PowerShell Security – Why PowerShell usage should be controlled

This information in turn is very valuable to cybercriminals, because it provides a virtual roadmap for exploring potential attack vectors and vulnerabilities. The risks are heightened by the fact that many users have unnecessarily broad authorization settings, including those within the IT department itself. Exchange administrators, for example, often have full access to the domain even if they only need such access briefly or intermittently for a few selected tasks. Similar situations apply to other admins. There is a better way.

Microsoft provides some tools to assign exactly defined permissions. PAM (Privileged Access Management), for example, enables temporary and defined group memberships. That enables you to give the Exchange Admin, for example, access for a preconfigured period of time, after which permissions revert to their regular and more limited settings. That ensures that if that user's account is compromised, an intruder has less rights when accessing network systems.

JIT (just-in-time) and JEA (just-enough administration) offer similar control. JIT is the counterpart to PAM at the PowerShell level. JEA allows you to limit the functional area within the PowerShell so that not all cmdlets are available to every user. Instead, each user only gets access to those that are necessary to do their work. Combined with transcription logging, it is also possible to track exactly which user entered which commands, when, and how many.

The best thing is that these tools are provided by Microsoft free of charge. All the administrator has to do is configure them correctly. Expensive additional products are usually not necessary. 

PAM, JEA and JIT are included in our "Windows Security Skills" user training. Check it out and please contact us if you’d like to take advantage of that or any of our flexible line-up of training sessions.