PowerShell Security

This documentation covers the security features and best practices for PowerShell. PowerShell is a powerful scripting language and command-line shell, and it is essential to understand its security features, and the limits of each one, to use it effectively and securely.

PowerShell Execution Policy

The PowerShell execution policy determines whether PowerShell loads configuration files (such as profiles) and runs scripts. It is a safety feature that guards against running untrusted scripts by accident, for example a downloaded script that is double-clicked or called by name. It is not a security boundary: any user or process that can start PowerShell can change or bypass the policy, so treat it as a guardrail and rely on application control (see Constrained Language Mode below) to limit what a deliberate attacker can execute.

Levels of Execution Policy:

  • Restricted: No scripts can be run; PowerShell can be used only for interactive commands. This is the default on Windows client computers.
  • AllSigned: Every script and configuration file, including those written locally, must be signed by a trusted publisher. PowerShell prompts before running a script from a publisher it has not yet classified as trusted or untrusted.
  • RemoteSigned: Scripts downloaded from the internet (files carrying the Zone.Identifier "mark of the web") must be signed by a trusted publisher. Scripts that you write locally do not need to be signed. This is the default on Windows Server.
  • Unrestricted: Unsigned scripts can be run, but PowerShell warns before running a script downloaded from the internet. This is the default, and the only possible setting, on non-Windows platforms.
  • Bypass: Nothing is blocked and there are no warnings or prompts.
  • Undefined: No policy is set in that scope; the effective policy comes from the next scope in precedence order, and falls back to Restricted (Windows clients) or RemoteSigned (Windows Server) when no scope defines one.

Managing Execution Policy:

You can view the current execution policy using:

Get-ExecutionPolicy

And set it using (elevation is required only for the LocalMachine scope; CurrentUser and Process can be set by a standard user):

Set-ExecutionPolicy -ExecutionPolicy <PolicyName> -Scope <Scope>

Common scopes are Process (held in memory and lost when the process exits), CurrentUser (stored under HKCU) and LocalMachine (stored under HKLM). Two further scopes, MachinePolicy and UserPolicy, are set by Group Policy, override everything else, and cannot be changed with Set-ExecutionPolicy. Precedence, highest first: MachinePolicy, UserPolicy, Process, CurrentUser, LocalMachine. Get-ExecutionPolicy -List shows the value held in each scope.

Note: When setting the execution policy for LocalMachine, it applies to all users on that computer. Ensure you understand the implications before setting it broadly.
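The session below, added here as an example rather than taken from the original page, shows how to read and set the policy per scope and why the policy is a guardrail rather than a boundary. MyScript.ps1 is the placeholder script name used on this page; nothing else is assumed.

```powershell
# Effective policy, then the value held in each scope (highest precedence first)
Get-ExecutionPolicy
Get-ExecutionPolicy -List

# Process scope: takes effect immediately, needs no elevation, disappears when this process exits.
# Prefer this for CI jobs and one-off admin sessions instead of loosening a persistent scope.
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope Process -Force

# CurrentUser is stored under HKCU (no elevation); LocalMachine under HKLM (elevated prompt required)
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser -Force
# Set-ExecutionPolicy -ExecutionPolicy AllSigned -Scope LocalMachine -Force

# If Group Policy sets MachinePolicy or UserPolicy, the call above still "succeeds" but warns that
# the setting is overridden by a policy at a more specific scope. Check -List rather than trusting the call.

# RemoteSigned and Unrestricted decide "downloaded from the internet" by the Zone.Identifier alternate
# data stream that browsers and mail clients attach. Inspect it and, if you trust the file, remove it.
Get-Item -Path .\MyScript.ps1 -Stream Zone.Identifier -ErrorAction SilentlyContinue
Unblock-File -Path .\MyScript.ps1

# Why the policy is not a security boundary: any user who can start PowerShell can start it with a
# different policy, or hand the script text to the engine without running it as a file at all.
powershell.exe -ExecutionPolicy Bypass -File .\MyScript.ps1
Get-Content -Path .\MyScript.ps1 -Raw | Invoke-Expression
```

The last two lines are exactly what malware loaders do; application control, not the execution policy, is what stops them.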

Constrained Language Mode

Constrained Language mode restricts the language elements that can be used in a PowerShell session, above all arbitrary .NET access, so that PowerShell can remain available to users while the capabilities attackers rely on for in-memory payloads (Add-Type, reflection, direct Win32 API calls) are unavailable. It is designed to work together with an application control policy: the policy decides which scripts are trusted and therefore run in Full Language mode, and everything else, including interactive input, runs constrained.

When is Constrained Language Mode Used?

  • When a Windows Defender Application Control (WDAC) or AppLocker script-rule policy is enforced on the computer. Scripts and modules allowed by the policy run in Full Language mode; all other code runs in Constrained Language mode.
  • When a remoting session configuration specifies a restricted language mode. Just Enough Administration (JEA) endpoints, for example, run in NoLanguage mode by default, an even tighter mode that permits only the exposed commands.
  • When set explicitly for testing, by assigning $ExecutionContext.SessionState.LanguageMode = 'ConstrainedLanguage' in a session. This is useful for checking that a script works under the restrictions, but it is not enforcement: without an application control policy, a new PowerShell process starts in Full Language mode again.

Key Restrictions:

  • Arbitrary .NET access is blocked. Methods can be invoked only on a small set of core types (strings, numbers, dates, arrays, hashtables, regex and similar); a call such as [System.IO.File]::ReadAllText(...) fails, and properties can be set only on core types.
  • Add-Type is not allowed, so no C# or other code can be compiled into the session, and New-Object is limited to the allowed core types (COM objects are blocked).
  • Cmdlets and functions remain available. Get-Content, Invoke-WebRequest and the rest still work; what is restricted is the language, not the command set. Because a trusted (Full Language) script can be called from a constrained session, trusted scripts must not evaluate their input as code, or they become the escape hatch.

Tip: For a detailed list of restrictions and allowed elements, refer to Microsoft's official documentation on PowerShell Constrained Language Mode.
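The following session, added here as an example and not taken from the page or from Microsoft's documentation, switches a test session into Constrained Language mode and probes what still works. The temporary file path is constructed for the demonstration; run it in a throwaway PowerShell process, because the mode cannot be switched back.

```powershell
# Start in a fresh process: the mode change below is one-way for this session
$ExecutionContext.SessionState.LanguageMode      # FullLanguage in an unmanaged session

# Constructed test input: a file the probes below will read
$probeFile = Join-Path $env:TEMP 'clm-probe.txt'
Set-Content -Path $probeFile -Value 'hello from a cmdlet'

$ExecutionContext.SessionState.LanguageMode = 'ConstrainedLanguage'
$ExecutionContext.SessionState.LanguageMode      # ConstrainedLanguage

# Script blocks remember the language mode they were created in, so the helper and the probes are
# defined only after the switch. Each probe reports whether it ran or was blocked, with the engine's error id.
function Test-Probe {
    param([string]$Label, [scriptblock]$Code)
    try {
        $null = & $Code
        [pscustomobject]@{ Probe = $Label; Result = 'allowed' }
    } catch {
        [pscustomobject]@{ Probe = $Label; Result = "blocked: $($_.FullyQualifiedErrorId)" }
    }
}

Test-Probe 'cmdlet file read'        { Get-Content -Path $probeFile }                        # allowed
Test-Probe 'core type method'        { 'abc'.ToUpper() }                                     # allowed
Test-Probe 'core static method'      { [regex]::Escape('a.b') }                              # allowed
Test-Probe '.NET static method'      { [System.IO.File]::ReadAllText($probeFile) }           # blocked
Test-Probe 'Add-Type C#'             { Add-Type -TypeDefinition 'public class X { }' }       # blocked
Test-Probe 'COM object'              { New-Object -ComObject WScript.Shell }                 # blocked
Test-Probe 'return to FullLanguage'  { $ExecutionContext.SessionState.LanguageMode = 'FullLanguage' }  # blocked
```

The first three probes show why ordinary administration keeps working: cmdlets and core types are untouched. The rest are the building blocks of reflective loaders and download cradles, and the final probe shows that a constrained session cannot promote itself; only a new process started outside the policy could, which is exactly what WDAC or AppLocker is there to prevent.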

Script Signing and Verification

Script signing is a security mechanism that allows you to verify the origin and integrity of PowerShell scripts. By signing a script, you attest that it comes from the holder of the signing certificate and that it has not been modified since it was signed; the signature is an Authenticode signature stored in a comment block at the end of the file.

Process:

  1. Create a Certificate: You can create a self-signed certificate for testing or obtain a certificate from a trusted Certificate Authority (CA) for production environments.
  2. Sign the Script: Use the Set-AuthenticodeSignature cmdlet to sign your script with your certificate.
  3. Verify the Signature: When a script is executed, PowerShell verifies the signature according to the execution policy (AllSigned, or RemoteSigned for downloaded files) and checks that the certificate chains to a trusted root; under AllSigned it runs silently only if the certificate is also in the Trusted Publishers store. Get-AuthenticodeSignature checks any file on demand and reports Valid, NotSigned, HashMismatch (the file changed after signing) or UnknownError (typically an untrusted chain).

Example of signing a script:

# Pick a code-signing certificate from the user's personal store (-CodeSigningCert keeps only certificates with the code-signing usage)
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert | Select-Object -First 1
# Sign the script; add -TimestampServer <url> so the signature remains valid after the certificate expires
Set-AuthenticodeSignature -FilePath .\MyScript.ps1 -Certificate $cert
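Here is the procedure end to end, added as an example and not code from the page: create a test certificate, trust it, sign a constructed script, verify, then tamper with the file and verify again. The certificate subject, file paths and timestamp URL are assumptions for a lab; a production signature uses a CA-issued certificate, and importing into the Root store prompts for confirmation on Windows.

```powershell
# Lab only: a self-signed code-signing certificate in the user's personal store
$cert = New-SelfSignedCertificate -Subject 'CN=Lab Code Signing' -Type CodeSigningCert `
            -CertStoreLocation Cert:\CurrentUser\My

# A self-signed certificate chains to nothing, so the signature would verify as UnknownError
# ("terminated in a root certificate which is not trusted"). For the lab, trust it explicitly as a root
# and as a publisher (the latter lets AllSigned run the script without prompting).
$cerPath = Join-Path $env:TEMP 'lab-codesign.cer'
Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null
Import-Certificate -FilePath $cerPath -CertStoreLocation Cert:\CurrentUser\Root | Out-Null
Import-Certificate -FilePath $cerPath -CertStoreLocation Cert:\CurrentUser\TrustedPublisher | Out-Null

# Constructed script to sign
$scriptPath = Join-Path $env:TEMP 'Signed-Example.ps1'
Set-Content -Path $scriptPath -Value "Write-Output 'hello from a signed script'"

# Sign. A timestamp (-TimestampServer 'http://timestamp.digicert.com', an assumed URL that needs network
# access) keeps the signature valid after the certificate itself expires; omitted here so the lab runs offline.
Set-AuthenticodeSignature -FilePath $scriptPath -Certificate $cert -HashAlgorithm SHA256 | Out-Null

function Get-SignatureStatus([string]$Path) {
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{ Status = $sig.Status; Signer = $sig.SignerCertificate.Subject; Message = $sig.StatusMessage }
}
Get-SignatureStatus $scriptPath        # Status: Valid

# Tamper with the body (the signature comment block at the end is left intact, as an attacker would leave it)
Set-Content -Path $scriptPath -Value ((Get-Content -Path $scriptPath) -replace 'hello', 'tampered')
Get-SignatureStatus $scriptPath        # Status: HashMismatch

# The execution policy enforces the verdict: under AllSigned the modified file is refused
Set-ExecutionPolicy -ExecutionPolicy AllSigned -Scope Process -Force
& $scriptPath                          # error: the contents of the file might have been changed

# Remove the lab trust when done (removing from Root prompts for confirmation)
foreach ($store in 'My', 'Root', 'TrustedPublisher') {
    Remove-Item -Path "Cert:\CurrentUser\$store\$($cert.Thumbprint)" -ErrorAction SilentlyContinue
}
```

Note what signing does and does not give you: it detects modification and ties the script to a certificate, but a signed script that itself runs untrusted input is still a problem, and a stolen signing key signs malware just as well. Keep signing keys on hardware or in a controlled pipeline, and revoke promptly.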

PowerShell Remoting Security

PowerShell Remoting runs over WS-Management (WinRM): TCP 5985 for the HTTP listener and 5986 for HTTPS. Sessions are authenticated with Kerberos in a domain (NTLM or Basic otherwise), and with Kerberos or NTLM the message payload is encrypted even over the HTTP listener. HTTPS adds transport encryption, lets the client verify the server's identity through its certificate, and is the only acceptable transport for Basic or certificate authentication.

Best Practices:

  • Use HTTPS: Add an HTTPS listener bound to a CA-issued certificate and remove the default HTTP listener, so that every connection is both encrypted and server-authenticated. Keep AllowUnencrypted set to false on both service and client.
  • Strong Authentication: Prefer Kerberos in a domain, or certificate-based authentication. Disable Basic, and avoid CredSSP, which delegates the user's full credentials to the remote host and exposes them to theft there.
  • Least Privilege: Grant remote management rights only to the users or groups that need them, and use Just Enough Administration (JEA) endpoints to expose a fixed set of commands instead of a full shell.
  • Firewall Rules: Allow inbound 5986 (and 5985 only if HTTP must remain) from management subnets or jump hosts only. Remoting permitted from every host to every host is what makes lateral movement easy.
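The script below, an added example that is not part of the original page, applies those four practices on one host. The host name and management subnet are constructed placeholders, and the certificate is self-signed for a lab; in production bind a server-authentication certificate issued by your CA.

```powershell
# Run elevated on the host being managed. Host name and subnet are constructed placeholders.
$hostName      = 'server01.corp.example'
$trustedSubnet = '10.0.10.0/24'

# 1. Enable remoting. This creates the default HTTP listener (5985) and broad firewall rules; both are tightened below.
#    On a workgroup machine with a Public network profile, add -SkipNetworkProfileCheck or the call fails.
Enable-PSRemoting -Force

# 2. Certificate for the HTTPS listener (lab only; in production use a CA-issued certificate's thumbprint)
$cert = New-SelfSignedCertificate -DnsName $hostName -CertStoreLocation Cert:\LocalMachine\My

# 3. HTTPS listener on 5986 bound to that certificate
New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * `
    -CertificateThumbprint $cert.Thumbprint -Force | Out-Null

# 4. Drop the HTTP listener so only the encrypted, server-authenticated transport is offered
Get-ChildItem -Path WSMan:\localhost\Listener |
    Where-Object { $_.Keys -contains 'Transport=HTTP' } |
    Remove-Item -Recurse

# 5. Service hardening: no unencrypted payloads, no Basic, no CredSSP (which hands over full credentials)
Set-Item -Path WSMan:\localhost\Service\AllowUnencrypted -Value $false
Set-Item -Path WSMan:\localhost\Service\Auth\Basic -Value $false
Set-Item -Path WSMan:\localhost\Service\Auth\CredSSP -Value $false

# 6. Firewall: 5986 only from the management subnet; disable the HTTP rules Enable-PSRemoting created
New-NetFirewallRule -DisplayName 'WinRM HTTPS from management subnet' -Direction Inbound -Protocol TCP `
    -LocalPort 5986 -RemoteAddress $trustedSubnet -Action Allow | Out-Null
Disable-NetFirewallRule -DisplayName 'Windows Remote Management (HTTP-In)'

# 7. Review the result: one HTTPS listener, Basic and CredSSP false
Get-ChildItem -Path WSMan:\localhost\Listener | Format-Table -AutoSize
Get-ChildItem -Path WSMan:\localhost\Service\Auth

# Client side (domain-joined, so Kerberos is used). -UseSSL selects 5986 and the server certificate is
# validated against the client's trust store. SkipCACheck/SkipCNCheck exist for lab self-signed certificates;
# in production they remove the server-identity check that HTTPS was added to provide.
Test-WSMan -ComputerName $hostName -UseSSL
Enter-PSSession -ComputerName $hostName -UseSSL -Authentication Kerberos
# Enter-PSSession -ComputerName $hostName -UseSSL -SessionOption (New-PSSessionOption -SkipCACheck -SkipCNCheck)
```

Least privilege for the commands themselves (rather than who may connect) is the job of a JEA session configuration registered with Register-PSSessionConfiguration; that is a separate configuration step from the listener hardening shown here.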

Auditing and Logging

Comprehensive auditing and logging are crucial for monitoring PowerShell activity, detecting suspicious behavior, and for forensic analysis.

Key Logging Features:

  • Module Logging: Records pipeline execution details (event ID 4103) for the modules you select; with ModuleNames set to * it covers every cmdlet that runs, including parameters and their values.
  • Script Block Logging: Records the text of each script block as it is compiled (event ID 4104 in the Microsoft-Windows-PowerShell/Operational log). Because logging happens after decoding, an obfuscated or Base64-encoded payload appears in clear text, and a payload that is built and then evaluated is logged a second time as its own block. Even when the setting is off, PowerShell 5.0 and later write script blocks containing known-suspicious content as Warning-level 4104 events.
  • Transcription Logging: Writes the complete input and output of every session to a text file per session, with an optional invocation header. Point the output directory at a location users can write to but not read or delete, such as a write-only share, so an attacker cannot remove their own transcript.

These features can be enabled through Group Policy (Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell) or through the equivalent values under HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell.

Important: Enabling detailed logging can generate a significant amount of data. Plan your storage and analysis strategy accordingly.
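The block below, an added example and not code from the page, enables the three settings through their policy registry values, generates a harmless encoded command as test input, and then searches the 4104 events for indicators typical of download-and-execute one-liners. The transcript directory, the indicator list and the test command are assumptions made for the demonstration.

```powershell
# Needs an elevated prompt: these are the same values the Group Policy settings write.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

# Script block logging (event 4104)
New-Item -Path "$base\ScriptBlockLogging" -Force | Out-Null
Set-ItemProperty -Path "$base\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -Type DWord

# Module logging (event 4103) for every module
New-Item -Path "$base\ModuleLogging\ModuleNames" -Force | Out-Null
Set-ItemProperty -Path "$base\ModuleLogging" -Name EnableModuleLogging -Value 1 -Type DWord
Set-ItemProperty -Path "$base\ModuleLogging\ModuleNames" -Name '*' -Value '*'

# Transcription. Assumption: C:\PSTranscripts exists with an ACL that lets users create files but not
# read, modify or delete them (or point this at a write-only share) so transcripts outlive the session.
New-Item -Path "$base\Transcription" -Force | Out-Null
Set-ItemProperty -Path "$base\Transcription" -Name EnableTranscripting -Value 1 -Type DWord
Set-ItemProperty -Path "$base\Transcription" -Name EnableInvocationHeader -Value 1 -Type DWord
Set-ItemProperty -Path "$base\Transcription" -Name OutputDirectory -Value 'C:\PSTranscripts'

# Constructed test input: a benign payload wrapped the way loaders wrap theirs (Base64 -> decode -> IEX).
# New processes pick up the policy, so run it in a child powershell.exe.
$benign = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes("Write-Output 'logging test'"))
$probe  = "Invoke-Expression ([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('$benign')))"
powershell.exe -NoProfile -Command $probe | Out-Null

# Indicators commonly seen in download cradles. A starting point for hunting, not a complete detection rule.
$indicators = 'FromBase64String', 'DownloadString', 'DownloadFile', 'Invoke-Expression', 'IEX ', 'Net.WebClient'

function Find-SuspiciousScriptBlock {
    param([string[]]$Indicators, [datetime]$Since)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = $Since } `
        -ErrorAction SilentlyContinue |
        ForEach-Object {
            $evt  = $_
            $text = $evt.Properties[2].Value     # ScriptBlockText; [3] is ScriptBlockId, [4] is Path (empty for interactive input)
            $hits = $Indicators | Where-Object { $text -like "*$_*" }
            if ($hits) {
                [pscustomobject]@{
                    Time          = $evt.TimeCreated
                    ScriptBlockId = $evt.Properties[3].Value
                    Path          = $evt.Properties[4].Value
                    Indicators    = $hits -join ', '
                    Snippet       = ($text.Substring(0, [Math]::Min(120, $text.Length)) -replace '\s+', ' ')
                }
            }
        }
}

Find-SuspiciousScriptBlock -Indicators $indicators -Since (Get-Date).AddMinutes(-10) | Format-Table -AutoSize
```

Expect two 4104 entries from the test input: the wrapper command, which the indicator list catches, and a second block containing just Write-Output 'logging test', which is the decoded payload logged at the moment Invoke-Expression compiled it. That second entry is the reason script block logging defeats encoding: the engine must see plain code to run it, and it logs what it sees.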

Security Considerations for Script Development

  • Validate Input: Validate anything received from users, files or the network with parameter attributes such as [ValidatePattern()] and [ValidateSet()], and never splice it into code that is evaluated by Invoke-Expression, [scriptblock]::Create() or a command line built from strings; pass it as a bound parameter instead, so PowerShell treats it as data rather than code.
  • Avoid Hardcoded Credentials: Never embed passwords, API keys or tokens in scripts, nor pass them on the command line, which ends up in process-creation logs. Accept a PSCredential parameter, prompt with Get-Credential, or fetch secrets at run time from the SecretManagement module or a vault; for unattended scripts on Windows, a credential exported with Export-Clixml is protected by DPAPI for that user on that machine only.
  • Use Trusted Modules: Install modules only from sources you trust, pin versions, and check the signature or hash of what you install; a malicious module found first on PSModulePath runs with the script's privileges.
  • Error Handling: Use try/catch with -ErrorAction Stop so that failures are handled deliberately. A script that continues after a failed permission check or credential lookup can fall through to an unsafe default, and error text echoed to users can leak paths, host names and secrets.
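The example below, added here and not part of the original page, covers the first two points: a command-injection bug beside its hardened form, then credential handling without plaintext. The function names, the service name used as sample input, the hostile string and the credential file path are all constructed for the demonstration.

```powershell
# Vulnerable: user-controlled text becomes code. Called with -Name 'spooler; Write-Output INJECTED'
# it runs a second command of the caller's choosing.
function Get-ServiceStateUnsafe {
    param([string]$Name)
    Invoke-Expression "Get-Service -Name $Name"
}

# Hardened: the value is checked against the shape a service name can have, then passed as a bound
# parameter. PowerShell never parses it, so separators and quotes in it are just characters.
function Get-ServiceState {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [ValidatePattern('^[A-Za-z0-9_.-]{1,256}$')]
        [string]$Name
    )
    Get-Service -Name $Name -ErrorAction Stop | Select-Object Name, Status
}

# Constructed hostile input
$hostile = 'spooler; Write-Output INJECTED'
Get-ServiceStateUnsafe -Name $hostile                                   # prints the Spooler service, then INJECTED
try { Get-ServiceState -Name $hostile } catch { "Rejected: $($_.Exception.Message)" }
Get-ServiceState -Name 'spooler'                                        # the legitimate call still works

# Credentials: take a PSCredential, never a plaintext password string. The [Credential()] attribute lets a
# caller pass just a user name and be prompted for the password.
function Connect-ExampleService {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [System.Management.Automation.Credential()]
        [pscredential]$Credential
    )
    # Unwrap the password only at the point of use, for an API that cannot take a PSCredential,
    # and never write it to output or logs.
    $plain = $Credential.GetNetworkCredential().Password
    "Would authenticate as $($Credential.UserName) with a $($plain.Length)-character password (not echoed)"
}

# Unattended use on Windows: Export-Clixml encrypts the SecureString with DPAPI, so the file is readable
# only by the same user on the same machine. Path is an assumption.
$credPath = Join-Path $env:LOCALAPPDATA 'example-service.cred.xml'
if (-not (Test-Path -Path $credPath)) {
    Get-Credential -Message 'Service account for example-service' | Export-Clixml -Path $credPath
}
$cred = Import-Clixml -Path $credPath
Connect-ExampleService -Credential $cred

# Preferred for shared or cross-platform automation: a vault through the SecretManagement module.
# Install-Module Microsoft.PowerShell.SecretManagement, Microsoft.PowerShell.SecretStore
# Set-Secret -Name 'example-service' -Secret $cred
# Connect-ExampleService -Credential (Get-Secret -Name 'example-service')
```

The validation pattern is deliberately narrow: an allowlist of the characters a service name can contain is easier to reason about than trying to block every separator Invoke-Expression would honour, and the bound-parameter call means the pattern is defence in depth rather than the only thing standing between input and execution.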