The NSA wants to help you lock down MS Windows in PowerShell

A new cheat sheet from four information security agencies is doing the rounds. The NSA and CISA, along with their cousins in the UK and New Zealand, have come up with some new recommendations to protect your Windows PCs and servers.

The idea is to use PowerShell for good, instead of letting the scrotes misuse it to “live off the land”. The basic topics are:
• Locking it down to prevent abuse
• Enabling enhanced security features
• Updating to the latest version, and
• Enabling additional logging to detect abuse.

But can you trust the NSA? In today’s SB Blogwatch, we’re from the government and we’re here to help.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: domestic otters, redux.

Make cute great again

What’s the craic? Ionut Ilascu reports—“NSA shares tips on protecting Windows devices with PowerShell”:

Signs of possible abuse
NSA and cyber security centers in the US (CISA), New Zealand [GCSB] and the United Kingdom (NCSC) have created a set of recommendations for using PowerShell… to prevent and detect malicious activity on Windows machines. … When properly configured and managed, PowerShell can be a reliable tool for system maintenance, forensics, automation, and security.

Reducing the risk of threat actors abusing PowerShell requires leveraging capabilities in the framework, such as PowerShell remoting. … For remote connections, the agencies advise using the Secure Shell (SSH) protocol, which is compatible with PowerShell 7. … Another recommendation is to reduce PowerShell operations with the help of AppLocker or Windows Defender Application Control (WDAC) to configure the tool so that it works in Constrained Language Mode (CLM).

Logging PowerShell activity and monitoring logs are two recommendations that could help administrators find signs of potential abuse. The NSA and its partners propose to enable features such as deep script block logging (DSBL), module logging, and over-the-shoulder transcription (OTS).
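As an added example (not from the advisory or from the articles quoted above), this PowerShell script audits whether a host has the logging controls, language mode and version the agencies recommend. It assumes the documented Group Policy registry locations under HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell and an elevated session.

```powershell
# Added audit script (not from the advisory or the quoted articles): reads the
# Group Policy registry keys that switch on the recommended logging features and
# reports the live language mode and version. Run in an elevated session.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Get-PolicyValue([string]$SubKey, [string]$Name) {
    # Returns $null when the policy key or value has never been set.
    $key = Get-Item -Path (Join-Path $base $SubKey) -ErrorAction SilentlyContinue
    if ($key) { $key.GetValue($Name) }
}

function Test-PolicyEnabled([string]$SubKey, [string]$Name) {
    (Get-PolicyValue $SubKey $Name) -eq 1
}

$sbl = Test-PolicyEnabled 'ScriptBlockLogging' 'EnableScriptBlockLogging'

# The module logging flag does nothing unless ModuleNames says which modules to
# log; a value named '*' covers all of them.
$mod = (Test-PolicyEnabled 'ModuleLogging' 'EnableModuleLogging') -and
       ($null -ne (Get-PolicyValue 'ModuleLogging\ModuleNames' '*'))

# Transcripts should land on a remote, write-only share: a local attacker can
# otherwise edit or delete them.
$ots    = Test-PolicyEnabled 'Transcription' 'EnableTranscripting'
$otsDir = Get-PolicyValue 'Transcription' 'OutputDirectory'

$results = @(
    [pscustomobject]@{ Control = 'Deep script block logging (Event ID 4104)'
                       Status  = if ($sbl) { 'Enabled' } else { 'MISSING' } }
    [pscustomobject]@{ Control = 'Module logging (Event ID 4103), scoped to *'
                       Status  = if ($mod) { 'Enabled' } else { 'MISSING' } }
    [pscustomobject]@{ Control = 'Over-the-shoulder transcription'
                       Status  = if (-not $ots) { 'MISSING' }
                                 elseif ($otsDir) { "Enabled -> $otsDir" }
                                 else { 'Enabled, but local default directory' } }
    # CLM is enforced by AppLocker/WDAC, so it can only be read from the live session.
    [pscustomobject]@{ Control = 'Language mode (this session)'
                       Status  = [string]$ExecutionContext.SessionState.LanguageMode }
    # 5.1 ships by default; 7.x adds SSH remoting, and 5.1 should then be restricted.
    [pscustomobject]@{ Control = 'PowerShell version'
                       Status  = $PSVersionTable.PSVersion.ToString() }
)

$results | Format-Table -AutoSize
```

Any row reporting MISSING is a gap the Event Viewer channel Microsoft-Windows-PowerShell/Operational will not fill, so fix it before relying on those logs for detection.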

What caused this? Arielle Waldman explains—“Ongoing PowerShell security threats prompt a call to action”:

Restrict PowerShell operations
PowerShell can be integral to cybercriminals who employ “living off the land” techniques, meaning they use legitimate features and software for malicious purposes. … The factors that make Microsoft PowerShell valuable to IT administrators, such as remote management and diagnosis of a PC, also make it useful to attackers, many [of whom] use PowerShell as a post-exploitation tool. … “This has led some network advocates to disable the Windows tool,” said a US National Security Agency (NSA) spokesperson. … “NSA and its partners advise against doing so.”

IT professionals are encouraged to use application controls that would help restrict PowerShell operations unless allowed by the administrator. Authorities also recommend implementing the anti-malware scanning interface feature, which was first made available with Windows 10. In addition, the joint cybersecurity group recommends using multiple authentication methods in PowerShell to allow use on non-Windows devices.

And not all versions of PowerShell are the same, as Connor Jones points out—“Adopt PowerShell for better security”:

Updating to the latest version
PowerShell is both a scripting language and a command line tool that ships with Windows as standard. [But] while PowerShell 7.2 is the latest version, version 5.1 ships as standard.

Authorities said that with proper configuration, organizations can keep the same scripts, modules, and commands after upgrading to the latest version. … “Recent versions of PowerShell with enhanced capabilities and options may help defenders counter PowerShell abuse,” … the advisory read.

But DCave isn’t so sure about that:

Does PowerShell 7.2 improve on 5.1? … I’m not so sure about that.

It’s newer, but has some compromises due to portability. If you’re setting up a new environment from scratch, then maybe go for it.

Also, just using 7.2 isn’t enough anyway, you actually need to disable 5.1 somehow, at least for remote access. Otherwise, all you’re doing is deprecating 5.1 and leaving it open for anyone who wants to use it.

Should I trust the NSA’s security recommendations? Could the logs be used against me? I am the cheese sounds a tad sarcastic:

The NSA recommends that I log everything that happens on my system. The NSA would never lead me astray, right?

Or is it actually opening a back door? lys worries so:

If the “cyber” security people say to save something, I’d get rid of it if I could.

Trust them [NSA]? I don’t think so.

Nevertheless, young man doubts there’s a problem:

Such public recommendations would not be a primary concern because they know they will be scrutinized by security researchers around the world. They are likely to have no trouble finding faults, even when the system has been fully secured.

Although it seems paradoxical, you have to admit that over the years they have provided some features/recommendations to improve security, such as SELinux. … If you think a step further, it actually makes sense to encourage protection of the average business/computer considering the number of bad actors that can threaten the economy.

Wait. Pause. claptrap314 certainly did:

I think I see a problem in the premise “Secure Windows OS”.

Meanwhile, trust doragasu to make the obvious joke:

Best command to protect Windows machines? FORMAT C:

And finally:

It’s about time we checked Kotaro and Hana.

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites… so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE. 30

Image sauce: cat med (via Unsplash; leveled and cropped)