Why should we not disable PowerShell?

Disabling PowerShell removes a crucial automation tool for security and administration tasks, potentially leading to unsupported environments and operational issues.

What are the main risks associated with using PowerShell?

Risks include exploitation by attackers if proper security measures are not implemented, such as logging, monitoring, and application whitelisting.

How can we secure PowerShell usage?

You can secure PowerShell by enforcing application whitelisting, using Constrained Language Mode, and implementing robust logging practices.

What is the significance of execution policies in PowerShell?

Execution policies are not security features but serve as a way to prevent unintentional script execution. They can be circumvented easily.

How does application whitelisting help?

Application whitelisting ensures that only approved and trusted scripts or executables can run, reducing the risk of unauthorized executions.

What is Constrained Language Mode?

Constrained Language Mode limits the functionalities available to PowerShell scripts that are not trusted, significantly reducing the capabilities of potential attackers.

How can older PowerShell versions affect security?

Older PowerShell versions may lack security enhancements and features, making systems vulnerable. Regular updates are necessary to maintain security.

What logging features are recommended for PowerShell?

Script block logging and module logging are recommended as they provide detailed records of what is executed, aiding in monitoring and incident response.

How can we manage PowerShell updates?

PowerShell can be updated through Windows Management Framework updates or package managers in a corporate environment.

What should be done about unauthorized code execution?

Implement and enforce application whitelisting to ensure only authorized code can run while monitoring for any unauthorized attempts.

PowerShell Security - Friedrich Weinmann - PSConfEU 2022

00:48:49

https://www.youtube.com/watch?v=M261YjSKj4w

摘要

TLDRIn this presentation, Fred from Microsoft discusses the relevance of PowerShell in maintaining a secure Windows environment while addressing concerns related to its potential misuse by attackers. He emphasizes that PowerShell, often perceived as a security risk, is actually vital for automation and administrative tasks. Fred provides strategies for organizations to manage and secure PowerShell use, including leveraging logging, execution policies, Constrained Language Mode, and application whitelisting. He outlines common misconceptions about PowerShell's security features and provides insight into best practices for integrating it safely into corporate environments.

心得

🔑 PowerShell is a powerful tool for automation and security.
🚫 Disabling PowerShell can lead to unsupported environments.
✅ Application whitelisting is essential for security.
🧐 Execution policies do not guarantee security.
🔍 Use logging to track and monitor PowerShell usage.
🔒 Constrained Language Mode limits script capabilities.
🛡️ Regularly update PowerShell to enhance security.
⚙️ Ensuring only trusted code runs is critical for protection.
📈 Security best practices must evolve with emerging threats.
🤝 Engage admins in secure coding practices for better compliance.

时间轴

00:00:00 - 00:05:00
The speaker, Fred, introduces himself as a custom engineer at Microsoft. He discusses the significance of PowerShell in his work and the common misconceptions about its security risks due to malware, especially among higher management who feel compelled to disable it rather than utilize its capabilities.
00:05:00 - 00:10:00
Fred emphasizes that despite the concerns surrounding PowerShell, it is actually one of the most secure languages available for automation. He uses a metaphor comparing cybersecurity to a castle, explaining that simply disabling PowerShell is akin to a false sense of security.
00:10:00 - 00:15:00
He points out that the idea of disabling PowerShell might seem appealing but is ultimately ineffective against real threats, as attackers have a variety of languages and methods at their disposal. He argues that understanding PowerShell and monitoring its use can provide greater security benefits.
00:15:00 - 00:20:00
To combat requests for disabling PowerShell, Fred highlights the importance of understanding its integration within the Windows ecosystem and that the entire system relies on it being enabled for proper function, which emphasizes the risk of disabling it.
00:20:00 - 00:25:00
Fred debunks the myth that execution policies in PowerShell serve as a security measure, clarifying that execution policies do not genuinely prevent malicious scripts from running. He discusses the importance of having the latest PowerShell versions to ensure security features are up to date.
00:25:00 - 00:30:00
He discusses the need for application whitelisting and controlling executed PowerShell versions to prevent potential exploits. He underlines the monitoring requirement, suggesting that version 2 of PowerShell should be uninstalled, but also points out the limitations in simply removing older versions from machines.
00:30:00 - 00:35:00
The talk highlights various security measures such as code signing, auditing remoting connections, and how to manage external code. Fred stresses that administrative processes should be rigid to maintain organizational security without posing significant operational disruptions.
00:35:00 - 00:40:00
Fred covers logging in PowerShell, distinguishing between its different methods and focusing on script block logging as the most effective method to understand what is being executed. He expresses the importance of continuous monitoring and an understanding of usage patterns for security events.
00:40:00 - 00:48:49
Finally, Fred wraps up with a reminder that proper implementation of these security practices requires an understanding of the technical landscape and process management within organizations. He encourages adopting source control practices and proper code approval workflows to bolster security.

显示更多

思维导图

视频问答

Why should we not disable PowerShell?
Disabling PowerShell removes a crucial automation tool for security and administration tasks, potentially leading to unsupported environments and operational issues.
What are the main risks associated with using PowerShell?
Risks include exploitation by attackers if proper security measures are not implemented, such as logging, monitoring, and application whitelisting.
How can we secure PowerShell usage?
You can secure PowerShell by enforcing application whitelisting, using Constrained Language Mode, and implementing robust logging practices.
What is the significance of execution policies in PowerShell?
Execution policies are not security features but serve as a way to prevent unintentional script execution. They can be circumvented easily.
How does application whitelisting help?
Application whitelisting ensures that only approved and trusted scripts or executables can run, reducing the risk of unauthorized executions.
What is Constrained Language Mode?
Constrained Language Mode limits the functionalities available to PowerShell scripts that are not trusted, significantly reducing the capabilities of potential attackers.
How can older PowerShell versions affect security?
Older PowerShell versions may lack security enhancements and features, making systems vulnerable. Regular updates are necessary to maintain security.
What logging features are recommended for PowerShell?
Script block logging and module logging are recommended as they provide detailed records of what is executed, aiding in monitoring and incident response.
How can we manage PowerShell updates?
PowerShell can be updated through Windows Management Framework updates or package managers in a corporate environment.
What should be done about unauthorized code execution?
Implement and enforce application whitelisting to ensure only authorized code can run while monitoring for any unauthorized attempts.

