
Securing PowerShell in the Enterprise

Download ACSC Protect: Securing PowerShell in the Enterprise (PDF), March 2016
First published March 2016

Table of contents

  • Introduction
  • Background
  • Security issues
  • Maturity framework for PowerShell
  • Recommended mitigations
    • Script whitelisting
    • Script execution policy
    • PowerShell version
    • Role-based application whitelisting
    • Logging and analysis
    • Prevent modification and enable auditing of configuration settings and transcripts
    • Remoting configuration
    • Constrained endpoints
  • External references
  • Contact
  • Appendix A: Maturity framework
  • Appendix B: PowerShell script execution policy
  • Appendix C: Configure PowerShell logging requirements
  • Appendix D: Microsoft Windows security auditing
  • Appendix E: Log analysis
  • Appendix F: Lock down the registry and transcript directory
  • Appendix G: Hardened WinRM configuration
  • Appendix H: Constrained endpoints

Introduction

  1. PowerShell is a powerful shell scripting language developed by Microsoft to provide an integrated interface for automated system administration. It is an important part of the system administration toolkit due to its ubiquity and the ease with which it can be used to fully control Microsoft Windows systems. However, it is also a dangerous post-exploitation tool in the hands of an adversary.
  2. This document, developed by the Australian Signals Directorate (ASD), describes a maturity framework for PowerShell in a way that balances the security and business requirements of organisations. This maturity framework will enable organisations to take incremental steps towards securing PowerShell across their environment.

Background

  1. PowerShell is the latest in a line of Microsoft Windows command-line shells such as MS-DOS and cmd.exe. While Microsoft Windows also has the cmd.exe console, the actions it can perform are limited compared to those PowerShell is capable of.
  2. PowerShell is integrated with the .NET Framework and has full access to Component Object Model (COM) and Windows Management Instrumentation (WMI) functionality. Furthermore, it has full access to the Windows Application Programming Interface (WinAPI) via the .NET Framework. The default installation of PowerShell contains a large number of built-in cmdlets, which are small .NET programs that are accessed by PowerShell through simple commands. This provides a powerful and easy-to-use interface to the underlying system and allows for automation of a wide variety of tasks.
  3. PowerShell can be run locally or across the network through a feature known as Windows Remote Management (WinRM). To facilitate the use of WinRM, remote workstations and servers on which code is executed must have remoting enabled. Microsoft Windows Server 2012 and newer Microsoft Windows operating systems have remoting enabled by default.
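As an added example that is not part of the ACSC document, the following PowerShell function reports, read-only, the host settings that the mitigations listed in the table of contents concern: PowerShell version, execution policy, the Group Policy logging keys, and the WinRM remoting state described above. It assumes an elevated PowerShell 5.0 or later session on a supported Windows host; the function name is hypothetical.

```powershell
# Added example (not from the ACSC document): read-only audit of a host's
# PowerShell security posture. Assumes an elevated session on Windows 8.1 /
# Server 2012 R2 or later. Registry paths are the documented Group Policy
# locations for PowerShell logging; no settings are changed.
function Get-PowerShellSecurityPosture {
    $result = [ordered]@{}

    # 1. Version: script block logging and transcription need PowerShell 5.0+.
    $result.PSVersion = $PSVersionTable.PSVersion.ToString()

    # 2. Execution policy at each scope (a safety net, not a security boundary).
    $result.ExecutionPolicy = (Get-ExecutionPolicy -List |
        ForEach-Object { "$($_.Scope)=$($_.ExecutionPolicy)" }) -join '; '

    # 3. Logging policy keys: each value is 1 when enabled through Group Policy.
    $policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
    $checks = @{
        ScriptBlockLogging = 'EnableScriptBlockLogging'
        ModuleLogging      = 'EnableModuleLogging'
        Transcription      = 'EnableTranscripting'
    }
    foreach ($key in $checks.Keys) {
        $path  = Join-Path $policyRoot $key
        $value = (Get-ItemProperty -Path $path -ErrorAction SilentlyContinue).($checks[$key])
        $result["Logging.$key"] = if ($value -eq 1) { 'Enabled' } else { 'NotEnabled' }
    }

    # 4. Remoting: WinRM service state, listeners and session configurations
    #    (remoting is enabled by default on Server 2012 and newer).
    $winrm = Get-Service -Name WinRM -ErrorAction SilentlyContinue
    $result.WinRMService = if ($winrm) { $winrm.Status } else { 'NotInstalled' }
    if ($winrm -and $winrm.Status -eq 'Running') {
        $listeners = Get-ChildItem -Path WSMan:\localhost\Listener -ErrorAction SilentlyContinue
        $result.WinRMListeners = ($listeners | ForEach-Object {
            ($_.Keys | Where-Object { $_ -like 'Transport=*' }) -replace '^Transport=', ''
        }) -join ', '
        # Endpoints: anything beyond constrained endpoints for administrators
        # is worth reviewing against the permissions shown here.
        $result.SessionConfigurations = (Get-PSSessionConfiguration -ErrorAction SilentlyContinue |
            ForEach-Object { "$($_.Name) [$($_.Permission)]" }) -join '; '
    }

    [pscustomobject]$result
}

Get-PowerShellSecurityPosture | Format-List
```

Run it on a representative workstation and server build to see which of the document's mitigations are already in place before applying the maturity framework.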

Keep reading ACSC Protect: Securing PowerShell in the Enterprise (PDF).

External references

The following external references provide additional details on securing PowerShell and associated components and may be of interest to the reader:

Contact details

Organisations or individuals with questions regarding this advice can contact the ACSC by emailing asd.assist@defence.gov.au or calling 1300 CYBER1 (1300 292 371).

In August 2018 ACSC launched a new website, cyber.gov.au, to reflect its new organisation.

Cyber security programs and advice are being migrated to cyber.gov.au. Information and advice on this site remains current.
