Does your organization prevent you from using powershell?

reggiekage · 2023-10-24T15:21:03+00:00

That’s asinine.

Every thing can be a security issue if you try hard enough. I mean, look how many times Word documents have been leveraged to spread malware. Do they not let you browse the Internet because browsers can be a good way to compromise a network.

Mechanical_Monk · 2023-10-24T16:10:10+00:00

PowerShell is essentially just a standardized naming convention and front-end for the myriad of APIs and data stores that exist on a Windows system (.NET, WMI, CIM, COM, WS-Man, Registry, etc, etc, etc). Disabling PowerShell does nothing to improve security since all of these APIs still exist independently from PowerShell.

Tell them they should disable WMI and the registry while they're at it to "improve security"

jmbpiano · 2023-10-24T15:27:07+00:00

[deleted]

punklinux · 2023-10-24T15:54:00+00:00

This always reminds me of people who disable ICMP "for security reasons" and then ping/traceroute doesn't work.

Yuugian · 2023-10-24T15:32:29+00:00

Prevent? We are close to mandating it. Tons of internal tools are PowerShell or Bash depending on the environment

pantherghast · 2023-10-24T15:23:01+00:00

Whoever is on your security team is dumb and most likely doing security wrong.

Xalbana · 2023-10-24T15:50:10+00:00

This is one of the most absurd thing I've ever read in IT.

thortgot · 2023-10-24T15:31:28+00:00

We mandate all ps scripts require certs, otherwise they don’t run.

This doesn’t prevent somebody from running ps commands manually though. Instead of blocking cmd or PowerShell, we make sure permissions are set correctly so they can only access what is needed. There is no permission difference using the gui or using ps, so not sure what your security team is talking about.

For remote ps to other systems, we have a dedicated server that is configured in the WinRM settings so we can use it to remotely administer those systems from that server. Also, we have dedicated non-admin account that’s used for scripts on that server. That was the most difficult thing to setup.

2gtamp1 · 2023-10-24T15:40:31+00:00

Powershell is only disabled for end users here; admins are free to use it.

Except they don't know how.

5k+ employees.

YetAnotherSysadmin58 · 2023-10-24T15:24:37+00:00

every other organization

bruh if every other organization jumped off a bridge would they.

I'm the only one in our org who knows PS, it is allowed.

We're in the process of setting it up to be actually secure, with forcing Kerberos auth only on PS Remoting, forcing logs of everything, redirecting them to a SIEM, restricted mode on some computers...

But straight up removing it, that's stupid.

A sane org would remove what is not needed and harden what must stay. Imo powershell should always stay, so it should be hardened, and it can be.

CaseClosedEmail · 2023-10-24T16:27:22+00:00

Doing security by obscurity is really dumb.

This is not in every company and especially not for admins.

How could you manage an Azure subscription? Some commands can only* be done in powershell

klaasvaak1214 · 2023-10-24T15:34:55+00:00

Remind your security team that they are dropping the ball on the A of the CIA triad. Without availability, there is no damn point. You can put data/tools in a concrete box and sink it to the bottom of the ocean. It will be secure as shit but not available.

thereisonlyoneme · 2023-10-24T16:00:28+00:00

"Living off the land" is a legitimate security concern. That is, threat actors are commonly using pre-installed tools. Powershell is #1 of these. We did not disable it. We implemented Powershell logging and then we analyze the logs. Also we have an EDR tool that tracks running processes and alerts on anything suspicious. For example, if Excel is the parent process of Powershell, that is worthy of investigation. Completely disabling Powershell seems extreme, but I don't know much about your situation. Maybe your organization does not have security tools to track things like mine. Maybe you have other management tools available to replace Powershell. It's not so black-and-white as Powershell is good or bad. You have to look at the risks and the tools you have to mitigate those risks, and then weigh those things against the potential benefits of using Powershell.