查看更多视频摘要

即时访问由人工智能支持的免费 YouTube 视频摘要！

字幕

自动滚动:

00:00:02
[Music]
00:00:16
thank you for joining us today again and
00:00:18
i very much appreciate all of your
00:00:20
energy to get up at 9 00 am sit here
00:00:23
after what happened last night
00:00:26
if i'm slightly wobbling around i might
00:00:30
still have some left over alcohol in the
00:00:32
blood but a little bit of fortification
00:00:34
won't hurt today
00:00:36
um yeah
00:00:38
i'm fred
00:00:41
i'm a custom engineer working for
00:00:43
microsoft um of the customer engineering
00:00:45
gig ads
00:00:46
you're officially assigned to some field
00:00:48
for example i'm infrastructure and
00:00:50
security
00:00:51
which is kind of nice but inside in
00:00:53
reality we get
00:00:54
fairly liberal about what engagements we
00:00:57
pick what topics we cover and to
00:00:59
everybody's surprise in the room no
00:01:00
doubt i pick powershell
00:01:02
lots of it every day
00:01:04
which is fun
00:01:06
and
00:01:09
this one thing when somebody in the
00:01:11
world files a ticket with microsoft if
00:01:13
the first line support can't handle it
00:01:15
that gets escalated internally into the
00:01:17
proper directions
00:01:19
so that somebody
00:01:21
marzinio might be able to help with that
00:01:24
and as it happens about once or twice
00:01:27
per month the following request ends up
00:01:30
on my table
00:01:36
now where does this request comes from
00:01:38
come from it's a
00:01:41
born of ignorance of people literally
00:01:44
being helpless not knowing what to do
00:01:46
they read in the newspapers that there's
00:01:48
a malware there's bad actors using
00:01:51
powershell to hack your environment it's
00:01:53
a danger it's a risk
00:01:55
so they want to turn it off
00:01:58
this especially comes admittedly from
00:02:00
this from the sea levels and they read
00:02:02
some tech paper because the cio kind of
00:02:04
wants to double in its old field i mean
00:02:06
we all know cio
00:02:08
classic acronym for carrier is over
00:02:11
it's it's a kind of bad fate that
00:02:13
happens to a technician that gets
00:02:14
promoted a few levels more than he would
00:02:16
really be comfortable with so whenever
00:02:18
you can make the time you try to read up
00:02:20
to stay with your with the reality of
00:02:22
your team but given the how busy your
00:02:25
life is at that level the chances are
00:02:27
you're not going to be able to do that
00:02:29
in full depth so that's where we get
00:02:31
this kind of request from
00:02:34
and yeah we have to deal with that
00:02:37
so what can we tell them
00:02:40
the first thing i really try to tell
00:02:42
them you know what
00:02:43
it might attackers might be using it but
00:02:45
actually
00:02:46
it's your best chance
00:02:48
it is
00:02:49
hands down the most secured language
00:02:53
that we have and at least from coming
00:02:55
from microsoft running on windows
00:02:57
and
00:02:58
you're not going to get a better thing
00:03:00
to automate your environment
00:03:02
and sometimes this table alone already
00:03:04
wins the deal
00:03:06
which i totally did not steal from the
00:03:07
homes
00:03:10
that said
00:03:12
often enough they still say hey i still
00:03:14
want to disable it
00:03:17
which uh yeah leaves us at the next
00:03:19
discussion point
00:03:21
when i try to secure an environment i
00:03:24
like to liken it to a castle or to my
00:03:26
home
00:03:27
and the attackers are the burglars
00:03:30
so when i try to shut down powershell
00:03:33
what protection level actually would
00:03:34
that get me
00:03:36
you see that's down there
00:03:39
that's the protection level as we all
00:03:40
know all know burglars come at night
00:03:43
they go over your lawn not just not the
00:03:46
road that might be booby trapped
00:03:48
they might not see the stone they might
00:03:49
stumble over it and break a leg and you
00:03:51
might be secure from that
00:03:54
that's about the protective level you
00:03:55
get from disabling powershell because
00:03:58
you just have to kind of look at the
00:04:00
dark net and what offerings there you
00:04:01
can get attack packages fairly cheaply
00:04:04
and quite a few of them say okay i'm
00:04:06
supporting 10 different attack languages
00:04:08
and if one of them is locked down okay
00:04:10
just take the other
00:04:12
and given all of these nice security
00:04:15
features especially in the logging my
00:04:17
opinion is in my statement officially
00:04:18
here
00:04:19
you should back on your knees you'll be
00:04:22
grateful to all the attackers that are
00:04:24
attacking you with powershell
00:04:26
that's it's kind of like you know it's
00:04:28
uh like putin would be uh phoning in
00:04:31
uh zelensky and say hey tomorrow i'm
00:04:34
gonna attack there
00:04:35
okay or today but this is my war plan
00:04:37
because they will be
00:04:39
signaling everything they're doing you
00:04:40
just
00:04:41
need to grab the data
00:04:44
so
00:04:44
we're at the level of placing a stone so
00:04:46
that's the security game it's better
00:04:48
than not having a stone it definitely
00:04:49
worked out for my aunt aren't that that
00:04:51
actual comparison comes from she
00:04:53
literally did have a burglar stumble
00:04:55
over stone
00:04:57
so
00:04:57
yeah but i don't think you want to rely
00:04:59
on being my aunt that doesn't probably
00:05:01
not we're going to repeat
00:05:04
so that's it i mean it's better than
00:05:06
nothing but
00:05:08
we might have some disadvantages when it
00:05:10
comes to our ability to defend ourselves
00:05:13
slightly
00:05:15
and at this point
00:05:17
some of them
00:05:19
still say i want to shut it down anyway
00:05:22
this discussion this even this picture
00:05:24
doesn't move them
00:05:25
so at this point comes
00:05:27
one of the most magnificent features i
00:05:30
have from tronning microsoft it is
00:05:32
something that revelation
00:05:35
revitalizes me so i'm to refresh it it
00:05:37
gives me so much and it's it's the
00:05:39
one of the absolutely most awesome
00:05:41
features for me with microsoft i can say
00:05:44
sorry not supported
00:05:47
before that i would like to i need to
00:05:49
find some blog posts do some
00:05:51
interpretation from the powershell team
00:05:52
tell them it's a bad idea now i can say
00:05:54
yeah you can try to do that but it is
00:05:56
not supported every machine you shut
00:05:58
down powershell on which you can
00:06:00
but every machine you shut down is out
00:06:02
of support
00:06:04
there's a very simple reason with that
00:06:06
our entire windows operating system team
00:06:08
only tests their operating system with
00:06:10
powershell turned on the scenario of it
00:06:12
being turned off as not being tested
00:06:14
and
00:06:15
things would go wrong i did test do the
00:06:17
testing because all of the maintenance
00:06:19
tasks are running powershell so if you
00:06:22
disable it your server is going to start
00:06:24
developing problems
00:06:27
okay at that point actually i usually
00:06:29
win if i don't if i don't win the
00:06:31
argument with that then i kind of say
00:06:33
okay then why are you raising support
00:06:35
ticket of microsoft
00:06:36
