The NSA might not be the first organization that you think of turning to for advice about how to secure your computer, but the agency has offered up various tips about how to use PowerShell to do just this.
In conjunction with the Cybersecurity and Infrastructure Security Agency (CISA), the New Zealand National Cyber Security Centre (NZ NCSC) and the United Kingdom National Cyber Security Centre (NCSC-UK), the NSA has published a Cybersecurity Information Sheet. The document is entitled Keeping PowerShell: Security Measures to Use and Embrace, and it advises properly configuring and monitoring PowerShell, rather than removing or disabling it as is often recommended.
Many cyberattacks use PowerShell at some stage, which is why it is frequently removed from systems. The jointly authored document says that making proper use of the tool is a better option, as it “will provide benefits from the security capabilities PowerShell can enable while reducing the likelihood of malicious actors using it undetected after gaining access into victim networks”.
Pointing out that “PowerShell can help defenders manage the Windows operating system by enabling forensics efforts, improving incident response, and allowing automation of common or repetitive tasks”, the agencies recommend measures that “mitigate cyber threats without obstructing PowerShell’s functionality”.
The advisory outlines several ways of configuring PowerShell to reduce its abuse, as well as many ways of using it to help detect abuse. Understanding the capabilities of PowerShell is key to reaping its benefits, the authors say:
PowerShell is essential to secure the Windows operating system, especially since newer versions have resolved previous limitations and concerns through updates and enhancements. Removing or improperly restricting PowerShell would prevent administrators and defenders from utilizing PowerShell to assist with system maintenance, forensics, automation, and security. PowerShell, along with its administrative abilities and security measures, should be managed properly and adopted.
The document is available to read here.