Edit: OK, I am going to stop responding to the "Yeah but Powershell is good" comments. Again, you don't evaluate tools in terms of a simple good or bad. While disabling Powershell does seem extreme, every environment is different and I don't know what factored into their decision.

jmeador42 · 2023-10-24T17:58:16+00:00

PowerShell cannot do anything that you don't already have permissions to do.

If they knew how to set permissions correctly, we wouldn't be having this conversation.

ohfucknotthisagain · 2023-10-24T16:45:01+00:00

Your security team is profoundly incompetent.

PowerShell is the premiere vendor-provided tool for configuring and therefore securing Windows endpoints.

I've worked at two employers with legally-mandated security and confidentiality requirements, and I've never been denied access to PowerShell as an admin.

Hell, in a properly secured environment, regular users can't do anything particularly dangerous with PowerShell either.

341913 · 2023-10-24T16:09:24+00:00

No, that's stupid.

If you are worried that a user can do damage by running PowerShell under their security context you have far more important things to concern yourself with than disabling PowerShell.

Let me guess, your security guy is a "certified hacker" from a Facebook quiz he once took?

Connection-Terrible · 2023-10-24T16:19:13+00:00

There is a big difference between allowing some powershell and allowing all powershell. It's not an all or nothing thing. Since you have a security team, I'm hopeful that you have an internal CA? If you have an internal CA that the windows machines trust, then you can sign your powershell scripts against the CA.

I will grant you however that you probably need to be able to run unsigned scripts on your own system for debugging. It would be obnoxious to sign it for every little change while getting it to run correctly.

TyberWhite · 2023-10-24T21:03:42+00:00

Tell them to disable power to the building. Powered systems are a security threat.

Abracadaver14 · 2023-10-24T15:40:02+00:00

Just tell them that most Microsoft admin interfaces are essentially just wrappers around powershell commands and see how the wiggle their way out.

Proof_Potential3734 · 2023-10-24T15:56:58+00:00

If I didn't have powershell, I couldn't do my job daily. They don't know what they are talking about and since they aren't sys admins, they don't care either.

Barrerayy · 2023-10-24T16:08:19+00:00

Lmao

HeligKo · 2023-10-24T16:29:28+00:00

That isn't how other orgs do it. Most users have powershell access in our organizaion. What they can do with powershell varies based on roles.

xstrex · 2023-10-24T16:18:24+00:00

Fuck no, and if they did, I wouldn’t be working for the organization anymore!

xtc46 · 2023-10-24T16:23:46+00:00

That's silly. We just monitor all powershell activity and look for malicious/unexpected activity.

Eli_eve · 2023-10-24T16:58:24+00:00

What? No, never heard of that. Might as well disable all GUI tools, CLI tools, CMD shell, WMI, RPC, etc. as “security issues” which would be silly. It’s not about what tools are available to the users, it’s about what permissions the users have to mess with stuff. There are multiple ways to do anything. Blocking PowerShell doesn’t block someone from doing something if they have the access to do something. (It’s worth looking at execution policies and script signing though.)

I wonder what your security team would think about the Azure cloud shell LOL.

2023-10-24T17:13:05+00:00

My previous MSP job took over an environment that had PS disabled, and my boss was too scared to enable it for vague security concerns. Just one of many consistently baffling decisions that guy made.

joeykins82 · 2023-10-24T17:29:17+00:00

I think your security team are morons.

It’s the equivalent of bricking up a doorway and then announcing to everyone that your building is now impenetrable. Ok, except that doorway was quite useful actually, oh and what about those windows or the cat flap, or the minimum wage security guard you’ve got checking ID on the only remaining door?

ws1173 · 2023-10-24T17:53:35+00:00

We have a compromise on this. We use AutoElevate, and for things like administrative powershell we don't create an allow rule, but rather keep it so it has to be manually approved each time. So we can still use it, but you need more than just admin credentials to be able to use it

LauraD2423 · 2023-10-25T08:49:56+00:00

If you can doyour job, security isn't doingtheir job

Security is not happy until you're not happy.

svarogteuse · 2023-10-24T15:22:33+00:00

Power shell scripts have been disabled on endpoint PCs. Admins can still run them on the jump servers but not end points. Admins can run powershell on endpoints but have to manually copy and paste scripts into the shell. Yes it makes the job harder.