if you're not gonna care about what we
00:06:38
support
00:06:39
um yeah
00:06:41
so what do you do next
00:06:43
now there's there's one myth that comes
00:06:46
in right next because that is something
00:06:47
people are sure about
00:06:48
okay if we can't shut it down let's go
00:06:51
with execution policy
00:06:56
a common very common confusion is that
00:06:58
people actually believe execution policy
00:07:00
is a security feature it is not it has
00:07:02
never been it was never designed as a
00:07:04
security feature and there's this nice
00:07:06
blog post 15 ways to circumvent the
00:07:08
execution policy it's great
00:07:12
what is the execution policy
00:07:14
it was designed back in the days of 2008
00:07:18
where
00:07:19
we thought hey there's this internet
00:07:21
thing admins sometimes do stupid things
00:07:24
and we want them to think again if they
00:07:26
just download a random script and try
00:07:28
running it and they hope it solves their
00:07:29
problem
00:07:31
which
00:07:33
execution policy surprisingly enough did
00:07:35
not work very well out
00:07:37
as reality moved on what really happened
00:07:40
is that all of the code on the internet
00:07:42
is being posted on blog posts and github
00:07:44
and we just copy paste the content in a
00:07:46
local text file and the execution policy
00:07:48
doesn't realize it's a script from the
00:07:50
internet
00:07:52
uh
00:07:53
yeah and if you want to block everything
00:07:54
well who can work if we do literally
00:07:56
block everything
00:07:58
it still has its use if you're trying to
00:08:01
implement code signing in your
00:08:02
organization because you can tell only
00:08:05
code science scripts are allowed to run
00:08:07
and with that you can kind of bully your
00:08:08
admins into designing the script and not
00:08:11
working around the process they can
00:08:13
still do so but for the admin it's
00:08:16
annoying
00:08:17
it's it's never stopped an attacker but
00:08:19
admins will probably kind of follow the
00:08:21
path of least resistance and with that
00:08:23
code setting might be the path of least
00:08:25
resistance
00:08:29
so if that's not the solution
00:08:31
what then can we do
00:08:35
well for the first thing we can manage
00:08:38
what powershell versions we have because
00:08:39
all of her nice and shiny security
00:08:41
features don't work if the attacker is
00:08:43
using a powershell version that is out
00:08:45
of date and doesn't have those shiny and
00:08:46
new features
00:08:48
okay not so new anymore admittedly
00:08:53
yeah
00:08:54
we also have this one thing about being
00:08:56
us needing to prevent the execute the
00:08:59
use of older powershell versions
00:09:01
um
00:09:03
question to the audience who of you has
00:09:05
made sure that in your environment
00:09:07
older versions of powershell are
00:09:09
uninstalled that they are no longer on
00:09:10
the machine
00:09:14
now
00:09:16
yes everything older than 5.1
00:09:19
now
00:09:19
especially powershell version two you
00:09:21
get uninstall the feature you make sure
00:09:22
it's gone and you're safe right
00:09:25
no
00:09:27
yeah we'll be coming back to that but
00:09:29
you need a different way to disable it
00:09:31
we'll be looking at that
00:09:33
we control what code is being executed
00:09:36
and at the best way that we can do we
00:09:38
will look at how can we harden our
00:09:40
remoting
00:09:42
and at the same time get rid of some of
00:09:44
the myths that swirl around what you
00:09:47
should be doing there and what's the
00:09:48
actual effect of doing that because
00:09:50
there are some guidances and myths
00:09:52
around for example requiring https for
00:09:55
remoting
00:09:56
looking at that and finally um
00:09:59
remember how i said that you should be
00:10:01
thanking attackers for using powershell
00:10:03
that's because they tell us what they're
00:10:04
doing but we need to well kind of enable
00:10:07
that and look at it which is where
00:10:09
logging comes in
00:10:12
okay
00:10:13
chapter one
00:10:14
powershell versions
00:10:16
if you've got an older version in
00:10:17
windows 10 and 2016 you can update that
00:10:19
use windows management framework
00:10:22
supported for everything other than if
00:10:23
you're running exchange 2016 on 2012 r2
00:10:26
operating system
00:10:29
for version for powershell core the new
00:10:31
shiny powershell version
00:10:33
there is something we recently have
00:10:35
managed
00:10:37
and if you remember from day one the
00:10:39
night slides of powershell consumption
00:10:41
going through the roof with additional
00:10:43
runs uh operations being triggered i'm
00:10:45
fairly certain that integration into the
00:10:48
microsoft update cycle
00:10:50
is the main reason we have that search
00:10:52
of that you can literally deploy it
00:10:55
using whatever package manager you use
00:10:57
sccm
00:11:00
and get updates through wsus or just
00:11:03
straight microsoft update
00:11:06
there's one gotcha at the moment
00:11:09
and that as we only support that for 64
00:11:12
bits
00:11:13
powershell not for the x86 or 32bits
00:11:15
option you've got a question
00:11:19
okay
00:11:21
so with that we can make sure we also
00:11:23
don't accidentally drop out of support
00:11:25
for a
00:11:27
powershell core versions
00:11:29
so that's nice
00:11:35
i've got that so
00:11:38
for that i'm i hope you forgive me for
00:11:40
not doing a demo for how to update your
00:11:41
powershell
00:11:44
control code execution how can we
00:11:47
control what is being run
00:11:49
traditionally we have an approach for
00:11:52
that and it's called called application
00:11:54
whitelisting
00:11:56
we use app locker windows defender
00:11:58
application controller whatever it's
00:12:00
being called today i mean another
00:12:01
renaming thing for microsoft and i
00:12:03
didn't bother to look it up it might be
00:12:05
out of date tomorrow soon
00:12:07
um
00:12:09
we can white list applications
00:12:12
and that is where the main problem comes
00:12:15
from when you we're talking about
00:12:16
blocking scripting engines because the
00:12:18
application happens to be powershell.exe
00:12:21
or maybe
00:12:23
pwsh.exe
00:12:27
um or maybe not pad.exe
00:12:30
by the way if you catch somebody around
00:12:32
powershell and notepad you probably have
00:12:34
a problem in your
00:12:36
environment and yes i have had that
00:12:39
happen
00:12:40
um the key thing that we need to
00:12:42
remember is that actually powershell
00:12:44
lives in
00:12:45
system.management.automation.dll
00:12:49
and you can inject it into any any
00:12:52
process and run powershell whether
00:12:54
benignly or
00:12:56
maliciously
00:12:58
which by the way brings us back to you
00:13:00
uninstalling powershell version 2 on the
00:13:03
boxes has no effect
00:13:05
because the attacker can you can just
00:13:07
copy paste the perfectly legally signed
00:13:10
by microsoft version of
00:13:13
system.management.automation.dll in
00:13:14
version 2
00:13:15
and run a script there
00:13:18
so
00:13:19
what we need to do
00:13:20
is uh you want to
00:13:22
actually block all the versions of
00:13:24
powershell
00:13:25
is you need to block the binary which
