VMware Cloud Community
owz
Contributor

Run only scripts that you trust?

Hi,

I am very surprised every time I set up PowerShell on a new machine; it always gives headaches.

See below. All the possible places that I can think of to grant the full trust permission have been tried, but when I execute the script, it still prompts and asks if I don't want to run it, or run it just once. Very frustrating.

Could you please help? In other words, is there any way to get rid of this prompt forever for all machines/users? Security kills the productivity big time!

Thanks,

C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727>caspol.exe -quiet -machine -addgroup All_Code -Zone Intranet FullTrust -name "Full Trust on Local Intranet"

Microsoft (R) .NET Framework CasPol 2.0.50727.1433

Copyright (c) Microsoft Corporation. All rights reserved.

Added union code group with "-Zone" membership condition to the Machine level.

Success

C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727>

C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727>powershell

Windows PowerShell

Copyright (C) 2006 Microsoft Corporation. All rights reserved.

PS C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727> Set-ExecutionPolicy unrestricted

PS C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727> Get-ExecutionPolicy

Unrestricted

PS C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727>
testmachine\d\test\Scripts\test.ps1

Security Warning

Run only scripts that you trust. While scripts from the Internet can be useful, this script can potentially harm your

computer. Do you want to run
opalis\d\opalis\Scripts\scruty.ps1?

Do not run Run once Suspend Help (default is "D"):

0 Kudos
8 Replies
owz
Contributor

BTW,

1. There is no "Unlock" option when I right click the script itself and go to properties.

2. The script is stored on a network drive on another server, so that is what gets PowerShell stuck. When I copy the script from the remote server to the local server, it works instantly (without prompting those annoying options).

3. The option of the prompt is

Do not run Run once Suspend Help (default is "D"):

It does include the option for Always like the one below,

Never run[D] Do not run[R] Run once[A] Always run[?] Help (default is "D"):

4. The following has been tried; it did not work (turn off the security temporarily, turn off the execution checking).

caspol -s[ecurity] { on | off }

Turn security on or off

caspol -e[xecution] { on | off }

Enable/Disable checking for "right-to-run" on code execution start-up

caspol -pp

caspol -polchgprompt { on | off }

Enable/Disable policy change prompt

C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727>caspol -s off

Microsoft (R) .NET Framework CasPol 2.0.50727.1433

Copyright (c) Microsoft Corporation. All rights reserved.

CAS enforcement is being turned off temporarily. Press powershell -command
testmachine\d\test\Scripts\test.ps1

Security Warning

Run only scripts that you trust. While scripts from the Internet can be useful, this script can potentially harm your computer. Do you want to run
testmachine\d\test\Scripts\test.ps1?

Do not run Run once Suspend Help (default is "D"):

File
testmachine\d\test\Scripts\test.ps1 cannot be loaded because you have elected to not run this software now.

At line:1 char:36

+
testmachine\d\test\Scripts\test.ps1 <<<<

C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727>powershell -Noninteractive -command
testmachine\d\test\Scripts\test.ps1

AuthorizationManager check failed.

At line:1 char:36

+
testmachine\d\test\Scripts\test.ps1<<<<

C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727>

C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727>

0 Kudos
bshell
Enthusiast

This is not governed by .NET permissions, but by security zones used by IE.

You should be able to modify your IE zones to make this work with network shares.

0 Kudos
owz
Contributor

I have been playing with the settings in the "Microsoft .NET Framework 1.1 Configuration" as well as caspol.exe for the .NET 2.0 settings.

1. Everything in "Runtime Security Policy"/Machine/Code_Group/All_Codes/, and in each Permission set, has been set to FullTrust.

2. In the Internet Options of the Control Panel, I believe there is not much that I can play with. The setting is Medium in the Privacy tab.

Still not working, very frustrating. It seems that I am not the only one; see http://blogs.msdn.com/shawnfa/archive/2003/06/20/57023.aspx

0 Kudos
bshell
Enthusiast

I assure you... it is not the .NET settings.

Depending on OS and IE version you just need to make sure that UNC are considered local intranet. The default is internet.

0 Kudos
bshell
Enthusiast

Here is an article that explains how to configure the IE settings.

0 Kudos
owz
Contributor

Thanks! Can you provide the link for the article?

0 Kudos
bshell
Enthusiast

Doh! This is the article. It doesn't address your problem directly, but the workaround section describes what I mean and the steps to take.

http://support.microsoft.com/kb/303650

0 Kudos
owz
Contributor

Problem solved, this is what needs to be done:

From Control Panel -> Add/Remove Programs -> Add/Remove Windows Components: in the new window that pops up, uncheck "Internet Explorer Enhanced Security Configuration". This change is needed for PowerShell to run the remote script on the local machine.

0 Kudos
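
An added example, not part of any post in this thread: a narrower way to apply the advice above that UNC paths must be considered Local intranet, by mapping one named file server into that zone for the current user instead of removing IE Enhanced Security Configuration or running with an Unrestricted policy. It assumes Windows PowerShell on the .NET Framework; `fileserver01` and the script path are placeholders, and the function names are hypothetical.

```powershell
# Added example. 'fileserver01' and the UNC path below are placeholders.
Set-StrictMode -Version 2.0

function Get-ScriptZone {
    param([Parameter(Mandatory = $true)][string]$Path)
    # Ask .NET which security zone the path resolves to
    # (MyComputer, Intranet, Trusted, Internet, Untrusted or NoZone).
    [System.Security.Policy.Zone]::CreateFromUrl($Path).SecurityZone
}

function Add-IntranetFileServer {
    param([Parameter(Mandatory = $true)][string]$Server)
    $root = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'
    # 'Domains' is consulted when IE Enhanced Security Configuration is off,
    # 'EscDomains' when it is on, so the mapping is written to both.
    foreach ($branch in 'Domains', 'EscDomains') {
        $key = Join-Path (Join-Path $root $branch) $Server
        # Guard with Test-Path: New-Item -Force on an existing key would reset it.
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # Value name is the protocol; data 1 means the Local intranet zone.
        New-ItemProperty -Path $key -Name 'file' -Value 1 `
            -PropertyType DWord -Force | Out-Null
    }
}

$script = '\\fileserver01\scripts\test.ps1'

# A share that resolves to 'Internet' is what triggers the
# "Run only scripts that you trust" prompt.
"Zone before mapping: $(Get-ScriptZone $script)"

Add-IntranetFileServer -Server 'fileserver01'

# The mapping may be cached per process, so re-check from a new session.
"Re-run Get-ScriptZone in a new PowerShell session; expect 'Intranet'."

# RemoteSigned (needs an elevated session) still requires a signature on
# scripts from the Internet zone, unlike Unrestricted.
Set-ExecutionPolicy RemoteSigned
```

Only the listed server is treated as intranet; every other UNC path keeps the default Internet-zone handling.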