iTnews Asia

Don't remove PowerShell: US, UK and NZ security agencies

Powerful command line interface essential to securing Windows.

By Juha Saarinen on Jun 27, 2022 11:49AM

Government cyber security agencies in the UK, US and New Zealand are telling systems admins to configure PowerShell properly - but not to follow a rising trend of disabling it.

The agencies published a joint advisory saying the command line interface that ships with Windows is a powerful tool to defend systems, if it's configured and monitored properly.

PowerShell is a CLI with scripting language support, similar to the shells shipped with UNIX and UNIX-like operating systems, and can be used to execute code and perform systems administration.

However, PowerShell's extensive capabilities have been abused by threat actors for ransomware attacks and network reconnaissance.

That has led some administrators to block PowerShell, but this could get in the way of the defensive capabilities it can provide, and even prevent parts of Windows from running properly.

Now, the National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), the New Zealand National Cyber Security Centre (NZ NCSC), and the United Kingdom National Cyber Security Centre (NCSC-UK) have summarised a range of measures to secure PowerShell.

The joint advisory [pdf] suggests administrators protect login credentials when accessing PowerShell on Windows hosts over networks, and set up Windows firewall rules to control permitted remote connections.

Later versions of PowerShell come with an extensive range of security features, such as the antimalware scan interface (AMSI) integration, which allows anti-virus products to scan memory and files for potentially malicious content.

AppLocker and Windows Defender Application Control (WDAC) can enhance security by setting PowerShell in Constrained Language Mode, which restricts operations unless allowed by administrator policies.

Monitoring PowerShell can be done with Deep Script Block Logging (DSBL), transcription of activities in the CLI, and logging for modules.

It should be noted that older versions of PowerShell do not support the full set of security and logging features, which is available in version 7 on Windows 10 and 11.
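As an added example (not taken from the advisory or from this article), the read-only script below audits a Windows host for the monitoring features named above: script block logging, module logging and transcription, plus the session's version and language mode. It assumes the settings are delivered through the Group Policy registry locations for Windows PowerShell 5.1 and PowerShell 7; the function name `Get-PSLoggingPolicy` is hypothetical.

```powershell
# Added example: report PowerShell logging policy, version and language mode.
# Read-only: nothing is changed. Run in an elevated or standard session.
$policyRoots = [ordered]@{
    'Windows PowerShell 5.1' = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
    'PowerShell 7'           = 'HKLM:\SOFTWARE\Policies\Microsoft\PowerShellCore'
}
$checks = @(
    @{ Feature = 'Script block logging'; Subkey = 'ScriptBlockLogging'; ValueName = 'EnableScriptBlockLogging' }
    @{ Feature = 'Module logging';       Subkey = 'ModuleLogging';      ValueName = 'EnableModuleLogging' }
    @{ Feature = 'Transcription';        Subkey = 'Transcription';      ValueName = 'EnableTranscripting' }
)

function Get-PSLoggingPolicy {
    foreach ($edition in $policyRoots.Keys) {
        foreach ($check in $checks) {
            $path = Join-Path $policyRoots[$edition] $check.Subkey
            # PowerShell 7 policy keys can defer to the Windows PowerShell policy.
            $defer = Get-ItemProperty -Path $path -Name 'UseWindowsPowerShellPolicySetting' -ErrorAction SilentlyContinue
            if ($edition -eq 'PowerShell 7' -and $defer.UseWindowsPowerShellPolicySetting -eq 1) {
                $path = Join-Path $policyRoots['Windows PowerShell 5.1'] $check.Subkey
            }
            # A missing key or value means the policy is not configured.
            $item = Get-ItemProperty -Path $path -Name $check.ValueName -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Edition    = $edition
                Feature    = $check.Feature
                Enabled    = ($null -ne $item) -and ($item.($check.ValueName) -eq 1)
                PolicyPath = $path
            }
        }
    }
}

$report = Get-PSLoggingPolicy
$report | Format-Table -AutoSize

# Context for the current session: engine version and language mode
# (FullLanguage vs ConstrainedLanguage when AppLocker/WDAC policy applies).
[pscustomobject]@{
    PSVersion    = $PSVersionTable.PSVersion.ToString()
    LanguageMode = $ExecutionContext.SessionState.LanguageMode
} | Format-List

# Flag every monitoring feature that is not switched on by policy.
$report | Where-Object { -not $_.Enabled } | ForEach-Object {
    Write-Warning ("{0}: {1} is not enabled by policy" -f $_.Edition, $_.Feature)
}
```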