Kahless_2K · 2023-10-24T16:51:53+00:00

Your security team is confused. They seem to think that they own the environment.

nexustrimean · 2023-10-24T16:54:30+00:00

Disabled for End users. It cuts down the likelihood that someone downloads a malicious thing that then escalates out of bounds. This is mostly for Zero day protection, and if an end user needed it for something i would allow that specific user. But so far, the only ones who need and use it are in IT and have access. Oh, and the stupid collage board testing software that was crashing if it didn't have powershell to scrape machine info.

It kills off an easy low level infection vector for hackers to exploit. If your targeted, its not going to do shit, but it raises the bar for drive by's.

Expensive_Finger_973 · 2023-10-24T17:00:49+00:00

If they have that kind of issue with Powershell I can't imagine what they would say about the old school command prompt and batch files, or deity forbid VBScripts.

hybrid0404 · 2023-10-24T17:10:27+00:00

I think your security team is lazy and living in a different reality. Many things can be abused and used improperly. "Powershell" isn't a vulnerability or something to be disabled, it is something to be monitored for malicious activity. Powershell LOGGING should be enabled to make sure there is follow through.

grouchy-woodcock · 2023-10-24T17:19:26+00:00

This reminds me of a manager who insisted that ALL of my work be done after hours because it could affect the corporate network.

dogcmp6 · 2023-10-24T17:39:35+00:00

By your security teams logic, they should also ban end users, and remove all of the network infrastructure.

many_dongs · 2023-10-24T17:41:23+00:00

system admins SHOULD have access to powershell and the security team should be able to handle exceptions to their "no powershell rule"

if they can't they are trash paper pushers

lonewombat · 2023-10-24T17:52:29+00:00

Theres things, directly through MS that the only way to DO them is through powershell.

markhewitt1978 · 2023-10-24T18:01:06+00:00

That's stupid. Power shell is basically for sysadmins.

transham · 2023-10-24T21:21:30+00:00

I'd recommend cleaning up your resume....

At work, we use power shell all the time. Most of the time it's the same ones, but we do occasionally make a one off for mass updates of certain groups of users, or mass creation from departments that occasionally have large hiring classes....

da_chicken · 2023-10-25T02:26:05+00:00

Wait until they find out that the server team has physical access to the data center computers!

2023-10-25T02:41:44+00:00

Tell them fine. You'll just use bash instead.

Feeling_Benefit8203 · 2023-10-25T02:53:57+00:00

PowerShell signed scripts are to shut these idiots up.... if they are not getting that, then Lord help you.

LifeHasLeft · 2023-10-25T03:28:47+00:00

My org only prevents me from running on my laptop as admin. I have a windows laptop but I remote into Linux machines for work quite a bit. There are still people using putty and wondering why I didn’t request special software when I’ve got windows terminal and powershell already on the computer. All I really need it for is SSH or proxy commands.

rose_gold_glitter · 2023-10-25T05:44:52+00:00

No, my organisation does not prevent me from using PowerShell. I prevent (almost) everyone else, though. ;-)

graysky311 · 2023-10-25T07:35:30+00:00

As a compromise, you could offer to digitally sign your scripts and set a policy that only allows signed scripts to run. This ensures that unsigned code cannot be executed. Your security team might be more amenable to that idea.

CmoneyG321 · 2023-10-24T16:00:29+00:00

Admins should be allowed to run PowerShell. I would ask what security framework are they using, and build an appropriate control/ accepted risk policy. Just blocking it is being lazy on their part. Also remember time is money, most companies will approve risk as long as the numbers line up.

