NSA Shares Tips On Securing Windows Devices With PowerShell (bleepingcomputer.com)
An anonymous reader quotes a report from BleepingComputer: The National Security Agency (NSA) and partner cybersecurity agencies issued an advisory today recommending that system administrators use PowerShell to prevent and detect malicious activity on Windows machines. PowerShell is frequently used in cyberattacks, mostly in the post-exploitation stage, but the security capabilities built into Microsoft's automation and configuration tool can also support defenders' forensics efforts, improve incident response, and automate repetitive tasks. The NSA and the cybersecurity centers of the U.S. (CISA), New Zealand (NZ NCSC), and the U.K. (NCSC-UK) have created a set of recommendations for using PowerShell to mitigate cyber threats instead of removing or disabling it, which would lower defensive capabilities.
Reducing the risk of threat actors abusing PowerShell means leveraging capabilities built into the framework, such as PowerShell remoting, which does not expose plaintext credentials when executing commands remotely on Windows hosts. Administrators should be aware that enabling this feature on private networks automatically adds a Windows Firewall rule that permits connections from any remote address. Restricting that rule to trusted endpoints and management networks reduces an attacker's chance of successful lateral movement. For remote connections, the agencies advise using the Secure Shell protocol (SSH), supported in PowerShell 7, which adds the convenience and security of public-key authentication:
- remote connections don't need HTTPS with SSL certificates
- no need for Trusted Hosts, as required when remoting over WinRM outside a domain
- secure remote management over SSH without a password for all commands and connections
- PowerShell remoting between Windows and Linux hosts
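The following script shows the two remoting hardening steps described above in practice: scoping the inbound WinRM firewall rule that Enable-PSRemoting creates down to a management subnet, and then setting up PowerShell 7 remoting over OpenSSH with public-key authentication only. It is an added example, not code from the advisory or from the BleepingComputer article. The management subnet (10.0.10.0/24), the single jump host (10.0.11.5), and the hostname server01 are assumed values; the pwsh subsystem line and the icacls command follow Microsoft's published setup for SSH remoting. Run it elevated on the managed Windows host.

```powershell
# Added example (not from the advisory). Run elevated on the Windows host being managed.
# Part 1 needs Windows PowerShell 5.1 or later; part 2 needs PowerShell 7 and the OpenSSH Server capability.

# ---- Part 1: WinRM remoting, with the auto-created firewall rule narrowed to trusted sources ----
Enable-PSRemoting -Force
# On Domain/Private profiles this created the "Windows Remote Management" inbound rules,
# which accept TCP 5985 from any remote address. Restrict them to the management network.
$mgmtSources = @('10.0.10.0/24', '10.0.11.5')        # ASSUMED management subnet and jump host; adjust
Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' |
    Where-Object Direction -eq 'Inbound' |
    Set-NetFirewallRule -RemoteAddress $mgmtSources

# Verify the scope actually applied (expect only the addresses above, not "Any")
Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' |
    Get-NetFirewallAddressFilter |
    Select-Object RemoteAddress

# ---- Part 2: SSH-based remoting for PowerShell 7 (no TrustedHosts, no HTTPS listener, key auth only) ----
Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0
Set-Service -Name sshd -StartupType Automatic
Start-Service sshd

$sshdConfig = Join-Path $env:ProgramData 'ssh\sshd_config'
# 8.3 short path avoids the space in "Program Files"; -sshs puts pwsh into SSH-subsystem mode
$subsystem  = 'Subsystem powershell c:/progra~1/powershell/7/pwsh.exe -sshs -nologo'

$lines = [System.Collections.Generic.List[string]](Get-Content $sshdConfig)
if (-not ($lines -match '^\s*Subsystem\s+powershell\b')) {
    # The Subsystem directive must come BEFORE any "Match" block, or sshd refuses to start.
    $i = $lines.FindIndex({ param($l) $l -match '^\s*Match\b' })
    if ($i -lt 0) { $lines.Add($subsystem) } else { $lines.Insert($i, $subsystem) }
}
# Turn off password logins so only public keys are accepted (default file has "#PasswordAuthentication yes")
$lines = $lines -replace '^#?PasswordAuthentication\s+\w+', 'PasswordAuthentication no'
Set-Content -Path $sshdConfig -Value $lines

# Members of Administrators authenticate against this file, and sshd rejects it unless its ACL
# is limited to SYSTEM and Administrators. Append the management workstation's public key to it first.
$adminKeys = Join-Path $env:ProgramData 'ssh\administrators_authorized_keys'
if (-not (Test-Path $adminKeys)) { New-Item -ItemType File -Path $adminKeys | Out-Null }
icacls.exe $adminKeys /inheritance:r /grant 'Administrators:F' /grant 'SYSTEM:F'

Restart-Service sshd

# ---- Client side (Windows or Linux pwsh): key-based session, no WinRM TrustedHosts entry required ----
# Invoke-Command -HostName server01 -UserName admin -KeyFilePath ~/.ssh/id_ed25519 -ScriptBlock { hostname }
```

The firewall narrowing is worth re-checking after any later Enable-PSRemoting run or Group Policy refresh, since either can reset the rule's remote-address scope. Enable-PSRemoting only targets WinRM; the SSH listener on TCP 22 gets its own firewall rule when the capability is installed and should be scoped to the same management sources with Set-NetFirewallRule in the same way.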
Another recommendation is to restrict PowerShell operations with AppLocker or Windows Defender Application Control (WDAC), which put the tool into Constrained Language Mode (CLM) and deny operations outside the policies defined by the administrator. Recording PowerShell activity and monitoring the logs are two further recommendations that help administrators find signs of abuse. The NSA and its partners propose turning on Deep Script Block Logging (DSBL), Module Logging, and Over-the-Shoulder transcription (OTS). The first two build a comprehensive log record that can be searched for suspicious or malicious PowerShell activity, including obfuscated actions and the commands and scripts used. With OTS, administrators get a record of every PowerShell input and output, which can help determine an attacker's intentions in the environment. The full document, titled "Keeping PowerShell: Security Measures to Use and Embrace", is available here (PDF).
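To make the logging recommendations concrete, the script below enables script block logging, module logging and transcription through the same registry values the corresponding Group Policy settings write, verifies whether the host is running in Constrained Language Mode, and then runs a simple hunt over the resulting 4104 events. It is an added example and not code from the advisory; the transcript share \\logsrv\pstranscripts$ and the pattern list are assumptions for illustration, and the hunt's regex is a starting point rather than a complete detection. Run it elevated.

```powershell
# Added example (not from the advisory). Run elevated.
# These registry paths are what the "Turn on PowerShell Script Block Logging", "Turn on Module Logging"
# and "Turn on PowerShell Transcription" Group Policy settings write for Windows PowerShell 5.1.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

# Deep script block logging: every script block that runs is recorded as Event ID 4104
# in Microsoft-Windows-PowerShell/Operational, after de-obfuscation at parse time.
New-Item -Path "$base\ScriptBlockLogging" -Force | Out-Null
Set-ItemProperty -Path "$base\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -Type DWord

# Module logging: pipeline execution details as Event ID 4103; '*' covers every module.
New-Item -Path "$base\ModuleLogging\ModuleNames" -Force | Out-Null
Set-ItemProperty -Path "$base\ModuleLogging" -Name EnableModuleLogging -Value 1 -Type DWord
Set-ItemProperty -Path "$base\ModuleLogging\ModuleNames" -Name '*' -Value '*' -Type String

# Over-the-shoulder transcription: full input and output of every session, written to a
# central share. ASSUMED share path; make it write-only for clients so attackers cannot read or prune it.
New-Item -Path "$base\Transcription" -Force | Out-Null
Set-ItemProperty -Path "$base\Transcription" -Name EnableTranscripting    -Value 1 -Type DWord
Set-ItemProperty -Path "$base\Transcription" -Name EnableInvocationHeader -Value 1 -Type DWord
Set-ItemProperty -Path "$base\Transcription" -Name OutputDirectory -Value '\\logsrv\pstranscripts$' -Type String

# PowerShell 7 reads its own policy branch; this flag tells it to honour the Windows PowerShell values above.
$core = 'HKLM:\SOFTWARE\Policies\Microsoft\PowerShellCore'
foreach ($k in 'ScriptBlockLogging', 'ModuleLogging', 'Transcription') {
    New-Item -Path "$core\$k" -Force | Out-Null
    Set-ItemProperty -Path "$core\$k" -Name UseWindowsPowerShellPolicySetting -Value 1 -Type DWord
}

# Constrained Language Mode is not a switch: it is the effect of an AppLocker or WDAC policy that
# treats this host as locked down. Confirm the effective mode on a policy-enforced host.
"LanguageMode: $($ExecutionContext.SessionState.LanguageMode)"   # expect ConstrainedLanguage when enforced

# Hunt: script blocks from the last 24 hours carrying classic download-and-execute or encoding idioms.
$suspicious = 'FromBase64String|DownloadString|DownloadFile|Invoke-Expression|\bIEX\b|Net\.WebClient|-[Ee]nc(odedCommand)?\b'
$filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = (Get-Date).AddDays(-1) }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[2].Value -match $suspicious } |          # Properties[2] is ScriptBlockText
    Select-Object TimeCreated,
                  @{ n = 'Sid';     e = { $_.UserId } },
                  @{ n = 'Path';    e = { $_.Properties[4].Value } },     # empty for interactive/in-memory blocks
                  @{ n = 'Snippet'; e = { ($_.Properties[2].Value -split "`n")[0].Trim() } }
```

Two practical caveats: 4104 events for long scripts are split into several fragments (Properties[0] and [1] carry the fragment index and count), so a pattern that straddles a boundary will be missed unless fragments are reassembled by ScriptBlockId first; and transcripts are plain text under the user's control unless the output directory is a share where the client has write-but-not-read access.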
For every new install (Score:5, Interesting)
Step 1: Run everything that O&O Shutup10 does to secure the system and turn off telemetry, spyware, nonconsensual updates, more telemetry, etc.
Step 2: Run a bunch of hidden powershell commands to remove all that otherwise non-removable crapware installed on your system (search for "powershell remove windows 10 bloatware" for a list of paste-able commands)
Re: (Score:2, Interesting)
Step 0: Get your hands on the LTSC variant of Windows, and don't install the bloatware in the first place.
Almost every corporate machine could run LTSC and function fine. Windows actively deters customers from doing so, since you can actually turn off or not install the annoying-as-fuck features that make them a lot of money.
Re: (Score:2)
Agree, get LTSC and then run Blackbird https://www.getblackbird.net/ [getblackbird.net] which ironically is a PowerShell script.
Hasn't been updated since Nov 2020??
Re: (Score:1)
There are actually a bunch of settings O&O doesn't turn off. It's a PITA and I don't know why they don't update it.
For instance:
There are a couple more but you get the idea. MS keeps sticking more stuff in there every day. I think it's probably best to just stay away from Windows for now.
Re: (Score:2, Flamebait)
Alternatively, MS could stop being criminal and make telemetry "off" the default. The GDPR requires it.
Re: (Score:2)
Alternatively, MS could stop being criminal and make telemetry "off" the default. The GDPR requires it.
The fact the EU is ignoring this while going after these various tech companies for lesser offenses is fairly telling, isn't it? Microsoft is more powerful than the EU.
Re: (Score:2)
In the 90s they went after Microsoft for having a web browser built into Explorer. Today they steal users' information with no way to stop it, build literal ADS into the OS telling you to stop using Chrome and Firefox and use their browser, and have "are you really sure??" dialogs if you try to run competitors' software.
Obviously between the 90s and now they started bribing the right politicians.
Re: (Score:3)
Technically they aren't criminal, since the information isn't personalized, which is what the GDPR is about.
Of course "Anonymous" information is pretty much a lie, but as I said, technically...
Re: (Score:2)
That is probably what they are riding on, yes.
Re: (Score:3)
The problem isn't the updates. The problem is that Windows *decides* for you when it *restarts* your machine.
Turning this off is actually a pretty involved affair, when it should just be a button "DO NOT FUCKING AUTOMATICALLY RESTART MY MACHINE. EVER."
And no. "Setting active hours" is not a solution.
Re: For every new install (Score:2)
Yep, this makes Notepad windows for taking notes worthless. Auto reboots close unsaved Notepad windows and there goes my multi-day buffer of commands/history.
Glad I ditched corporate use of windows back in 2010.
Re: (Score:2)
Switch to a better notepad.
Re: (Score:2)
The problem is that Windows *decides* for you when it *restarts* your machine.
No it doesn't. Windows presents you the option of when to restart the machine. Seriously, was the last time you used a Windows machine in 2015? Maybe you should stop commenting about things you know nothing about.
Re: (Score:2)
You're cute. And I guess you're not using Windows 10 with its hard 2 month limit.
Re: (Score:3)
At what point is showing the weather and news stories at the ZIP code near the current IP address of the computer a security[0] update? Or creating a shortcut to a video streaming service in the menu? Or changing my default browser back to "Edgium" for those sweet Bing hits?
Trusting Windows 7 to install "security updates only" meant waking up to a fresh install of Windows 10 and a whole crop of fresh "wormable exploits" right out of the box. Even using ShutUp10 to disable everything doesn't work -- a servi
Re: (Score:2)
At what point is showing the weather and news stories at the ZIP code near the current IP address of the computer a security[0] update?
If you expect security updates without feature updates you're incredibly ignorant of how software development works. Security updates are far easier to manage when you target a single platform or version.
But that's beside the point, since you clearly don't seem to understand how Windows Update actually delivers updates. Hint: security updates are not the same as updating the weather. That's known as a feature update, and can be deferred or optionally not installed. Heck, if I go into Windows Update right now
Re: (Score:2)
>Also username checks out. It's like you personify the worst of everything in IT in one complete package.
Huh? If you think users shouldn't have control over their own machines you should love systemd
Re: (Score:2)
PrivateZilla seems to be abandoned. It says it supports up to Windows 10 v 2009, which is from 2020.
The NSA recommends that I... (Score:1)
Re: (Score:3)
such public recommendations wouldn't be a primary worry because they know they will be scrutinized by security researchers all around. They likely have no problem finding flaws even when the system has been completely secured.
It's more threats/misconfigurations/social engineering techniques that you haven't heard about that would be a more likely vector.
Though it seems paradoxical, you have to admit that over the years they have provided a few features/ recommendations to improve security like SELinux
One of
Re: (Score:2)
Well, the thing is they are not wrong in the given context.
NSSA got you covered. (Score:2)
Don't worry. They got you covered.
If you fail to log everything, NSA will do it for you.
If you fail to backup everything, NSA will do it for you.
Re: (Score:2)
Seen on a T-shirt: "NSA: Listening to all your conspiracy theories when nobody else does."
Securing Windows Devices? (Score:1)
So SSH is much better than the MS-crap? (Score:1)
What a surprise. It is also much older. Shows the quality of fumbling, no-clue MS "engineering" nicely.
Best command to secure Windows machines... (Score:1, Troll)
format c: