iTnews Asia
Don't remove PowerShell: US, UK and NZ security agencies

Powerful command line interface essential to securing Windows.

By Juha Saarinen on Jun 27, 2022 11:49AM

Government cyber security agencies in the UK, US and New Zealand are telling systems admins to configure PowerShell properly - but not to follow a rising trend of disabling it.

The agencies published a joint advisory saying the command line interface that ships with Windows is a powerful tool to defend systems, if it's configured and monitored properly.

PowerShell is a CLI with scripting language support, similar to the shells shipped with UNIX and UNIX-like operating systems, and can be used to execute code and for systems administration.

However, PowerShell's extensive capabilities have been abused by threat actors for ransomware attacks and network reconnaissance.

That has led some administrators to block PowerShell, but this could get in the way of the defensive capabilities it can provide, and even prevent parts of Windows from running properly.

Now, the National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), the New Zealand National Cyber Security Centre (NZ NCSC), and the United Kingdom National Cyber Security Centre (NCSC-UK) have summarised a range of measures to secure PowerShell.

The joint advisory [pdf] suggests administrators protect login credentials when accessing PowerShell on Windows hosts over networks, and set up Windows firewall rules to control permitted remote connections.

Later versions of PowerShell come with an extensive range of security features, such as the antimalware scan interface (AMSI) integration, which allows anti-virus products to scan memory and files for potentially malicious content.

AppLocker and Windows Defender Application Control (WDAC) can enhance security by setting PowerShell in Constrained Language Mode, which restricts operations unless allowed by administrator policies.

Monitoring PowerShell can be done with Deep Script Block Logging (DSBL), transcription of activities in the CLI, and logging for modules.

It should be noted that older versions of PowerShell do not support the full set of security and logging features, which is available in version 7 on Windows 10 and 11.
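
As an added illustration (not taken from the joint advisory or from this article), the following read-only PowerShell script reports whether the logging features named above are switched on through Group Policy and which language mode the current session runs in. It assumes the standard policy registry locations for Windows PowerShell and PowerShell 7, and it only sees settings applied through those policy keys.

```powershell
# Added example: read-only audit of PowerShell logging policy and language mode.
# Assumption: settings are applied via Group Policy registry keys for
# Windows PowerShell (5.1) and PowerShell 7 (PowerShellCore).

$policyRoots = [ordered]@{
    'Windows PowerShell' = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
    'PowerShell 7'       = 'HKLM:\SOFTWARE\Policies\Microsoft\PowerShellCore'
}

$checks = @(
    @{ Feature = 'Script block logging'; SubKey = 'ScriptBlockLogging'; Value = 'EnableScriptBlockLogging' }
    @{ Feature = 'Module logging';       SubKey = 'ModuleLogging';      Value = 'EnableModuleLogging' }
    @{ Feature = 'Transcription';        SubKey = 'Transcription';      Value = 'EnableTranscripting' }
)

function Get-PolicyState {
    param([string]$Path, [string]$ValueName)
    # A missing key or value means the policy has not been configured.
    $item = Get-ItemProperty -Path $Path -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }
    if ($item.$ValueName -eq 1) { return 'Enabled' }
    return 'Disabled'
}

# Build one row per engine and feature.
$report = foreach ($root in $policyRoots.GetEnumerator()) {
    foreach ($check in $checks) {
        [pscustomobject]@{
            Engine  = $root.Key
            Feature = $check.Feature
            State   = Get-PolicyState -Path (Join-Path $root.Value $check.SubKey) -ValueName $check.Value
        }
    }
}

$report | Format-Table -AutoSize

# ConstrainedLanguage is expected here when AppLocker or WDAC enforces it.
"Engine version : $($PSVersionTable.PSVersion)"
"Language mode  : $($ExecutionContext.SessionState.LanguageMode)"

# Flag gaps so the output can feed a configuration review.
$gaps = @($report | Where-Object { $_.State -ne 'Enabled' })
if ($gaps.Count -gt 0) { Write-Warning "$($gaps.Count) logging policy setting(s) not enabled." }
```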
