
Citrix WEM - Using security rules to block POWERSHELL and CMD prompts - but allowing user scripts


Paul Mathews

Question

Hi there,

Has anyone found a way to block users from getting access to PowerShell / cmd prompts but still allow user logon scripts to run?

I've locked down PS by

1. Setting up a script at computer boot-up to only allow PS constrained mode

2. Blocking the PS/cmd prompt via security rules

The problem is that now my user logon scripts (running as external tasks from a whitelisted location) no longer work, as they are now blocked.

Any ideas? Has anyone found a solution to this?

Thanks


3 answers to this question


Hi Paul,

For WEM, the AppLocker feature just applies security rules to Windows; for example, if you block PS from running, Windows will block powershell.exe from launching from anywhere.

For WEM, the external task feature just runs the PS script with the path you input from the UI, and the OS will try to launch powershell.exe to run the script, so you are blocked.

The whitelist location takes effect for a specific type; that means when you are using executable rules, it excepts executable files, not script files.

Maybe there is a workaround: there is another feature, Scripted Task, but it is machine level. Must your script run while the user logs on, and must it run under the user session?

If not, maybe you can try the Scripted Task feature; it runs the script via the PS SDK instead of using powershell.exe directly, so it will not be blocked by the AppLocker feature.

Thanks.

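To see the split between rule collections that the answer above describes, the following added PowerShell (not from this thread or from Citrix) asks the effective AppLocker policy for a verdict on the host executables and on the script file separately; it assumes the AppLocker module is available and uses a placeholder script path.

```powershell
# Added example: show that a whitelisted .ps1 location does not help when the
# host executable itself is denied. Assumes Get-AppLockerPolicy /
# Test-AppLockerPolicy are available (AppLocker module). $ScriptPath and
# 'C:\Scripts\logon.ps1' below are placeholders, not paths from the thread.
function Test-LogonScriptAllowed {
    param(
        [Parameter(Mandatory)] [string] $ScriptPath,
        [string] $User = 'Everyone'
    )

    # Hosts an external task would launch. Both fall under the *executable*
    # rule collection, not the script collection that covers the .ps1 file.
    $hostExes = @(
        "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe",
        "$env:SystemRoot\System32\cmd.exe"
    )

    # Effective policy = local policy merged with what GPO/WEM pushed down.
    $policy = Get-AppLockerPolicy -Effective

    # One call evaluates every path; each result carries its own decision.
    $results = Test-AppLockerPolicy -PolicyObject $policy `
                                    -Path ($hostExes + $ScriptPath) `
                                    -User $User

    foreach ($r in $results) {
        [pscustomobject]@{
            Path       = $r.FilePath
            Collection = if ($r.FilePath -like '*.ps1') { 'Script' } else { 'Exe' }
            Decision   = $r.PolicyDecision    # Allowed / Denied / DeniedByDefault
            Rule       = $r.MatchingRule
        }
    }
}

# If the Script row says Allowed but the powershell.exe row says Denied,
# the external task still fails: the script is never read because its host
# process is not permitted to start.
Test-LogonScriptAllowed -ScriptPath 'C:\Scripts\logon.ps1' | Format-Table -AutoSize
```

Run it in the user's session (or pass the user's SID via -User) to see the same decision the logon task gets; the Exe row, not the Script row, is what decides whether the task runs.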
On 2/16/2023 at 3:00 AM, Haiyu Li said:

> Hi Paul,
>
> For WEM, the AppLocker feature just applies security rules to Windows; for example, if you block PS from running, Windows will block powershell.exe from launching from anywhere.
>
> For WEM, the external task feature just runs the PS script with the path you input from the UI, and the OS will try to launch powershell.exe to run the script, so you are blocked.
>
> The whitelist location takes effect for a specific type; that means when you are using executable rules, it excepts executable files, not script files.
>
> Maybe there is a workaround: there is another feature, Scripted Task, but it is machine level. Must your script run while the user logs on, and must it run under the user session?
>
> If not, maybe you can try the Scripted Task feature; it runs the script via the PS SDK instead of using powershell.exe directly, so it will not be blocked by the AppLocker feature.
>
> Thanks.

Hi Haiyu,

Unfortunately I need the scripts to run on logon in the user's context.


Hi Paul,

I'm afraid WEM cannot do this, because after I investigated some Windows behavior, there is no direct way to "run a ps1 script while powershell.exe is blocked" either.

But I have the following potential solutions you can reference:

  • Convert the ps1 script to an exe; reference MS's document.
  • Build another powershell.exe like this, but I think this breaks the purpose of blocking PowerShell scripts.