PowerShell Security Best Practices
Last Updated: October 26, 2023
This article outlines essential best practices for securing your PowerShell environment, mitigating risks, and ensuring compliant execution of scripts.
1. Execution Policy Management
The PowerShell execution policy controls the conditions under which PowerShell loads configuration files and runs scripts. It's a crucial first line of defense.
- Restricted: No scripts can be run.
- AllSigned: Only scripts signed by a trusted publisher can be run.
- RemoteSigned: Downloads from the internet must be signed by a trusted publisher. Local scripts can run without signing.
- Unrestricted: All scripts can be run. (Not Recommended)
- Bypass: Nothing is blocked, and there are no warnings or prompts.
We recommend using RemoteSigned as a minimum for most environments. To check the current policy, use:
Get-ExecutionPolicy -List
To set the policy for the current user (requires administrator privileges):
Set-ExecutionPolicy RemoteSigned -Scope CurrentUser
Note: The -Scope Process option allows you to set the execution policy for the current PowerShell session only. This is useful for testing scripts without affecting the system.
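As an added example (not part of the original article), the function below reports why a given script would or would not run under the effective policy. RemoteSigned treats a file as "from the internet" when it carries the Zone.Identifier alternate data stream that browsers write on download, so an unsigned script created locally runs while the same file, once downloaded, does not until it is signed or unblocked. The script path in the usage lines is an assumption.

```powershell
# Added example, not the article's own code. Explains a Restricted/AllSigned/RemoteSigned
# decision for one script by combining the effective policy, the mark-of-the-web and the signature.
function Test-ScriptAllowedByPolicy {
    param([Parameter(Mandatory)][string]$Path)

    # Effective policy after scope precedence (MachinePolicy, UserPolicy, Process, CurrentUser, LocalMachine)
    $policy = Get-ExecutionPolicy

    # Files saved by a browser carry a Zone.Identifier stream; that is what "remote" means to RemoteSigned
    $downloaded = $null -ne (Get-Item -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue)
    $sig = Get-AuthenticodeSignature -FilePath $Path

    $allowed = switch ($policy) {
        'Restricted'   { $false }
        'AllSigned'    { $sig.Status -eq 'Valid' }
        'RemoteSigned' { (-not $downloaded) -or ($sig.Status -eq 'Valid') }
        default        { $true }          # Unrestricted, Bypass
    }

    [pscustomobject]@{
        Path         = $Path
        Policy       = $policy
        MarkOfTheWeb = $downloaded
        Signature    = $sig.Status        # NotSigned, Valid, HashMismatch, UnknownError, ...
        Allowed      = $allowed
    }
}

# Usage (path is an assumption): diagnose a downloaded script, then clear the mark only after reviewing it
Test-ScriptAllowedByPolicy -Path "$env:USERPROFILE\Downloads\Deploy.ps1"
# Unblock-File "$env:USERPROFILE\Downloads\Deploy.ps1"   # removes the Zone.Identifier stream

# To test a script in this session only, without touching the persisted policies:
# Set-ExecutionPolicy RemoteSigned -Scope Process -Force
```

The switch is deliberately simplified: under AllSigned a valid signature from a publisher that is not yet in the Trusted Publishers store produces a prompt rather than a silent run, and Unrestricted prompts for downloaded files instead of blocking them.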
2. Script Signing
Signing your scripts with a digital certificate adds a layer of trust and integrity. This is especially important when using the AllSigned execution policy.
- Obtain a code-signing certificate from a trusted Certificate Authority (CA) or create a self-signed certificate for internal use.
- Use the Set-AuthenticodeSignature cmdlet to sign your scripts.
# Example of signing a script with a self-signed certificate
# -CodeSigningCert keeps only certificates with the code-signing EKU; -First 1 guards against
# several matching certificates being passed to Set-AuthenticodeSignature at once
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { $_.Subject -like "CN=My PowerShell Scripts*" } |
    Select-Object -First 1
if ($cert) {
    Set-AuthenticodeSignature -FilePath "C:\Scripts\MyScript.ps1" -Certificate $cert
} else {
    Write-Warning "Certificate not found. Please create or import a signing certificate."
}
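The snippet above assumes the certificate already exists. The following added example (not the article's or any project's own code) covers the full internal-use workflow: create a self-signed code-signing certificate, make it trusted so AllSigned accepts it, sign with a timestamp, and verify. The subject name, script path and temporary file are assumptions; the timestamp server is one public example and can be replaced by your CA's.

```powershell
# Added example, not from the original article. Requires Windows 10 / Server 2016 or later
# for New-SelfSignedCertificate -Type CodeSigningCert.
$subject = 'CN=My PowerShell Scripts'        # assumption
$script  = 'C:\Scripts\MyScript.ps1'         # assumption

# 1. Create the certificate in the current user's personal store.
$cert = New-SelfSignedCertificate -Type CodeSigningCert -Subject $subject `
            -CertStoreLocation Cert:\CurrentUser\My -NotAfter (Get-Date).AddYears(2)

# 2. A self-signed certificate is untrusted until its public part is in Trusted Root and
#    Trusted Publishers. Export only the public certificate (no private key) and import it.
#    Importing into CurrentUser\Root shows a confirmation dialog; use LocalMachine\Root from
#    an elevated session for unattended deployment.
$cer = Join-Path $env:TEMP 'MyPowerShellScripts.cer'
Export-Certificate -Cert $cert -FilePath $cer | Out-Null
Import-Certificate -FilePath $cer -CertStoreLocation Cert:\CurrentUser\Root | Out-Null
Import-Certificate -FilePath $cer -CertStoreLocation Cert:\CurrentUser\TrustedPublisher | Out-Null

# 3. Sign with SHA-256 and a timestamp, so the signature stays valid after the certificate expires.
$result = Set-AuthenticodeSignature -FilePath $script -Certificate $cert `
              -HashAlgorithm SHA256 -TimestampServer 'http://timestamp.digicert.com'
if ($result.Status -ne 'Valid') { throw "Signing failed: $($result.StatusMessage)" }

# 4. Verify independently: Status must be Valid and the signer must be our certificate.
$check = Get-AuthenticodeSignature -FilePath $script
if ($check.SignerCertificate.Thumbprint -ne $cert.Thumbprint) { throw 'Unexpected signer' }
'{0}: {1} (signed by {2})' -f $script, $check.Status, $check.SignerCertificate.Subject
```

Any edit to the file after step 3, even a whitespace change, turns Status into HashMismatch, which is exactly the integrity check AllSigned relies on; re-sign after every change and keep the private key out of shared locations.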
3. Principle of Least Privilege
Run PowerShell scripts with the minimum permissions necessary to perform their intended tasks. Avoid running scripts as a highly privileged administrator unless absolutely required.
- Use Role-Based Access Control (RBAC) to delegate specific administrative tasks.
- Consider using Just Enough Administration (JEA) to create constrained, role-based management environments.
4. Script Block Logging and Module Logging
Enable enhanced PowerShell logging to capture detailed information about script execution, including script blocks and module activity.
- Script Block Logging: Logs the content of script blocks as they are executed. This is invaluable for auditing and detecting malicious code.
- Module Logging: Logs all PowerShell cmdlets that are called.
These can be enabled via Group Policy or registry settings.
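The registry keys below are the ones Group Policy writes for these settings; the following added example (not the article's own code) sets them directly from an elevated session and then reads back the first script block events. Transcription is included as the third logging control that usually accompanies the other two; the transcript share is an assumption.

```powershell
# Added example, not from the original article. Must run elevated.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Set-PolicyValue {
    param([string]$Key, [string]$Name, $Value, [string]$Type = 'DWord')
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    New-ItemProperty -Path $Key -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

# Script Block Logging -> event 4104 in Microsoft-Windows-PowerShell/Operational.
# Invocation logging (4105/4106 per start/stop) is very noisy and is left off here.
Set-PolicyValue "$base\ScriptBlockLogging" 'EnableScriptBlockLogging' 1
Set-PolicyValue "$base\ScriptBlockLogging" 'EnableScriptBlockInvocationLogging' 0

# Module Logging -> event 4103; the '*' entry under ModuleNames covers every module.
Set-PolicyValue "$base\ModuleLogging" 'EnableModuleLogging' 1
Set-PolicyValue "$base\ModuleLogging\ModuleNames" '*' '*' 'String'

# Transcription: full session text with invocation headers, written to a central share
# (assumed path; the share should be write-only for hosts so transcripts cannot be altered).
Set-PolicyValue "$base\Transcription" 'EnableTranscripting' 1
Set-PolicyValue "$base\Transcription" 'EnableInvocationHeader' 1
Set-PolicyValue "$base\Transcription" 'OutputDirectory' '\\logserver\PSTranscripts$' 'String'

# Read back what is now in effect
Get-ItemProperty "$base\ScriptBlockLogging", "$base\ModuleLogging", "$base\Transcription"

# Show the most recent script block events; Properties[2] holds the script text
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } `
    -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, @{ n = 'ScriptBlock'; e = { $_.Properties[2].Value } }
```

Settings take effect for new PowerShell sessions. Because the keys live under HKLM, also forward the Operational log to a collector; an attacker with local administrator rights can otherwise clear both the setting and the evidence.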
5. Constrained Language Mode
Constrained Language Mode restricts the cmdlets, types, and .NET classes that can be used within PowerShell. This is a powerful tool for preventing script injection and unauthorized access.
It can be enabled through Group Policy or by setting the LanguageMode property in a PowerShell session configuration.
Tip: Use Constrained Language Mode in environments where you need to strictly control script execution, such as in cloud services or managed kiosks.
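The JEA endpoint in section 3 and the session-configuration LanguageMode property above are two halves of the same mechanism, so one added example (not the article's or any project's own code) serves both: a role capability that exposes only a few service cmdlets, registered in a session configuration that runs as a virtual account in Constrained Language Mode. The module name, role name, endpoint name, group and transcript directory are assumptions.

```powershell
# Added example, not from the original article. Run elevated on the managed server;
# Register-PSSessionConfiguration restarts the WinRM service.
$moduleName = 'ServiceOpsJEA'                                      # assumption
$modulePath = Join-Path $env:ProgramFiles "WindowsPowerShell\Modules\$moduleName"
$roleDir    = Join-Path $modulePath 'RoleCapabilities'             # JEA looks here for .psrc files
New-Item -Path $roleDir -ItemType Directory -Force | Out-Null
New-ModuleManifest -Path (Join-Path $modulePath "$moduleName.psd1")

# Role capability: the only commands the delegated group may run, with a parameter whitelist.
# Nothing else is visible: no providers, no external programs, no arbitrary cmdlets.
New-PSRoleCapabilityFile -Path (Join-Path $roleDir 'ServiceOperator.psrc') -VisibleCmdlets @(
    'Get-Service',
    @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler', 'W32Time' } }
)

# Session configuration: restricted remote server, per-session virtual account (no standing
# admin credential), Constrained Language Mode, and a transcript of every session.
$pssc = Join-Path $env:TEMP 'ServiceOps.pssc'
New-PSSessionConfigurationFile -Path $pssc -SessionType RestrictedRemoteServer `
    -LanguageMode ConstrainedLanguage -RunAsVirtualAccount `
    -TranscriptDirectory 'C:\JEATranscripts' `
    -RoleDefinitions @{ 'CONTOSO\ServiceOperators' = @{ RoleCapabilities = 'ServiceOperator' } }

if (-not (Test-PSSessionConfigurationFile -Path $pssc)) { throw 'Invalid session configuration file' }
Register-PSSessionConfiguration -Name 'ServiceOps' -Path $pssc -Force | Out-Null

# What a delegated operator sees after connecting (server name is an assumption):
#   Enter-PSSession -ComputerName server01 -ConfigurationName ServiceOps
#   [server01]: PS> $ExecutionContext.SessionState.LanguageMode    # ConstrainedLanguage
#   [server01]: PS> Restart-Service -Name Spooler                  # allowed
#   [server01]: PS> Restart-Service -Name WinRM                    # rejected by ValidateSet
#   [server01]: PS> [System.IO.File]::ReadAllText('C:\x')          # blocked: CLM forbids arbitrary .NET
```

Check the endpoint with Get-PSSessionCapability -ConfigurationName ServiceOps -Username 'CONTOSO\someoperator' before handing it out; it lists exactly the commands that user would get, which is the quickest way to catch an over-broad role.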
6. PowerShell Remoting Security
If you use PowerShell Remoting (WinRM), ensure it is configured securely:
- Use HTTPS for encrypted communication.
- Configure strict authentication methods.
- Restrict which users or groups can establish remote sessions.
- Keep PowerShell and the WinRM service updated.
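The first three items above translate into a handful of WSMan settings. The following added example (not the article's own code) applies them on the server side from an elevated session: an HTTPS listener backed by a CA-issued certificate, removal of the plaintext listener, Kerberos-only authentication, and an endpoint ACL limited to one group. The group name is an assumption, and the certificate is expected to have been enrolled from your CA beforehand.

```powershell
# Added example, not from the original article. Run elevated on the remoting target.

# Pick a server-authentication certificate issued to this host (enrol one from your CA first).
$fqdn  = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$thumb = (Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$fqdn*" -and
                   $_.EnhancedKeyUsageList.FriendlyName -contains 'Server Authentication' } |
    Sort-Object NotAfter -Descending | Select-Object -First 1).Thumbprint
if (-not $thumb) { throw "No server-authentication certificate for $fqdn in LocalMachine\My" }

# 1. HTTPS listener on TCP 5986, drop the HTTP listener, open the firewall only on the domain profile
New-WSManInstance winrm/config/Listener -SelectorSet @{ Address = '*'; Transport = 'HTTPS' } `
    -ValueSet @{ Hostname = $fqdn; CertificateThumbprint = $thumb } | Out-Null
Remove-WSManInstance winrm/config/Listener -SelectorSet @{ Address = '*'; Transport = 'HTTP' } -ErrorAction SilentlyContinue
New-NetFirewallRule -DisplayName 'WinRM HTTPS' -Direction Inbound -Protocol TCP -LocalPort 5986 `
    -Action Allow -Profile Domain | Out-Null

# 2. Strict authentication: Kerberos only; no Basic, no CredSSP, never unencrypted payloads
Set-Item WSMan:\localhost\Service\AllowUnencrypted -Value $false
Set-Item WSMan:\localhost\Service\Auth\Basic       -Value $false
Set-Item WSMan:\localhost\Service\Auth\CredSSP     -Value $false
Set-Item WSMan:\localhost\Service\Auth\Kerberos    -Value $true

# 3. Restrict the default endpoint to Administrators plus one delegated group (assumed name).
#    The SDDL replaces the default ACL, which also admits Remote Management Users.
$group = 'CONTOSO\RemoteAdmins'
$sid   = (New-Object System.Security.Principal.NTAccount($group)).Translate(
             [System.Security.Principal.SecurityIdentifier]).Value
$sddl  = "O:NSG:BAD:P(A;;GA;;;BA)(A;;GA;;;$sid)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)"
Set-PSSessionConfiguration -Name Microsoft.PowerShell -SecurityDescriptorSddl $sddl -Force

Restart-Service WinRM
Get-ChildItem WSMan:\localhost\Listener          # expect only the HTTPS listener to remain

# Client side (computer name is an assumption): the connection fails unless TLS and Kerberos both succeed
# Invoke-Command -ComputerName $fqdn -UseSSL -Authentication Kerberos -ScriptBlock { hostname }
```

Test the client command from a machine that is not the server before closing the change window: removing the HTTP listener and Basic auth will break any automation that still relied on them, and that is easier to discover with a known-good Kerberos session open.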
7. Regular Updates and Patching
Ensure that your systems are running the latest stable version of PowerShell and that all security patches are applied promptly. Microsoft regularly releases updates that address security vulnerabilities.
8. Auditing and Monitoring
Implement robust auditing and monitoring solutions to track PowerShell activity. This includes reviewing logs for suspicious commands, unauthorized access attempts, and script execution anomalies.
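To make "reviewing logs for suspicious commands" concrete, here is an added example (not the article's own code) that triages 4104 script block events for patterns that commonly precede malicious execution and for attempts to switch logging off. The indicator list is a starting point rather than a complete ruleset, and the three sample events are constructed so the block runs offline; the commented Get-WinEvent line feeds it real data.

```powershell
# Added example, not from the original article. Indicators and samples are constructed for illustration.
$indicators = @(
    @{ Name = 'EncodedCommand'; Pattern = '(?i)-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{40,}' },
    @{ Name = 'Base64Decode';   Pattern = '(?i)FromBase64String' },
    @{ Name = 'DynamicEval';    Pattern = '(?i)\bIEX\b|Invoke-Expression' },
    @{ Name = 'WebDownload';    Pattern = '(?i)DownloadString|DownloadFile|Net\.WebClient' },
    @{ Name = 'ReflectiveLoad'; Pattern = '(?i)\[Reflection\.Assembly\]::Load' },
    @{ Name = 'LoggingTamper';  Pattern = '(?i)EnableScriptBlockLogging|EnableModuleLogging' }
)

function Find-SuspiciousScriptBlock {
    # Input objects need TimeCreated, ScriptBlock and Path (the projection used below)
    param([Parameter(ValueFromPipeline)] $Event)
    process {
        $hits = $indicators | Where-Object { $Event.ScriptBlock -match $_.Pattern } | ForEach-Object Name
        if ($hits) {
            $text = $Event.ScriptBlock -replace '\s+', ' '
            [pscustomobject]@{
                TimeCreated = $Event.TimeCreated
                Path        = if ($Event.Path) { $Event.Path } else { '<interactive/in-memory>' }
                Indicators  = $hits -join ','
                Preview     = $text.Substring(0, [Math]::Min(80, $text.Length))
            }
        }
    }
}

# Constructed sample events in the projected shape: one routine backup job, one in-memory
# download-and-evaluate block, one attempt to disable Script Block Logging.
$samples = @(
    [pscustomobject]@{ TimeCreated = Get-Date; Path = 'C:\Scripts\Backup.ps1'
                       ScriptBlock = 'Get-ChildItem D:\Data | Compress-Archive -DestinationPath E:\backup.zip' },
    [pscustomobject]@{ TimeCreated = Get-Date; Path = ''
                       ScriptBlock = 'IEX (New-Object Net.WebClient).DownloadString($url)' },
    [pscustomobject]@{ TimeCreated = Get-Date; Path = ''
                       ScriptBlock = 'Set-ItemProperty HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging EnableScriptBlockLogging 0' }
)
$samples | Find-SuspiciousScriptBlock | Format-Table -AutoSize

# Live data: project real 4104 events from the last 24 hours into the same shape.
# Properties[2] is the script text, Properties[4] the script path (empty for in-memory blocks).
# Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104
#                                  StartTime = (Get-Date).AddHours(-24) } |
#     ForEach-Object { [pscustomobject]@{ TimeCreated = $_.TimeCreated
#                                         ScriptBlock = $_.Properties[2].Value
#                                         Path        = $_.Properties[4].Value } } |
#     Find-SuspiciousScriptBlock
```

An empty Path is itself a useful signal: legitimate administration usually runs from files under known directories, while script blocks with no path were built in memory. Tune the indicator list against a week of your own 4104 volume before alerting on it, and treat the LoggingTamper hit as high priority regardless of anything else in the block.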
Conclusion
Implementing these PowerShell security best practices is vital for protecting your infrastructure from threats. A proactive approach to security, combined with continuous monitoring and adherence to principles like least privilege, will significantly enhance your overall security posture.
"Security is not a product, but a process." - Unknown