NSA Security Tips with PowerShell
PowerShell is a console interface that comes integrated with Windows. From there we can execute commands and carry out certain actions. For example, we can automate tasks or see certain information about the team. Now from the NSA, in its desire to make systems more protected, it has given a series of guidelines to use it and thus improve the security of Windows.
The US National Security Agency, along with other partner agencies, has indicated that PowerShell is used in many cases to launch cyber attacks. However, we can also use the built-in security capabilities to enhance our protection and make the system more secure.
One of the tips they give is protect powershell remoting, to prevent them from exposing credentials in plain text when running commands remotely on Windows hosts. They state that if administrators enable this feature on private networks, they automatically add a new rule in Windows Firewall that allows all connections.
Therefore, the Windows Firewall customization to allow connections only from trusted endpoints and networks helps reduce the chance of an attacker making a successful lateral move.
The NSA, in order to use remote connections, recommends using the secure shell protocol (SSH), compatible with PowerShell 7. This will provide greater security. This is so since remote connections do not need HTTPS with SSL certificates, or trusted hosts as would happen when making a remote connection through WinRM.
They also recommend reducing PowerShell operations with the help of AppLocker or Windows Defender Application Control so that you can configure the tool in CLM mode to prevent operations outside of administrator-defined policies.
Detect misuse with PowerShell
In addition, from the NSA they recommend log powershell activity in order to detect misuse. In this way we can monitor the records and find possible signs that something is wrong. They propose to activate different functions, such as DSBL and OTS, to improve security.
This will allow you to create a database of logs that can be used to search for activities in PowerShell that could be dangerous. Also, with OTS administrators will have a log of every PowerShell input or output to determine an attacker’s intentions.
In short, from the NSA they indicate that it is convenient to take into account PowerShell and its different uses. It is a tool that can be used by attackers to put security at risk, but it is also interesting in order to protect the system if we configure it correctly and ensure that it is protected. Using features like Windows Defender real-time protection is also helpful.
