How to force PowerShell to not allow an interactive command window

powershell

I am a Citrix administrator and would like to restrict the general user population on our servers from using PowerShell to run their own scripts, or to use it interactively. We are already disallowing the use of the command prompt via GPO, but with PowerShell available, that's basically useless.

I've found that Powershell.exe has a command-line option of -NoInteractive which will allow a user to run a script, but it does not provide them an interactive command prompt. The problem is that I have not found a way to force powershell to operate this way. I even went so far as to create a C:\Windows\System32\WindowsPowerShell\v1.0\Microsoft.PowerShell_profile.ps1 launch script that would check for the -NoInteractive parameter, but users can bypass that by simply launching Powershell.exe with the -NoProfile parameter.

The other problem is that we do use a lot of PowerShell scripts to launch applications for users and portions of the login script are written in PowerShell and need to run under the user context, so I can't simple ACL the EXE file. I need them to be able to use PowerShell, just not interactively. Ultimately, we want to enforce the AllSigned execution policy and sign all scripts so the only thing a user can run is a script that we (the admins) have created and/or signed off on.

I've tried googling for this answer and found many people using -NoInteractive, but I haven't found an instance where someone has tried to force it. Any ideas?


I think you are misunderstanding the use of the -NonInteractive switch; you can still run powershell -noninteractive and get an interactive prompt. The noninteractive switch is intended for automated scripting scenarios, where you don't want powershell to send a prompt to the user and wait for a response. For example, in a non-interactive PowerShell window, if you run Get-Credential without any parameters it will immediately fail instead of prompting for a username and password. Noninteractive will NOT act as a security mechanism.

A better method is to secure what you're trying to protect, not the tools a user might use to access it.


I believe I have a solution that will work, although it's not particularly pretty. User jbsmith was on the right track. If I end up ACLing the powershell.exe to remove Execute permissions from the Users group, that stops them from running an interactive window. For those PowerShell scripts that the users DO need to run via the login script, we can compile those scripts into an EXE using PowerGUI and that allows the scripts to run, since that does not call the PowerShell executable.

We're debating over whether we want to take this another step further and use an AppLocker GPO to restrict PowerShell scripts to only those that we have blessed. Of course, we can put these restrictions only on the average non-IT user and allow our administrators to continue to use PowerShell as normal. This will involve some administrative overhead to maintain, so the AppLocker part may not come to fruition.

Related

How to allow more than two simultanous sessions on Azure
Hardware requirements for 100 virtualized high performance Windows 7 desktops?
Is there a way of exporting fstab info for device which is currently mounted?
What is the performance impact of disabling NCQ?
Is there a standard time duration before DNS caches are cleared?
Failing to install certbot on debian jessie
How connect a linux box to an azure point-to-site gateway?
Why do sequential writes have better performance than random writes on SSDs?
No need to enable SNI for multiple SSL sites on same IP but using same wild card certificate?
How avoid Azure Subscription suspension?
After creating an A DNS record for WWW is it also necessary to create a AAAA record for WWW?
How do I disable hard disk spin down or head parking in FreeBSD?