Don't remove PowerShell: US, UK and NZ security agencies

Powerful command line interface essential to securing Windows.

By Juha Saarinen on Jun 27, 2022 11:49AM

Government cyber security agencies in the UK, US and New Zealand are telling systems admins to configure PowerShell properly - but not to follow a rising trend of disabling it.

The agencies published a joint advisory saying the command line interface that ships with Windows is a powerful tool to defend systems, if it's configured and monitored properly.

PowerShell is a CLI with scripting language support, similar to the shells shipped with UNIX and UNIX-like operating systems, and can be used to execute code and carry out systems administration.

However, PowerShell's extensive capabilities have been abused by threat actors for ransomware attacks and network reconnaissance.

That has led some administrators to block PowerShell, but this could get in the way of the defensive capabilities it can provide, and even prevent parts of Windows from running properly.

Now, the National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), the New Zealand National Cyber Security Centre (NZ NCSC), and the United Kingdom National Cyber Security Centre (NCSC-UK) have summarised a range of measures to secure PowerShell.

The joint advisory [pdf] suggests administrators protect login credentials when accessing PowerShell on Windows hosts over networks, and set up Windows firewall rules to control permitted remote connections.

Later versions of PowerShell come with an extensive range of security features, such as the antimalware scan interface (AMSI) integration, which allows anti-virus products to scan memory and files for potentially malicious content.

AppLocker and Windows Defender Application Control (WDAC) can enhance security by setting PowerShell in Constrained Language Mode, which restricts operations unless allowed by administrator policies.

Monitoring PowerShell can be done with Deep Script Block Logging (DSBL), transcription of activities in the CLI, and logging for modules.

It should be noted that older versions of PowerShell do not support the full set of security and logging features, which is available in version 7 on Windows 10 and 11.
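
For administrators who want to check a host against the monitoring measures listed above, the following read-only audit is an added example, not code from the advisory or from iTnews. It assumes the logging settings are applied through the standard Group Policy registry locations for Windows PowerShell 5.1 and PowerShell 7; the function name `Get-PolicyState` is hypothetical.

```powershell
# Added example: read-only audit of the PowerShell logging policies named above.
# Assumption: policies are set through Group Policy registry keys under HKLM.
$roots = [ordered]@{
    'Windows PowerShell 5.1' = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
    'PowerShell 7'           = 'HKLM:\SOFTWARE\Policies\Microsoft\PowerShellCore'
}
$settings = [ordered]@{
    'Script block logging' = @{ Key = 'ScriptBlockLogging'; Value = 'EnableScriptBlockLogging' }
    'Module logging'       = @{ Key = 'ModuleLogging';      Value = 'EnableModuleLogging' }
    'Transcription'        = @{ Key = 'Transcription';      Value = 'EnableTranscripting' }
}

function Get-PolicyState {
    # Hypothetical helper: maps a policy value to Enabled / Disabled / NotConfigured.
    param([string]$Path, [string]$Name)
    # A missing key or value means the policy has not been configured at all.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }
    if ($item.$Name -eq 1) { return 'Enabled' }
    return 'Disabled'
}

# One row per edition and setting, so gaps on either PowerShell install are visible.
$report = foreach ($edition in $roots.Keys) {
    foreach ($label in $settings.Keys) {
        $s = $settings[$label]
        [pscustomobject]@{
            Edition = $edition
            Setting = $label
            State   = Get-PolicyState -Path (Join-Path $roots[$edition] $s.Key) -Name $s.Value
        }
    }
}

# Version and language mode of the session running the audit.
"Running PowerShell version : $($PSVersionTable.PSVersion)"
"Session language mode      : $($ExecutionContext.SessionState.LanguageMode)"
$report | Format-Table -AutoSize
```

A `NotConfigured` or `Disabled` row marks a logging source that will not reach the event log or transcript directory, and a language mode of `FullLanguage` means no AppLocker or WDAC policy is constraining the current session.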