00:13:27
you can do with a publisher rule because
00:13:29
it is signed by microsoft so you're
00:13:30
blocking
00:13:31
system.management.automation.dll the
00:13:33
product
00:13:34
signed by microsoft with the following
00:13:36
version or lower
00:13:38
that's how you can actually prevent the
00:13:40
attacker from shipping their own
00:13:41
versions
00:13:44
so
00:13:45
we don't actually have a process that we
00:13:47
are trying to block you're trying to
00:13:48
block the individual file the process is
00:13:50
executing and
00:13:52
a file we're trying to actually be
00:13:54
executing
00:13:55
now
00:13:56
not so much
00:13:58
i can
00:13:59
do
00:14:00
for example just co types my code on the
00:14:03
console i mean most of us do this most
00:14:05
of our work days
00:14:07
i can literally paste an entire script
00:14:09
into the console
00:14:12
i can have it as a start parameter in
00:14:14
powershell so there's no in a file i can
00:14:15
just
00:14:16
encode it command and provide a thousand
00:14:18
lines of code as a start parameter
00:14:20
or i could spin up
00:14:23
system.management.automation.dll in
00:14:24
my.net application
00:14:26
and um yeah load the code straight into
00:14:28
memory there
00:14:30
so in many cases
00:14:33
we don't have a file
00:14:35
and of that file based blocking is added
00:14:37
that end
00:14:39
it's it's never going to work
00:14:42
we had application whitelisting support
00:14:44
for powershell in powershell version 4
00:14:47
already
00:14:48
and if you did that there it would block
00:14:50
the script execution
00:14:52
but it would never provide the
00:14:54
protection by just you know reading the
00:14:56
file into memory and then executing the
00:14:58
text as code
00:15:00
so
00:15:01
in powershell version 4 that didn't
00:15:02
really work as we had hoped for
00:15:04
and we have the same problem for
00:15:06
antivirus software not just for how can
00:15:08
we prevent our execution but how can we
00:15:10
detect malware if you don't have a file
00:15:13
to scan and you've got file signatures
00:15:14
on your antivirus the antivirus is not
00:15:16
going to have so much fun and most
00:15:19
modern attacking for example fun x
00:15:22
control execution scheme the client code
00:15:24
is benign that they are executing in the
00:15:26
office micro and they would receive
00:15:27
their actual pay code using dns queries
00:15:30
by looking up text record of the actual
00:15:32
malware code
00:15:33
who amongst us is filtering dns records
00:15:38
yeah
00:15:39
so what we added is something called the
00:15:41
anti-malware scan interface we had a
00:15:44
great talk on that i think it was
00:15:45
yesterday
00:15:47
if you didn't attend that there's a
00:15:48
recording i can strongly recommend that
00:15:50
if you want to see how exactly it works
00:15:52
but what it really happens behind the
00:15:54
scene is you're submitting all the code
00:15:57
and any malware anti-malware service uh
00:16:00
antivirus can scan for it and tell you
00:16:02
that this malware don't execute it so
00:16:04
for some reason defender for example
00:16:07
is quite prejudiced against invoke many
00:16:09
cuts
00:16:10
i wonder why
00:16:13
now
00:16:13
there's two caveats about
00:16:16
benefiting from amsi or the mother scan
00:16:19
interface and that is first of all it
00:16:21
has a strict operating system
00:16:23
requirement
00:16:24
even if you install powershell 5.1 on
00:16:27
your old servers they don't get mz
00:16:29
because your old clients don't get mc
00:16:31
this is an operating system feature
00:16:33
and the other one is your antivirus
00:16:34
needs to support this if you have
00:16:36
defender yes it works
00:16:38
for some of the others you will need to
00:16:40
check with your vendor
00:16:42
do they support it do you need to do
00:16:43
anything to enable it i know at least
00:16:45
one software vendor that supports it but
00:16:47
you need to check one checkbox otherwise
00:16:48
you don't get it
00:16:51
yeah so that is how we can detect
00:16:54
fairly reliably malicious actors get
00:16:57
alerts get your
00:16:59
malware detection in your antivirus
00:17:01
console that's great
00:17:03
but at this point the attacker was
00:17:05
possibly still able to run some code i
00:17:07
mean we might have been able to block it
00:17:08
but
00:17:09
what if the attacker actually invented
00:17:11
their own virus and you hit by zero day
00:17:13
and the signature just doesn't exist yet
00:17:16
the application whitelisting approach is
00:17:19
hey only the thing that i'm allowing to
00:17:21
run is allowed to run
00:17:23
so that it has a great benefit we don't
00:17:25
need to know the actor as long as we
00:17:27
know you're not one of us
00:17:29
and
00:17:30
that would be great if you had it in
00:17:32
powershell but the
00:17:34
problems we're not filibuster you can
00:17:36
only run this file approach doesn't work
00:17:38
so what can we do
00:17:39
we have something called constraint
00:17:41
language mode and if you have an engage
00:17:44
application whitelisting of any kind
00:17:46
all powershell code will be run under
00:17:49
this mode
00:17:50
applocker is an option it's an easy to
00:17:52
deploy faster faster go option if you
00:17:55
want to a full security feature rather
00:17:58
than just defense and depth go for
00:18:00
windows defender application control or
00:18:02
equivalent things that actually
00:18:04
work at the kernel level properly
00:18:08
but applocker is something you can
00:18:09
deploy in a few minutes and get some
00:18:11
protection out of it
00:18:14
constraint language mode that is the
00:18:16
main feature that we have what does it
00:18:18
say if our code is not trusted
00:18:21
you don't get all of the things power
00:18:23
can do
00:18:25
for
00:18:26
example you can
00:18:28
not call any net methods most properties
00:18:31
are read only on objects
00:18:33
some commands may not work at all
00:18:36
for example there's this nice command
00:18:38
called enter ps host process
00:18:40
that allows you to
00:18:42
inject yourself into the powershell
00:18:43
console of your co-worker on the machine
00:18:46
and then execute code in the context of
00:18:48
your co-worker who might be kind of
00:18:49
pieced if you you know
00:18:51
a domain admins group or take a global
00:18:54
admin in your tenant in his name but
00:18:55
with your ideas behind that
00:18:58
and that doesn't work anymore if you
00:19:00
when you have that enabled
00:19:02
you can't do powershell classes you
00:19:03
can't do a tab you don't have any access
00:19:05
direct access to the windows apis
00:19:08
we just can on all the known malware
00:19:11
that we have in our defender database
00:19:14
that uses powershell
00:19:15
and more than 99.9 of all attacker
00:19:19
scripts would not run in this
00:19:22
mode yes
00:19:26
yes
00:19:28
powershell 7 does also support
00:19:30
constraint language mode it applies the
00:19:32
same rules
00:19:34
and the same considerations
00:19:37
so if turning on application white
00:19:39
listing actually enables constrained
00:19:41
language mode what about our own code i
00:19:44
mean yes it's nice you're blocking the
