[Translate to english:] PowerShell Security
[Translate to english:]

IT Security | Endpoint Management | System Administration

PowerShell Security – Why PowerShell usage should be controlled

10. December 2020, Avatar of Felix ZechFelix Zech

PowerShell is a central component for the efficient administration of Windows computers. Many of Windows’ services can only be controlled or configured via PowerShell commands and scripts. However, the PowerShell has some pitfalls. Unless configured correctly, it allows any user to obtain comprehensive information about the network including user lists showing access rights, the domain level and much more.

In short

  • PowerShell is an important part of corporate administration, but it also poses security risks.
  • Standard PowerShell allows users to access sensitive network information.
  • Microsoft offers free tools such as PAM, JIT and JEA for better permission control.
  • These tools allow time-limited and restricted access for users.
  • The configuration of these tools is crucial and does not require expensive additional products.

A gift for cyber criminals

This information in turn is very valuable to cybercriminals, because it provides a virtual roadmap for exploring potential attack vectors and vulnerabilities. The risks are heightened by the fact that many users have unnecessarily broad authorization settings, including those within the IT department itself. Exchange administrators, for example, often have full access to the domain even if they only need such access briefly or intermittently for a few selected tasks. Similar situations apply to other admins. There is a better way.

Get to know PAM, JEA and JIT instead

Microsoft provides some tools to assign exactly defined permissions. PAM (Privileged Access Management), for example, enables temporary and defined group memberships. That enables you to give the Exchange Admin, for example, access for a preconfigured period of time, after which permissions revert to their regular and more limited settings. That ensures that if that user's account is compromised, an intruder has less rights when accessing network systems.

JIT (just-in-time) and JEA (just-enough administration) offer similar control. JIT is the counterpart to PAM at the PowerShell level. JEA allows you to limit the functional area within the PowerShell so that not all cmdlets are available to every user. Instead, each user only gets access to those that are necessary to do their work. Combined with transcription logging, it is also possible to track exactly which user entered which commands, when, and how many.

The best thing is that these tools are provided by Microsoft free of charge. All the administrator has to do is configure them correctly. Expensive additional products are usually not necessary. 

PAM, JEA and JIT are included in our "Windows Security Skills" user training. Check it out and please contact us if you’d like to take advantage of that or any of our flexible line-up of training sessions.

Read more

Entries 1 to 3 of 3