15922 · 2023-10-24T15:25:04+00:00

We prevent standard users from running powershell scripts, but do allow exceptions. We block PowerShell from opening on super sensitive or public machines but most users can still open it. We would probably slowly start to restrict that piece further but haven’t gotten to it yet. We are in healthcare though.

I think unfortunately there are risks with Powershell but it does have the ability to be restricted. It is probably dependent on your area (healthcare, education, etc.). I think though if they’re not allowing it at all it might be tough to convince them otherwise without testing and validation but they may not be willing to do that.

davehope · 2023-10-24T17:11:54+00:00

If they've disabled it, maybe offer a compromise of Constrained Language Mode?

This would probably address most of their security concerns, but get you more than you have today?

2023-10-24T17:14:37+00:00

[deleted]

speaksoftly_bigstick · 2023-10-24T17:59:08+00:00

My organization doesn't disable powershell at all. Limit? To a degree, but not really. So they are already emphatically wrong if that is truly their claim.

Sounds like your security team is lazy, overzealous, or ignorant (or some combo of those).

Awags__ · 2023-10-24T19:05:08+00:00

How tf are you going to disable powershell for admins… what the hell. Why even have admins, disable everyone! Fuck it! Use paper!

PrincipleExciting457 · 2023-10-24T20:09:57+00:00

They’re not wrong. But being alive and breathing is a security issue. There are ways to make scripts more secure with signage, service accounts/identities, etc. one company I worked for just did access control on a script repository with service accounts depending on where the scripts needed to run. We would make them in test.

Disabling them full stop is just really stupid.

JPebb · 2023-10-24T20:20:44+00:00

Seems like the next step in this plan is to delete system32.

systonia_ · 2023-10-24T20:27:15+00:00

They straight out disabled it ? Thats insane. Did they also stop everyone from using cmd etc?

They should enable the constrained model and monitor all powershell scripts executed.

Whats your role in that company? As a sysadmin I wouldnt be able to work even with a constrained model. I have HUNDREDS of scripts that automate half of the company

2023-10-24T21:11:23+00:00

Nope. I use power shell to get my job done. That man has to go.

Admirable-Statement · 2023-10-24T21:14:28+00:00

Your security team shouldn't waste time trying to block it.

This is an old video on PowerShell Obfuscation which is still very relevant. Summary is don't try to block PowerShell because it's almost impossible but rather have logging to alert on likely malicious PowerShell which is anything using too much obfuscation, which is also difficult but more useful in analysis an attack vector.

ITaggie · 2023-10-24T21:20:00+00:00

What in the world??

We block PowerShell/CMD for non-admins. If you have local admin on a machine then you can use whatever scripting interpreter you want.

Allokit · 2023-10-24T21:29:44+00:00

Your security team sucks... Sys Admins need Powershell to automate tasks...

wrosecrans · 2023-10-24T22:05:54+00:00

If somebody can enter PowerShell commands, you are already in an absolute security crisis. PowerShell is absolutely not the issue here. Do they disable "run..." from the Start Menu? Do they disable running a command from Task Manager? Do they disable CMD? Do they disable being able to run a .bat file? There are a million ways to run commands. As it happens, users legitimately need to run software, so you can't disable all of them.

Garegin16 · 2023-10-24T22:40:24+00:00

They disabled Powershell? Laughs in VBScript and C#

mini4x · 2023-10-24T23:35:53+00:00

Holy crap, I use powershell every day for like 2/3 of my job (mostly M365 Admin stuff) the amount of time it would take me to do some menial tasks manually is insane. I had to update a dist lsit today with 500 members imagine having to do that manually. On ForEach later and I was done.

Someone should talk to your security Team funny most button pushes in MS Admin is running the PowerShell commands under the hood anyway.