00:19:45
attacker but we probably don't want to
00:19:49
you know block the official admin code
00:19:54
there are
00:19:56
some
00:19:56
ways to solve the problem for example
00:19:58
you could explicitly white list any
00:20:00
modules stored on the c programs
00:20:04
program files
00:20:05
windows powershell modules pathwhite
00:20:07
listing any module that you're right
00:20:09
listing or if you got code signing
00:20:11
implemented strongly recommended you
00:20:13
could whitelist your signer certificate
00:20:15
if you do that
00:20:17
any code that is trusted
00:20:19
is
00:20:20
allowed to run uninhibited
00:20:23
of course that also means you need to
00:20:25
make sure that an attacker cannot use
00:20:27
your trusted code to run turn untrusted
00:20:30
code into trusted code
00:20:32
for example if you're using invoke
00:20:33
expression in your own trusted code and
00:20:35
taking the input and invoking it you
00:20:38
probably have the powershell equivalent
00:20:39
of a sql instruction
00:20:42
not always great
00:20:44
yeah
00:20:46
you can also affect and that is the main
00:20:48
deployment trick to get it deployed
00:20:50
swiftly you can exclude elevated
00:20:53
processors from this
00:20:55
so it only applies to regular
00:20:58
consoles
00:20:59
very
00:21:00
handy and this is the next one if you're
00:21:03
writing powershell modules even if
00:21:05
you're wise listing it if you've got
00:21:07
this nice
00:21:08
functions to export wildcard thing going
00:21:11
on because it's convenient because it's
00:21:12
easy
00:21:14
you will not have a great experience
00:21:15
because whitelisted or not powershell is
00:21:17
going to tell you no
00:21:24
in order to ensure integrity you cannot
00:21:26
dot source a trusted script in an
00:21:28
untrusted context which by the way means
00:21:30
you can never white list your powershell
00:21:32
profile
00:21:33
never
00:21:34
because the profile is being dot sourced
00:21:36
into the powershell process as it starts
00:21:39
what you would do instead is you put
00:21:41
your profile as a content as a
00:21:43
powershell module that you whitelist and
00:21:45
then in your untrusted profile you
00:21:46
import the module
00:21:51
all right enough talking
00:21:55
let's
00:21:56
take a look at how we do that now the
00:21:58
first thing we need is something that
00:22:01
actually
00:22:02
gives us a level of uh
00:22:05
opera operability when we define the
00:22:07
rules we don't want to handcraft
00:22:09
everything and there is a tool by a
00:22:12
certain guy called aaron margosis
00:22:14
called aaron locker
00:22:16
it's moved he's moved on from microsoft
00:22:18
was a security architect previously
00:22:21
and
00:22:22
well
00:22:24
he did a scanning tool that will
00:22:28
take a reference machine and scan it for
00:22:33
configuration and then generate a
00:22:36
policy set to
00:22:37
well
00:22:39
secure a machine including powershell
00:22:40
rules
00:22:43
for that
00:22:45
let's
00:22:47
start a powerful process in the folder
00:22:51
and all we need from that
00:22:53
solution is the
00:22:54
create policies command
00:23:03
it is now scanning the machine and
00:23:05
generating proper
00:23:14
damn it
00:23:15
the demo god still got me i really
00:23:17
should have i should not have taunted
00:23:18
them
00:23:20
do we have that lying around
00:23:24
i don't so i'm going to um
00:23:27
swiftly steal that
00:23:30
from my most trusted automated lab
00:23:32
solution which in lab sources has
00:23:35
tools this internals and there's access
00:23:38
check right there
00:23:40
thank you raymond
00:23:44
so let's try this again with less red
00:23:46
stuff
00:23:49
okay um
00:23:51
when you do path white list and we do
00:23:53
have a habit of like you know see
00:23:54
windows and the program files are going
00:23:55
to be safe right
00:23:58
actually in undersea windows there are
00:23:59
quite a few folders users are allowed to
00:24:01
write and we need to have an exemption
00:24:03
for that because if you just whitelist
00:24:04
windows folder
00:24:06
you could for example use the the folder
00:24:08
used for spooler spooling tasks to just
00:24:11
create a file there and run it from
00:24:12
there and it's whitelisted
00:24:14
not a good choice
00:24:16
so we have that now we need a gpmc dot
00:24:20
msc
00:24:22
and let's say i want my
00:24:26
servers to be subject to
00:24:29
um
00:24:38
yes i know this is only a link and i'm
00:24:40
going to edit it anyway
00:24:44
edit
00:24:47
[Music]
00:24:49
where the hell was that
00:24:51
under security settings
00:24:53
we have
00:24:55
lots of information and one of them is
00:24:57
the application control policies which
00:25:00
is applocker
00:25:02
for that we can now import a policy file
00:25:04
if we have one at hand
00:25:07
which we have here in the outputs we
00:25:09
have
00:25:11
two policies
00:25:12
one of them is audit the others enforce
00:25:14
if you use the audit policy
00:25:16
you get warnings in the event lock but
00:25:18
it does not actually enforce anything so
00:25:20
if you want like get your feet wet see
00:25:22
what would happen if i turn this on you
00:25:24
use the audit policy and you just get
00:25:26
warnings and you can plan for the
00:25:28
migration if which somebody would
00:25:29
actually be stopped by that
00:25:34
okay we need to import a policy
00:25:38
i'm going to go to that folder grab the
00:25:42
now let's go with enforcement i mean
00:25:44
what could possibly go wrong
00:25:47
yep i want to import that
00:25:49
none were removed 95 for edit and we now
00:25:52
have applocker policies
00:25:54
for example we have now at the seller
00:25:55
powershell version two rule in here
00:25:57
pre-configured for us
00:25:59
which when we look inside is a publisher
00:26:02
rule with the
00:26:03
publisher product
00:26:05
name
00:26:07
file name and the specific version we're
00:26:09
requiring requiring
00:26:12
and if that all older versions of
00:26:14
powershell are blocked whether it's the
00:26:15
built in one or somebody ships it in
00:26:18
piece of warning if you're supporting
00:26:20
sql servers they've got a powerful agent
00:26:22
and depending on the sql server agent
00:26:24
that powershell version is lower than
00:26:26
5.1
00:26:28
so you might accidentally block a sql
00:26:31
server automation
00:26:36
all right with all that we now have
00:26:38
amongst other things script rules with
00:26:41
the various paths that are explicitly
00:26:43
white listed
00:26:44
including the windows folder which has
00:26:46
exceptions for all of the files that
00:26:48
actually users can write to
00:26:50
freshly scanned if you've got a modified
00:26:52
device
00:26:53
it's going to pick that up so you pick
00:26:54
one representative
00:26:56
machine and that's it
00:26:59
the other thing we need to do is enable
00:27:01
one certain service and make sure it's
00:27:03
running
00:27:06
where do i need to go for that
00:27:15
not that it's in control panel settings
00:27:17
services
00:27:20
new
00:27:21
service and the thing service that we
00:27:23
need is the app id service
00:27:26
which absolutely should be started
00:27:29
and it needs to be automatic
00:27:32
