Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Security Windows

NSA Shares Tips On Securing Windows Devices With PowerShell (bleepingcomputer.com) 38

An anonymous reader quotes a report from BleepingComputer: The National Security Agency (NSA) and cybersecurity partner agencies issued an advisory today recommending system administrators to use PowerShell to prevent and detect malicious activity on Windows machines. PowerShell is frequently used in cyberattacks, leveraged mostly in the post-exploitation stage, but the security capabilities embedded in Microsoft's automation and configuration tool can also benefit defenders in their forensics efforts, improve incident response, and to automate repetitive tasks. The NSA and cyber security centers in the U.S. (CISA), New Zealand (NZ NCSC), and the U.K. (NCSC-UK) have created a set of recommendations for using PowerShell to mitigate cyber threats instead of removing or disabling it, which would lower defensive capabilities.

Reducing the risk of threat actors abusing PowerShell requires leveraging capabilities in the framework such as PowerShell remoting, which does not expose plain-text credentials when executing commands remotely on Windows hosts. Administrators should be aware that enabling this feature on private networks automatically adds a new rule in Windows Firewall that permits all connections. Customizing Windows Firewall to allow connections only from trusted endpoints and networks helps reduce an attacker's chance for successful lateral movement. For remote connections, the agencies advise using the Secure Shell protocol (SSH), supported in PowerShell 7, to add the convenience and security of public-key authentication:

- remote connections don't need HTTPS with SSL certificates
- no need for Trusted Hosts, as required when remoting over WinRM outside a domain
- secure remote management over SSH without a password for all commands and connections
- PowerShell remoting between Windows and Linux hosts

Another recommendation is to reduce PowerShell operations with the help of AppLocker or Windows Defender Application Control (WDAC) to set the tool to function in Constrained Language Mode (CLM), thus denying operations outside the policies defined by the administrator. Recording PowerShell activity and monitoring the logs are two recommendations that could help administrators find signs of potential abuse. The NSA and its partners propose turning on features like Deep Script Block Logging (DSBL), Module Logging, and Over-the-Shoulder transcription (OTS). The first two enable building a comprehensive database of logs that can be used to look for suspicious or malicious PowerShell activity, including hidden action and the commands and scripts used in the process. With OTS, administrators get records of every PowerShell input or output, which could help determine an attacker's intentions in the environment.
The full document, titled "Keeping PowerShell: Security Measures to Use and Embrace" is available here (PDF).
This discussion has been archived. No new comments can be posted.

NSA Shares Tips On Securing Windows Devices With PowerShell

Comments Filter:
  • by systemd-anonymousd ( 6652324 ) on Thursday June 23, 2022 @10:32PM (#62646550)

    Step 1: Run everything that O&O Shutup10 does to secure the system and turn off telemetry, spyware, nonconsensual updates, more telemetry, etc.

    Step 2: Run a bunch of hidden powershell commands to remove all that otherwise non-removable crapware installed on your system (search for "powershell remove windows 10 bloatware" for a list of paste-able commands)

    • Re: (Score:2, Interesting)

      by Anonymous Coward

      Step 0: Get your hands on the LTSC variant of Windows, and don't install the bloatware in the first place.

      Almost every corporate machine could run LTSC and function fine. Windows actively deters customers from doing so, since you can actually turn off or not install the annoying-as-fuck features that make them a lot of money.

    • by Anonymous Coward

      There are actually a bunch of settings O&O doesn't turn off. It's a PITA and I don't know why they don't update it.

      For instance:

      • The telemetry setting under Data collection and Preview builds.
      • Windows error reporting.
      • SmartScreen.
      • Customer Experience Improvement Program (Consolidator and UsbCeip).

      There are a couple more but you get the idea. MS keeps sticking more stuff in there every day. I think it's probably best to just stay away from Windows for now.

    • Re: (Score:2, Flamebait)

      by gweihir ( 88907 )

      Alternatively, MS could stop being criminal and make telemetry "off" the default. The GDPR requires it.

      • Alternatively, MS could stop being criminal and make telemetry "off" the default. The GDPR requires it.

        The fact the EU is ignoring this while going after these various tech companies for lesser offenses is fairly telling, isn't it? Microsoft is more powerful than the EU.

        • In the 90s they went after Microsoft for having a web browser built into explorer. Today they steal users' information with no way to stop it, build literal ADS into the OS telling you to stop using Chrome and Firefox and use their browser, and have "are you really sure??" dialogs if you try to run competitors' software.

          Obviously between the 90s and now they started bribing the right politicians.

      • by splutty ( 43475 )

        Technically they aren't criminal. Since the information isn't personalized, which is what the GDPR is about.

        Of course "Anonymous" information is pretty much a lie, but as I said, technically...

    • Wrong Approach. NSA should instruct/Demand MS write/publish and add-on utility. Call it PSH /on/off/log/alert. Pretty obvious. The alert command would, when you next logged on to windows, tell you previous instances of PSH use if the alert flag was set, or if you are logged on, prompt you for permission (with an advisory to say no). These 'Tips' are a trick to stop masses just disabling it altogether, or detecting behind-your-back operations - such as corporate spying. I remember with Novell OS, a user cou
    • by twocows ( 1216842 ) on Friday June 24, 2022 @07:17AM (#62647266)
      I prefer Privatezilla [github.com] myself.
      • by AmiMoJo ( 196126 )

        PrivateZilla seems to be abandoned. It says it supports up to Windows 10 v 2009, which is from 2020.

  • log everything that happens on my system. The NSA would never lead me astray right?
    • by youn ( 1516637 )

      such public recommendations wouldn't be a primary worry because they know they will be scrutinized by security researchers all around. They likely have no problem finding flaws even when the system has been completely secured.

      It's more threats/misconfigurations/social engineering techniques that you haven't heard about that would be a more likely vector.

      Though it seems paradoxical, you have to admit that over the years they have provided a few features/ recommendations to improve security like SELinux

      One of

    • by gweihir ( 88907 )

      Well, the thing is they are not wrong in the given context.

    • Don't worry. They got you covered.
      If you fail to log everything, NSA will do it for you.
      If you fail to backup everything, NSA will do it for you.

  • What a surprise. It is also much older. Shows the quality of fumbling, no-clue MS "engineering" nicely.

    • Older than what? Powershell? Is it better or is it just another way to do transport encryption with public keys?

"I shall expect a chemical cure for psychopathic behavior by 10 A.M. tomorrow, or I'll have your guts for spaghetti." -- a comic panel by Cotham

Working...