Who's afraid of PowerShell security?
Does your organization forbid the use of PowerShell remoting? Has InfoSec blocked remote server administration with PowerShell? Do you want to understand PowerShell security better? This post is for you.
Notes from the field…
As a Premier Field Engineer I have delivered PowerShell engagements to countless companies and teams. Over the years I have consistently received questions around PowerShell remoting security. More recently I have worked with multiple customers who had been tasked with restricting PowerShell capabilities in their environment. The conversation usually starts with one of these lines:
- “InfoSec will not let us turn on PowerShell remoting.”
- “Our last audit said that PowerShell needs to be locked down on all servers.”
- “The CIO went to a security conference and then banned PowerShell from the environment.”
Now, be aware that these same companies will leave any one or more of these remote management ports open:
- Remote Desktop Protocol (RDP)
- Remote WMI access over RPC: clear text by default, dynamic ports
- Remote event log management
- Remote service management
- SMB file share access
But they are afraid of:
- PowerShell remoting: always encrypted, a single port (5985 or 5986), and it does everything in the list above
Here are the key points for a PowerShell security conversation:
- PowerShell is a neutral administration tool, not a vulnerability.
- PowerShell remoting respects all Windows authentication and authorization protocols. It requires local Administrators group membership by default.
- Hackers use PowerShell for the same reasons you do… because it is more convenient than twenty years of other popular command line tools.
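Before arguing the points above with InfoSec, it helps to have the facts from the server itself. The following is an added example (not part of the original post) that reviews, read-only, what a WinRM/PowerShell remoting endpoint exposes: which listeners and ports are open, whether unencrypted traffic is allowed, which authentication methods are offered, who is authorized to connect, and which of the legacy remote-management ports listed above are also listening. Run it elevated on the server under review; the port-to-purpose table is constructed for this example.

```powershell
# Added example: read-only review of a server's remoting exposure.
# Nothing below changes configuration. Run from an elevated prompt.

# 1. Listeners: which transport/port is open? Expect HTTP/5985 and/or HTTPS/5986.
Get-ChildItem -Path WSMan:\localhost\Listener |
    ForEach-Object {
        $props = Get-ChildItem -Path $_.PSPath
        [pscustomobject]@{
            Transport = ($props | Where-Object Name -eq 'Transport').Value
            Port      = ($props | Where-Object Name -eq 'Port').Value
            Address   = ($props | Where-Object Name -eq 'Address').Value
        }
    }

# 2. Encryption policy: AllowUnencrypted must stay 'false' (the default) so that
#    even the HTTP/5985 listener only carries Kerberos/NTLM-encrypted payloads.
$unencrypted = (Get-Item -Path WSMan:\localhost\Service\AllowUnencrypted).Value
if ($unencrypted -ne 'false') {
    Write-Warning 'AllowUnencrypted is enabled on this host; set it back to false via Group Policy.'
}

# 3. Authentication methods the service offers. Basic should be 'false'.
Get-ChildItem -Path WSMan:\localhost\Service\Auth |
    Select-Object Name, Value

# 4. Authorization: who may connect to each endpoint? By default only
#    BUILTIN\Administrators and BUILTIN\Remote Management Users.
Get-PSSessionConfiguration |
    Select-Object Name, PSVersion, Permission

# 5. Cross-check against the classic remote-management ports from the post.
#    Any of these listening means the box already accepts remote admin traffic,
#    just with far less logging than remoting gives you.
#    (Port-to-purpose table constructed for this example.)
$legacyPorts = @{
    135  = 'RPC endpoint mapper (WMI/DCOM, remote service and event log management)'
    445  = 'SMB file shares'
    3389 = 'Remote Desktop Protocol'
}
Get-NetTCPConnection -State Listen |
    Where-Object { $legacyPorts.ContainsKey([int]$_.LocalPort) } |
    Select-Object LocalPort, @{ n = 'Purpose'; e = { $legacyPorts[[int]$_.LocalPort] } } -Unique
```

Steps 2 and 3 read the WSMan: drive, so they reflect the effective service configuration whether it was set locally or pushed by Group Policy; step 5 needs the NetTCPIP module (Windows 8 / Server 2012 and later).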
The improvements in WMF 5.0 (or WMF 4.0 with KB3000850) make PowerShell the worst possible tool for a hacker to choose once you enable script block logging and system-wide transcription. Hackers will leave fingerprints everywhere, unlike with the popular CMD utilities. For this reason, PowerShell should be the only tool you allow for remote administration. These features let you answer the classic questions who, what, when, where, and how for activity on your servers.
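As an added example (not code from the original post), here are the policy settings behind script block logging, module logging, and system-wide transcription, written as the registry values that the corresponding Group Policy objects set, followed by a query that pulls the resulting fingerprints out of the event log. In a domain you would set these through GPO (Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell); the registry form is for a lab or a single host. The transcript directory is an assumption for this example.

```powershell
# Added example: enable the WMF 5.0 logging features and read back what they record.
# Requires WMF 5.0 (or WMF 4.0 with KB3000850) and an elevated prompt.

$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

# Script block logging: every script block is written to the
# Microsoft-Windows-PowerShell/Operational log as event 4104, after
# de-obfuscation, no matter how it was delivered.
New-Item -Path "$policyRoot\ScriptBlockLogging" -Force | Out-Null
Set-ItemProperty -Path "$policyRoot\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -Type DWord

# Module logging: pipeline execution details (event 4103) for every module.
New-Item -Path "$policyRoot\ModuleLogging\ModuleNames" -Force | Out-Null
Set-ItemProperty -Path "$policyRoot\ModuleLogging" -Name EnableModuleLogging -Value 1 -Type DWord
Set-ItemProperty -Path "$policyRoot\ModuleLogging\ModuleNames" -Name '*' -Value '*'

# System-wide transcription: a text transcript of every session (console,
# remoting, ISE, scripts launched by other tools) is written to this directory.
# The path is an assumption for this example; in production point it at a
# write-only share that users cannot read back or delete.
$transcriptDir = 'C:\PSTranscripts'
New-Item -Path "$policyRoot\Transcription" -Force | Out-Null
Set-ItemProperty -Path "$policyRoot\Transcription" -Name EnableTranscripting    -Value 1 -Type DWord
Set-ItemProperty -Path "$policyRoot\Transcription" -Name EnableInvocationHeader -Value 1 -Type DWord
Set-ItemProperty -Path "$policyRoot\Transcription" -Name OutputDirectory        -Value $transcriptDir

# Only new PowerShell processes pick up the policy, so verify from a fresh
# session. The query below answers "who ran what, when" from the 4104 events;
# Properties[2] of a 4104 event is the script block text.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-PowerShell/Operational'
    Id      = 4104
} -MaxEvents 20 |
    Select-Object TimeCreated,
                  @{ n = 'User';   e = { $_.UserId } },
                  @{ n = 'Script'; e = { $_.Properties[2].Value } }
```

The "where" and "how" come from the transcript header, which records the host application: a remoting session shows wsmprovhost.exe as its host, which is what distinguishes remote administration from someone typing at the console.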
The links below provide documentation and training from Microsoft and other industry sources on securing PowerShell in the enterprise and on putting the key points above into practice. Focus especially on the highlighted ones and anything from Lee Holmes.
Download PowerShell WMF 5.0
Leverage all of the new security features in WMF 5.0.
PowerShell Remoting Security Considerations
New security documentation from the PowerShell team. This is a start, and it will continue to be updated. Give this link to your InfoSec people who need more information. https://msdn.microsoft.com/en-us/powershell/scripting/setup/winrmsecurity
PowerShell ♥ the Blue Team
Whitepaper by Lee Holmes “Scripting Security and Protection Advances in Windows 10” (PowerShell 5).
Give this to your InfoSec people, your manager, and your grandmother. Then implement it. https://blogs.msdn.microsoft.com/powershell/2015/06/09/powershell-the-blue-team/
A Comparison of Shell and Scripting Language Security
A deep comparative analysis of the security of the available shells and scripting languages. https://blogs.msdn.microsoft.com/powershell/2017/04/10/a-comparison-of-shell-and-scripting-language-security/
Just Enough Administration
JEA is how you restrict capabilities of remote PowerShell sessions. This is huge for securing your environment and a major thrust in Windows Server 2016 (available down level with WMF 5.0). https://msdn.microsoft.com/powershell/jea/readme
Introducing the updated JEA Helper Tool https://blogs.technet.microsoft.com/privatecloud/2015/12/20/introducing-the-updated-jea-helper-tool/
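To make "restrict capabilities of remote PowerShell sessions" concrete, here is an added example (not from the original post or the JEA documentation) of a minimal JEA endpoint: a helpdesk group may list services and restart two specific ones, and nothing else, with the session running as a transient virtual account so the connecting user needs no administrative rights on the server at all. The endpoint name JEADemo, the group CONTOSO\ServiceDeskOperators, the service names and the transcript path are all assumptions for this example. Requires WMF 5.0 or later and an elevated prompt on the target server.

```powershell
# Added example: a least-privilege JEA endpoint for restarting two services.

$moduleName = 'JEADemo'                                  # assumed name
$modulePath = Join-Path -Path "$env:ProgramFiles\WindowsPowerShell\Modules" -ChildPath $moduleName
$roleDir    = Join-Path -Path $modulePath -ChildPath 'RoleCapabilities'
New-Item -Path $roleDir -ItemType Directory -Force | Out-Null
New-ModuleManifest -Path (Join-Path $modulePath "$moduleName.psd1") -Description 'JEA demo role capabilities'

# Role capability: the allow-list of what the role may run. Restart-Service is
# exposed only with -Name limited to two values; every other cmdlet, and every
# other parameter, is invisible inside the session.
New-PSRoleCapabilityFile -Path (Join-Path $roleDir 'ServiceDeskOperator.psrc') `
    -VisibleCmdlets @(
        'Get-Service',
        @{ Name       = 'Restart-Service'
           Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler', 'W32Time' } }
    ) `
    -VisibleFunctions 'Get-Uptime' `
    -FunctionDefinitions @{
        Name        = 'Get-Uptime'
        # The function body may call commands the user cannot see (Get-CimInstance here).
        ScriptBlock = { (Get-Date) - (Get-CimInstance Win32_OperatingSystem).LastBootUpTime }
    }

# Session configuration: which group gets which role, how the session runs
# (virtual account, no persistent privileged identity), and where the
# mandatory transcript of every session is written.
$psscPath = Join-Path -Path $env:TEMP -ChildPath "$moduleName.pssc"
New-PSSessionConfigurationFile -Path $psscPath `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory 'C:\JEATranscripts' `
    -RoleDefinitions @{
        'CONTOSO\ServiceDeskOperators' = @{ RoleCapabilities = 'ServiceDeskOperator' }
    }

# Validate before registering: a malformed file either registers an endpoint
# nobody can use or one that is broader than you intended.
if (-not (Test-PSSessionConfigurationFile -Path $psscPath)) {
    throw "Session configuration file $psscPath failed validation"
}
Register-PSSessionConfiguration -Name $moduleName -Path $psscPath -Force | Out-Null

# Confirm the new endpoint and its permission set next to the default ones.
Get-PSSessionConfiguration | Select-Object Name, Permission

# A member of the group then connects with:
#   Enter-PSSession -ComputerName <server> -ConfigurationName JEADemo
# and Get-Command inside that session lists only the allow-listed commands.
```

Because the session runs as a virtual account, the helpdesk user never holds local Administrators membership, and every action is still attributed to them in the transcript and in the security log; that combination is why JEA changes the conversation with auditors.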
Windows Event Forwarding guidance http://aka.ms/wef
Maslow’s Hierarchy of Security Controls http://www.leeholmes.com/blog/2014/12/08/maslows-hierarchy-of-security-controls/
Use Windows Event Forwarding to help with intrusion detection
An operational guide for implementing WEF based on the experience of Microsoft IT in a large-scale environment
The Underhanded PowerShell Contest
Microsoft’s community effort to identify and defend against malicious PowerShell code.
Follow Lee Holmes on Twitter
PowerShell team security lead, Microsoft Lead Security Architect for Enterprise Cloud Group & Azure Stack. Constant stream of relevant info and links.
PowerShell Remoting Exposed
An article that includes network traces comparing WMI, RPC, and WINRM/WSMAN PowerShell remoting protocols on the wire. It also includes a list of PowerShell help topics for more information.
eBook: Secrets of PowerShell Remoting https://powershell.org/ebooks/
NSA: Spotting the Adversary with Windows Event Log Monitoring https://www.nsa.gov/ia/_files/app/spotting_the_adversary_with_windows_event_log_monitoring.pdf
Securing PowerShell in the Enterprise
Information security advice for all levels of government
Australian Signals Directorate, Australian Government Department of Defence
FireEye: Investigating PowerShell Attacks (BlackHat USA 2014) https://www.fireeye.com/content/dam/fireeye-www/global/en/solutions/pdfs/wp-lazanciyan-investigating-powershell-attacks.pdf
Verizon 2016 Data Breach Investigations Report
Not PowerShell-specific, but good insight to breach techniques.
Microsoft Virtual Academy: What’s New in PowerShell v5
Lee Holmes and Ryan Puffer demonstrate security and JEA in WMF 5 http://aka.ms/MVAps5
PowerShell Security at DerbyCon 2016
Great list of security conference session recordings on the current landscape of PowerShell security. Includes talks by Jeffrey Snover and Lee Holmes.
Security Weekly 460: Interview with Lee Holmes https://www.youtube.com/watch?v=tzcabAVuJFw
RunAs Radio Podcast #471: Just Enough Admin and Windows Server 2016 with Jeffrey Snover http://www.runasradio.com/default.aspx?ShowNum=471&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+RunasRadio+%28RunAs+Radio+%28mp3%29%29
Microsoft Ignite 2015: JEA: A PowerShell Toolkit to Secure a Post-Snowden World
WMF 4.0 version of JEA. Now superseded by WMF 5.x. https://channel9.msdn.com/events/Ignite/2015/BRK2470
PowerShell Summit 2015: Managing PowerShell in the Enterprise Using Group Policy
Overview of GPOs involved for securing PowerShell https://blogs.technet.microsoft.com/ashleymcglone/2015/04/22/pshsummit-managing-powershell-in-the-enterprise-using-group-policy/
PowerShell Summit 2015: Defending the Defenders Pt 1
Lee Holmes and MVP Jeff Hicks
PowerShell Summit 2015: Defending the Defenders Pt 2
Lee Holmes and MVP Jeff Hicks
PowerShell Summit 2015: Keeping Secrets
MVP Dave Wyatt
PowerShell Remoting Exposed: How To Command Your Minions
Review of PowerShell remoting security, including packet captures to demonstrate the encryption.
Edit 4/17/2017: Added link to A Comparison of Shell and Scripting Language Security
Edit 6/29/2017: Added Remoting Exposed link. Added blog post link with sample scripts to the Managing PowerShell in the Enterprise with Group Policy.