
ScriptRunner Blog

PowerShell security best practices


In the complex and dynamic world of IT infrastructure management, securing PowerShell scripts is imperative. This article explores the essential built-in PowerShell security options.

PowerShell is a powerful scripting technology that can help automate and manage tasks across many different platforms and systems. However, its capabilities also pose significant security risks if not properly managed. To mitigate these risks, PowerShell includes several built-in security features that can help create a safer environment. In this article, we will explore the essential PowerShell security features and describe real-life scenarios where they are beneficial.

 

Execution policies

Execution policies in PowerShell help control the conditions under which PowerShell loads configuration files and runs scripts. This helps prevent the execution of potentially harmful scripts.

There are several execution policy values, including:

  • Restricted: No script files can be run; interactive commands still work. This is the default on Windows client editions.
  • AllSigned: Every script and configuration file, including those written locally, must carry a valid signature from a trusted publisher.
  • RemoteSigned: Scripts created on the local machine can be run without being signed, but scripts downloaded from the internet (files carrying the Zone.Identifier "mark of the web") must be signed by a trusted publisher. This is the default on Windows Server editions.
  • Unrestricted: Runs scripts regardless of their signing status but warns before running an unsigned script that came from the internet. This is the only policy available on non-Windows platforms.
  • Bypass: Nothing is blocked and no warnings or prompts are shown.
  • Undefined: No policy is set in this scope; the next scope in precedence order applies, and if every scope is undefined the platform default is used.

The policy is set per scope (MachinePolicy, UserPolicy, Process, CurrentUser, LocalMachine, in that order of precedence), so a Group Policy setting overrides whatever a user configures for themselves.

Execution policies are not a security boundary, but a layer of safety to prevent accidental script execution. They only govern the loading of script files: a user can relax the policy for a single process, and code handed to the engine as text (for example via Invoke-Expression or -EncodedCommand) is never subject to it at all. Treat them as a guard against mistakes and rely on application control and logging for protection against a deliberate attacker.
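The following is an added example (not code from the original post or from ScriptRunner) that inspects the effective policy, sets a workstation baseline, handles a downloaded script, and then demonstrates the two ways the policy is sidestepped. The path C:\Temp\downloaded.ps1 is an assumption.

```powershell
# Added example, not part of the original post. 'C:\Temp\downloaded.ps1' is an
# assumed path; the last two steps exist only to show that the policy is not a
# security boundary, so run them only against a script you have reviewed.

# Policy is resolved by scope precedence:
# MachinePolicy > UserPolicy > Process > CurrentUser > LocalMachine.
Get-ExecutionPolicy -List
Get-ExecutionPolicy            # the effective value for this session

# Baseline for workstations: local scripts run, downloaded ones must be signed.
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser -Force

# A downloaded file carries a Zone.Identifier alternate data stream (the "mark of
# the web"); RemoteSigned treats the file as remote until that stream is removed.
$script = 'C:\Temp\downloaded.ps1'
if (Test-Path -Path $script) {
    $mark = Get-Item -Path $script -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if ($mark) {
        Get-Content -Path $script -Stream Zone.Identifier   # ZoneId=3 means Internet zone
        # Only after reviewing the content or verifying its signature:
        # Unblock-File -Path $script
    }
}

# Not a boundary, part 1: a user without admin rights can relax the policy for
# one process (a Group Policy MachinePolicy/UserPolicy still wins over this).
Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process -Force
Get-ExecutionPolicy            # Bypass

# Not a boundary, part 2: the policy applies to loading script *files*. Code
# passed to the engine as text is never checked, even under an enforced
# AllSigned. This is the pattern script block logging exists to catch.
$code = Get-Content -Path $script -Raw -ErrorAction SilentlyContinue
if ($code) { Invoke-Expression -Command $code }
```

The Process-scope change lasts only for the current PowerShell process; closing it returns the user to the CurrentUser or LocalMachine value.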

 

PowerShell logging

PowerShell provides robust logging capabilities that can track detailed script execution, including script block logging, module logging and transcription. These logs can be crucial for forensic investigations and monitoring system activities.

  • Script block logging: Records the content of every script block as the engine executes it (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log), after obfuscation layers such as Base64 decoding or string concatenation have been resolved. This is the single most valuable PowerShell log for detection.
  • Module logging: Records pipeline execution details (Event ID 4103) for the modules you select, including variable initialization, the commands invoked with their bound parameters, and some of the data formatted for output.
  • Transcription: Starts a recording of all PowerShell commands and the output of those commands into a text-based log file, with a header that identifies the user, host and start time. This helps in auditing and post-incident analysis.

Logs are critical for tracing activities that occurred within PowerShell, helping administrators and security professionals understand and analyze every action taken. They are only as good as their protection: forward the event log to a central collector and write transcripts to a location the logged-on user cannot modify, because an attacker with local administrator rights can clear the Operational log or delete transcript files.
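As an added example (not code from the original post or from ScriptRunner), the script below enables all three logging channels through the same registry values that Group Policy writes for Windows PowerShell 5.1, then searches the last hour of 4104 events for a few constructed indicator strings. The UNC path \\logsrv\pstranscripts$ and the indicator list are assumptions; run it elevated.

```powershell
# Added example, not part of the original post. Registry paths are the documented
# Windows PowerShell 5.1 policy locations; PowerShell 7 reads its own keys under
# HKLM:\SOFTWARE\Policies\Microsoft\PowerShellCore and logs to PowerShellCore/Operational.
# '\\logsrv\pstranscripts$' and the indicator strings are assumptions for illustration.

$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

# Script block logging: de-obfuscated script content, Event ID 4104.
New-Item -Path "$base\ScriptBlockLogging" -Force | Out-Null
Set-ItemProperty -Path "$base\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -Type DWord

# Module logging: pipeline details, Event ID 4103. '*' enables it for every module.
New-Item -Path "$base\ModuleLogging\ModuleNames" -Force | Out-Null
Set-ItemProperty -Path "$base\ModuleLogging" -Name EnableModuleLogging -Value 1 -Type DWord
Set-ItemProperty -Path "$base\ModuleLogging\ModuleNames" -Name '*' -Value '*' -Type String

# Transcription: per-session text files. Point OutputDirectory at a share where the
# user can create files but not modify or delete them, so transcripts survive cleanup.
New-Item -Path "$base\Transcription" -Force | Out-Null
Set-ItemProperty -Path "$base\Transcription" -Name EnableTranscripting -Value 1 -Type DWord
Set-ItemProperty -Path "$base\Transcription" -Name EnableInvocationHeader -Value 1 -Type DWord
Set-ItemProperty -Path "$base\Transcription" -Name OutputDirectory -Value '\\logsrv\pstranscripts$' -Type String

# Triage: pull 4104 events from the last hour and flag script blocks containing
# download-and-execute primitives. Property index 2 of a 4104 event is ScriptBlockText.
$indicators = 'DownloadString', 'FromBase64String', 'Invoke-Expression', '-EncodedCommand'

Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-PowerShell/Operational'
    Id        = 4104
    StartTime = (Get-Date).AddHours(-1)
} -ErrorAction SilentlyContinue |
ForEach-Object {
    $text = [string]$_.Properties[2].Value
    foreach ($i in $indicators) {
        if ($text -match [regex]::Escape($i)) {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Match   = $i
                Snippet = $text.Substring(0, [Math]::Min(120, $text.Length))
            }
            break
        }
    }
}
```

Because 4104 records the script block after decoding, a Base64-wrapped payload shows up here as the decoded command; the encoded form is visible in the process command line captured by Sysmon or Event ID 4688, so the two sources complement each other.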

 

PowerShell ConstrainedLanguage mode

ConstrainedLanguage mode restricts PowerShell to a subset of its language features. Cmdlets and a small set of core .NET types (strings, numbers, dates, arrays, hashtables and the like) keep working, but arbitrary .NET type and method access, COM object creation, Add-Type and similar primitives are blocked, which removes most of what offensive tooling uses to reach outside the cmdlet surface. This mode is useful in environments where users require PowerShell access but should be prevented from executing potentially harmful sophisticated scripts.

This mode is often used alongside application control policies such as Windows Defender Application Control (WDAC) to provide a more comprehensive security solution. That pairing is not optional: the language mode is only enforced when an application control policy (WDAC or AppLocker) is in effect, and setting it by hand in a session is merely a test aid, because the user can simply start a fresh session. Also disable the legacy Windows PowerShell 2.0 engine feature where it is still installed, since that engine predates ConstrainedLanguage mode and can be used to run scripts with none of these restrictions.
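The script below is an added example (not code from the original post or from ScriptRunner) that switches the current session into ConstrainedLanguage mode by hand and then probes which operations survive. Setting the mode this way is a demonstration aid only; in production the mode must come from a WDAC or AppLocker policy.

```powershell
# Added example, not part of the original post. Setting the language mode by hand
# provides no protection (a new session starts in FullLanguage again); it is used
# here only to observe the restrictions that a WDAC/AppLocker policy would enforce.

$ExecutionContext.SessionState.LanguageMode = 'ConstrainedLanguage'
$ExecutionContext.SessionState.LanguageMode        # ConstrainedLanguage

function Test-Capability {
    param([string]$Name, [scriptblock]$Action)
    try {
        & $Action | Out-Null
        '{0,-38} allowed' -f $Name
    }
    catch {
        '{0,-38} blocked: {1}' -f $Name, ($_.Exception.Message -split "`n")[0]
    }
}

# Cmdlets and core types keep working, so ordinary operational scripts still run.
Test-Capability 'Get-Process (cmdlet)'         { Get-Process -Id $PID }
Test-Capability 'string method (core type)'    { 'abc'.ToUpper() }
Test-Capability '[datetime]::Now (core type)'  { [datetime]::Now }

# Arbitrary .NET, COM and compilation are blocked; these are the primitives that
# loaders and post-exploitation frameworks depend on.
Test-Capability '[System.IO.File] static call' { [System.IO.File]::ReadAllText('C:\Windows\win.ini') }
Test-Capability '[System.Net.WebClient]::new'  { [System.Net.WebClient]::new() }
Test-Capability 'New-Object -ComObject'        { New-Object -ComObject WScript.Shell }
Test-Capability 'Add-Type (C# compile)'        { Add-Type -TypeDefinition 'public class Probe {}' }
```

A quick enforcement check on a managed host is to open a new PowerShell window and read $ExecutionContext.SessionState.LanguageMode: if it reports FullLanguage, no application control policy is applying the mode and the restriction is not actually in force.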

 

Just Enough Administration (JEA)

JEA is a security technology that enables limited privilege access for specific tasks. Administrators can configure endpoints that define exactly what commands, modules, and parameters users are allowed to execute based on their roles.

JEA helps organizations implement the principle of least privilege, ensuring users only have enough access to perform their job roles without exposing sensitive parts of the system. Commands in a JEA session run under a temporary virtual account (a local administrator by default) rather than as the connecting user, so the list of allowed commands is the whole of the security control: never expose commands that can run arbitrary code, such as Invoke-Expression, Start-Process, Add-Type or any cmdlet that accepts an unconstrained script block or path, and restrict parameter values with ValidateSet or ValidatePattern wherever possible.
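As an added example (not code from the original post or from ScriptRunner), here is a complete JEA endpoint that lets members of a group restart two named services and read two event logs, and nothing else. The module name JEA-ServiceDesk, the group CONTOSO\ServiceDeskOps, the endpoint name ServiceDesk and the host srv01 are assumptions. Run it elevated on the host that will be managed.

```powershell
# Added example, not part of the original post. Module, group, endpoint and host
# names are assumptions. Run elevated on the managed host.

$moduleName = 'JEA-ServiceDesk'
$modulePath = Join-Path $env:ProgramFiles "WindowsPowerShell\Modules\$moduleName"

# Role capabilities must live in a RoleCapabilities folder inside a module on PSModulePath.
New-Item -Path "$modulePath\RoleCapabilities" -ItemType Directory -Force | Out-Null
New-ModuleManifest -Path "$modulePath\$moduleName.psd1" -Description 'JEA role capabilities for the service desk'

# The role: a closed list of cmdlets, with parameter values pinned where the cmdlet
# could otherwise reach anything on the box.
New-PSRoleCapabilityFile -Path "$modulePath\RoleCapabilities\ServiceDeskOps.psrc" -VisibleCmdlets @(
    'Get-Service'
    @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler', 'W32Time' } }
    @{ Name = 'Get-WinEvent';    Parameters = @{ Name = 'LogName'; ValidatePattern = '^(System|Application)$' } },
                                              @{ Name = 'MaxEvents' }
)

# The endpoint: no language beyond cmdlet invocation, commands run as a virtual
# account (never the caller's own token), every session transcribed.
$sessionFile = "$modulePath\ServiceDesk.pssc"
New-PSSessionConfigurationFile -Path $sessionFile `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory 'C:\ProgramData\JEATranscripts' `
    -RoleDefinitions @{ 'CONTOSO\ServiceDeskOps' = @{ RoleCapabilities = 'ServiceDeskOps' } }

if (-not (Test-PSSessionConfigurationFile -Path $sessionFile)) { throw 'session configuration file is invalid' }
Register-PSSessionConfiguration -Name 'ServiceDesk' -Path $sessionFile -Force | Out-Null

# Client side, as a member of CONTOSO\ServiceDeskOps with no admin rights on srv01:
#   Enter-PSSession -ComputerName srv01 -ConfigurationName ServiceDesk
#   Get-Command                       # only the cmdlets listed above are present
#   Restart-Service -Name Spooler     # works
#   Restart-Service -Name LanmanServer  # rejected: value not in the ValidateSet
```

Register-PSSessionConfiguration restarts the WinRM service, so schedule it accordingly. The transcript directory should be ACL'd so that the virtual account can only create files there, which keeps the JEA audit trail out of reach of the people it records.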

 

PowerShell remoting with SSL

PowerShell remoting allows commands to be run on remote systems. By default WinRM listens for HTTP on port 5985; adding an HTTPS listener on port 5986 wraps the channel in TLS (Transport Layer Security, the successor of the obsolete SSL protocol), which authenticates the server to the client through its certificate and encrypts the session so that the data exchanged remains confidential and tamper-proof.

This feature is critical in distributed environments where commands and potentially sensitive data must be transmitted over potentially insecure networks. Within a single Active Directory domain the Kerberos-authenticated HTTP transport already encrypts the message payload, but HTTPS is what protects connections to workgroup or cross-forest hosts, where Basic or NTLM authentication would otherwise be exposed, and it gives the client a way to verify that it is talking to the intended server. PowerShell 7 additionally supports remoting over SSH, which provides the same transport guarantees with SSH keys in place of certificates.
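The following added example (not code from the original post or from ScriptRunner) creates a WinRM HTTPS listener on a server, disables the plaintext-capable options, and connects from a client with certificate validation left on. It assumes a server-authentication certificate for the host's FQDN has already been enrolled from an internal CA into the machine store; srv01.contoso.local is an assumed host name.

```powershell
# Added example, not part of the original post. Assumes a CA-issued server
# certificate for the host's FQDN is already in Cert:\LocalMachine\My.
# 'srv01.contoso.local' is an assumed name. Server steps must run elevated.

$fqdn = 'srv01.contoso.local'

# ----- Server side -----
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*CN=$fqdn*" -and $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No usable server certificate for $fqdn in Cert:\LocalMachine\My" }

Enable-PSRemoting -Force                       # creates the HTTP listener on 5985
New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * `
    -HostName $fqdn -CertificateThumbPrint $cert.Thumbprint -Force | Out-Null

New-NetFirewallRule -DisplayName 'WinRM over HTTPS' -Direction Inbound `
    -Protocol TCP -LocalPort 5986 -Action Allow | Out-Null

# Refuse unencrypted payloads and Basic auth regardless of transport.
Set-Item -Path WSMan:\localhost\Service\AllowUnencrypted -Value $false
Set-Item -Path WSMan:\localhost\Service\Auth\Basic -Value $false

# Once every client can reach 5986, remove the HTTP listener:
# Get-ChildItem WSMan:\localhost\Listener |
#     Where-Object Keys -contains 'Transport=HTTP' | Remove-Item -Recurse

# ----- Client side -----
# Leave certificate checks on. -SkipCACheck / -SkipCNCheck turn the connection
# into "encrypted to whoever answered", which is what a MITM needs.
$opt = New-PSSessionOption -OpenTimeout 15000
$session = New-PSSession -ComputerName $fqdn -UseSSL -Port 5986 `
    -SessionOption $opt -Credential (Get-Credential -Message "Account for $fqdn")

Invoke-Command -Session $session -ScriptBlock {
    [pscustomobject]@{
        Host             = $env:COMPUTERNAME
        AllowUnencrypted = (Get-Item WSMan:\localhost\Service\AllowUnencrypted).Value
        BasicAuth        = (Get-Item WSMan:\localhost\Service\Auth\Basic).Value
    }
}
Remove-PSSession -Session $session
```

A handshake failure at this point usually means the certificate's subject or SAN does not match the name the client used, or the issuing CA is not trusted by the client; fix the certificate rather than disabling the check.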

 

Script signing

Script signing involves using a digital signature to verify the integrity and origin of a script. A signed script carries the identity of its publisher and a hash to verify its integrity. If the script is modified after it has been signed, the digital signature will no longer be valid.

This security feature ensures that scripts cannot be tampered with without detection, providing assurance that scripts are executed as intended by the original author. A signature attests to origin and integrity, not to safety: a signed script can still be malicious, and a valid signature only helps if the signing certificate chains to a CA your systems trust and the signer is present in Trusted Publishers. Combine signing with the AllSigned or RemoteSigned execution policy, which is what makes PowerShell check the signature before loading a file, and sign with a timestamp so signatures remain valid after the certificate expires.
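As an added example (not code from the original post or from ScriptRunner), the script below signs a file, verifies it the way the execution policy would, and then modifies the signed content to show the signature failing. It assumes a code-signing certificate from your internal CA is in the user's personal store; the self-signed fallback is for a lab only. C:\Scripts\Deploy.ps1 is an assumed path.

```powershell
# Added example, not part of the original post. Assumes a CA-issued code-signing
# certificate in Cert:\CurrentUser\My; the self-signed fallback is lab-only and
# will verify as UnknownError until its root is trusted. Path is an assumption.

$scriptPath = 'C:\Scripts\Deploy.ps1'

$cert = Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) {
    $cert = New-SelfSignedCertificate -Type CodeSigningCert -Subject 'CN=Lab Script Signer' `
        -CertStoreLocation Cert:\CurrentUser\My
}

# SHA-256 plus an RFC 3161 timestamp, so the signature outlives the certificate.
$sig = Set-AuthenticodeSignature -FilePath $scriptPath -Certificate $cert `
    -HashAlgorithm SHA256 -TimestampServer 'http://timestamp.digicert.com'
$sig.Status        # Valid for a trusted chain; UnknownError for the lab cert

# The same check AllSigned/RemoteSigned perform before loading a file.
function Test-ScriptSignature {
    param([Parameter(Mandatory)][string]$Path)
    $s = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path   = $Path
        Status = $s.Status                       # Valid, NotSigned, HashMismatch, UnknownError, NotTrusted
        Signer = $s.SignerCertificate.Subject
        Thumb  = $s.SignerCertificate.Thumbprint
    }
}
Test-ScriptSignature -Path $scriptPath

# Tamper with the body while leaving the signature block in place: the embedded
# hash no longer matches the content, so PowerShell refuses the file under AllSigned.
$original = Get-Content -Path $scriptPath
Set-Content -Path $scriptPath -Value (@('Write-Host "inserted after signing"') + $original)
(Test-ScriptSignature -Path $scriptPath).Status    # HashMismatch
```

Re-sign after every legitimate change, ideally from a build pipeline that holds the signing key in an HSM or a cloud key vault, so that the key never sits on an administrator's workstation.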

 

PowerShell SecretManagement module 

The SecretManagement module is a unified interface to manage secrets and credentials. It provides cmdlets to set, get, and remove secrets, supporting a variety of vault extensions that can connect to different back-end secret stores, such as Azure Key Vault, HashiCorp Vault, or even custom-built solutions.

The module abstracts the specifics of how secrets are stored and retrieved, allowing scripts to securely access secrets without hard-coding credentials or sensitive information. Get-Secret returns string secrets as a SecureString unless -AsPlainText is requested, so the plain value only exists in memory at the point where it is actually needed and does not end up in transcripts or logs.
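The script below is an added example (not code from the original post or from ScriptRunner) that registers the Microsoft SecretStore vault extension, stores a credential once, and retrieves it from script functions without any plaintext in source. The vault name LocalStore, the secret names and the sample token value are constructed for the example.

```powershell
# Added example, not part of the original post. Vault name, secret names and the
# sample token value are assumptions constructed for illustration.

Install-Module -Name Microsoft.PowerShell.SecretManagement, Microsoft.PowerShell.SecretStore `
    -Scope CurrentUser -Force

# One-time setup. SecretStore is local and per-user, protected by a password that
# is re-prompted after PasswordTimeout seconds. For unattended or shared jobs,
# register an extension backed by a central store (Azure Key Vault, HashiCorp Vault, ...)
# with the same cmdlets below.
Register-SecretVault -Name LocalStore -ModuleName Microsoft.PowerShell.SecretStore -DefaultVault
Set-SecretStoreConfiguration -Scope CurrentUser -Authentication Password `
    -PasswordTimeout 900 -Interaction Prompt -Confirm:$false

# Store secrets. Set-Secret accepts string, SecureString, PSCredential, byte[] and hashtable.
$cred = Get-Credential -Message 'Service account for the deploy job'
Set-Secret -Name 'svc-deploy' -Secret $cred -Vault LocalStore
Set-Secret -Name 'api-token'  -Secret 'example-token-value' -Vault LocalStore   # constructed sample

# In the script: nothing hard-coded, and the plain value is never written to the pipeline.
function Get-DeployCredential {
    # PSCredential; the password stays a SecureString inside it.
    Get-Secret -Name 'svc-deploy' -Vault LocalStore
}
function Get-ApiToken {
    # Plain text is materialised only at the call that needs it (e.g. an HTTP header),
    # never echoed, so transcripts and 4104 events do not capture the value.
    Get-Secret -Name 'api-token' -Vault LocalStore -AsPlainText
}

(Get-DeployCredential).GetType().Name                               # PSCredential
(Get-Secret -Name 'api-token' -Vault LocalStore).GetType().Name     # SecureString by default
Get-SecretInfo -Vault LocalStore                                    # names and types only, never values
```

Anything retrieved with -AsPlainText that is printed or assigned at the prompt does land in transcripts and script block logs, so keep plain-text retrieval inside the function that consumes the value.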

 

Conclusion

Each of these features plays a vital role in securing the PowerShell environment by limiting script execution to trusted sources, monitoring and restricting user actions, and securely handling sensitive data. Together, they form a robust framework for securing PowerShell against both external threats and internal misuse. Learn more about PowerShell security best practices in our webinar "PowerShell security best practices".

 

Good2know

Webinar: PowerShell security best practices

In the complex and dynamic world of IT infrastructure management, securing PowerShell scripts is imperative. With the right tools and techniques, you can enhance the safety of your operations and protect sensitive credentials from potential threats.

Watch the recording of our webinar where we dive into PowerShell's robust security features, complemented by ScriptRunner's advanced capabilities for secure delegation, centralized script and credential management.

Whether you're an administrator, Systems Engineer, IT or DevOps professional, PowerShell developer, or an IT manager, this session will equip you with the knowledge to leverage PowerShell securely and efficiently.

Don't miss this opportunity to step up your security game with expert tips and industry best practices. 
 


 

In this webinar, you'll learn:


  • How to use the PowerShell SecretManagement module
  • Working with execution policies
  • Secure credential management
  • Password server integration
  • Delegation of single, parameterizable PowerShell scripts without administrative rights of the user
  • Secure browser-based execution of PowerShell scripts

 

 

This way to our webinar recording!

 



 
