Government cyber security agencies in the UK, US and New Zealand are telling systems admins to configure PowerShell properly – but not to follow a rising trend of disabling it.
The agencies published a joint advisory saying the command line interface that ships with Windows is a powerful tool to defend systems, if it’s configured and monitored properly.
PowerShell is a CLI with scripting language support, similar to shells shipped with UNIX and UNIX-like operating systems, and can be used to execute code and systems administration.
However, PowerShell’s extensive capabilities have been abused by threat actors for ransomware attacks and network reconnaissance.
That has led some administrators to block PowerShell, but this could get in the way of the defensive capabilities it can provide, and even prevent parts of Windows from running properly.
Now, the National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), the New Zealand National Cyber Security Centre (NZ NCSC), and the United Kingdom National Cyber Security Centre (NCSC-UK) have summarised a range of measures to secure PowerShell.
The joint advisory [pdf] suggests administrators protect login credentials when accessing PowerShell on Windows hosts over networks, and set up Windows firewall rules to control permitted remote connections.
Later versions of PowerShell come with an extensive range of security features, such as the antimalware scan interface (AMSI) integration, which allows anti-virus products to scan memory and files for potentially malicious content.
AppLocker and Windows Defender Application Control (WDAC) can enhance security by setting PowerShell in Constrained Language Mode which restricts operations unless allowed by administrator policies.
Monitoring PowerShell can be done with Deep Script Block Logging (DSBL), transcription of activities in the CLI, and logging for modules.
It should be noted that older versions of PowerShell do not support the full set of security and logging features, which is available in version 7 on Windows 10 and 11.