if you don't run that service that is
00:27:34
what actually passes through the
00:27:35
applocker rule to the system and
00:27:37
enforces it
00:27:38
it doesn't work which by the way is the
00:27:40
absolute proof in case you're wondering
00:27:41
that app locker is not um
00:27:44
not a security feature but a defense
00:27:45
in-depth feature because anybody who
00:27:47
gains local admin can simply turn off
00:27:49
that service
00:27:51
or inject their own wireless
00:27:54
whitelist everything rule and
00:27:57
keep the servers running to avoid the
00:27:58
signals
00:28:03
all right
00:28:05
that's sad
00:28:08
how does execution policy at the
00:28:10
constraint language would actually limit
00:28:12
our coding
00:28:16
system
00:28:17
less typos threat and it actually might
00:28:19
work
00:28:20
it's still optimistic but
00:28:24
maybe i can actually yes
00:28:28
so let's resume resolve localhost and
00:28:32
see what it's going to do it works just
00:28:34
fine if you want to check your current
00:28:37
language mode you can do that with the
00:28:39
dollar execution context
00:28:41
session state
00:28:42
language mode so i'm in full language
00:28:45
mode i can do whatever i want on the
00:28:47
machine
00:28:48
as long as i've got the necessary
00:28:49
privileges actually but the language
00:28:51
features are not disabled in any way so
00:28:54
i'm just going to
00:28:55
for this demo because i
00:28:58
don't want to actually wait for a group
00:29:00
policy application to properly work the
00:29:02
service and everything i can actually
00:29:04
enforce constrained language mode if i
00:29:06
actually
00:29:08
don't forget the language part
00:29:10
no what did i mess up that yeah without
00:29:13
the mode
00:29:16
all right we are now
00:29:20
locked down
00:29:21
and if i now try to do the result thing
00:29:24
that's the error that i get
00:29:32
yeah we're locked on and we locked i
00:29:34
flocked on the process and every new
00:29:35
process that our start
00:29:37
is going to be affected by this
00:29:39
as long
00:29:40
as long
00:29:41
as the user's temp folder is locked down
00:29:45
by the policy if you whitelist the temp
00:29:47
folder
00:29:48
the console will not go into constraint
00:29:50
language mode
00:29:52
so let's fix that
00:29:58
code signing um
00:30:00
would go around that as long as the
00:30:02
policy is applied so if i had the gpu
00:30:04
update applied
00:30:05
id service running and everything i
00:30:08
tried to run the file the file would not
00:30:10
be in constraint language mode if i have
00:30:12
that signed by a trusted certificate
00:30:14
that is whitelisted by a rule it's not
00:30:16
enough to just be trusted it needs to be
00:30:18
whitelisted
00:30:21
so let's go back to full language
00:30:26
uh yeah
00:30:30
no
00:30:31
constraint language mode i can't write
00:30:32
to any properties anymore so
00:30:34
bootstrapping me back into full language
00:30:36
mode is
00:30:37
a losing game
00:30:41
so let's kill the console and the reason
00:30:43
i actually
00:30:44
try to not lock myself down is because i
00:30:47
need to run a few more samples
00:30:50
let's say we are planning this whole
00:30:51
thing out we've talking with teams and
00:30:54
they are kind of wondering will our code
00:30:56
be affected by constrained language mode
00:30:58
i mean you've got a huge code base and
00:31:00
which of these scripts might be at risk
00:31:02
you can't enable the auditing and see
00:31:04
the error events happen
00:31:06
but wouldn't that be kind of useful to
00:31:08
have a scanner to do this for you
00:31:11
so let's
00:31:13
take a look at this nice script so
00:31:15
a script i wrote for
00:31:17
figuring out
00:31:18
uh a d delegation and writing the
00:31:21
results somewhere this is
00:31:23
usual working script
00:31:24
let's see how that would be affected
00:31:33
i need this inner size you folks can
00:31:35
actually follow and i think size 2 14 is
00:31:37
not the answer to that
00:31:41
okay it's not going to work here but
00:31:43
there's a module called ps module
00:31:45
development
00:31:47
it's my personal development um
00:31:51
toolkit templating refactoring
00:31:54
dot net searching restarting my console
00:31:56
as admin whatever i really need and it
00:32:00
also
00:32:01
includes a
00:32:02
certain command
00:32:04
okay now that doesn't work out
00:32:07
um it has a test
00:32:09
psmd
00:32:11
clm compact controllability
00:32:14
[Music]
00:32:16
clm compatibility command
00:32:21
and with that i can specify the path and
00:32:23
it's complaining about every single
00:32:24
thing that's going to go wrong
00:32:27
if you run this in
00:32:28
non-compact mode
00:32:35
all right uh damn it uh
00:32:39
totally hitting this getting cut down by
00:32:43
having less time for the whole thing uh
00:32:45
i think ready right here sorry about the
00:32:47
scheduling issues i'm going to have to
00:32:49
skip a few of the next demons because i
00:32:51
need to cover a few more things you
00:32:52
probably have some questions and we only
00:32:54
have so much time so i have to skip the
00:32:56
other demos for that
00:32:59
when we try to configure remoting how
00:33:02
can we make our system safe
00:33:06
the group policy settings are clearly
00:33:07
separated between server and client that
00:33:10
is not the operating system reference
00:33:12
the client is the source of the
00:33:13
connection the server is the recipient
00:33:15
of the connection no matter what this
00:33:18
does
00:33:19
we can configure where we want to accept
00:33:21
accessions from using the firewall
00:33:24
there's a setting enable powershell
00:33:26
remoting and then you can like specify
00:33:28
an rp range this is not where you're
00:33:31
accepting sessions from this is a filter
00:33:34
to your local network adapters on which
00:33:36
network adapter do you want to receive
00:33:38
the connection on
00:33:40
so that is why wildcard is the usual
00:33:42
recommendation there because it just
00:33:43
means every network adapter and that's
00:33:45
it
00:33:46
you want to filter that if you for
00:33:47
example you've got a machine that has a
00:33:49
public interface and a management
00:33:50
interface and you only want to accept
00:33:52
connections from the management
00:33:53
interface
00:33:55
and we have authentication options
00:33:58
that's like for example do you allow
00:34:00
basic authentication
00:34:03
the basic authentication thing is one of
00:34:05
the classic myths that we encounter
00:34:08
specifically for exchange online admins
00:34:10
and
00:34:11
people that have to go work with the
00:34:14
security compliance center module
00:34:16
because if you wanted to administrate
00:34:19
exchange online you would be forced to
00:34:21
enable basic authentication for the
00:34:23
client
00:34:25
now
00:34:26
when when a security admin hears basic
00:34:29
authentication that's like of are you
00:34:31
are you trying to
00:34:33
ritually sacrifice my child are you what
00:34:35
the hell are you trying to do your basic
00:34:37
authentication that was in the 90s maybe
00:34:40
why would you do basic authentication
00:34:42
um
00:34:44
well
00:34:45
turns out that uh the winner m service
