpowe...@googlegroups.com
I am interested, so thank you for posting.

Kurt


Michael B. Smith

Apr 17, 2020, 8:08:03 PM
to ntpowe...@googlegroups.com

Huh. Very interesting.

Thanks for posting.

Matthew Houston

Apr 21, 2020, 2:40:57 AM
to ntpowe...@googlegroups.com

Wow that is just dumb. All of our references internally are to our DFS which is always a FQDN …

 


Matthew Houston
System Administrator

