Who’s afraid of PowerShell security?


imageIs PowerShell a vulnerability?

Does your organization forbid the use of PowerShell remoting? Has InfoSec blocked remote server administration with PowerShell? Do you want to understand PowerShell security better? This post is for you.

Notes from the field…

As a Premier Field Engineer I have delivered PowerShell engagements to countless companies and teams. Over the years I have consistently received questions around PowerShell remoting security. More recently I have worked with multiple customers who had been tasked with restricting PowerShell capabilities in their environment. The conversation usually starts with one of these lines:

  • “InfoSec will not let us turn on PowerShell remoting.”
  • “Our last audit said that PowerShell needs to be locked down on all servers.”
  • “The CIO went to a security conference and then banned PowerShell from the environment.”

Now, be aware that these same companies will leave any one or more of these remote management ports open:

  • Remote Desktop Protocol (RDP)
  • Remote WMI access over RPC, clear text by default, random ports
  • Remote event log management
  • Remote service management
  • SMB file share access
  • PSEXEC

But they are afraid of:

  • PowerShell remoting, always encrypted, single port 5985 or 5986, does all of the above

Here are the key points for a PowerShell security conversation:

  • PowerShell is a neutral administration tool, not a vulnerability.
  • PowerShell remoting respects all Windows authentication and authorization protocols. It requires local Administrators group membership by default.
  • Hackers use PowerShell for the same reasons you do… because it is more convenient than twenty years of other popular command line tools.

Bottom Line

The improvements in WMF 5.0 (or WMF 4.0 with KB3000850) make PowerShell the worst tool of choice for a hacker when you enable script block logging and system-wide transcription. Hackers will leave fingerprints everywhere, unlike popular CMD utilities. For this reason, PowerShell should be the only tool you allow for remote administration. These features allow you to answer the classic questions who, what, when, where, and how for activities on your servers.

The links below provide documentation and training from Microsoft and other industry sources around securing PowerShell in the enterprise and enabling these key points above. Focus especially on the highlighted ones and anything from Lee Holmes.

Microsoft Resources

Download PowerShell WMF 5.0

Leverage all of the new security features in WMF 5.0.

http://microsoft.com/powershell

PowerShell Remoting Security Considerations

New security documentation from the PowerShell team. This is a start, and it will continue to be updated. Give this link to your InfoSec people who need more information.

https://msdn.microsoft.com/en-us/powershell/scripting/setup/winrmsecurity

PowerShell ♥ the Blue Team

Whitepaper by Lee Holmes “Scripting Security and Protection Advances in Windows 10” (PowerShell 5).

Give this to your InfoSec people, your manager, and your grandmother. Then implement it.

https://blogs.msdn.microsoft.com/powershell/2015/06/09/powershell-the-blue-team/

A Comparison of Shell and Scripting Language Security

a deep comparative analysis on security between available shells and scripting languages

https://blogs.msdn.microsoft.com/powershell/2017/04/10/a-comparison-of-shell-and-scripting-language-security/

Just Enough Administration

JEA is how you restrict capabilities of remote PowerShell sessions. This is huge for securing your environment and a major thrust in Windows Server 2016 (available down level with WMF 5.0).

https://msdn.microsoft.com/powershell/jea/readme

Introducing the updated JEA Helper Tool

https://blogs.technet.microsoft.com/privatecloud/2015/12/20/introducing-the-updated-jea-helper-tool/

Windows Event Forwarding guidance

http://aka.ms/wef

Maslow’s Hierarchy of Security Controls

http://www.leeholmes.com/blog/2014/12/08/maslows-hierarchy-of-security-controls/

Use Windows Event Forwarding to help with intrusion detection

An operational guide for implementing WEF based on the experience of Microsoft IT in a large-scale environment

https://technet.microsoft.com/itpro/windows/keep-secure/use-windows-event-forwarding-to-assist-in-instrusion-detection

The Underhanded PowerShell Contest

Microsoft’s community effort to identify and defend against malicious PowerShell code.

https://github.com/PowerShell/underhanded-powershell

https://blogs.msdn.microsoft.com/powershell/2016/03/07/announcing-the-underhanded-powershell-contest/

Follow Lee Holmes on Twitter

PowerShell team security lead, Microsoft Lead Security Architect for Enterprise Cloud Group & Azure Stack. Constant stream of relevant info and links.

https://twitter.com/Lee_Holmes

PowerShell Remoting Exposed

An article that includes network traces comparing WMI, RPC, and WINRM/WSMAN PowerShell remoting protocols on the wire. It also includes a list of PowerShell help topics for more information.

