DEF CON Windows Server admins keep making mistakes that let criminals into their boxes, according to Microsoft's lead security architect for Azure management Lee Holmes.
Redmond therefore wants you to harden up by using PowerShell's Just Enough Administration.
“In running Just Enough Administration, the idea is that admins are your attack surface and you can't treat them as buddies anymore,” he said. “We need admins, but people make mistakes. Everything they can do an attacker can do as well. If you’re worried about PowerShell attacks, you have to be worried about admins.”
The aim of the game is to slash the use of administrator accounts, ensure users have only the privileges they need to do their jobs, and lock down RDP and other remote administration access so it can't be reached from outside a trusted network. Such restrictions, Holmes argued, can dramatically reduce the attack surface available to hackers, and Just Enough Administration is the mechanism for cutting that surface back.
When implementing Just Enough Administration, language modes can be a big issue, Holmes warned. NoLanguage mode is the only safe language mode, he said.
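As an added illustration of that point (this is example code written for this article, not Holmes's or Microsoft's), the script below registers a JEA endpoint from a role capability file and a session configuration file, showing the weak FullLanguage setting next to the NoLanguage setting the talk calls safe. The module folder, role name, group name, transcript path and endpoint name are all assumed placeholders; the cmdlets and their parameters are the standard ones that ship with PowerShell 5.1 and later.

```powershell
# Added example (not from the article): registering a JEA endpoint whose
# session configuration is pinned to NoLanguage mode.
# Module path, role, group, transcript directory and endpoint name are hypothetical.

$ModulePath = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\ContosoJEA'   # hypothetical module
$RoleDir    = Join-Path $ModulePath 'RoleCapabilities'
New-Item -ItemType Directory -Path $RoleDir -Force | Out-Null

# Role capability: expose only the cmdlets a service-desk operator needs, and
# pin parameter values where the task allows it.
New-PSRoleCapabilityFile -Path (Join-Path $RoleDir 'ServiceDeskOperator.psrc') `
    -VisibleCmdlets @(
        'Get-Service',
        @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler', 'W32Time' } }
    )

# Settings shared by both session configurations below.
$Common = @{
    SessionType         = 'RestrictedRemoteServer'
    RunAsVirtualAccount = $true
    TranscriptDirectory = 'C:\ProgramData\JEATranscripts'          # hypothetical path
    RoleDefinitions     = @{ 'CONTOSO\ServiceDesk' = @{ RoleCapabilities = 'ServiceDeskOperator' } }  # hypothetical group
}

# Weak setting, shown only for contrast: FullLanguage lets the connecting user
# run arbitrary script inside a session that executes as a local administrator
# (the virtual account), which defeats the purpose of the restricted role.
# New-PSSessionConfigurationFile @Common -LanguageMode FullLanguage -Path '.\Weak.pssc'

# Corrected setting: NoLanguage, so only the exposed commands can be invoked.
$Pssc = Join-Path $env:TEMP 'ServiceDesk.pssc'
New-PSSessionConfigurationFile @Common -LanguageMode NoLanguage -Path $Pssc

# Validate the file before registering it; the test returns $false on errors.
if (-not (Test-PSSessionConfigurationFile -Path $Pssc)) {
    throw "Invalid session configuration file: $Pssc"
}

Register-PSSessionConfiguration -Name 'ServiceDesk' -Path $Pssc -Force

# Check what was actually registered: LanguageMode should read NoLanguage.
(Get-PSSessionConfiguration -Name 'ServiceDesk').LanguageMode
```

Register-PSSessionConfiguration needs an elevated session and restarts the WinRM service; run the check at the end from the same elevated prompt, and audit existing endpoints the same way with `Get-PSSessionConfiguration | Select-Object Name, LanguageMode, RunAsVirtualAccount`.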
Holmes also warned that vulnerable functions are another big danger when implementing Just Enough Administration: tools like the Invoke-Expression cmdlet let users run arbitrary script on the local computer. The security implications of doing so are obvious, yet many users are granted the privilege to use this powerful cmdlet.
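To make the danger concrete, here is an added example (written for this article, not code from Holmes, Microsoft or the Injection Hunter project): a function of the kind an admin might expose from a JEA role, where user input reaches Invoke-Expression, placed beside a hardened rewrite, followed by a small AST scan that flags the two most common patterns. The function names and the scanner are hypothetical stand-ins; Injection Hunter, which the article mentions, is the proper tool for this review.

```powershell
# Added example (not from the article). Function names are hypothetical.

# Vulnerable: the caller's -Name is spliced into a string that is then
# evaluated as script. Inside a JEA session running as a virtual account
# (a local administrator), whatever the caller puts in $Name runs with that
# privilege, even though the role only meant to expose Get-Service.
function Get-ServiceStatusUnsafe {
    param([string]$Name)
    Invoke-Expression "Get-Service -Name $Name | Select-Object Name, Status"
}

# Hardened: pass the value as a parameter argument (it is never re-parsed as
# code), constrain its shape, and keep the body free of string-evaluating
# commands. This is the form that belongs in a role capability's FunctionDefinitions.
function Get-ServiceStatus {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [ValidatePattern('^[A-Za-z0-9_.-]{1,80}$')]
        [string]$Name
    )
    Get-Service -Name $Name -ErrorAction Stop | Select-Object Name, Status
}

# Hypothetical review helper: parse a script or module and report commands that
# evaluate strings (Invoke-Expression / iex) or whose name comes from a
# variable ('& $cmd', '. $cmd'), both of which turn caller input into code.
function Find-InjectionRisk {
    param([Parameter(Mandatory)][string]$Path)
    $tokens = $null; $errors = $null
    $ast = [System.Management.Automation.Language.Parser]::ParseFile($Path, [ref]$tokens, [ref]$errors)
    $ast.FindAll({ param($node) $node -is [System.Management.Automation.Language.CommandAst] }, $true) |
        ForEach-Object {
            $name = $_.GetCommandName()   # $null when the command is not a literal string
            if ($name -and $name -match '^(Invoke-Expression|iex)$') {
                [pscustomobject]@{ Line = $_.Extent.StartLineNumber; Rule = 'InvokeExpression'; Text = $_.Extent.Text }
            }
            elseif (-not $name -and $_.InvocationOperator -ne 'Unknown') {
                [pscustomobject]@{ Line = $_.Extent.StartLineNumber; Rule = 'CommandInjection'; Text = $_.Extent.Text }
            }
        }
}

# When this file is run from disk, scan itself: the only finding should be the
# Invoke-Expression line inside Get-ServiceStatusUnsafe.
if ($PSCommandPath) {
    Find-InjectionRisk -Path $PSCommandPath | Format-Table -AutoSize
}
```

Run the scanner over every .psm1 and .psrc that backs a JEA endpoint before registering it; a function that passes a finding through to Invoke-Expression is not made safe by NoLanguage mode, because the evaluation happens inside the trusted function rather than in the caller's restricted session.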
“We’re releasing PowerShell injection hunter, which does all this [security checking] automatically,” Holmes said. “This will flag everything that you might be worried about, and it has integration with Visual Studio Code.”
Keep an eye on the official PowerShell blog for the injection hunter's release. ®