How to secure Powershell

30 March, 2021 by Jack Vamvas

I use PowerShell extensively in supporting SQL Server and other applications. PowerShell is a significant component of the Windows operating system. I won't go into detail here, but there is also PowerShell Core, which is the multiplatform option.

Recently there has been rising concern about fileless malware exploiting PowerShell. There are significant benefits for an attacker in abusing PowerShell, one of the main reasons being that PowerShell allows deep access to the Windows core. The very aspect of PowerShell that makes it so valuable and effective in managing SQL Server and other Windows services also potentially opens up exploit possibilities.


What are some actions to take in securing PowerShell?

Use PowerShell v5

-> Anti-Malware Scan Interface (AMSI) - an interface through which applications can submit script content to be scanned for malicious intent. An application sends the content to the AMSI functions, and the registered anti-malware provider decides whether it is malicious. Specifically, when a PowerShell process is created, AMSI.DLL is loaded from local disk into its address space, so script content can be inspected before it runs.

There are ways around AMSI, but it offers a starting point.

With Windows 2016/2019, Windows Defender can be installed as an added server feature:

                                Install-WindowsFeature -Name Windows-Server-Antimalware

                                # display a list of cmdlets in the Defender module
                                Get-Command -Module Defender

                                # get the preferences for Windows Defender scans and updates
                                Get-MpPreference

                                # check that the Windows Defender service is running
                                Get-Service WinDefend

-> Script block logging - logs the PowerShell code as it is executed; think of it as an audit trail. Enable it either through a registry setting or through Group Policy.

-> Use the Start-Transcript cmdlet - this PowerShell cmdlet creates a record of an entire PowerShell session.

-> Constrained Language Mode - the purpose is to support daily administrative tasks while restricting access to more sensitive cmdlets and to the underlying .NET and Windows APIs.
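As an added example (not code from the original post), the script below audits the controls listed above on a host and can turn on script block logging and transcription through the same policy registry keys that Group Policy writes. It assumes the standard policy path under HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell and an elevated session; the transcript directory is an assumed location.

```powershell
# Added example: audit the PowerShell hardening points discussed above.
# Assumes the standard policy registry path; run elevated to read/set HKLM keys.
$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Get-PolicyValue {
    param([string]$SubKey, [string]$Name)
    $key = Join-Path $PolicyRoot $SubKey
    if (Test-Path $key) {
        return (Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue).$Name
    }
    return $null
}

function Get-PowerShellHardeningState {
    # One object summarising version, AMSI eligibility, logging, language mode and Defender.
    [pscustomobject]@{
        PSVersion            = $PSVersionTable.PSVersion.ToString()
        AmsiCapableVersion   = $PSVersionTable.PSVersion.Major -ge 5
        ScriptBlockLogging   = (Get-PolicyValue 'ScriptBlockLogging' 'EnableScriptBlockLogging') -eq 1
        Transcription        = (Get-PolicyValue 'Transcription' 'EnableTranscripting') -eq 1
        TranscriptDirectory  = Get-PolicyValue 'Transcription' 'OutputDirectory'
        LanguageMode         = $ExecutionContext.SessionState.LanguageMode.ToString()
        DefenderServiceState = (Get-Service -Name WinDefend -ErrorAction SilentlyContinue).Status
    }
}

function Enable-PowerShellAuditing {
    # Turns on script block logging and session transcription via policy keys.
    param([string]$TranscriptPath = 'C:\PSTranscripts')   # assumed location
    foreach ($sub in 'ScriptBlockLogging', 'Transcription') {
        $key = Join-Path $PolicyRoot $sub
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    }
    Set-ItemProperty -Path (Join-Path $PolicyRoot 'ScriptBlockLogging') -Name EnableScriptBlockLogging -Value 1 -Type DWord
    Set-ItemProperty -Path (Join-Path $PolicyRoot 'Transcription') -Name EnableTranscripting -Value 1 -Type DWord
    Set-ItemProperty -Path (Join-Path $PolicyRoot 'Transcription') -Name OutputDirectory -Value $TranscriptPath -Type String
}

function Get-RecentScriptBlockEvents {
    # Script block logging writes event ID 4104 to the PowerShell operational log.
    param([int]$MaxEvents = 5)
    Get-WinEvent -LogName 'Microsoft-Windows-PowerShell/Operational' `
        -FilterXPath '*[System[EventID=4104]]' -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Snippet'; e = { $_.Message.Substring(0, [Math]::Min(80, $_.Message.Length)) } }
}

# Report the current state; call Enable-PowerShellAuditing to apply the settings,
# then Get-RecentScriptBlockEvents to confirm 4104 events are being written.
Get-PowerShellHardeningState | Format-List
```

The 4104 events are what a SIEM or log collector should forward; the transcript directory should be on a share the interactive user cannot modify.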

None of these methods is foolproof, and each can be bypassed. They have to be viewed within the context of an overall security policy. Unrestricted access to the underlying Windows APIs, particularly on critical database servers, has the potential to disable an organisation. There is a wider conversation required about trust.

Zero trust is an idea increasingly gaining traction: an organisation shouldn't automatically trust any entity inside or outside the organisation, and therefore everything must be verified before it gains access to a system.

Read more on PowerShell and security

PowerShell, PsExec and lock pages in memory - made easy

PowerShell - run script on all SQL Servers

Author: Jack Vamvas (http://www.sqlserver-dba.com)
