
'Embrace PowerShell for better security', say UK, US, NZ cyber authorities

The powerful automation and IT administration tool has been turned against organisations by attackers, but proper configuration can take the power out of their hands

National cyber security authorities in the UK, US, and New Zealand have issued guidance to IT administrators on how to use PowerShell to secure their organisations.

The three countries recommend admins “embrace” PowerShell both on-prem and in the cloud via Microsoft Azure to securely manage resources, despite fears that the tool can be used by hackers after initially exploiting a business.


PowerShell is both a scripting language and a command-line tool that ships with Windows as standard. It lets admins run automated commands and apply configurations en masse, and it can also support cyber forensics and improve incident response, the authorities said.

Some admins have considered blocking the use of PowerShell in their IT environments as a consequence of the threat it presents if hackers breach their systems.

The cyber authorities instead recommend securing PowerShell itself so it can be used as a powerful security tool without concern of abuse.

“Blocking PowerShell hinders defensive capabilities that current versions of PowerShell can provide, and prevents components of the Windows operating system from running properly,” the advisory read.

“Recent versions of PowerShell with improved capabilities and options can assist defenders in countering abuse of PowerShell.”

While PowerShell 7.2 is the latest release, version 5.1 is shipped as standard in Windows 10 and newer. The authorities said that with proper configuration, organisations can keep the same scripts, modules, and commands after upgrading to the latest version.

Among the list of recommendations to combat abuse is the proper use of PowerShell remoting to prevent exposing credentials to remote hosts and to protect the organisation’s network.

PowerShell’s antimalware scan interface (AMSI) feature is also recommended for use in conjunction with third-party anti-virus products like Windows Defender and McAfee Total Protection. AMSI can scan scripts and detect if they are malicious in nature before they are executed.

There are also a number of techniques that, when used routinely, let admins detect abuse. Deep Script Block Logging (DSBL) records every PowerShell command and script block as it is executed, including activity that is hidden or obfuscated in the script as written.

When DSBL is used together with module logging and over-the-shoulder transcription, three features that are disabled by default, admins can unearth potential abuses of PowerShell.
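As an added example (not code from the article or the advisory), the following PowerShell turns on the three logging features named above through their Group Policy-backed registry values and then reads back recent script block events. It assumes an elevated PowerShell 5.1 or later session on Windows 10 or newer, and uses C:\PSTranscripts as a constructed transcript directory that should be restricted to administrators.

```powershell
# Added example: enable script block logging, module logging and transcription via
# the policy registry keys PowerShell reads, then list recent script block events.
# Assumes an elevated session; C:\PSTranscripts is a constructed, access-controlled path.

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Set-PolicyValue {
    param([string]$SubKey, [string]$Name, $Value, [string]$Type = 'DWord')
    $path = Join-Path $PolicyRoot $SubKey
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    New-ItemProperty -Path $path -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

function Enable-PowerShellLogging {
    param([string]$TranscriptDir = 'C:\PSTranscripts')   # constructed location

    # Deep script block logging: Event ID 4104 in Microsoft-Windows-PowerShell/Operational
    Set-PolicyValue -SubKey 'ScriptBlockLogging' -Name 'EnableScriptBlockLogging' -Value 1

    # Module logging for every module: Event ID 4103 (pipeline execution details)
    Set-PolicyValue -SubKey 'ModuleLogging' -Name 'EnableModuleLogging' -Value 1
    Set-PolicyValue -SubKey 'ModuleLogging\ModuleNames' -Name '*' -Value '*' -Type 'String'

    # Over-the-shoulder transcription: the full session text is written to $TranscriptDir
    if (-not (Test-Path $TranscriptDir)) { New-Item -ItemType Directory -Path $TranscriptDir | Out-Null }
    Set-PolicyValue -SubKey 'Transcription' -Name 'EnableTranscripting' -Value 1
    Set-PolicyValue -SubKey 'Transcription' -Name 'EnableInvocationHeader' -Value 1
    Set-PolicyValue -SubKey 'Transcription' -Name 'OutputDirectory' -Value $TranscriptDir -Type 'String'
}

function Get-RecentScriptBlocks {
    # Returns the text of recent 4104 events. Warning-level (3) entries are blocks that
    # PowerShell itself flagged as suspicious; it records those even before the policy is on.
    param([int]$MaxEvents = 20, [switch]$WarningsOnly)
    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 }
    if ($WarningsOnly) { $filter['Level'] = 3 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Time   = $_.TimeCreated
                Level  = $_.LevelDisplayName
                Script = $_.Properties[2].Value   # ScriptBlockText is the third 4104 property
            }
        }
}

Enable-PowerShellLogging
Get-RecentScriptBlocks -WarningsOnly | Format-Table -Wrap
```

In a managed estate the same values are normally set centrally through Group Policy (Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell) rather than per host, and the 4103/4104 events and transcript files should be forwarded to a central log store so they survive if the host is compromised.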

The full list of recommendations for admins looking to secure and continue to benefit from PowerShell can be found in the security advisory.

The cyber authorities said PowerShell is “essential” to secure Windows properly, and that newer versions of the tool have eliminated shortcomings and limitations of older builds.

“Removing or improperly restricting PowerShell would prevent administrators and defenders from utilising PowerShell to assist with system maintenance, forensics, automation, and security,” said the authorities.

“PowerShell, along with its administrative abilities and security measures, should be managed properly and adopted.”
