PowerShell ships with several features designed to improve the security of a scripting environment, a point cybersecurity authorities from the United States, New Zealand, and the United Kingdom have now underlined. A joint note from the agencies recommends properly configuring and monitoring PowerShell rather than removing or disabling the tool altogether.
PowerShell plays an important role in keeping Windows systems secure
In a joint Cybersecurity Information Sheet, the agencies outline how PowerShell itself can be used to counter abuse by cybercriminals. They also recommend running the most recent version of PowerShell, since newer releases add capabilities and configuration options that help defenders detect and limit misuse of the tool.
Microsoft's tool uses Windows Remote Management (WinRM) as the underlying remoting protocol and relies on Kerberos or New Technology LAN Manager (NTLM) for authentication. Neither protocol sends the actual credentials to the remote host, so remoting avoids direct exposure of credentials and the theft that follows when a password or hash is revealed to a compromised machine. The practical caveat is that this holds only as long as credential delegation (CredSSP) is left disabled, which is the default.
Second, PowerShell also permits remote connections over Secure Shell (SSH) in addition to WinRM. SSH brings public-key authentication, which makes remote management of machines through PowerShell both convenient and secure, and extends that management to non-Windows hosts.
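The two remoting paths described above, as an added example that is not part of the Cybersecurity Information Sheet or of Microsoft's documentation. The hostnames, user name and key path are assumptions for illustration; everything else uses standard PowerShell remoting cmdlets.

```powershell
# Added example (not from the joint Cybersecurity Information Sheet). The hostnames
# srv01/srv02.corp.example, the user 'admin' and the key path are assumptions.

# --- WinRM remoting with Kerberos (domain-joined Windows hosts) ---
# With Kerberos the client presents a service ticket for the target; the password is
# never transmitted, and the remote session holds no reusable credential unless
# CredSSP delegation has been deliberately enabled. Use the FQDN so that Kerberos,
# not NTLM, is negotiated.
$target  = 'srv01.corp.example'   # assumed FQDN
$session = New-PSSession -ComputerName $target -Authentication Kerberos

# Ask the remote side which authentication package its logon session used, so the
# result can be checked rather than assumed (expect 'Kerberos', not 'NTLM').
Invoke-Command -Session $session -ScriptBlock {
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    [PSCustomObject]@{
        Host        = $env:COMPUTERNAME
        ConnectedAs = $id.Name
        AuthPackage = $id.AuthenticationType
    }
}
Remove-PSSession $session

# --- SSH remoting with public-key authentication (PowerShell 7, Windows or Linux) ---
# The target's sshd_config needs a 'Subsystem powershell ...' entry pointing at pwsh;
# the private key never leaves the client, and no password is typed or stored.
$sshSession = New-PSSession -HostName 'srv02.corp.example' `
                            -UserName 'admin' `
                            -KeyFilePath (Join-Path $HOME '.ssh/id_ed25519')   # assumed key

Invoke-Command -Session $sshSession -ScriptBlock {
    [PSCustomObject]@{
        Host      = [System.Net.Dns]::GetHostName()
        PSVersion = $PSVersionTable.PSVersion.ToString()
    }
}
Remove-PSSession $sshSession
```

The first block reports `NTLM` as the authentication package when a bare IP address or an unresolved short name is used, which is the usual reason Kerberos silently falls back to the weaker protocol; surfacing that value is a cheap check to build into remoting scripts.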
Beyond remoting, continuous monitoring of PowerShell logs can detect and alert on potential abuse. Some of the relevant logging features, such as Deep Script Block Logging, are disabled by default. It has to be enabled, by Group Policy or the equivalent registry policy keys, before the content of every script block PowerShell executes is recorded in the Windows Event Log, where it can be reviewed and fed to detection tooling.
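How to switch on that logging and then actually read what it produces, as an added example that is not part of the Cybersecurity Information Sheet. The registry paths and the event ID (4104) are the standard ones for Windows PowerShell 5.1; the watch-list of strings is an assumption chosen for illustration, not a detection rule the page provides.

```powershell
# Added example (not from the joint Cybersecurity Information Sheet). Run elevated.
# The policy registry paths and event ID 4104 are standard for Windows PowerShell 5.1;
# the $watchList contents are an assumed, illustrative set of strings.

# --- Enable Deep Script Block Logging and module logging via the policy registry keys ---
# Equivalent to Computer Configuration > Administrative Templates > Windows Components
# > Windows PowerShell in Group Policy.
$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

New-Item -Path "$policyRoot\ScriptBlockLogging" -Force | Out-Null
Set-ItemProperty -Path "$policyRoot\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -Type DWord

New-Item -Path "$policyRoot\ModuleLogging\ModuleNames" -Force | Out-Null
Set-ItemProperty -Path "$policyRoot\ModuleLogging" -Name EnableModuleLogging -Value 1 -Type DWord
Set-ItemProperty -Path "$policyRoot\ModuleLogging\ModuleNames" -Name '*' -Value '*'   # log every module

# --- Review what was logged ---
# Script blocks are written to Microsoft-Windows-PowerShell/Operational as event 4104.
# Event properties: [0] MessageNumber, [1] MessageTotal, [2] ScriptBlockText,
# [3] ScriptBlockId, [4] Path. Long scripts are split across several 4104 events
# that share one ScriptBlockId.
$watchList = 'FromBase64String', 'DownloadString', 'Invoke-Expression', '-EncodedCommand', 'IEX'
$since     = (Get-Date).AddHours(-24)

Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-PowerShell/Operational'
    Id        = 4104
    StartTime = $since
} -ErrorAction SilentlyContinue |
ForEach-Object {
    $text = [string]$_.Properties[2].Value
    $hits = $watchList | Where-Object { $text -match [regex]::Escape($_) }
    if ($hits) {
        [PSCustomObject]@{
            Time          = $_.TimeCreated
            ScriptBlockId = $_.Properties[3].Value
            Matched       = ($hits -join ', ')
            Snippet       = $text.Substring(0, [Math]::Min(120, $text.Length))
        }
    }
} | Format-Table -AutoSize
```

Script block logging records the de-obfuscated form of the block as the engine compiles it, which is why matching on the logged text catches encoded or string-built commands that never appear in the original file. PowerShell 7 on Windows uses its own policy root (`HKLM:\SOFTWARE\Policies\Microsoft\PowerShellCore`) and its own log (`PowerShellCore/Operational`), so both have to be configured and queried when both editions are installed.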
In all, PowerShell is an essential tool for securing the Windows operating system. Removing or disabling it would deprive administrators and defenders of the capabilities they rely on for system maintenance, automation, and security operations. The better course is to keep it, configure it properly, restrict who can use its administrative abilities, and enable the logging and remoting protections it already provides.
Download the PDF guide by visiting defense.gov.