Published on the 30/06/2022 | Written by Heather Wright
PowerShell ‘essential’ to secure Windows OS despite concerns…
New Zealand’s National Cyber Security Centre has joined forces with counterparts in the US and UK, warning companies to configure Microsoft’s PowerShell properly rather than removing or disabling it entirely.
The scripting language and command line tool, included with Microsoft Windows, is extensively used – and highly useful – but it’s often abused by attacks, with the flexibility that enables remote admin exploited to remotely compromise Windows devices and, in some cases, Linux systems as a post-exploitation tool.
“Blocking PowerShell hinders defensive capabilities.”
A January Trellix report says Powershell accounted for 42 percent of native binaries used by threat actors.
That’s prompted some organisations to disable or remove the tool.
But the newly released guidelines from the New Zealand National Cyber Security Centre, the US National Security Agency and Cybersecurity and Infrastructure Security Agency and the United Kingdom National Cyber Security Centre, say disabling Powershell isn’t the solution – in fact, they’re actively advocating against doing so.
“PowerShell is essential to secure the Windows operating system, especially since newer versions have resolved previous limitations and concerns through updates and enhancements,” the agencies say.
They note there are security benefits to PowerShell, both on-prem and in the cloud, including enabling forensics, improving incident response and allowing automation of common or repetitive tasks.
“In Microsoft’s cloud platform Azure, PowerShell can help to manage Azure resources, permitting administrators and defenders to build automated tools and security measures,” the joint advisory says.
“Blocking PowerShell hinders defensive capabilities that current versions of PowerShell can provide and prevents components of the Windows operating system from running properly,” the advisory says.
“However, the extensibility, ease of use and availability of PowerShell also presents an opportunity for malicious cyber actors.”
They’re calling on companies to ensure proper configuration and monitoring to reduce the likelihood of malicious actors using it undetected after gaining access to a victim’s network.
The guidelines – which you can read in full here – essentially boil down to updating to the latest version, locking PowerShell down to prevent hacking, turning on enhanced security features, and turning on logging features which are disabled by default to detect incidents.
The first step, the guidelines say, is to install the latest release, PowerShell 7.2, which includes new security measures including prevention, detection and authentication capabilities, if companies haven’t already done so. (Version 5.1 still ships with Windows 10 and above and the guidelines recommend ‘explicitly disabling and uninstalling’ the second version on Windows 10+.)
Among the recommendations are using built in Windows security features available in PowerShell, including credential protection and network protection, which helps restrict operations unless allowed by the admin, and implementing the anti-malware scan interface feature, introduced with Windows 10.
Configuring AppLocker or Windows Defender Application Control to block actions on a Windows host will cause PowerShell to operate in constrained language mode, restricting operations unless allowed by the administrator defined policies.
Meanwhile, a range of PowerShell offerings, including module logging and over-the-shoulder transcription – disabled by default – can help detect and alert on potential abuses, with the agencies recommending companies enable them.
While PowerShell can function on operating systems including Linux and MacOS, they guidelines make no recommendations for those operating systems.