There are many benefits to using Windows PowerShell over the more popular command line. But using PowerShell without digitally signing scripts can leave you vulnerable to attacks.
This post explains the importance of PowerShell script signatures and mentions some best practices to keep scripts secure.
What is Windows PowerShell?
Windows PowerShell was designed to replace the command line. Like the command line, PowerShell uses a command line environment that provides access to services on your operating system.
While command line commands still work in PowerShell, PowerShell can perform more complex operations, such as batch renaming files in the same folder.
PowerShell is based on the .NET platform. It is compatible with Windows, macOS and Linux.
Where to find PowerShell in Windows 10
The fastest way to access Windows PowerShell is to use the Run function. Select Run (Windows + R) and enter PowerShell. This should start Windows PowerShell.
You can also go to Start and search for PowerShell. The program should appear as one of the proposals. Click it to run, or right-click and then select Run as administrator to make administrator-level changes.
What is a PowerShell script?
PowerShell scripts enable system administrators to run commands that enable them to manage operating systems through command lines. PowerShell refers to these commands as cmdlets. While the cmdlets may be confusing for non-professionals, administrators find them easier to use than the old standard.
You can use Notepad to write scripts and save them with the .ps1 file extension so that they are recognized as PowerShell scripts.
For security reasons, files saved with this extension cannot be launched by double-clicking.
Why sign a script?
Signing your scripts will do two things. First, it will confirm that the people using the script are also the authors of the script. Secondly, he will make sure that the scripts are not changed in any way.
Group Policy
Group Policy will be assigned to the system. This will affect how your system handles scripts that run on your computer.
- Restricted – scripts will not be executed. This is the default setting.
- RemoteSigned – You can run scripts created by you or by trusted publishers.
- AllSigned – Any script created locally or downloaded can run as long as it is digitally signed.
- Unlimited – run any script after confirmation.
- Bypass – run any script without confirmation.
You can change the policy using the Set-ExecutionPolicy command.
SET-EXECUTIONPOLICY -EXECUTIONPOLICY -SCOPE
If you replace with one of the Group Policy values ??and is replaced with one of the following:
- Process – Only affects the current PowerShell session.
- CurrentUser – the change will affect only the current user.
- LocalMachine – all changes made will affect all users of the computer.
For example, if you need a RemoteSigned policy that enforces the policy for all users, you should use this command:
SET-EXECUTIONPOLICY -EXECUTIONPOLICY REMOTESIGNED -SCOPE LOCALMACHINE
PowerShell Best Practices
Chances are, you won’t be able to disable PowerShell for practical reasons. But there are things you can do to prevent an attack on your system.
Use PowerShell Restricted Language Mode
Restricted Language Mode removes support for advanced features such as .NET and Windows API calls. PowerShell attack tools rely on these features, so a lack of support could halt any attack.
To enable PowerShell using Group Policy, open Group Policy and select Computer Configuration Settings Windows Settings Environment.
Use PowerShell v.5 with Applocker and Device Guard
Version 5 of PowerShell has built-in security features that make it better for corporate environments. Combined with Applocker, it blocks people from unverified locations.
A feature called Device Guard can also be used to use advanced hardware features to whitelist applications. It can also provide forced limited language mode.
PowerShell Activity Log
Activity Monitoring for PowerShell can be enabled by editing Group Policy. For example, Active Directory is a script that logs the use of cmdlets. GroupPolicy does the same, but instead registers the use of the Group Policy cmdlet.
You must submit the logs to a central logging system for them to be useful. Configure logs to send alerts for known attack methods.