CISA, NSA and Other Agencies Recommend Hardening PowerShell

Government cybersecurity organizations on Tuesday announced guidelines for using Microsoft's built-in PowerShell scripting language with Windows without also letting attackers leverage it.

The newly released joint "Cybersecurity Information Sheet" on PowerShell (PDF) was put together by "cybersecurity authorities from the United States, New Zealand and the United Kingdom." Participants on the U.S. side included the Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA).

The agencies noted that "malicious actors" use PowerShell for their attacks after first gaining network access. However, the authors stopped short of suggesting that organizations remove it. PowerShell has "defensive capabilities," too, they noted. Also, blocking PowerShell "prevents components of the Windows operating system from running properly."

Organizations, though, should uninstall PowerShell version 2 because it has security holes. More recent PowerShell versions, beginning with PowerShell version 5, have "prevention, detection and authentication capabilities" that are useful for defenders.

The security "hardening" technologies to use in conjunction with PowerShell include:

The authors concluded that "PowerShell is essential" to securing the Windows operating systems and that it is acceptable to use once the problems in version 2 are addressed. PowerShell shouldn't be removed, but organizations should harden it where possible.

Particularly on the logging and detection side, IT pros may need to take some actions to optimally secure PowerShell, because the relevant features aren't enabled by default.

"Deep Script Block Logging, Module Logging, and Over-the-Shoulder transcription are disabled by default," the guide explained. "The authors recommend enabling the capabilities where feasible."
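As an added example, not from the article or the agencies' guide, the following PowerShell turns on those three logging features through the policy registry keys that Windows reads for PowerShell Group Policy, and also removes the PowerShell version 2 engine that the article says should be uninstalled. It must run in an elevated session, and the transcript output directory is an assumed value.

```powershell
# Added example (not from the guide): enable the three logging features the
# guide says are off by default, then remove the PowerShell v2 engine.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
$transcriptDir = 'C:\PSTranscripts'   # assumed path; prefer a write-only share off-host

function Set-PolicyValue {
    param([string]$Key, [string]$Name, $Value, [string]$Type = 'DWord')
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    New-ItemProperty -Path $Key -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

# Script Block Logging: records the code PowerShell actually runs, after any
# de-obfuscation, as event ID 4104 in Microsoft-Windows-PowerShell/Operational.
Set-PolicyValue "$base\ScriptBlockLogging" 'EnableScriptBlockLogging' 1

# Module Logging for all modules ('*'): pipeline execution details as event ID 4103.
Set-PolicyValue "$base\ModuleLogging" 'EnableModuleLogging' 1
Set-PolicyValue "$base\ModuleLogging\ModuleNames" '*' '*' 'String'

# Over-the-shoulder transcription: a text transcript of every session, with a
# header recording who ran what and when.
Set-PolicyValue "$base\Transcription" 'EnableTranscripting' 1
Set-PolicyValue "$base\Transcription" 'EnableInvocationHeader' 1
Set-PolicyValue "$base\Transcription" 'OutputDirectory' $transcriptDir 'String'

# Remove the PowerShell v2 engine so attackers cannot use it to bypass the
# logging above (the feature name is the built-in Windows optional feature).
$v2 = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root
if ($v2.State -eq 'Enabled') {
    Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -NoRestart | Out-Null
}

# Report the resulting state so the change can be verified or audited.
function Get-PowerShellHardeningState {
    [pscustomobject]@{
        ScriptBlockLogging = (Get-ItemProperty "$base\ScriptBlockLogging" -ErrorAction SilentlyContinue).EnableScriptBlockLogging
        ModuleLogging      = (Get-ItemProperty "$base\ModuleLogging" -ErrorAction SilentlyContinue).EnableModuleLogging
        Transcription      = (Get-ItemProperty "$base\Transcription" -ErrorAction SilentlyContinue).EnableTranscripting
        TranscriptDir      = (Get-ItemProperty "$base\Transcription" -ErrorAction SilentlyContinue).OutputDirectory
        PowerShellV2       = (Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root).State
    }
}
Get-PowerShellHardeningState
```

In a domain, the same values are normally pushed by Group Policy (Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell) rather than set locally, and the logging only pays off if the 4103/4104 events and transcripts are forwarded to a collector the attacker cannot clear.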

The agencies' recommendations were intended to apply only to organizations running Windows, and not to Linux and macOS environments, according to a footnote in the report.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.
