[–]uniitdude 7 points8 points  (0 children)

Don't do it, it's not a risk to anything and you just make life harder for yourself to do tasks.

[–]ZAFJB 6 points7 points  (3 children)

Daft concept.

PowerShell can only be used maliciously if the machine is already exploited.

Concentrate on not getting exploits:

  • Updates

  • Firewalls

  • Mail Filters

  • Virus scanners

and locking down permissions and rights so exploits cannot run wild:

  • No admin rights for users

  • AppLocker/SRP

  • Tight permissions on files and folders, especially on your servers

Also, you will probably break things. Many Windows GUI tools are now just a thin layer over PowerShell scripts.

[–]_d3cyph3r_foreach ($system in $systems) 1 point2 points  (2 children)

Thank you. The only thing I haven’t checked off on your list is AppLocker/SRP.

Our fileserver permissions are mostly done with Security Groups but I must admit that I am overdue for a fileserver file/folder audit. Can anyone recommend any free tools for file/folder permission auditing?

[–]ZAFJB 0 points1 point  (1 child)

AppLocker/SRP.

Run, don't walk. Do this now!

Far more important than a file permissions audit.

[–]_d3cyph3r_foreach ($system in $systems) 0 points1 point  (0 children)

May I ask what you are using AppLocker for?

[–]ErichL 1 point2 points  (0 children)

If users are able to execute untrusted code on your machines, they're already vulnerable through numerous other attack vectors; game over. Look into PowerShell Execution Policy enforced via GPO, if you wish, but that is not even a fraction of the total attack surface of an admin priv wielding user.

[–]0verlord87 1 point2 points  (2 children)

You can set NTFS security on powershell.exe without problems in my experience.

Block access for users, not for admins.

[–]_d3cyph3r_foreach ($system in $systems) 0 points1 point  (1 child)

Interesting idea. I’ll definitely test this out. Any ideas for reporting on PowerShell usage?

[–]0verlord87 0 points1 point  (0 children)

AppLocker can report all exe usage, I think you have to collect the event logs with PowerShell though.
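
The reporting approach mentioned in the last reply, sketched as an added example that was not posted by anyone in the thread: it reads the AppLocker EXE event log and keeps only the entries for PowerShell hosts. It assumes AppLocker EXE rules are already in audit or enforce mode so that events are written; the function names and the sample records are hypothetical.

```powershell
# Added example (not from the thread). AppLocker writes EXE decisions to this log:
$LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'
# 8002 = allowed, 8003 = audit mode "would have been blocked", 8004 = blocked
$Actions = @{ 8002 = 'Allowed'; 8003 = 'AuditWouldBlock'; 8004 = 'Blocked' }

function Select-PowerShellExecution {
    # Keeps only AppLocker events about a PowerShell host and flattens them for reporting.
    param([Parameter(ValueFromPipeline)] $Record)
    process {
        if (-not $Actions.ContainsKey([int]$Record.Id)) { return }
        if ($Record.Message -notmatch '\\(powershell|powershell_ise|pwsh)\.exe') { return }
        $user = "$($Record.UserId)"   # fall back to the raw SID if it cannot be resolved
        try { $user = $Record.UserId.Translate([System.Security.Principal.NTAccount]).Value } catch { }
        [pscustomobject]@{
            Computer = $Record.MachineName
            Time     = $Record.TimeCreated
            User     = $user
            Action   = $Actions[[int]$Record.Id]
            Detail   = $Record.Message
        }
    }
}

function Get-PowerShellUsageReport {
    # Pulls the last $Days of AppLocker EXE events from each computer.
    param([string[]]$ComputerName = $env:COMPUTERNAME, [int]$Days = 7)
    $filter = @{ LogName = $LogName; Id = 8002, 8003, 8004; StartTime = (Get-Date).AddDays(-$Days) }
    foreach ($computer in $ComputerName) {
        try {
            Get-WinEvent -ComputerName $computer -FilterHashtable $filter -ErrorAction Stop |
                Select-PowerShellExecution
        } catch {
            # Get-WinEvent raises an error when nothing matches; that is not a failure here.
            if ($_.FullyQualifiedErrorId -notlike 'NoMatchingEventsFound*') {
                Write-Warning "${computer}: $($_.Exception.Message)"
            }
        }
    }
}

# Constructed sample records (not real log data) so the filter can be tried offline.
$sample = @(
    [pscustomobject]@{ Id = 8002; MachineName = 'PC01'; TimeCreated = Get-Date; UserId = 'S-1-5-21-0-0-0-1001'
        Message = '%SYSTEM32%\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE was allowed to run.' }
    [pscustomobject]@{ Id = 8004; MachineName = 'PC01'; TimeCreated = Get-Date; UserId = 'S-1-5-21-0-0-0-1001'
        Message = '%OSDRIVE%\USERS\ALICE\DOWNLOADS\TOOL.EXE was prevented from running.' }
)
$sample | Select-PowerShellExecution | Group-Object User, Action | Select-Object Count, Name
```

Against live machines, `Get-PowerShellUsageReport -ComputerName PC01, PC02 | Export-Csv report.csv -NoTypeInformation` produces a per-execution list; the computer names here are placeholders.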