Securing PowerShell in the Enterprise
Download ACSC Protect: Securing PowerShell in the Enterprise (PDF), March 2016
First published March 2016
Table of contents
- Security issues
- Maturity framework for PowerShell
- Recommended mitigations
- Script whitelisting
- Script execution policy
- PowerShell version
- Role-based application whitelisting
- Logging and analysis
- Prevent modification and enable auditing of configuration settings and transcripts
- Remoting configuration
- Constrained endpoints
- External references
- Appendix A: Maturity framework
- Appendix B: PowerShell script execution policy
- Appendix C: Configure PowerShell logging requirements
- Appendix D: Microsoft Windows security auditing
- Appendix E: Log analysis
- Appendix F: Lock down the registry and transcript directory
- Appendix G: Hardened WinRM configuration
- Appendix H: Constrained endpoints
PowerShell is a powerful shell and scripting language developed by Microsoft to provide an integrated interface for automated system administration. It is an important part of the system administration toolkit due to its ubiquity and the ease with which it can be used to fully control Microsoft Windows systems. However, it is also a dangerous post-exploitation tool in the hands of an adversary.
This document, developed by the Australian Signals Directorate (ASD), describes a maturity framework for PowerShell in a way that balances the security and business requirements of organisations. This maturity framework will enable organisations to take incremental steps towards securing PowerShell across their environment.
PowerShell is the latest in a line of Microsoft command-line shells, following the MS-DOS command interpreter (COMMAND.COM) and cmd.exe. The cmd.exe console is still present on Microsoft Windows, but the actions it can perform natively are limited compared with what PowerShell is capable of.
PowerShell is built on the .NET Framework and has full access to Component Object Model (COM) and Windows Management Instrumentation (WMI) functionality. Through .NET it also has full access to the native Windows Application Programming Interface (WinAPI), since .NET can call into unmanaged libraries (platform invoke). The default installation of PowerShell contains a large number of built-in cmdlets, which are small .NET classes exposed to PowerShell as simple verb-noun commands. Together these provide a powerful and easy-to-use interface to the underlying system and allow a wide variety of tasks to be automated. The same reach is available to an adversary who obtains a PowerShell session, which is why the mitigations in this document concentrate on constraining and logging what PowerShell is permitted to do.
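The following script is an added example, not part of the ACSC document, that exercises each of the integration surfaces described above (built-in cmdlets, the .NET Framework, COM, WMI and the Windows API via a compiled P/Invoke stub) from one session. It assumes Windows PowerShell 5.1 on a Windows host; WScript.Shell is a COM server present on every Windows installation, and nothing else is assumed.

```powershell
# Added example (not from the ACSC document). Assumes Windows PowerShell 5.1
# on Windows; WScript.Shell is a standard COM server on every Windows install.

# Built-in cmdlets: compiled .NET classes exposed as verb-noun commands.
$cmdletCount = (Get-Command -CommandType Cmdlet).Count

# .NET Framework: static members and object construction need no glue code.
$osVersion = [System.Environment]::OSVersion.VersionString
$sha256    = [System.Security.Cryptography.SHA256]::Create()
$digest    = $sha256.ComputeHash([System.Text.Encoding]::UTF8.GetBytes('hello'))
$hashHex   = [System.BitConverter]::ToString($digest).Replace('-', '')

# COM: any registered COM server is reachable by its ProgID.
$shell         = New-Object -ComObject WScript.Shell
$desktopFolder = $shell.SpecialFolders.Item('Desktop')

# WMI: the CIM cmdlets query the WMI repository (add -ComputerName for remote hosts).
$lastBoot = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime

# Windows API: Add-Type compiles a C# P/Invoke stub in memory and loads it as a
# .NET type, so native functions can be called without any binary touching disk.
# (A type name can only be added once per session; re-running this block errors.)
$kernel32 = Add-Type -Namespace Win32 -Name Kernel32 -PassThru -MemberDefinition @'
[DllImport("kernel32.dll")]
public static extern uint GetCurrentProcessId();
'@
$pidFromApi = $kernel32::GetCurrentProcessId()

[pscustomobject]@{
    BuiltInCmdlets = $cmdletCount
    OSVersion      = $osVersion
    Sha256OfHello  = $hashHex
    DesktopFolder  = $desktopFolder
    LastBootUpTime = $lastBoot
    PidFromWinApi  = $pidFromApi
    MatchesPID     = ($pidFromApi -eq $PID)
}
```

None of these steps writes an executable to disk, which is the property that makes PowerShell attractive for post-exploitation and the reason the logging controls listed in the table of contents matter: the Add-Type call in particular is visible only if script block logging or transcription is in place.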
PowerShell can be run locally or on remote systems through Windows Remote Management (WinRM), Microsoft's implementation of the WS-Management protocol, over which PowerShell remoting operates. For remoting to work, the remote workstations and servers on which code is to be executed must have remoting enabled: the WinRM service running with a listener configured (TCP port 5985 for HTTP and 5986 for HTTPS by default) and the host firewall permitting inbound connections to it. Microsoft Windows Server 2012 and newer server operating systems have remoting enabled by default; Microsoft Windows client operating systems do not, and it must be enabled explicitly.
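As an added example (not part of the ACSC document), the script below checks the local WinRM service and its listeners, probes a remote host with an unauthenticated WS-Management Identify request, and, only if that host answers, runs a command on it. It assumes Windows PowerShell 5.1 in an elevated session (the WSMan: drive needs administrative rights), a domain-joined caller whose account is an administrator on the target, and the placeholder host name server01.corp.example.

```powershell
# Added example (not from the ACSC document). Assumes Windows PowerShell 5.1,
# an elevated session, and a domain account with admin rights on the target.
# 'server01.corp.example' is a placeholder host name.

function Get-RemotingStatus {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$ComputerName)

    $status = [ordered]@{
        ComputerName   = $ComputerName
        LocalWinRM     = (Get-Service -Name WinRM).Status
        LocalListeners = @()
        RemoteWSMan    = $null
    }

    # The WSMan: drive is only browsable while the local WinRM service runs.
    if ($status.LocalWinRM -eq 'Running') {
        $status.LocalListeners = @(Get-ChildItem WSMan:\localhost\Listener | ForEach-Object {
            $props = Get-ChildItem $_.PSPath
            '{0}:{1}' -f ($props | Where-Object Name -eq 'Transport').Value,
                         ($props | Where-Object Name -eq 'Port').Value
        })
    }

    # Test-WSMan sends an unauthenticated WS-Management Identify request; any
    # failure means no listener is reachable (service stopped, firewall, wrong port).
    try {
        $status.RemoteWSMan = (Test-WSMan -ComputerName $ComputerName -ErrorAction Stop).ProductVersion
    } catch {
        $status.RemoteWSMan = 'unreachable: ' + $_.Exception.Message
    }

    [pscustomobject]$status
}

$target = 'server01.corp.example'    # placeholder host name
$status = Get-RemotingStatus -ComputerName $target
$status | Format-List

# Only if the remote listener answered: execute code there over WinRM
# (TCP 5985/HTTP by default, Kerberos authentication inside a domain).
if ($status.RemoteWSMan -notlike 'unreachable*') {
    Invoke-Command -ComputerName $target -ScriptBlock {
        [pscustomobject]@{
            Host      = $env:COMPUTERNAME
            RunningAs = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
            PSVersion = $PSVersionTable.PSVersion.ToString()
        }
    }
}

# Windows client editions ship with remoting off. Enabling it is an elevated
# configuration change that starts WinRM, creates an HTTP listener and opens
# the firewall; shown commented out because it alters the host:
#   Enable-PSRemoting -Force    # add -SkipNetworkProfileCheck if a network is Public
```

The Identify probe in Test-WSMan needs no credentials, so it is also what an adversary uses to find hosts that will accept remote PowerShell; the reported listener transport and port are the starting point for the hardened WinRM configuration covered later in this document.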
The following external references provide additional details on securing PowerShell and associated components and may be of interest to the reader:
Organisations or individuals with questions regarding this advice can contact the ACSC by emailing firstname.lastname@example.org or calling 1300 CYBER1 (1300 292 371).