The NSA wants to help you lock down MS Windows in PowerShell


A new cheat sheet from four infosec agencies is doing the rounds. The NSA and CISA, along with their cousins in the UK and New Zealand, have come up with new recommendations for securing your Windows PCs and servers.

The idea is to use PowerShell for good, rather than letting the scrotes abuse it to “live off the land”. The basic themes are:
• Lock it down to prevent abuse
• Enable enhanced security features
• Update to the latest version, and
• Enable additional logging to detect break-ins.


But how do you do it? And do you trust the NSA? In today’s SB Blogwatch, we’re from the government and we’re here to help.

Your humble blogwatcher has curated these blog bits for your entertainment. Not forgetting: Domestic otters, redux.

Make Monad Great Again

What’s the craic? Ionut Ilascu reports—“NSA shares guidance on securing Windows devices with PowerShell”:

Signs of potential abuse
NSA and Cyber Security Centers in the United States (CISA), New Zealand [GCSB], and the UK (NCSC) have created a set of recommendations for using PowerShell… to prevent and detect malicious activity on Windows machines. …When properly configured and managed, PowerShell can be a reliable tool for system maintenance, investigation, automation, and security.

To reduce the risk of malicious actors abusing PowerShell, leverage framework capabilities such as PowerShell remoting. … For remote connections, the agencies recommend using the Secure Shell (SSH) protocol, supported in PowerShell 7. … Another recommendation is to minimize PowerShell operations using AppLocker or Windows Defender Application Control (WDAC) to configure the tool to operate in Constrained Language Mode (CLM).

Recording PowerShell activity and monitoring logs are two recommendations that could help administrators find signs of potential abuse. The NSA and its partners are offering to enable features such as Deep Script Block Logging (DSBL), Module Logging, and Over-the-Shoulder transcription (OTS).
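The three logging features named above are plain registry-backed policy settings. The following is an added example (not from the advisory or the article) that switches them on for Windows PowerShell 5.1 and then reports the state a defender cares about; the transcript directory is an assumption, and PowerShell 7 reads its own PowerShellCore policy key unless it is told to use the Windows PowerShell settings.

```powershell
#Requires -RunAsAdministrator
# Added example: enable DSBL, Module Logging and OTS transcription, then report.
$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Set-PolicyValue {
    param([string]$SubKey, [string]$Name, $Value, [string]$Type = 'DWord')
    $path = Join-Path $PolicyRoot $SubKey
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }   # creates parent keys too
    New-ItemProperty -Path $path -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

# Deep Script Block Logging (DSBL): event ID 4104 in Microsoft-Windows-PowerShell/Operational
Set-PolicyValue -SubKey 'ScriptBlockLogging' -Name 'EnableScriptBlockLogging' -Value 1

# Module Logging for every module ('*'): pipeline execution details, event ID 4103
Set-PolicyValue -SubKey 'ModuleLogging' -Name 'EnableModuleLogging' -Value 1
Set-PolicyValue -SubKey 'ModuleLogging\ModuleNames' -Name '*' -Value '*' -Type 'String'

# Over-the-Shoulder (OTS) transcription: full session transcripts. The directory is an
# assumption for this example; in practice restrict it so users cannot read or edit
# each other's transcripts, and ship it off-host.
$TranscriptDir = 'C:\PSTranscripts'
Set-PolicyValue -SubKey 'Transcription' -Name 'EnableTranscripting' -Value 1
Set-PolicyValue -SubKey 'Transcription' -Name 'EnableInvocationHeader' -Value 1
Set-PolicyValue -SubKey 'Transcription' -Name 'OutputDirectory' -Value $TranscriptDir -Type 'String'

# Report engine version, language mode (ConstrainedLanguage once a WDAC/AppLocker
# policy applies), registered remoting endpoints, and whether 4104 events are flowing.
function Get-PowerShellHardeningReport {
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = (Get-Date).AddHours(-1)
    } -ErrorAction SilentlyContinue
    [pscustomobject]@{
        EngineVersion             = $PSVersionTable.PSVersion.ToString()
        LanguageMode              = $ExecutionContext.SessionState.LanguageMode
        RemotingEndpoints         = (Get-PSSessionConfiguration | Select-Object -ExpandProperty Name) -join ', '
        ScriptBlockEventsLastHour = @($events).Count
    }
}

Get-PowerShellHardeningReport
```

The RemotingEndpoints column is the place to look when deciding which legacy 5.1 endpoints still accept remote connections after a 7.x upgrade.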

What caused this? Arielle Waldman explains, “Ongoing PowerShell security threats prompt action”:

Restrict PowerShell operations
PowerShell can be an integral part of cybercriminals using “live off the land” techniques, meaning they use legitimate software and functions for malicious purposes. …factors that make Microsoft PowerShell valuable to IT admins, such as remote PC administration and diagnostics, also make it useful to attackers, many of whom use PowerShell as a post-exploitation tool. … “This has prompted some net advocates to disable the Windows tool,” a spokesperson for the US National Security Agency (NSA) said. … “NSA and its partners advise against doing so.”

IT pros are advised to use application controls that would help restrict PowerShell operations unless authorized by the administrator. The authorities also advise implementing the Antimalware Scanning Interface feature, which was first available with Windows 10. Additionally, the Joint Cybersecurity Group advises the use of multiple authentication methods in PowerShell to allow use on non-Windows devices.

And not all versions of PowerShell are equal, as Connor Jones points out—“Adopt PowerShell for better security”:

Upgrade to latest version
PowerShell is both a scripting language and a command-line tool that comes standard with Windows. [But] while PowerShell 7.2 is the latest version, version 5.1 comes standard.

Authorities said that with proper configuration, organizations can keep the same scripts, modules, and commands after upgrading to the latest version. …“Recent releases of PowerShell with enhanced capabilities and options may help defenders counter PowerShell abuse,” …the advisory reads.

But DCdave isn’t so sure:

Powershell 7.2 improves on 5.1? …Not so sure about that.

It’s newer, but it has some compromises due to portability. If you’re setting up a new environment from scratch, then maybe go for it.

Also, using 7.2 isn’t enough anyway, you actually have to disable 5.1 somehow, at least for remote access. Otherwise, all you do is stop using 5.1 and leave it open for anyone who wants to use it.

Should I trust the NSA’s security recommendations? Could the logs be used against me? Iamthecheese seems slightly sarcastic:

The NSA recommends that I log everything that happens on my system. The NSA would never mislead me, would they?

Or am I opening a back door? So Lis worries:

If the “cyber” security people say to keep something, I’d get rid of it if I could.

Trust the [NSA]? I do not think so.

However, you suspect that there is a problem:

Such public recommendations would not be a major concern as they know they will be closely scrutinized by security researchers. They probably have no problem finding vulnerabilities even when the system has been completely secured.

Although it sounds counterintuitive, you have to admit that over the years they have provided some features/recommendations to improve security, like SELinux. … If you think a bit further, it actually makes sense to encourage securing the average enterprise/computer given the number of malicious actors that can threaten the economy.

Wait. Pause. Claptrap314 certainly did:

I think I see a problem in the “Securing the Windows OS” premise.

Meanwhile, trust doragasu to do the obvious gag:

The best command to secure Windows machines? FORMAT C:

And finally:

Time to check in on Kotaro and Hana.

Previously in And finally

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best blogs, the best forums, and the weirdest websites…so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

Image sauce: Kat Med (via Unsplash; leveled and cropped)

