NSA Shares Tips On Securing Windows Devices With PowerShell
Friday June 24, 2022. 05:30 AM , from Slashdot
Reducing the risk of threat actors abusing PowerShell requires leveraging capabilities in the framework such as PowerShell remoting, which does not expose plain-text credentials when executing commands remotely on Windows hosts. Administrators should be aware that enabling this feature on private networks automatically adds a new rule in Windows Firewall that permits all connections. Customizing Windows Firewall to allow connections only from trusted endpoints and networks helps reduce an attacker's chance for successful lateral movement. For remote connections, the agencies advise using the Secure Shell protocol (SSH), supported in PowerShell 7, to add the convenience and security of public-key authentication:
- remote connections don't need HTTPS with SSL certificates - no need for Trusted Hosts, as required when remoting over WinRM outside a domain - secure remote management over SSH without a password for all commands and connections - PowerShell remoting between Windows and Linux hosts
Another recommendation is to reduce PowerShell operations with the help of AppLocker or Windows Defender Application Control (WDAC) to set the tool to function in Constrained Language Mode (CLM), thus denying operations outside the policies defined by the administrator. Recording PowerShell activity and monitoring the logs are two recommendations that could help administrators find signs of potential abuse. The NSA and its partners propose turning on features like Deep Script Block Logging (DSBL), Module Logging, and Over-the-Shoulder transcription (OTS). The first two enable building a comprehensive database of logs that can be used to look for suspicious or malicious PowerShell activity, including hidden action and the commands and scripts used in the process. With OTS, administrators get records of every PowerShell input or output, which could help determine an attacker's intentions in the environment. The full document, titled 'Keeping PowerShell: Security Measures to Use and Embrace' is available here (PDF).
Read more of this story at Slashdot.
Jul, Tue 5 - 11:28 CEST