Is PowerShell really a vulnerability? Understanding PowerShell security.


Windows PowerShell is used by IT administrators across the globe. It is a task automation and configuration management framework from Microsoft that lets administrators carry out administrative tasks on both local and remote Windows systems. Recently, however, some organizations have been avoiding it, especially for remote access, on the suspicion that it introduces security vulnerabilities. To clear up this confusion, Microsoft Premier Field Engineer Ashley McGlone published a blog post explaining why PowerShell is a safe tool and not a vulnerability.


Organizations are treating PowerShell as a vulnerability

McGlone describes some recent trends in how organizations treat the tool. Some forbid the use of PowerShell Remoting; elsewhere, InfoSec has blocked remote server administration with it altogether. He also says he constantly receives questions about the security of PowerShell Remoting, and that multiple companies are restricting the tool's capabilities in their environments. Most of these companies are worried about Remoting, even though its traffic is always encrypted and it uses a single port, 5985 (HTTP) or 5986 (HTTPS).

PowerShell security

McGlone explains why the tool is not a vulnerability but is, on the contrary, very safe. His key points: PowerShell is a neutral administration tool, not a vulnerability; PowerShell Remoting respects all Windows authentication and authorization protocols; and, by default, using it requires membership in the local Administrators group.

He goes on to explain why the tool is safer than companies think:

“The improvements in WMF 5.0 (or WMF 4.0 with KB3000850) make PowerShell the worst tool of choice for a hacker when you enable script block logging and system-wide transcription. Hackers will leave fingerprints everywhere, unlike popular CMD utilities”.

Because of these tracking features, McGlone recommends PowerShell as the best tool for remote administration. Its logging lets organizations answer the questions of who, what, when, where, and how for activity on their servers.
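As an added example (not code from McGlone's post or from Microsoft's documentation), the script below turns on the two features the quote names, script block logging and system-wide transcription, through the standard PowerShell policy registry keys, and then reads back recent script block events (ID 4104) from the PowerShell operational log to show the who, what and when the article refers to. The transcript directory is an assumed value; run it from an elevated session.

```powershell
# Added example: enable PowerShell script block logging and transcription,
# then audit what has been executed. Registry paths are the policy keys that
# the PowerShell Group Policy settings write to. Run as Administrator.

$sbl = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
$tr  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription'
$transcriptDir = 'C:\PSTranscripts'   # assumed location; restrict its ACL to administrators

function Enable-PowerShellAuditing {
    foreach ($key in $sbl, $tr) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    }
    # Script block logging: every script block PowerShell runs is written to
    # Microsoft-Windows-PowerShell/Operational as event 4104, after de-obfuscation.
    Set-ItemProperty -Path $sbl -Name EnableScriptBlockLogging -Value 1 -Type DWord
    # System-wide transcription: a text record of every session, remoting
    # sessions included, with an invocation header (user, host, time).
    Set-ItemProperty -Path $tr -Name EnableTranscripting    -Value 1 -Type DWord
    Set-ItemProperty -Path $tr -Name EnableInvocationHeader -Value 1 -Type DWord
    Set-ItemProperty -Path $tr -Name OutputDirectory -Value $transcriptDir -Type String
    if (-not (Test-Path $transcriptDir)) { New-Item -ItemType Directory -Path $transcriptDir | Out-Null }
}

function Get-PowerShellAuditStatus {
    [pscustomobject]@{
        ScriptBlockLogging = (Get-ItemProperty -Path $sbl -ErrorAction SilentlyContinue).EnableScriptBlockLogging -eq 1
        Transcription      = (Get-ItemProperty -Path $tr  -ErrorAction SilentlyContinue).EnableTranscripting -eq 1
    }
}

# Who ran what, and when: 4104 events carry the script block text in
# Properties[2] and the script path (if any) in Properties[4].
function Get-RecentScriptBlocks {
    param([int]$Hours = 24, [int]$Max = 50)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = (Get-Date).AddHours(-$Hours)
    } -MaxEvents $Max -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            Time   = $_.TimeCreated
            User   = $_.UserId                                   # SID of the executing account
            Path   = $_.Properties[4].Value
            Script = ($_.Properties[2].Value -split "`n")[0]    # first line of the block
        }
    }
}

Enable-PowerShellAuditing
Get-PowerShellAuditStatus
Get-RecentScriptBlocks -Hours 24 | Format-Table -AutoSize
```

In a domain, the same two settings are normally pushed by Group Policy under Administrative Templates > Windows Components > Windows PowerShell rather than set per host as above.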

He also links to resources for securing the tool and using it at enterprise scale. For information security departments that want to learn more, McGlone points to PowerShell Remoting Security Considerations, new security documentation from the PowerShell team. The document covers what PowerShell Remoting is, its default settings, process isolation, and its encryption and transport protocols.

The blog post lists several further sources and links for learning more about PowerShell security. These, including links to the WinRMSecurity website and a white paper by Lee Holmes, are available on TechNet Blogs.
