Security is not an afterthought; it’s a core component of effective system administration. This guide provides PowerShell users with an essential toolkit for managing security-related tasks on Windows. We will cover three critical areas: first, how to handle administrator privilege elevation for both interactive and automated scripts using modern tools like gsudo. Second, you’ll learn to manage the Windows Defender Firewall directly from the command line to control network traffic. Finally, we’ll demystify the ‘Mark of the Web’ and show you how to use the Unblock-File cmdlet to safely run downloaded scripts and executables. This pillar post consolidates three key security topics into one definitive resource.


Part 1: A PowerShell User’s Guide to Privilege Elevation

Handling administrator privilege elevation in PowerShell is crucial for both interactive use and non-interactive automation. This section covers the best tools and methods for the job, from the convenient gsudo to the robust Windows Task Scheduler.

The sudo Landscape: sudo vs. gsudo

  • Microsoft sudo: The official implementation in Windows 11 (24H2+). It’s simple and secure but lacks features like UAC caching, making it less ideal for scripting.
  • gsudo: A popular, third-party sudo clone for all modern Windows versions. It’s feature-rich, supports credential caching, and is perfect for automation. Install it with winget install gerardog.gsudo.

For most scripting and power-user scenarios, gsudo is the recommended tool.

sudo vs. gsudo: A Quick Comparison

Feature          | Microsoft sudo                  | gsudo
-----------------|---------------------------------|---------------------------
UAC Caching      | No                              | Yes (configurable)
I/O Redirection  | Limited                         | Fully supported
Availability     | Windows 11 24H2+                | Windows 10 & 11
Best For         | Simple, secure interactive use  | Power users & automation

Native PowerShell Elevation: Start-Process -Verb RunAs

Before third-party tools, the built-in way to elevate a command in PowerShell was using Start-Process. This method opens a new, elevated PowerShell window to run the command. It’s useful for launching entire scripts with admin rights from a non-elevated console.

# This will trigger a UAC prompt and open a new admin window
Start-Process powershell -Verb RunAs -ArgumentList "-File C:\Scripts\MyAdminScript.ps1"

Automation and Non-Interactive Elevation

The main challenge in automation is handling the UAC prompt. The correct approach is to use a mechanism that runs the script in an already elevated context.

Method 1: Using gsudo for Scripted Elevation

gsudo is designed for scripting. By providing credentials securely (e.g., from Azure Key Vault or Windows Credential Manager), you can run commands non-interactively.

Important Security Note: Never hardcode passwords in scripts.

This reusable PowerShell function demonstrates how to securely use a PSCredential object with gsudo.

function Invoke-GsudoCommand {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory = $true)]
        [string]$Command,
        [Parameter(Mandatory = $true)]
        [pscredential]$Credential
    )

    # Decrypt the SecureString into unmanaged memory only for the duration of the call.
    $ptr = [System.Runtime.InteropServices.Marshal]::SecureStringToCoTaskMemUnicode($Credential.Password)
    try {
        $plainPass = [System.Runtime.InteropServices.Marshal]::PtrToStringUni($ptr)
        # Caveat: the password is handed to gsudo as a command-line argument, so it is visible to
        # other local processes that can read this process's command line and to command-line
        # auditing (e.g. event 4688). On shared hosts prefer Method 2 (Task Scheduler) below.
        & gsudo runas "/user:$($Credential.UserName)" "/password:$plainPass" -- PowerShell.exe -NoProfile -Command "$Command"
    }
    finally {
        # Always zero and free the unmanaged copy of the password, even if gsudo failed
        if ($ptr -ne [System.IntPtr]::Zero) {
            [System.Runtime.InteropServices.Marshal]::ZeroFreeCoTaskMemUnicode($ptr)
        }
    }
}

# --- Example Usage ---
# 1. Get the credential for the admin user (in a real script, from a vault).
$cred = Get-Credential "MyAdminUser"
# 2. Define the command to execute.
$commandToRun = "Get-Service -Name 'WinRM' | Select-Object -Property Name, Status"
# 3. Execute the command.
Invoke-GsudoCommand -Command $commandToRun -Credential $cred

Method 2: Using Windows Task Scheduler (The Most Secure Way)

For regularly scheduled tasks, the Windows Task Scheduler is the most secure method. By configuring a task to “Run with highest privileges”, the Task Scheduler service launches your script with an elevated token, completely bypassing UAC.

This is the ideal, set-and-forget solution for maintenance scripts and other unattended automation.
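As an added example (not code from the original post), this registers such a task with the ScheduledTasks module and verifies the result; the script path, task name and 03:00 schedule are assumptions.

```powershell
# Added example: register a nightly maintenance task that runs elevated with no UAC prompt.
# Placeholders: script path, task name and schedule.
$scriptPath = 'C:\Scripts\MyAdminScript.ps1'
$taskName   = 'Nightly-Maintenance'

# Whoever can edit the script file runs code as the task's account. Refuse to
# register the task if a broad, non-admin group has write access to it.
$weakAce = (Get-Acl -Path $scriptPath).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.FileSystemRights -match 'Write|Modify|FullControl' -and
    $_.IdentityReference -match 'Everyone|Authenticated Users|\\Users$'
}
if ($weakAce) { throw "Refusing: $scriptPath is writable by $($weakAce.IdentityReference -join ', ')" }

# Non-interactive host; the Task Scheduler service starts it with the account's full token.
$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -NonInteractive -File `"$scriptPath`""

$trigger = New-ScheduledTaskTrigger -Daily -At 3am

# RunLevel Highest is the "Run with highest privileges" checkbox. SYSTEM needs no
# stored password; for least privilege use a dedicated service account or gMSA
# that holds only the rights the script actually needs.
$principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' `
    -LogonType ServiceAccount -RunLevel Highest

# Bound the run time so a hung script cannot keep an elevated process alive.
$settings = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Hours 1) `
    -StartWhenAvailable -MultipleInstances IgnoreNew

Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger `
    -Principal $principal -Settings $settings -Force | Out-Null

# Verify what was actually registered and how the last run ended.
Get-ScheduledTask -TaskName $taskName |
    Select-Object TaskName, State,
        @{ n = 'User';     e = { $_.Principal.UserId } },
        @{ n = 'RunLevel'; e = { $_.Principal.RunLevel } }
Get-ScheduledTaskInfo -TaskName $taskName | Select-Object LastRunTime, LastTaskResult
```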


Part 2: Managing the Windows Defender Firewall

The Windows Defender Firewall is a critical component of Windows security. You can manage it easily from the command line.

“Windows Firewall” vs. “Windows Defender Firewall”

They are the same thing. “Windows Defender Firewall” is just the modern name for the legacy “Windows Firewall” in Windows 10/11 and Server 2016+.

Turning the Firewall OFF/ON

Use these commands in an elevated prompt.

To Turn OFF for all profiles (Domain, Private, Public):

netsh advfirewall set allprofiles state off

Or in PowerShell:

Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False

To Turn ON for all profiles:

netsh advfirewall set allprofiles state on

Verifying Firewall Status

To check the current state of the firewall profiles using PowerShell, use Get-NetFirewallProfile.

Get-NetFirewallProfile | Format-Table Name, Enabled

Managing Firewall Rules

Instead of disabling the firewall, it’s much safer to open only the specific ports you need.

Create a new rule (here, allowing inbound TCP on port 8080):

New-NetFirewallRule -DisplayName "Allow Port 8080" -Direction Inbound -Protocol TCP -LocalPort 8080 -Action Allow

Remove a rule by name:

# Remove the rule created in the previous example
Remove-NetFirewallRule -DisplayName "Allow Port 8080"
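Going a step further than the rule above, the following added example (not from the original post) opens a port only for a defined source subnet and profile, stays idempotent on re-runs, and verifies the scope that was applied; the rule name, port, subnet and program path are placeholders.

```powershell
# Added example: scoped inbound rule with verification and a quick audit of wide-open rules.
function New-ScopedInboundRule {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]   $DisplayName,
        [Parameter(Mandatory)] [int]      $Port,
        [Parameter(Mandatory)] [string[]] $RemoteAddress,   # e.g. '10.20.0.0/24' (placeholder)
        [ValidateSet('Domain', 'Private', 'Public', 'Any')]
        [string[]] $FirewallProfile = 'Domain',
        [string] $Program                                    # optional: bind to one executable
    )
    # Idempotent: a second run must not create a duplicate rule with the same name.
    $existing = Get-NetFirewallRule -DisplayName $DisplayName -ErrorAction SilentlyContinue
    if ($existing) {
        Write-Warning "Rule '$DisplayName' already exists; not creating another."
        return $existing
    }
    $ruleParams = @{
        DisplayName   = $DisplayName
        Direction     = 'Inbound'
        Protocol      = 'TCP'
        LocalPort     = $Port
        RemoteAddress = $RemoteAddress   # sources outside this scope hit the profile's default Block
        Profile       = $FirewallProfile
        Action        = 'Allow'
        Enabled       = 'True'
    }
    if ($Program) { $ruleParams.Program = $Program }
    if ($PSCmdlet.ShouldProcess($DisplayName, "Create inbound TCP/$Port rule")) {
        New-NetFirewallRule @ruleParams
    }
}

# Usage: allow an internal app on 8080 only from the management subnet, domain profile only.
New-ScopedInboundRule -DisplayName 'Allow App 8080 (mgmt subnet)' -Port 8080 `
    -RemoteAddress '10.20.0.0/24' -Program 'C:\App\app.exe'

# Verify the scope actually applied: port, remote addresses, profile.
$rule = Get-NetFirewallRule -DisplayName 'Allow App 8080 (mgmt subnet)'
$rule | Get-NetFirewallPortFilter    | Select-Object Protocol, LocalPort
$rule | Get-NetFirewallAddressFilter | Select-Object RemoteAddress
$rule | Select-Object DisplayName, Enabled, Profile, Action

# Audit: every enabled inbound Allow rule that is open to any remote address.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -eq 'Any' } |
    Select-Object DisplayName, Profile
```

Run the function with -WhatIf first to see the rule it would create without changing anything.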


Part 3: Safely Handling Downloaded Files with Unblock-File

When you download a file from the internet, Windows adds a hidden “Mark of the Web” (Zone.Identifier) to it, which can prevent scripts or installers from running.

What is the “Mark of the Web”?

It’s an Alternate Data Stream (ADS) that tags a file as having come from the untrusted “Internet Zone.” You can see this data with:

Get-Content -Path "C:\Downloads\MyFile.zip" -Stream Zone.Identifier

If the output shows ZoneId=3, the file is blocked.

The Solution: The Unblock-File Cmdlet

The Unblock-File cmdlet safely removes this “Mark of the Web,” telling Windows you trust the file.

Unblocking a Single File

Unblock-File -Path "C:\Downloads\MyScript.ps1"

This is the script equivalent of right-clicking the file, going to Properties, and checking the “Unblock” box.

Unblocking All Files in a Directory

This is essential after extracting a ZIP file, as all extracted files inherit the mark.

# Recursively unblock all files in a folder
Get-ChildItem -Path "C:\Downloads\MyExtractedFolder" -Recurse | Unblock-File

Security Considerations

Only unblock files from sources you trust. The Mark of the Web is an important security feature that protects you from malicious content.
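To put the "only unblock what you trust" rule into the recursive unblock from the previous section, this added example (not from the original post) reads each file's Zone.Identifier stream first and removes the mark only when the recorded download host is on an allow-list; the folder and host names are placeholders.

```powershell
# Added example: parse the Mark of the Web, then unblock only files from allow-listed hosts.
function Get-MotwInfo {
    param([Parameter(Mandatory)] [string] $Path)
    # The stream is INI text: [ZoneTransfer] / ZoneId=3 / ReferrerUrl=... / HostUrl=...
    # ZoneId 3 = Internet, 4 = Restricted; both are treated as untrusted by Windows.
    $raw = Get-Content -Path $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $raw) { return $null }            # no mark present (or volume is not NTFS)
    $info = [ordered]@{ Path = $Path; ZoneId = $null; ReferrerUrl = $null; HostUrl = $null }
    foreach ($line in $raw) {
        if ($line -match '^(ZoneId|ReferrerUrl|HostUrl)=(.*)$') { $info[$Matches[1]] = $Matches[2] }
    }
    [pscustomobject]$info
}

function Unblock-TrustedDownload {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]   $Folder,
        [Parameter(Mandatory)] [string[]] $TrustedHost   # placeholders, e.g. 'github.com'
    )
    foreach ($file in Get-ChildItem -Path $Folder -Recurse -File) {
        $mark = Get-MotwInfo -Path $file.FullName
        if (-not $mark) { continue }
        # Prefer HostUrl (where the bytes came from) over ReferrerUrl (the page that linked it).
        $source  = if ($mark.HostUrl) { $mark.HostUrl } elseif ($mark.ReferrerUrl) { $mark.ReferrerUrl } else { '' }
        $srcHost = try { ([uri]$source).Host } catch { '' }
        if ($srcHost -and ($TrustedHost -contains $srcHost)) {
            if ($PSCmdlet.ShouldProcess($file.FullName, "Unblock (downloaded from $srcHost)")) {
                Unblock-File -Path $file.FullName
            }
        }
        else {
            # Keep the mark: the origin is unknown (some marks carry only ZoneId) or not trusted.
            Write-Warning "Left blocked: $($file.FullName) ZoneId=$($mark.ZoneId) source='$source'"
        }
    }
}

# Usage: dry run first, then apply.
Unblock-TrustedDownload -Folder 'C:\Downloads\MyExtractedFolder' -TrustedHost 'github.com' -WhatIf
Unblock-TrustedDownload -Folder 'C:\Downloads\MyExtractedFolder' -TrustedHost 'github.com'
```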

Conclusion

Mastering these three areas of security—privilege elevation, firewall management, and file safety—is fundamental for any PowerShell user. By using gsudo for flexible elevation, netsh or PowerShell for firewall control, and Unblock-File for downloaded content, you can build automation that is not only powerful and efficient but also secure.