00:34:48
that is operating the connection
00:34:51
has no concept of modern alpha
00:34:54
so if you put an enable basic
00:34:56
authentication put some network trace in
00:34:57
there what exchange online module and
00:34:59
the others
00:35:00
did
00:35:01
is they would first do modern off
00:35:03
against azure id and the basic
00:35:05
authentication would actually be the
00:35:06
token
00:35:07
so you're doing modern authentication
00:35:09
service just has no way to detect that
00:35:13
so that's why i did that there is one
00:35:16
important thing for all of the security
00:35:18
folks out there
00:35:19
in powershell you cannot force anybody
00:35:22
to do basic authentication from the
00:35:23
server side you can't trick them into
00:35:25
your downgrade attack to use a less
00:35:26
secure protocol to send an unencrypted
00:35:29
password you can't do that the user
00:35:32
needs to explicitly request that
00:35:35
so allowing from the client side the
00:35:37
basic authentication does not actually
00:35:39
incur any additional risk unless you've
00:35:40
got somebody who's trying to force it
00:35:45
yeah
00:35:46
you can also mess with the network
00:35:48
settings for example you can tell that
00:35:50
you must
00:35:51
use https for your connection
00:35:54
if you do that
00:35:56
you get absolute security obviously
00:35:58
because you know hdp by default so
00:36:00
powershell is working unencrypted
00:36:04
now we just don't do transport level
00:36:05
encryption
00:36:06
it's if you've got a default domain
00:36:08
you've got is 256 through camera
00:36:10
software of crabbers communication so we
00:36:12
do encrypt the packets
00:36:14
the only
00:36:16
real safety you get when you use enable
00:36:17
https is if somebody has a reason to use
00:36:20
ntlm authentication because an ntlm the
00:36:23
client does not authenticate the server
00:36:26
and that you can do with the certificate
00:36:28
but that's the only security you get
00:36:30
here so
00:36:31
it's only relevant if you still use ntlm
00:36:33
authentication for something
00:36:35
and a big surprise managing the
00:36:38
certificates is kind of annoying because
00:36:40
the auto enrollment and auto registering
00:36:42
in winrar and this doesn't really help
00:36:43
me so you have to manage that as well
00:36:45
so you get administrative overhead the
00:36:48
security is gain is very situational
00:36:53
yeah i could show you the configuration
00:36:56
option options and how that i will add
00:36:57
the exported policies on all of the
00:37:00
settings that you're seeing in the
00:37:01
materials when it's on the github for
00:37:03
looking them up but i think um seeing me
00:37:05
operate the crew policy console is not
00:37:07
going to add much to the session
00:37:10
so we're skipping that
00:37:12
which leaves us with logging
00:37:15
in powershell we have three separate
00:37:17
logging options we can do transcript
00:37:19
logging which we can do since the age of
00:37:21
powershell 2. we've got module logging
00:37:23
since the age of powershell 4 and we
00:37:26
have script block logging which we have
00:37:27
since powershell 5.
00:37:29
transcript has the nice advantage that
00:37:32
it actually shows also what have been on
00:37:33
screen which is great for debugging
00:37:35
purposes it's not so great from a
00:37:36
security perspective because a you need
00:37:39
to do log rotation b it's clear text
00:37:42
c somebody might have accidentally
00:37:44
leaked something sensitive on the
00:37:45
console screen which previously was not
00:37:47
noticed but now is in clear text
00:37:49
unencrypted text file on the screen
00:37:51
or you might have some privacy concerns
00:37:53
if you've got a user actually using
00:37:54
powershell for its online banking i mean
00:37:56
i haven't seen that but i wouldn't
00:37:58
exclude the possibility
00:38:01
um yeah so a script transcript blogging
00:38:03
i strongly
00:38:05
advise against that as a global security
00:38:07
feature you can do that for your actual
00:38:09
logging in a script
00:38:10
i would like to talk to you about ps
00:38:12
framework if you do
00:38:14
but
00:38:15
yeah
00:38:16
module logging is
00:38:18
well the lesser brother of script
00:38:20
loggers i really just recommend going
00:38:21
with script block logging which will
00:38:23
give you the same information in the
00:38:25
event log as the mz gets so you get a
00:38:28
full script block that's every code
00:38:29
that's being run
00:38:31
if you enable that you still need to
00:38:33
ship the lock somewhere so
00:38:35
yeah
00:38:36
handling that is a bit of the hard part
00:38:38
it's
00:38:40
you still need to analyze that and there
00:38:42
is
00:38:43
not all that much aid that you can get
00:38:45
from microsoft from that so far
00:38:47
so we just say hey do the logging and do
00:38:49
whatever you think you need to do
00:38:51
detection afterwards i'm currently
00:38:53
working on a module to help you with
00:38:55
that to
00:38:56
help analyze what script is running on
00:38:58
which machines you can do pattern
00:38:59
detection for example the maintenance
00:39:01
script that every client is running
00:39:03
and so you can see um can identify known
00:39:06
scripts and identify anon script and
00:39:08
then start investigating on that
00:39:10
but that's not quite done but i will
00:39:12
definitely be announcing that on twitter
00:39:14
once it's ready
00:39:17
yeah there are a few other things we can
00:39:19
do just a quick checklist i'm definitely
00:39:21
not going to demo that here
00:39:23
because that is entirely separate calls
00:39:25
at talks to have there's another two
00:39:28
hours a session just on how to do
00:39:30
properly released thing but you want to
00:39:32
look into how to
00:39:34
imple release your own code and how to
00:39:36
accept foreign code
00:39:39
so you can actually safely use public
00:39:41
modules
00:39:42
which includes code signing and internal
00:39:45
source control
00:39:46
and if you've never used it there's a
00:39:48
just enough administration it's a
00:39:50
powershell remoting feature that allows
00:39:52
you to delegate individual processes
00:39:54
rather than control over the entire
00:39:56
system
00:39:57
scenario help desk terminal servers help
00:40:00
this with gi you could authorize the
00:40:02
help desk user to
00:40:04
send a message to the user figure out
00:40:05
who's logged on and turn off sessions
00:40:08
that are hanging but not anything else
00:40:10
if you don't use chair you basically
00:40:12
have to construct your own constructor
00:40:14
give them local admin on each terminal
00:40:16
server which let's be honest i don't
00:40:18
want to do with help desk users mostly
00:40:22
final slide then you're done with the
00:40:24
powerpoint mess
00:40:26
sorry about that
00:40:27
about the rush um now that we've got a
00:40:30
lot of features but how do we actually
00:40:32
implement it how do we go now go about
00:40:34
bringing this into reality is there's a
00:40:36
recommendation there i strongly
00:40:39
recommend that you nail down the
00:40:41
remoting
00:40:42
just uh if you've got um just you know
00:40:45
only allow powershell remote connection
