Don't ditch PowerShell to improve security, say infosec agencies from UK, US, and NZ
Use it sensibly instead – which means turning on the useful bits Microsoft doesn't enable by default
Windows PowerShell is enormously useful, extremely prevalent, and often targeted by crooks because it offers an express route into the heart of Windows servers and networks.
Some have therefore suggested the tool is a liability that should be disabled in the interest of improved security.
But on Wednesday national cybersecurity agencies from the US, UK, and New Zealand decided that's a bit drastic. Instead, the agencies recommend securing PowerShell prudently.
"PowerShell is essential to secure the Windows operating system," the agencies argue. "Removing or improperly restricting PowerShell would prevent administrators and defenders from utilizing PowerShell to assist with system maintenance, forensics, automation, and security."
That opinion was offered in a Cybersecurity Information Sheet [PDF] titled "Keeping PowerShell: Security Measures to Use and Embrace," which argues that the security benefits of properly protected PowerShell outweigh the risks it introduces.
The document's first recommendation is to run PowerShell 7.2, which must be installed separately, rather than the Windows PowerShell 5.1 engine that ships with Windows 10, because the newer release adds security features the older one lacks.
Another piece of advice is to allow PowerShell remoting, which runs over Windows Remote Management (WinRM) on TCP 5985 and 5986, only from trusted endpoints and networks, because Microsoft's default firewall rules accept WinRM connections from a wider range of sources than most admins need.
The document also points out that not every anti-virus product implements the Antimalware Scan Interface (AMSI) introduced in Windows 10, which PowerShell uses to hand script content to the installed scanner before it runs. If no AMSI provider is registered, scripts are not being inspected at all, so using AMSI-aware AV is sensible.
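The two checks above in practice, as an added example for this article rather than anything taken from the infosheet: scope the inbound WinRM firewall rules to a trusted management subnet, then list which AMSI providers are actually registered on the host. The `$TrustedRanges` subnet is an assumption; substitute your own jump-host or management range. Run it in an elevated Windows PowerShell session.

```powershell
#Requires -RunAsAdministrator
# Added example; not the agencies' or Microsoft's code. Adjust $TrustedRanges for your estate.
$TrustedRanges = @('10.10.0.0/24')   # assumption: the subnet your admin workstations live on

# 1. Restrict PowerShell remoting. The built-in inbound rules in the
#    "Windows Remote Management" group cover the WinRM listeners on TCP 5985/5986.
#    Scoping RemoteAddress means only hosts in $TrustedRanges can even reach the listener.
$rules = Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' -Direction Inbound
foreach ($rule in $rules) {
    $rule | Set-NetFirewallRule -RemoteAddress $TrustedRanges
    '{0}: remote address restricted to {1}' -f $rule.DisplayName, ($TrustedRanges -join ', ')
}
# Show what is actually listening so the rule change can be matched to a listener.
Get-ChildItem WSMan:\localhost\Listener | Select-Object Name, Keys

# 2. Confirm something is scanning scripts. AMSI providers register a COM CLSID under
#    HKLM:\SOFTWARE\Microsoft\AMSI\Providers; PowerShell calls every provider listed there.
$providerKey = 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers'
$providers = Get-ChildItem -Path $providerKey -ErrorAction SilentlyContinue | ForEach-Object {
    $clsid = $_.PSChildName
    # Resolve the CLSID to a friendly name if the registering product supplied one.
    $clsKey = "HKLM:\SOFTWARE\Classes\CLSID\$clsid"
    $name   = (Get-ItemProperty -Path $clsKey -ErrorAction SilentlyContinue).'(default)'
    [pscustomobject]@{
        CLSID    = $clsid
        Provider = if ($name) { $name } else { '(no friendly name registered)' }
    }
}
if (-not $providers) {
    Write-Warning 'No AMSI providers registered: PowerShell script content is not being scanned.'
} else {
    $providers | Format-Table -AutoSize
}
```

Microsoft Defender registers its own provider, so a host with Defender active should list at least one entry; a third-party product that replaced Defender and shows nothing here is exactly the gap the infosheet is warning about. The firewall change is per-host; in a domain the same scoping is better pushed through Group Policy so it cannot be quietly undone.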
Other recommendations include:
- Using PowerShell's credential protection features during remote sessions, because a standard WinRM remoting session uses a network logon that does not leave a reusable copy of the credential on the remote host;
- Enabling Deep Script Block Logging, Module Logging, and Over-the-Shoulder transcription – three useful logging features that can help to detect abuses of PowerShell. Microsoft does not enable any of the three by default;
- Using SSH for remoting where possible, since PowerShell 7 supports it alongside WinRM and it brings its own well-understood authentication and transport security.
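Turning on the three logging features is a matter of writing the same policy registry values the corresponding Group Policy settings write, then confirming the events and transcripts actually appear. The script below is an added example for this article, not code from the infosheet; `$TranscriptDir` is an assumed local path, and the verification step uses a constructed marker command so the resulting event can be found.

```powershell
#Requires -RunAsAdministrator
# Added example; not the agencies' or Microsoft's code. These are the policy keys behind the
# "Turn on PowerShell Script Block Logging", "Turn on Module Logging" and
# "Turn on PowerShell Transcription" GPO settings, so a domain GPO will override them.
$Base          = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
$TranscriptDir = 'C:\PSTranscripts'   # assumption; in production point this at a write-only share

function Set-PolicyValue {
    param([string]$Key, [string]$Name, $Value, [string]$Type = 'DWord')
    if (-not (Test-Path -Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    New-ItemProperty -Path $Key -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

# Deep Script Block Logging: event 4104 in Microsoft-Windows-PowerShell/Operational carries
# the script block as the engine compiles it, i.e. after string-building obfuscation is resolved.
Set-PolicyValue -Key "$Base\ScriptBlockLogging" -Name 'EnableScriptBlockLogging' -Value 1

# Module Logging: event 4103 records pipeline execution for the listed modules; '*' means all.
Set-PolicyValue -Key "$Base\ModuleLogging" -Name 'EnableModuleLogging' -Value 1
Set-PolicyValue -Key "$Base\ModuleLogging\ModuleNames" -Name '*' -Value '*' -Type 'String'

# Over-the-Shoulder transcription: a plain-text record of every session's input and output,
# with an invocation header timestamping each command.
Set-PolicyValue -Key "$Base\Transcription" -Name 'EnableTranscripting' -Value 1
Set-PolicyValue -Key "$Base\Transcription" -Name 'EnableInvocationHeader' -Value 1
Set-PolicyValue -Key "$Base\Transcription" -Name 'OutputDirectory' -Value $TranscriptDir -Type 'String'

# Verification. Policy is read when a PowerShell process starts, so launch a fresh one,
# run a marker command (constructed here), then look for it in the 4104 events and on disk.
$marker = "Write-Output 'dsbl-check-$(Get-Random)'"
powershell.exe -NoProfile -Command $marker | Out-Null
Start-Sleep -Seconds 2

$event = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } -MaxEvents 50 |
    Where-Object { $_.Message -like "*$marker*" } |
    Select-Object -First 1
if ($event) {
    'Script block logging OK: event 4104 at {0}' -f $event.TimeCreated
} else {
    Write-Warning 'No 4104 event found for the marker; script block logging is not active.'
}

$transcript = Get-ChildItem -Path $TranscriptDir -Recurse -Filter '*.txt' -ErrorAction SilentlyContinue |
    Sort-Object LastWriteTime -Descending | Select-Object -First 1
if ($transcript) {
    'Transcription OK: newest transcript is {0}' -f $transcript.FullName
} else {
    Write-Warning "No transcript written under $TranscriptDir; transcription is not active."
}
```

Two caveats worth knowing before relying on this. First, the transcript directory should let users create and append files but not read them back, otherwise an attacker who lands on the box can read every previous session; the infosheet's preference is a central write-only share. Second, PowerShell 7 reads its own policy location (under `HKLM:\SOFTWARE\Policies\Microsoft\PowerShellCore`) unless its Group Policy templates are set to fall back to the Windows PowerShell settings, so if you have followed the first recommendation and moved to 7.2, configure both or you will log only the engine you are trying to retire.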
"These recommendations will help defenders detect and prevent abuse by malicious cyber actors, while enabling legitimate use by administrators and defenders," the document concludes.
The document was penned by the US's National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA), the New Zealand National Cyber Security Centre (NZ NCSC), and the UK's National Cyber Security Centre (NCSC-UK). ®