This publication provides guidance on how to secure the use of PowerShell functionality in Microsoft Windows in support of secure administration activities for a Microsoft Windows-based environment within an organisation.
First published 2016; updated January and March 2019
Table of contents
- Security issues
- Using PowerShell to administer your environment
- Maturity framework for PowerShell
- Recommended mitigations
- Script whitelisting
- Script execution policy
- PowerShell version
- Role-based application whitelisting
- Logging and analysis
- Prevent modification and enable auditing of configuration settings and transcripts
- Remoting configuration
- Constrained endpoints
- Further information
- Contact details
- Appendix A: Maturity framework
- Appendix B: PowerShell script execution policy
- Appendix C: Configure PowerShell logging requirements
- Appendix D: Microsoft Windows security auditing
- Appendix E: Log analysis
- Appendix F: Lock down the registry and transcript directory
- Appendix G: Hardened WinRM configuration
- Appendix H: Constrained endpoints
PowerShell is a powerful shell scripting language developed by Microsoft to provide an integrated interface for automated system administration. It is an important part of the system administration toolkit due to its ubiquity and the ease with which it can be used to fully control Microsoft Windows systems. However, it is also a dangerous post-exploitation tool in the hands of an adversary.
This document describes a maturity framework for PowerShell in a way that balances the security and business requirements of organisations. This maturity framework will enable organisations to take incremental steps towards securing PowerShell across their environment.
PowerShell is the latest in a line of Microsoft Windows command-line shells such as MS-DOS and cmd.exe. While Microsoft Windows has the cmd.exe console, its ability to execute actions is limited compared to the actions PowerShell is capable of.
PowerShell is integrated with the .NET Framework and has full access to Component Object Model (COM) and Windows Management Instrumentation (WMI) functionality. Furthermore, it has full access to the Windows Application Programming Interface (WinAPI) via the .NET Framework. The default installation of PowerShell contains a large number of built-in cmdlets, which are small .NET programs that are accessed by PowerShell through simple commands. This provides a powerful and easy-to-use interface to the underlying system and allows for automation of a wide variety of tasks.
PowerShell can be run locally or across the network through a feature known as Windows Remote Management (WinRM). To facilitate the use of WinRM, remote workstations and servers on which code is executed must have remoting enabled. Microsoft Windows Server 2012 and newer Microsoft Windows operating systems have remoting enabled by default.
The Australian Government Information Security Manual (ISM) assists in the protection of information that is processed, stored or communicated by organisations' systems.
The Strategies to Mitigate Cyber Security Incidents complement the advice in the ISM.
The following references provide additional details on securing PowerShell and associated components:
Organisations or individuals with questions regarding this advice can contact the ACSC by emailing firstname.lastname@example.org or calling 1300 CYBER1 (1300 292 371).