Cybersecurity authorities in the United States, United Kingdom, and New Zealand have advised businesses and government agencies to properly configure Microsoft’s built-in Windows command-line tool, PowerShell, but not to remove it.
Defenders should not disable PowerShell, a scripting language, as it is a useful command-line interface for Windows that can help with forensics, incident response, and automation of office tasks , according to joint advice from the US spy service of the National Security Agency (NSA). ), the US Cybersecurity and Infrastructure Security Agency (CISA), and the New Zealand and UK National Cybersecurity Centers.
It also allows administrators to automate security tasks on Microsoft’s Azure cloud platform. Users can, for example, write PowerShell commands to manage Microsoft Defender Antivirus on Windows 10 and Windows 11.
SEE: Cloud computing dominates. But security is now the biggest challenge
But PowerShell’s flexibility also made it accessible to attackers who used it to remotely compromise Windows devices and even Linux systems.
So what should defenders do? Remove PowerShell? Blocked the? Or just configure it?
“Cybersecurity authorities in the United States, New Zealand, and the United Kingdom recommend proper configuration and monitoring of PowerShell, as opposed to removing or completely disabling PowerShell,” the agencies say.
“This will provide benefits of the security capabilities PowerShell can enable while reducing the likelihood of malicious actors using it undetected after gaining access to victim networks.”
PowerShell’s extensibility and the fact that it comes with Windows 10 and 11 gives attackers a way to abuse the tool. This usually happens after an attacker gains access to a victim’s network through Windows or other software vulnerabilities.
But PowerShell attacks have caused some administrators to remove it from devices and that’s a bad idea, according to the NSA.
“This has prompted some net advocates to disable or remove the Windows tool. The NSA and its partners advise against doing so,” the NSA said.
As the US Department of Defense notes, blocking PowerShell hampers the defensive capabilities that current versions of PowerShell can provide and prevents Windows components from working properly.
The guidance aligns with Microsoft guidance on using PowerShell and guidance for administrators to protect against PowerShell attacks. Microsoft in 2020 acknowledged that “PowerShell is used by both commodity malware and attackers”.
“PowerShell is – by far – the most secure and security-transparent shell, scripting language, or programming language,” Microsoft said in a 2020 blog post.
The New Zealand National Cyber Security Center summarizes the benefits of using PowerShell:
- Protecting Credentials During PowerShell Remoting
- PowerShell Remoting Network Protection
- Anti-Malware Analysis Interface (AMSI) integration
- Constrained PowerShell with Application Control
PowerShell also enables remote administration features that use Kerberos or New Technology LAN Manager (NTLM) protocols. Kerberos is the primary framework for on-premises Active Directory (AD), Microsoft’s identity service, and is the successor to NTLM, which was implemented in Windows 2000.
Microsoft released PowerShell 7 in 2020, but version 5.1 comes with Windows 10 and above. The latest version is 7.2, which includes new security measures like prevention, detection and authentication.
The authorities recommend “explicitly disabling and uninstalling” PowerShell 5.1, but they don’t make any recommendations for using versions of PowerShell with Linux and macOS.
SEE: Why cloud security matters and why you can’t ignore it
They also offer guidance for network protection, AMSI, and AppLocker/Windows Defender Application Control (WDAC) configuration for PowerShell configuration to prevent attackers from taking full control of PowerShell sessions.
The agencies highlight features available in the latest versions of PowerShell, such as deep script block logging, over-the-shoulder transcription, authentication procedures, and remote access via Secure Shell (SSH ).
“PowerShell is essential for securing the Windows operating system, especially since newer versions have addressed previous limitations and issues through updates and enhancements,” the NSA says.
“Removing or inappropriately restricting PowerShell would prevent administrators and defenders from using PowerShell to assist with system maintenance, forensics, automation, and security. PowerShell, along with its administrative capabilities and metrics safety, must be properly managed and adopted.”