Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
Microsoft Security

Microsoft Claims PowerShell Now More Secure (wired.com) 62

An anonymous reader quotes Wired: Last year, well over a third of the incidents assessed by security firm Carbon Black and its partners involved some sort of PowerShell component. But as network defenders catch on to Microsoft's recent release of additional PowerShell protections, the attack sequences that exploit PowerShell are finding some long-overdue resistance... PowerShell 5.0, released last year, added a full suite of expanded logging tools... While it's no panacea, and doesn't keep attackers out, the renewed focus on logging aids flagging and detection. It's a baseline step that helps remediation and response after an attack is over, or if it persists long-term... And PowerShell's recent defense improvements go beyond logs. The framework also recently added "constrained language mode," to create even more control over what commands PowerShell users can execute... The security industry at large has also made strides to determine what baseline normal activity for PowerShell looks like, since deviations could indicate malicious behavior.
Lee Holmes, Microsoft's principal software design engineer for PowerShell, says they've been "laser-focused on security since the very first version," adding that they're now moving towards a more enlightened approach.

"You can focus harder on protecting against breaches and defense in depth, but the enlightened approach is to assume breach and build the muscle on detection and remediation -- make sure that you're really thinking about security end-to-end in a holistic manner."
This discussion has been archived. No new comments can be posted.

Microsoft Claims PowerShell Now More Secure

Comments Filter:
  • That is easy. I would have been impressed had MS managed to make to less secure.
  • You're kidding me! (Score:4, Insightful)

    by GerryGilmore ( 663905 ) on Saturday August 26, 2017 @07:14PM (#55090977)
    Let's start with the operative sentence: "...doesn't keep attackers out, the renewed focus on logging aids flagging and detection. It's a baseline step that helps remediation and response after an attack is over, or if it persists long-term..." Really? Gee - thanks, Mister! After the damage is done - long-term, BTW -we'll have logs! Logs solve everything! Dumbass....
    • Considering the piss poor nature of Windows logging, I'll take even improved logging of events.

    • We're talking about effectively a run-time compiled programming language. You have two choices: 1) You refuse to give the language power to do anything useful 2) You log what it did to detect bad actors.

      The same is true of software. You either grant it the power to do useful things to the system (like copy/paste) or you run high level pattern matching (virus scan/active defense) which watches the processes for suspicious behavior. Even then, encrypting a hard drive is often both a useful and a malicious

  • by gweihir ( 88907 ) on Saturday August 26, 2017 @07:20PM (#55091003)

    MS has been the uncrowned queen of "just barely good enough to make money" forever and people were too stupid to recognize that and stay away. Now they can easily get away with it. Take these new promises for what they are worth: nothing at all.

  • by Gravis Zero ( 934156 ) on Saturday August 26, 2017 @07:28PM (#55091027)

    While it's no panacea, and doesn't keep attackers out...

    Well I'm sold! Say no more!

  • by bugs2squash ( 1132591 ) on Saturday August 26, 2017 @07:37PM (#55091047)
    What class of users should be allowed access to powershell but not to all the commands ? I struggle to imagine that powershell is the domain of anyone who doesn't merit full access to the computer. OK maybe they do exist, but I can't see it being a lot of people. And besides, if the restrictions only apply to powershell people who can grasp powershell have the wherewithal to find other ways to get around them.
  • by Presence Eternal ( 56763 ) on Saturday August 26, 2017 @07:59PM (#55091125)

    Get-AppxPackage -allusers | Remove-AppxPackage

    Need I say more?

  • If you can have a random program remotely run executables with different credentials and elevated privileges in a scripting tool, you've screwed something up.

    These exploits are the equivalent of setting the setuid bit on /bin/bash

    • You don't. This is why you need to set-execution policy remote signed or allsigned off before you can do anything useful.

      • by Junta ( 36770 )

        Of course a cmd/bat file can merrily do that as a prelude to an evil powershell script, so the execution policy is only annoying to legit users without being a significant problem to those that would use ps1 as an attack vector.

        It would be maybe something if ps1 content could execute in some context that cmd/bat files could not (e.g. the way microsoft put activex everywhere), but they know better than to even try that. So they have something that would have mitigated problems they had with ActiveX, but als

  • by Anonymous Coward

    ...the enlightened approach is to [give up on attempting to actually secure the platform] and build the muscle on detection and remediation

    The war is over. The black hats won.

  • "You can focus harder on protecting against breaches and defense in depth, but the enlightened approach is to assume breach and build the muscle on detection and remediation"

    Translation: we can't even figure out how to protect Windows from security breaches.
  • The powershell signing situation always baffled me.

    To run a powershell script, you must sign it. Which is of course terribly inconvenient, but hey, at least it is secure.

    Except you can disable the restrictions easily, so easily in fact that a would be attacker need only do one very minor thing prior to their script having to execute for all this to not matter, and that minor thing is readily accessible through a .bat or .cmd script (which I have seen professional software do even, temporarily relax the pol

    • To disable that restriction you have to have admin rights.
      The main security benefit of signatures is the prevention of someone changing the code. Which is a nice addition that was missing from .bat/.cmd scripts.
      • by Junta ( 36770 )

        It's of limited utility so long as .vbs/.bat/.cmd still can run without such protections in the same context.

        And on the 'you have to have admin rights', there is something deeply wrong with the Windows userbase. I made an app for Windows and made it available to some testers and went to see what they did. About 7 out of 10 of the test users right clicked to 'run as administrator' without even *trying* to run it normally. Even after telling them as the developer of the application that it does not need ad

        • It's of limited utility so long as .vbs/.bat/.cmd still can run without such protections in the same context.

          And on the 'you have to have admin rights', there is something deeply wrong with the Windows userbase. I made an app for Windows and made it available to some testers and went to see what they did. About 7 out of 10 of the test users right clicked to 'run as administrator' without even *trying* to run it normally. Even after telling them as the developer of the application that it does not need admin rights, 2 of them refused to run it normally, because they didn't believe that it could work without it.

          That's why we (or at least I) deny users administrative rights. Expect your users to be useless in regard to security, and harden your systems accordingly.

  • The problem with PowerShell is in its basic design. Merging an embeddable scripting language and a shell is just a lousy idea. How do we know that? Because people in the UNIX world have tried it for decades and it failed every single time. It failed because, among many other problems, securing such a thing is really hard, as Microsoft is discovering. It also failed because creating such a Swiss army knife of a tool means that each individual function just isn't very well supported, and that simple things ge

  • It reminds me of the never-ending claims that "Windows <fill-in-the-version> is the most secure Windows ever".

!07/11 PDP a ni deppart m'I !pleH

Working...