NSA Wants To Help you Lock Down MS Windows in PowerShell

A new cheatsheet from four infosec agencies is making the rounds. The NSA and CISA, together with their cousins in the UK and New Zealand, have dreamed up some new recommendations to secure your Windows PCs and servers.

The idea is to use PowerShell for good, rather than let scrotes misuse it to “live off the land.” The basic themes are:
• Locking it down to prevent hacking
• Turning on enhanced security features
• Updating to the latest version and
• Enabling extra logging to detect break-ins.

But how do you feel about trusting the NSA? In today’s SB Blogwatch, we’re from the government and we’re here to help.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Domestic otters redux.

Make Monad Great Again

What’s the craic? Ionut Ilascu reports—“NSA shares tips on securing Windows devices with PowerShell”:

Signs of potential abuse
The NSA and cyber security centres in the U.S. (CISA), New Zealand [GCSB], and the UK (NCSC) have created a set of recommendations for using PowerShell … to prevent and detect malicious activity on Windows machines. … When properly configured and managed, PowerShell can be a reliable tool for system maintenance, forensics, automation, and security.

Reducing the risk of threat actors abusing PowerShell requires leveraging capabilities in the framework such as PowerShell remoting. … For remote connections, the agencies advise using the Secure Shell protocol (SSH), supported in PowerShell 7. … Another recommendation is to reduce PowerShell operations with the help of AppLocker or Windows Defender Application Control (WDAC) to set the tool to function in Constrained Language Mode (CLM).

Recording PowerShell activity and monitoring the logs are two recommendations that could help administrators find signs of potential abuse. The NSA and its partners propose turning on features like Deep Script Block Logging (DSBL), Module Logging, and Over-the-Shoulder transcription (OTS).
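The three logging features the agencies name are all switched on through the PowerShell policy registry keys (the same ones Group Policy writes). The following is an added example for this post, not code from the advisory or from the quoted article: it enables Deep Script Block Logging, Module Logging and transcription on a Windows PowerShell 5.1 host, then pulls recent 4104 script-block events and flags a few strings defenders commonly watch for. The transcript directory and the keyword list are assumptions for the example; run it from an elevated prompt.

```powershell
# Added example (not from the advisory or the quoted article): turn on the three
# logging features the agencies recommend, then read back what they produce.
# Paths below are the documented Windows PowerShell 5.1 policy keys; PowerShell 7
# reads the equivalent keys under HKLM:\SOFTWARE\Policies\Microsoft\PowerShellCore.

$TranscriptDir = 'C:\PSTranscripts'   # assumed location; use a write-only share in production

function Enable-PSLoggingPolicy {
    param(
        [string]$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell',
        [string]$OutputDirectory = $TranscriptDir
    )
    # Deep Script Block Logging -> Event ID 4104 in Microsoft-Windows-PowerShell/Operational
    $sbl = Join-Path $PolicyRoot 'ScriptBlockLogging'
    New-Item -Path $sbl -Force | Out-Null
    Set-ItemProperty -Path $sbl -Name EnableScriptBlockLogging -Value 1 -Type DWord

    # Module Logging -> Event ID 4103 (pipeline execution details); '*' covers every module
    $ml = Join-Path $PolicyRoot 'ModuleLogging'
    $mlNames = Join-Path $ml 'ModuleNames'
    New-Item -Path $ml -Force | Out-Null
    New-Item -Path $mlNames -Force | Out-Null
    Set-ItemProperty -Path $ml -Name EnableModuleLogging -Value 1 -Type DWord
    Set-ItemProperty -Path $mlNames -Name '*' -Value '*' -Type String

    # Over-the-Shoulder transcription -> a text transcript of every session
    $tr = Join-Path $PolicyRoot 'Transcription'
    New-Item -Path $tr -Force | Out-Null
    Set-ItemProperty -Path $tr -Name EnableTranscripting -Value 1 -Type DWord
    Set-ItemProperty -Path $tr -Name EnableInvocationHeader -Value 1 -Type DWord
    Set-ItemProperty -Path $tr -Name OutputDirectory -Value $OutputDirectory -Type String
    New-Item -Path $OutputDirectory -ItemType Directory -Force | Out-Null
}

function Get-RecentScriptBlocks {
    param(
        [int]$MaxEvents = 50,
        # Assumed watch-list for the example; tune it to your environment
        [string[]]$Keyword = @('FromBase64String', 'DownloadString', 'Invoke-Expression')
    )
    # 4104 events carry the de-obfuscated script text. Property order is
    # MessageNumber, MessageTotal, ScriptBlockText, ScriptBlockId, Path; long blocks
    # arrive in several parts that share one ScriptBlockId.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $text = [string]$_.Properties[2].Value
            $hits = $Keyword | Where-Object { $text -match [regex]::Escape($_) }
            [pscustomobject]@{
                Time          = $_.TimeCreated
                ScriptBlockId = $_.Properties[3].Value
                Part          = "$($_.Properties[0].Value)/$($_.Properties[1].Value)"
                Flags         = ($hits -join ',')
                Snippet       = $text.Substring(0, [Math]::Min(120, $text.Length))
            }
        }
}

Enable-PSLoggingPolicy
Get-RecentScriptBlocks | Format-Table -AutoSize
```

Two practical notes: logging every module with `*` is noisy, so most shops ship 4103/4104 to a SIEM rather than reading them on the box, and transcripts capture whatever was typed, credentials included, so the output directory needs the same protection as the event log.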

What brought this on? Arielle Waldman explains—“Ongoing PowerShell security threats prompt a call to action”:

Restrict PowerShell operations
PowerShell can be integral for cybercriminals that employ “living off the land” techniques, meaning they use legitimate software and functions for malicious purposes. … The factors that make Microsoft PowerShell valuable to IT admins, such as remotely administering and diagnosing a PC, also make it useful to attackers—many [of whom] use PowerShell as a post-exploitation tool. … “This has prompted some net defenders to disable the Windows tool,” a U.S. National Security Agency (NSA) spokesperson said. … “NSA and its partners advise against doing so.”

IT pros are advised to use application controls that would help to restrict PowerShell operations unless allowed by the admin. Authorities also advise implementing the antimalware scan interface feature, which was first available with Windows 10. In addition, the joint cybersecurity group advises the use of multiple authentication methods in PowerShell to permit use on non-Windows devices.

And not all PowerShell versions are equal, as Connor Jones points out—“Embrace PowerShell for better security”:

Upgrading to the latest version
PowerShell is both a scripting language and command line tool that ships with Windows as standard. [But] while PowerShell 7.2 is the latest release, version 5.1 is shipped as standard.

The authorities said that with proper configuration, organisations can keep the same scripts, modules, and commands after upgrading to the latest version. … “Recent versions of PowerShell with improved capabilities and options can assist defenders in countering abuse of PowerShell,” … the advisory read.

But DCdave is not so sure about that:

Powershell 7.2 improves on 5.1? … Not so sure about that.

It’s newer, but it has some compromises due to portability. If you’re setting up a new environment from scratch, then maybe go for it.

Also, just using 7.2 isn’t enough anyway, you do actually need to disable 5.1 in some way, at least for remote access. Otherwise all you’re doing is stopping using 5.1 and leaving it open for anyone who wants to use it.
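Whether a host still exposes older engines is something you can check rather than guess. The script below is an added example for this post, not DCdave's code or anything from the advisory: it reports the running version, the language mode, whether the PowerShell 2.0 engine feature is still installed, which WinRM session endpoints are registered (the `microsoft.powershell` endpoint is the 5.1 one; PowerShell 7 registers its own), and whether an SSH server is present. The second function disables the 5.1 WinRM endpoints and removes the 2.0 engine; the endpoint names are the documented defaults, and everything else is standard cmdlets. Run it elevated on Windows.

```powershell
# Added example (not from the comment above or the advisory): show which PowerShell
# engines and remoting entry points a host actually exposes, and optionally close the
# legacy ones so that moving to 7.x is not undone by a 5.1 endpoint left listening.

function Get-PSExposure {
    # Optional feature state of the 2.0 engine ("powershell -Version 2" downgrade path)
    $v2 = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -ErrorAction SilentlyContinue
    # Every WinRM session configuration is a remote entry point: 'microsoft.powershell' (and the
    # 32-bit twin) is Windows PowerShell 5.1; 'PowerShell.7' is registered by Enable-PSRemoting in 7.x
    $endpoints = Get-PSSessionConfiguration -ErrorAction SilentlyContinue |
        Select-Object Name, Enabled, PSVersion, Permission
    # SSH-based remoting (the agencies' preferred transport) needs an sshd service
    $ssh = Get-Service -Name sshd -ErrorAction SilentlyContinue

    [pscustomobject]@{
        RunningVersion    = $PSVersionTable.PSVersion.ToString()
        LanguageMode      = $ExecutionContext.SessionState.LanguageMode   # FullLanguage vs ConstrainedLanguage
        V2EngineInstalled = if ($v2) { $v2.State } else { 'Unknown' }
        WinRMEndpoints    = $endpoints
        SshdService       = if ($ssh) { $ssh.Status } else { 'NotInstalled' }
    }
}

function Disable-LegacyRemoting {
    # Leaves any PowerShell 7 endpoint in place but stops remote 5.1 sessions, and removes
    # the 2.0 engine, which predates script block logging entirely.
    Disable-PSSessionConfiguration -Name 'microsoft.powershell', 'microsoft.powershell32' -Force -ErrorAction SilentlyContinue
    Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -NoRestart | Out-Null
}

$report = Get-PSExposure
$report | Format-List RunningVersion, LanguageMode, V2EngineInstalled, SshdService
$report.WinRMEndpoints | Format-Table -AutoSize
# Disable-LegacyRemoting   # uncomment once nothing still depends on the 5.1 endpoints
```

Before calling `Disable-LegacyRemoting` on a fleet, confirm nothing management-side still connects through `microsoft.powershell`; some older tooling and configuration-management agents do, which is why the call is left commented out.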

Should I trust the NSA’s security recommendations? Could logs be used against me? Iamthecheese sounds slightly sarcastic:

The NSA recommends that I log everything that happens on my system. The NSA would never lead me astray right?

Or am I actually opening a back door? So worries Lis:

If the “Cyber” security people say to keep something, I would get rid of it if I could.

Trust the [NSA]? I don’t think so.

However, youn doubts there’s a problem:

Such public recommendations wouldn’t be a primary worry because they know they will be scrutinized by security researchers all around. They likely have no problem finding flaws even when the system has been completely secured.

Though it seems paradoxical, you have to admit that over the years they have provided a few features/recommendations to improve security—like SELinux. … If you think one step further, it’s actually logical to encourage securing the average business/computer considering the number of bad actors that can threaten the economy.

Wait. Pause. Claptrap314 certainly did:

I think I see a problem in the premise, “Secure the Windows operating system.”

Meanwhile, trust doragasu to make the obvious gag:

Best command to secure Windows machines? FORMAT C:

And Finally:

It’s about time we checked in on Kotaro and Hana

Previously in And Finally


You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

Image sauce: Kat Med (via Unsplash; leveled and cropped)

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
