Securing PowerShell in the Enterprise
Download ACSC Protect: Securing PowerShell in the Enterprise (PDF), January 2019
First published 2016; updated January 2019
Table of contents
- Security issues
- Using PowerShell to administer your environment
- Maturity framework for PowerShell
- Recommended mitigations
  - Script whitelisting
  - Script execution policy
  - PowerShell version
  - Role-based application whitelisting
  - Logging and analysis
  - Prevent modification and enable auditing of configuration settings and transcripts
  - Remoting configuration
  - Constrained endpoints
- Further information
- Contact details
- Appendix A: Maturity framework
- Appendix B: PowerShell script execution policy
- Appendix C: Configure PowerShell logging requirements
- Appendix D: Microsoft Windows security auditing
- Appendix E: Log analysis
- Appendix F: Lock down the registry and transcript directory
- Appendix G: Hardened WinRM configuration
- Appendix H: Constrained endpoints
PowerShell is a powerful shell scripting language developed by Microsoft to provide an integrated interface for automated system administration. It is an important part of the system administration toolkit due to its ubiquity and the ease with which it can be used to fully control Microsoft Windows systems. However, it is also a dangerous post-exploitation tool in the hands of an adversary.
This document, developed by the Australian Signals Directorate (ASD), describes a maturity framework for PowerShell in a way that balances the security and business requirements of organisations. This maturity framework will enable organisations to take incremental steps towards securing PowerShell across their environment.
PowerShell is the latest in a line of Microsoft Windows command-line shells such as MS-DOS and cmd.exe. While Microsoft Windows still ships the cmd.exe console, the actions it can perform are limited compared with those PowerShell is capable of.
PowerShell is integrated with the .NET Framework and has full access to Component Object Model (COM) and Windows Management Instrumentation (WMI) functionality. Furthermore, it has full access to the Windows Application Programming Interface (WinAPI) via the .NET Framework. The default installation of PowerShell contains a large number of built-in cmdlets, which are small .NET programs that are accessed by PowerShell through simple commands. This provides a powerful and easy-to-use interface to the underlying system and allows for automation of a wide variety of tasks.
PowerShell can be run locally or across the network through a feature known as Windows Remote Management (WinRM). To facilitate the use of WinRM, remote workstations and servers on which code is executed must have remoting enabled. Microsoft Windows Server 2012 and newer Microsoft Windows operating systems have remoting enabled by default.
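The mitigations listed in the table of contents (PowerShell version, execution policy, logging, remoting configuration, constrained endpoints) all correspond to host settings that can be read back. The following audit script is an added example and is not part of the ASD/ACSC document; it uses the standard WinRM cmdlets and the Group Policy registry locations Windows uses for PowerShell logging, and it assumes an elevated session so that session configurations can be enumerated.

```powershell
# Added example (not from the ASD/ACSC document): report the host-level PowerShell
# settings that the maturity framework's mitigations touch. Run elevated.
function Get-PowerShellPostureReport {
    $policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

    # Read one policy value under the PowerShell policy root; $null when not configured.
    function Read-PolicyValue([string]$SubKey, [string]$Name) {
        $item = Get-ItemProperty -Path (Join-Path $policyRoot $SubKey) -Name $Name -ErrorAction SilentlyContinue
        if ($item) { $item.$Name } else { $null }
    }

    # Remoting state: WinRM service status and configured listeners.
    $winrm = Get-Service -Name WinRM -ErrorAction SilentlyContinue
    $listeners = @()
    if ($winrm -and $winrm.Status -eq 'Running') {
        $listeners = @(Get-ChildItem -Path WSMan:\localhost\Listener -ErrorAction SilentlyContinue)
    }

    # Session configurations beyond the Microsoft defaults indicate constrained endpoints.
    $customConfigs = @()
    try {
        $customConfigs = @(Get-PSSessionConfiguration -ErrorAction Stop |
            Where-Object { $_.Name -notlike 'microsoft.*' } |
            Select-Object -ExpandProperty Name)
    } catch {
        # Remoting disabled or session not elevated: report none rather than fail.
    }

    [pscustomobject]@{
        PowerShellVersion            = $PSVersionTable.PSVersion.ToString()
        MachinePolicyExecutionPolicy = (Get-ExecutionPolicy -Scope MachinePolicy).ToString()
        LocalMachineExecutionPolicy  = (Get-ExecutionPolicy -Scope LocalMachine).ToString()
        ScriptBlockLogging           = (Read-PolicyValue 'ScriptBlockLogging' 'EnableScriptBlockLogging') -eq 1
        ModuleLogging                = (Read-PolicyValue 'ModuleLogging' 'EnableModuleLogging') -eq 1
        Transcription                = (Read-PolicyValue 'Transcription' 'EnableTranscripting') -eq 1
        TranscriptDirectory          = Read-PolicyValue 'Transcription' 'OutputDirectory'
        WinRMServiceStatus           = if ($winrm) { $winrm.Status.ToString() } else { 'NotInstalled' }
        WinRMListenerCount           = $listeners.Count
        CustomSessionConfigurations  = $customConfigs
    }
}

Get-PowerShellPostureReport | Format-List
```

A host that reports `ScriptBlockLogging`, `ModuleLogging` and `Transcription` as `False`, or `CustomSessionConfigurations` as empty while `WinRMListenerCount` is non-zero, is exposing remoting without the logging and constrained endpoints the document recommends.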
The Australian Government Information Security Manual (ISM) assists in the protection of information that is processed, stored or communicated by organisations' systems.
The Strategies to Mitigate Cyber Security Incidents complement the advice in the ISM.
The following references provide additional details on securing PowerShell and associated components:
Organisations or individuals with questions regarding this advice can contact the ACSC by emailing firstname.lastname@example.org or calling 1300 CYBER1 (1300 292 371).
In August 2018 ACSC launched a new website, cyber.gov.au, to reflect its new organisation.
Cyber security programs and advice are being migrated to cyber.gov.au. Information and advice on this site remains current.
Reports help the ACSC to develop a better understanding of the threat environment and will assist other organisations who are also at risk.
Cyber security incident reports are also used in aggregate for developing new defensive policies, procedures, techniques and training measures to help prevent future incidents.