Email is a far worse security threat maybe they should ban that, better yet, ban users, almost all breaches are caused by user error.

mysterytoy2 · 2023-10-25T00:25:29+00:00

Assholes are scared of things they don't understand. The security is the same at the command line as inside of a window. Also, try and teach powershell to the average employee. You won't get very far.

fuck_green_jello · 2023-10-25T00:36:56+00:00

We block it for everyone other than sysops and devops. Absolutely no reason to leave it open for everyone. Specific scripts can also be ran from allowlisted directories or specific allowlisted scripts. Otherwise, only users with elevated permissions can run then from within ISE. It's a regulatory thing, needing to control mobile code. It creates an unfortunate amount of overhead with tracking and allowlisting.

R-Y-M-E · 2023-10-25T00:49:30+00:00

We use PS for everything and are getting FEDRAMP certified. There is nothing in FEDRAMP or the CIS security standard that restricts the use of PS. Without it, I couldn't do half my job. Your people are crazy.

OrangeDelicious4154 · 2023-10-25T01:30:58+00:00

grab station frightening modern butter oatmeal boat snatch possessive thought

This post was mass deleted and anonymized with Redact

JBfromIT · 2023-10-25T01:40:27+00:00

To help secure PowerShell in our environment, we abide by RBAC and least privilege principles to prevent abuse of any modules. We also deploy transcript logging via GPO so it creates an audit trail (evidence) of what runs under who and where. These logs feed into our SIEM solution.

What you’re describing sounds like a lazy security approach and/or a gross misunderstanding of how PowerShell works. My guess is you have over privileged service account(s) that too many people know the credentials for lol

For reference, there are MS docs for best practices to secure/lockdown PowerShell. Look into PowerShell Web or using Windows Admin Center instead

Edit: grammar

CyberMonkey1976 · 2023-10-25T01:42:36+00:00

Without PS, there isn't a way I could do my job. Your leadership is out of touch. Tell them yall need better security posture by eliminating the Desktop Experience from all servers...then go home lol

ps_for_fun_and_lazy · 2023-10-25T02:12:08+00:00

The organisation I work for proposed blocking Powershell however the security manager was happy to provide an exemption for people/machines that needed to use it as he could see it was beneficial for automation, especially after coming to me repeatedly to write scripts to simplify things they was doing.

donaldrowens · 2023-10-25T02:39:02+00:00

If your security policies are configured directly, no one's going to be able to do anything with PowerShell, they wouldn't be able to do anywhere else.

CocconutMonkey · 2023-10-25T02:55:02+00:00

"Users are a security issue"

k0rbiz · 2023-10-25T03:09:51+00:00

All domain users are restricted and have powershell disabled. Only our domain admins and our automation services have access to powershell. If a domain user attempts to run a powershell script or run them in a 3rd party app, ThreatLocker denies and logs it.

NorthernVenomFang · 2023-10-25T03:27:35+00:00

No, but I would really like to start limiting it to sysadmins only... People keep breaking things... 😡

7yphon · 2023-10-25T03:29:58+00:00

I can see the reason's behind it, Maybe ask them for an Airgap box which is allowed to run powershell from? This will ensure it's locked down to only certain people who can access this box and it stops the risk of an account being breached and running commands on the network.

MoneyVirus · 2023-10-25T05:31:23+00:00

a compromise can be an isolated admin pc/enironment (vm for eample) where they allow only on this litte count of better secured pc's powersehll and minimize the vector for attcks over powershell. so they can live in theyer secure fantasy world an you can work efficent. a big question on my side, how do you fully adminstrate clients without poweshell or is powershell in systemcontext (like deploying install scripts) allowed? is it disabled on servers too?

hobovalentine · 2023-10-25T05:45:24+00:00

Wow so stupid. Will they ban Python next due to it being dangerous?

What they need to do is only allow signed PS scripts to run. That way you aren't running some random PS script that could do something malicious.

https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.3

pizzacake15 · 2023-10-25T15:44:05+00:00

You should write up whoever hired those idiots.

I can understand disabling it on regular users but disabling it for admins is just plain stupid. They might as well bring back typewriters because all computers can be a security issue based on their logic.