https://blogs.technet.microsoft.com/ashleymcglone/2011/04/18/powershell-remoting-exposed-how-to-command-your-minions/

External Resources

eBook: Secrets of PowerShell Remoting
https://powershell.org/ebooks/

NSA: Spotting the Adversary with Windows Event Log Monitoring
https://www.nsa.gov/ia/_files/app/spotting_the_adversary_with_windows_event_log_monitoring.pdf

Securing PowerShell in the Enterprise

Information security advice for all levels of government

Australian Signals Directorate, Australian Government Department of Defence

http://www.asd.gov.au/publications/protect/securing-powershell.htm

FireEye: Investigating PowerShell Attacks (BlackHat USA 2014)

https://www.fireeye.com/content/dam/fireeye-www/global/en/solutions/pdfs/wp-lazanciyan-investigating-powershell-attacks.pdf

Verizon 2016 Data Breach Investigations Report

Not PowerShell-specific, but good insight to breach techniques.

http://www.verizonenterprise.com/verizon-insights-lab/dbir/2016/

http://www.verizonenterprise.com/resources/reports/rp_DBIR_2016_Report_en_xg.pdf

Audio/Video

Microsoft Virtual Academy: What’s New in PowerShell v5

Lee Holmes and Ryan Puffer demonstrate security and JEA in WMF 5

http://aka.ms/MVAps5

PowerShell Security at DerbyCon 2016
Great list of security conference session recordings on the current landscape of PowerShell security. Includes talks by Jeffrey Snover and Lee Holmes.
https://blogs.msdn.microsoft.com/powershell/2016/09/27/powershell-security-at-derbycon

Security Weekly 460: Interview with Lee Holmes

https://www.youtube.com/watch?v=tzcabAVuJFw

RunAs Radio Podcast #471: Just Enough Admin and Windows Server 2016 with Jeffrey Snover

http://www.runasradio.com/default.aspx?ShowNum=471&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+RunasRadio+%28RunAs+Radio+%28mp3%29%29

Microsoft Ignite 2015: JEA: A PowerShell Toolkit to Secure a Post-Snowden World

WMF 4.0 version of JEA. Now superseded by WMF 5.x.

https://channel9.msdn.com/events/Ignite/2015/BRK2470

PowerShell Summit 2015: Managing PowerShell in the Enterprise Using Group Policy

Overview of GPOs involved for securing PowerShell

https://blogs.technet.microsoft.com/ashleymcglone/2015/04/22/pshsummit-managing-powershell-in-the-enterprise-using-group-policy/

PowerShell Summit 2015: Defending the Defenders Pt 1

Lee Holmes and MVP Jeff Hicks

https://www.youtube.com/watch?v=2HBTj0WU5lY&list=PLfeA8kIs7CochwcgX9zOWxh4IL3GoG05P&index=16

PowerShell Summit 2015: Defending the Defenders Pt 2

Lee Holmes and MVP Jeff Hicks

https://www.youtube.com/watch?v=mua7DhxamHs&list=PLfeA8kIs7CochwcgX9zOWxh4IL3GoG05P&index=17

PowerShell Summit 2015: Keeping Secrets

MVP Dave Wyatt

https://www.youtube.com/watch?v=Ta2hQHVKauo&index=19&list=PLfeA8kIs7CochwcgX9zOWxh4IL3GoG05P

PowerShell Remoting Exposed: How To Command Your Minions

Review of PowerShell remoting security, including packet captures to demonstrate the encryption.

https://blogs.technet.microsoft.com/ashleymcglone/2011/04/18/powershell-remoting-exposed-how-to-command-your-minions/

Edit 4/17/2017: Added link to A Comparison of Shell and Scripting Language Security

Edit 6/29/2017: Added Remoting Exposed link. Added blog post link with sample scripts to the Managing PowerShell in the Enterprise with Group Policy.

Comments (5)

Cancel reply

  1. Mathu says:

    Hi, what about PS version 3, can we turn on script block logging?

  2. Hello Mathu,
    No. Script block logging is not available in WMF 3.0. You need at least WMF 4.0 with the KB mentioned above. Best case is to use WMF 5.x.
    Ashley

  3. Jorge Vilhena [MS] says:

    Great article once again. Some good and useful stuff. Keep it coming.

  4. Drew Burt says:

    Ashley thanks for keeping us updated.
    Cheers,
    Drew

Skip to main content