Setting & enforcing PowerShell Security at Enterprise level


Microsoft developed Windows PowerShell for task automation and configuration management. It is based on the .NET Framework and includes both a command-line shell and a scripting language. It not only helps users automate tasks, but also rapidly solves complex administration tasks. Despite that, many users believe PowerShell is a tool used by hackers for security breaches. Unfortunately, it is true that PowerShell is widely used in security breaches. Because of this, users with little or no technical knowledge often deactivate PowerShell. However, the reality is that a PowerShell Security approach can provide the best protection against security breaches at the enterprise level.

PowerShell Security at Enterprise level

David das Neves, Premier Field Engineer for Microsoft Germany, mentions in one of his posts that the PowerShell Security approach is a powerful way to set up security at the enterprise level. In fact, PowerShell is one of the most used languages on GitHub, according to the Programming Language Ranking chart created by RedMonk.

Read: Understanding PowerShell security.

Windows PowerShell Security at Enterprise level

Before setting up Windows PowerShell Security, it is necessary to know the basics. Users must use the latest version of Windows PowerShell, i.e. PowerShell version 5, which ships with WMF 5.1. With WMF 5.1, users can easily update the PowerShell version on their existing machines, including Windows 7. In fact, those still using Windows 7, or even just having Windows 7 machines on their networks, must have WMF 5.1 and PowerShell 5 installed, because an attacker needs only one computer to initiate the attack.

Note that PowerShell Security must be set up with the latest version of Windows PowerShell. A lower version (like PowerShell version 2) can do more harm than good. Hence, it is advised that users get rid of PowerShell version 2.
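An added example (not from the original post or from David's own material) of how an administrator can check the two points above on a host: which engine version is running, whether the legacy v2 engine is still installed, and whether anything on the machine has recently started the v2 engine. The v2 engine matters because it predates script block logging and the other security features of version 5, so code run under it is largely invisible to the logging discussed later. The example assumes an elevated session on Windows 8.1/10 or Server 2012 R2 and later, where the DISM optional-feature cmdlets and the `MicrosoftWindowsPowerShellV2Root` feature name exist; on Windows 7 only the version check applies.

```powershell
# Added example, not the original post's code: audit the PowerShell engine on a
# host and disable the legacy v2 engine the article warns about.
# Assumes an elevated session on Windows 8.1 / 10 / Server 2012 R2+.

#Requires -RunAsAdministrator

function Get-PowerShellEngineStatus {
    [CmdletBinding()]
    param()

    # Engine currently running this script.
    $current = $PSVersionTable.PSVersion

    # Optional-feature state of the legacy v2 engine (absent on Windows 7, hence -ErrorAction).
    $v2 = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -ErrorAction SilentlyContinue
    $v2State = if ($v2) { $v2.State.ToString() } else { 'Unknown' }

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        CurrentVersion = $current.ToString()
        IsAtLeastV5    = ($current.Major -ge 5)
        V2EngineState  = $v2State
    }
}

function Disable-PowerShellV2Engine {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    $feature = 'MicrosoftWindowsPowerShellV2Root'
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, "Disable optional feature $feature")) {
        Disable-WindowsOptionalFeature -Online -FeatureName $feature -NoRestart | Out-Null
    }
}

function Get-V2EngineStarts {
    # Defender check: the classic "Windows PowerShell" log records event 400
    # (engine state changed to Available) and its message carries the EngineVersion,
    # so any EngineVersion=2.0 entry shows the legacy engine is still being started.
    [CmdletBinding()]
    param([int]$MaxEvents = 500)

    Get-WinEvent -FilterHashtable @{ LogName = 'Windows PowerShell'; Id = 400 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'EngineVersion=2\.0' } |
        Select-Object TimeCreated,
            @{ n = 'HostApplication'; e = { if ($_.Message -match 'HostApplication=(.+)') { $matches[1].Trim() } } }
}

# Usage:
Get-PowerShellEngineStatus | Format-List
Get-V2EngineStarts
Disable-PowerShellV2Engine -WhatIf   # drop -WhatIf to actually remove the v2 engine
```

Run the audit across the fleet before removing the feature: an empty result from `Get-V2EngineStarts` on a host that has had logging for a while is a good sign that nothing legitimate still depends on the old engine.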

Apart from the latest version of Windows PowerShell, users must also opt for the newest version of the OS. For setting up PowerShell Security, Windows 10 is the most compatible operating system, and it comes with many security features. Hence, it is recommended that users migrate their older Windows machines to Windows 10 and evaluate all the security features that can be used.

ExecutionPolicy: Many users don’t adopt a PowerShell Security approach and instead treat the ExecutionPolicy as a security boundary. However, as David mentions in his post, there are more than 20 ways to bypass the ExecutionPolicy, even as a standard user. Therefore users should set it via GPO, for example to RemoteSigned. ExecutionPolicy may prevent some hackers from running PowerShell scripts downloaded from the internet, but it is not a completely reliable security setup.
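As an added example (not from the original post), the following sets RemoteSigned the way the Group Policy setting "Turn on Script Execution" does, by writing the machine policy registry values the Windows PowerShell ADMX template writes, and then reports the effective policy per scope. It assumes an elevated session; in a domain the same two values would be delivered by a GPO so that they are reapplied centrally. The report shows why the GPO route is preferred: the MachinePolicy scope outranks every other scope, so a user cannot lower it with `Set-ExecutionPolicy -Scope CurrentUser`.

```powershell
# Added example, not the original post's code: enforce ExecutionPolicy through the
# machine policy key (what the "Turn on Script Execution" GPO writes) and verify it.
# Assumes an elevated session; use a GPO for the same values in a domain.

#Requires -RunAsAdministrator

function Set-PowerShellExecutionPolicyBaseline {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [ValidateSet('AllSigned', 'RemoteSigned')]
        [string]$Policy = 'RemoteSigned'
    )

    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
    if ($PSCmdlet.ShouldProcess($key, "Set ExecutionPolicy=$Policy")) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # These are the two values the "Turn on Script Execution" policy setting writes.
        New-ItemProperty -Path $key -Name EnableScripts   -Value 1       -PropertyType DWord  -Force | Out-Null
        New-ItemProperty -Path $key -Name ExecutionPolicy -Value $Policy -PropertyType String -Force | Out-Null
    }
}

function Get-ExecutionPolicyReport {
    # MachinePolicy is evaluated first, so once the policy key is populated the
    # LocalMachine and CurrentUser settings no longer matter.
    [CmdletBinding()]
    param()

    $scopes = Get-ExecutionPolicy -List
    $machinePolicy = ($scopes | Where-Object Scope -eq 'MachinePolicy').ExecutionPolicy

    [pscustomobject]@{
        Effective          = (Get-ExecutionPolicy).ToString()
        MachinePolicy      = $machinePolicy.ToString()
        LocalMachine       = ($scopes | Where-Object Scope -eq 'LocalMachine').ExecutionPolicy.ToString()
        CurrentUser        = ($scopes | Where-Object Scope -eq 'CurrentUser').ExecutionPolicy.ToString()
        IsEnforcedByPolicy = ($machinePolicy.ToString() -ne 'Undefined')
    }
}

# Usage (open a new session after applying, so the policy key is re-read):
Set-PowerShellExecutionPolicyBaseline -Policy RemoteSigned -WhatIf   # drop -WhatIf to apply
Get-ExecutionPolicyReport | Format-List
```

Treat `IsEnforcedByPolicy = True` as a hygiene check only: as the text says, the execution policy is not a security boundary, and the real controls are the whitelisting, Constrained Language and logging items covered in the next section.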

Factors to be considered in PowerShell Security approach

David covers all the important factors to be considered when setting up PowerShell Security at the enterprise level. Some of the factors he covers are as follows:

  • PowerShell Remoting
  • Securing Privileged Access
  • Modernizing Environment
  • Whitelisting / Signing / ConstrainedLanguage / AppLocker / Device Guard
  • Logging
  • ScriptBlockLogging
  • Extended Logging / WEF and JEA
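The three logging items in the list can be turned on through the same machine policy registry keys the Windows PowerShell ADMX settings write. The following is an added example (not from the original post or from David's material) that enables script block logging, module logging and transcription, reads the state back, and reassembles the 4104 script block events from the Microsoft-Windows-PowerShell/Operational log so they can be reviewed. It assumes an elevated session; `C:\PSTranscripts` is a placeholder transcript folder (in production this is normally a write-only network share); WEF subscriptions and JEA endpoints are separate configurations and are not shown.

```powershell
# Added example, not the original post's code: enable PowerShell logging policies
# and read back script block events. Assumes an elevated session.
# C:\PSTranscripts is a placeholder; point OutputDirectory at a write-only share.

#Requires -RunAsAdministrator

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Set-PolicyValue {
    param([string]$SubKey, [string]$Name, $Value, [string]$Type = 'DWord')
    $path = Join-Path $PolicyRoot $SubKey
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    New-ItemProperty -Path $path -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

function Enable-PowerShellLoggingBaseline {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$TranscriptDirectory = 'C:\PSTranscripts')   # placeholder path

    if (-not $PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Enable PowerShell logging policies')) { return }

    # Script block logging -> event 4104 in Microsoft-Windows-PowerShell/Operational.
    Set-PolicyValue -SubKey 'ScriptBlockLogging' -Name 'EnableScriptBlockLogging' -Value 1
    # Module logging for every module -> event 4103 (pipeline execution details).
    Set-PolicyValue -SubKey 'ModuleLogging' -Name 'EnableModuleLogging' -Value 1
    Set-PolicyValue -SubKey 'ModuleLogging\ModuleNames' -Name '*' -Value '*' -Type 'String'
    # Over-the-shoulder transcription of every session, with invocation timestamps.
    Set-PolicyValue -SubKey 'Transcription' -Name 'EnableTranscripting' -Value 1
    Set-PolicyValue -SubKey 'Transcription' -Name 'EnableInvocationHeader' -Value 1
    Set-PolicyValue -SubKey 'Transcription' -Name 'OutputDirectory' -Value $TranscriptDirectory -Type 'String'
}

function Get-PowerShellLoggingState {
    [pscustomobject]@{
        ScriptBlockLogging = ((Get-ItemProperty "$PolicyRoot\ScriptBlockLogging" -ErrorAction SilentlyContinue).EnableScriptBlockLogging -eq 1)
        ModuleLogging      = ((Get-ItemProperty "$PolicyRoot\ModuleLogging"      -ErrorAction SilentlyContinue).EnableModuleLogging      -eq 1)
        Transcription      = ((Get-ItemProperty "$PolicyRoot\Transcription"      -ErrorAction SilentlyContinue).EnableTranscripting      -eq 1)
    }
}

function Get-LoggedScriptBlocks {
    # Event 4104 splits long script blocks into numbered parts that share a
    # ScriptBlockId; group them back together before reading the text.
    # Level "Warning" means the engine itself flagged the block as suspicious.
    [CmdletBinding()]
    param([int]$MaxEvents = 2000)

    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                TimeCreated   = $_.TimeCreated
                Level         = $_.LevelDisplayName
                Part          = [int]$_.Properties[0].Value
                ScriptBlockId = $_.Properties[3].Value
                Path          = $_.Properties[4].Value
                Text          = $_.Properties[2].Value
            }
        } |
        Group-Object ScriptBlockId |
        ForEach-Object {
            $parts = @($_.Group | Sort-Object Part)
            [pscustomobject]@{
                TimeCreated   = $parts[0].TimeCreated
                Level         = $parts[0].Level
                ScriptBlockId = $_.Name
                Path          = $parts[0].Path
                Text          = ($parts.Text -join '')
            }
        }
}

# Usage:
Enable-PowerShellLoggingBaseline -WhatIf   # drop -WhatIf to apply
Get-PowerShellLoggingState
Get-LoggedScriptBlocks -MaxEvents 200 | Where-Object Level -eq 'Warning' | Select-Object TimeCreated, Path, Text
```

Once these events exist locally, the "Extended Logging / WEF" item in the list is about forwarding the Microsoft-Windows-PowerShell/Operational channel to a collector, so that a host's logs survive even if the host itself is compromised.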

For more detailed information on the PowerShell Security setup, read his post on MSDN Blogs.