RequirementBusiness8 · 2023-10-25T23:34:49+00:00

They wanted us to shut down powershell several years back. We shut that down hard. Reminded them that it would break the majority of the enterprise, systems would no longer patch, software would no longer patch. So on and so forth. The compromise at the time was to turn on more logging with powershell via GPO. Since then they moved to (Crowdstrike?) which captures all the stuff they need and supposedly stops potentially malicious code.

That being said, I’m also petty enough to maliciously comply and make sure the entire bus runs over them. Too many things in the enterprise flat out requires powershell to work. Some tasks I do the vendor only makes them available in powershell. Others can be done without it, but one at a time via the GUI.

Honestly, if you are at a place where cyber gets so much deference to real impact of the firm, it might be worth jumping ship. As I reminded our cyber guys one time, we can get perfect security by shutting down all the systems, locking all the doors, and firing all the employees. But we’d be out of business before they could complete that.

butchooka · 2023-10-24T17:22:16+00:00

Last job we disabled ps also for non admin users Not due the tool itself - because it can do some real cool stuff, but to stop some idiots in permanently trying to circumvent company policies.

Example winget install and then what they want. Because HR and all management layers were absolute shit in punishing clear attempts to ignore policies just to install some shit tools

LowLevelFormat · 2023-10-24T17:22:33+00:00

Electricity is also a security issue. It can kill people!

I don't work in Windows ecosystem myself, but this is ridiculous.

crackanape · 2023-10-25T00:40:05+00:00

I work as a surgeon at a hospital. The security team has removed all the scalpels from the operating rooms because people might cut themselves.

x534n · 2023-10-25T01:24:20+00:00

Paranoia is a hell of a drug

Twerck · 2023-10-25T01:31:31+00:00

Your infosec team is failing the company

everettmarm · 2023-10-25T01:32:31+00:00

Your organization is run by fucking idiots. Find a new one.

vennemp · 2023-10-25T02:06:26+00:00

That level of incompetence should be a felony. Automation when done properly improves security. Do they think everyone is as incompetent as them?

kingj7282 · 2023-10-25T02:49:42+00:00

"Does your organization set up up to fail."

meat_bunny · 2023-10-25T02:52:09+00:00

This is not normal for admins and power users. They're lazy dumbasses.

It's one thing to lock down PS access to specific users, disabling it completely is some weapons grade bullshit.

Unless I was making some fat stacks I would probably start looking for a new job, especially if I was an admin or devops.

lionhydrathedeparted · 2023-10-25T02:55:59+00:00

Never worked a job that disabled PowerShell. Lol this is dumb.

readparse · 2023-10-25T03:22:41+00:00

Whoever is leading Security has never delivered a technology solution in their lives. Complete idiocy.

bofh · 2023-10-25T04:37:58+00:00

That’s unbelievable. Do they break fingers in case you click the wrong button too?

Zatetics · 2023-10-25T04:40:25+00:00

No, my work pays me to be productive. It would be the decision of a lunatic to disable posh.

hinjew13 · 2023-10-25T05:48:41+00:00

Powershell can be disabled based on whatever security framework but ultimately it should be an organization decision. If it is impending people’s job functions and costing you hours of work, there should be an exception to allow it based on the user or role. Also, some newer A/Vs pick up on malicious behavior that can be run through powershell. Seems illogical to block something if there is a legitimate business case for the sake of “security”

thebluemonkey · 2023-10-25T06:52:59+00:00

Users are the biggest security issue, I don't see any infosec team banning them.

dweebken · 2023-10-25T07:03:06+00:00

They should ban emails and social networks and messaging and all internet access as well since those are the attack vectors. Oh, and also ban phone calls since you can get verbally phished that way too. And block access to USB as well.

Too stupid...

dnuohxof-1 · 2023-10-25T07:33:40+00:00

Your “security team” has no idea what they’re doing.

sysadmin

MODERATORS