00:40:47
from an admin network because users
00:40:49
really don't have a reason to connect to
00:40:50
each other with partial remoting
00:40:52
that would solve a lot of the lateral
00:40:55
movement from client to client the
00:40:57
hardship here is you of course need to
00:40:58
have a network an administrative network
00:41:01
to identify
00:41:03
which might be not quite as trivial
00:41:06
process than just
00:41:09
setting up some firewall rules
00:41:11
the other one i recommend is doing app
00:41:13
locker in user mode so you
00:41:16
only affect non-admin processes
00:41:19
and deploy constraint language mode
00:41:22
this actually can be done in five
00:41:23
minutes and uh
00:41:25
massively impacts what an attacker can
00:41:27
do in the user mode on an affected
00:41:29
client
00:41:30
and it usually has absolutely no side
00:41:32
effects on regular
00:41:34
processes
00:41:37
the logging
00:41:38
enabling it is fast managing it and
00:41:41
getting useful action is a pro as a
00:41:43
process that's going to be ongoing so
00:41:46
that's not something
00:41:47
swiftly done over it's more something
00:41:48
you put into as part of your
00:41:51
risk management process
00:41:53
and finally
00:41:55
you want to have internal code
00:41:57
management you want to have internal
00:41:59
approval process for external modules
00:42:01
you want to have a way to
00:42:03
centralize this so you can share that
00:42:05
with other teams so you don't have that
00:42:07
redundancy inside of
00:42:10
inside of your organization because it's
00:42:12
a fairly expensive process to actually
00:42:15
approve
00:42:16
external code because you have to have
00:42:17
to do the review
00:42:19
and the last one is one i must admit
00:42:21
i've never managed to establish fully in
00:42:24
an environment
00:42:25
that we have a full hard enforcement
00:42:28
that only whitelisted code only approved
00:42:31
code for the process only that this code
00:42:33
signed can be used internally because
00:42:35
that really puts requires all of the
00:42:38
other processes to already be in place
00:42:41
that said there is one more advice
00:42:44
that incredibly helps with adoption as
00:42:47
soon as you possibly can
00:42:49
get your admins to use source control
00:42:52
even if it's just so they have an unlike
00:42:55
an online version of their code they
00:42:57
have a master version that is the true
00:42:59
copy of the script they don't even have
00:43:00
to share that with their co-workers
00:43:02
but a lot of the advanced workflows are
00:43:05
only possible if you already use source
00:43:07
control for getting a code signing
00:43:09
pipeline for getting a proper approval
00:43:12
process
00:43:13
and
00:43:13
if you'd also have to now start teaching
00:43:16
your admins at the same time the tools
00:43:18
needed you get a lot of internal
00:43:19
resistance to all of the change you're
00:43:21
forcing on them if you start them off of
00:43:24
source control just for you know having
00:43:26
a backup of the two having in case the
00:43:28
client crashes having a central location
00:43:31
that's something you can't do swiftly
00:43:33
and they can already get used to the
00:43:34
tools so they only have to master the
00:43:36
new process later on
00:43:38
otherwise i've had at least two projects
00:43:41
basically stop at that stage simply
00:43:43
because the admins rejected the
00:43:45
having to master the tools in the pros
00:43:47
and everything but because it was one
00:43:48
large package
00:43:52
thank you everybody um now it's a bit
00:43:55
less time for that than i really hoped
00:43:57
for but
00:43:58
any questions
00:44:05
yes
00:44:08
can powershell 7 be updated through ws
00:44:11
yes it can
00:44:13
yes
00:44:16
again only 64-bit not 32-bit
00:44:19
yes
00:44:33
i would do individual exemption for
00:44:35
those
00:44:37
the developer machines basically give
00:44:39
them a give them a machine a virtual
00:44:41
machine or vdi environment in a
00:44:43
test environment where they cannot
00:44:44
corrupt the environ organization
00:45:04
[Music]
00:45:14
it used to work in my lab environment
00:45:16
right after the announcement when i
00:45:17
tried it
00:45:18
but um i don't know whether it's broken
00:45:21
again in the current state
00:45:23
i have to look that up in the i also
00:45:26
have to
00:45:27
set up a lab for that and iterate that
00:45:29
through but
00:45:42
okay how do we handle sscm clients with
00:45:45
unsigned code
00:45:48
the sccm client has a dedicated folder
00:45:51
value to putting their code before
00:45:53
executing it the script code
00:45:55
you whitelist that path
00:45:56
it is a path where only the system has
00:45:58
write access to by default which you
00:46:00
should of course be monitoring for
00:46:02
whether somebody managed to modify that
00:46:04
but
00:46:06
you can do a pathfight list to solve
00:46:07
most of those problems also to make sure
00:46:11
you actually catch that
00:46:12
you can also
00:46:15
do two more things one most of the scm
00:46:17
agent scripts are run as administrator
00:46:19
so as long as you only do the
00:46:22
non-admins are affected to rule
00:46:25
those agent tasks will not be affected
00:46:27
the second part is you could also and
00:46:30
should do an initial
00:46:32
audit mode and just check for whether
00:46:34
they would be affected
00:46:36
in the event log you see where the file
00:46:38
would have been so you can analyze an
00:46:40
automatic filter for
00:46:42
warnings about applica
00:46:44
or similar blocking them
00:46:46
for that sccm folder path
00:46:50
that's another way to handle the ssm
00:46:52
client thing
00:46:56
one more question
00:46:58
um
00:47:12
um that is not part of the security
00:47:15
feature of script blog logging or
00:47:16
anything like that it's the powershell
00:47:18
module called ps readline which
00:47:20
maintains an input history in your app
00:47:22
data folder
00:47:24
you can grab the path for that um let me
00:47:28
do that one real quick that is
00:47:31
fast to do
00:47:33
so get ps
00:47:35
read
00:47:38
line option
00:47:39
you can see the path where it's saving
00:47:41
your history here
00:47:44
it is merely your input history it tries
00:47:46
to filter to avoid secrets
00:47:49
but if you do like a dollar p equals
00:47:52
quote clear text password quote you're
00:47:55
not giving ps3 line much to work with
00:47:58
so if you accidentally leak a secret
00:48:00
there you might want to check that file
00:48:02
whether it's in there you can just
00:48:03
delete it
00:48:04
you can also disable it by
00:48:07
setting the history save style to none
00:48:12
all right we are already over time and i
00:48:15
kind of probably should
00:48:16
vacate the place here if you quit any
00:48:18
more follow-up question you can find me
00:48:20
across the conference floor getting me
00:48:21
to talk about powershell is probably
00:48:22
going to be one of the least difficult
00:48:24
tasks you will be facing here
00:48:27
[Applause]
00:48:36
[Music]
00:48:48
you

标签

PowerShell
Security
Automation
Microsoft
Execution Policy
AppLocker
Constrained Language Mode
Logging
Application Whitelisting
Cybersecurity