How to secure Windows in 2023

Paulo Bazzo

Tips How to Secure Windows and Powershell

The content from this article is based on an learning course from LinkedIn named Powershell:Securing Windows Environment.

Enable poweshell user login using GPO

Enable Policy on GPO

Create a new GPO to enable powershell logging.

[GPO]--> Computer Cofiguration >  Adminstrative Template : > Windows Components > Windows Powershell.
Windows Server Powershell image on GPO

Logging Activity

There are four components that we can turn on loggin for powershell,using regedit or group policy we can view them under event viewer.

  • Audit logs for suspicious activity
  • Transcript
  • Scriptblock
  • Module

Enable(OTS) Over-the-Shoulder transcription

Enable this Regedit by changing its value to 1
Also change the output directory for the file path. 

  Local Machine> Software > Policies > Microsfot > Powershell > Transcription

Module Logging

This will be useful to log when scripts.ps1 are run on the system, the events will be capture on Windows powershell event logs.

Of course you can enable the transcript to be saved in a share folder, or server log. This will make much harder for an attacker to delete their footprint after running their malicious pre.

Run the below conmmand to view the last 15 powershell command logged by the Windows powershell

  Get-WinEvent -Logname "windows Powershell" | Select -first 15 | out-Gridview

Location Obfuscation

An encoded command will be a command often written in Base64 or binary example:

powershell -eNco ZQBjAGgAbwAgACIAVwBpAHoAYQBVyAGQAigA=

There is not build in defense for this kind of attack , however there is a good module you can use to parse powershell logs.

Use the Poweshell module DeepBlueCLI to parse Security,Events and Powershell .evtx files, it will automatically detect the execution of base64 when parsing the logs by using RegEx, and also detect other common security events.

Disable powershell 2.0

Powershell 2.0 is a deprecated version of powerhell, and was left as a component on Windows to make powershell redundant to older applications.

If you’ve developed/running an application with .NET 2.0/3.5 (aka CLR2), and you’re hosting a PowerShell assembly like System.Management.Automation.dll, then you’re using the Windows PowerShell 2.0. Which in this case you will need to have powershell 2.0 enabled and it might be a good idea to keep it on actually.

In order to continue to have your application running, or migrate to .Net 4.6+
To verify if we have it enbabled on our system run the below command. 

Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2

On a Windows server run the below

  Get-WindowsFeature PowerShell-V2

Powershell Remote Management

The chances are that you will need this option enabled on most server you deploy, however, if you are not using maybe its a good ide to turn it off.

  • Turn the Services.msc OFF - WIndows Remote management (WS-Management)
  • Add an explicity rule on Firewall to block traffic on 5985 & 5986

The following ports are used for Windows Remote Management WMIC

  • HTTP:5985
  • HTTPS:5986

These are common ports used for management of computers over the network, and they are open by default if you are using network share drivers.

If we need to close these ports we just need to create an inboud rule on FireWall

This is not recommended for the long term as there are many Administration and applications relly on powershell remoting.

Change Default Port for WMIC

One way to add security to WMI is to change the default port number we are using, so intstead of using HTTP:5985 and HTTPS:5986 we use something different like 6005. Run the below command on the local machine to change 

Set-Item wsman:\localhost\listener\listener*\port value 6005

Client runs below to connect

Then from the client computer initiating the connection we need to specify the correct port to use, to find the correct port the server is listening from. 

New-PsSession -Computer [ComputerName] -port 6001
    Enter-PsSession [SessionID]

Windows Defender Capabilities

You do want to keep your server updated, even if its airGapped (offline), to help you achieve that make sure you have a way to send Security Updates to your server, or its pulling updates directly from a relay server inside your DMZ zone.

We also want to enable Real-time protection which is turned off by default, and this will scan files as they are being openned for any sign of malware.

Windows Defender options real-time scan

Control folder access

We can control which folders are not to be messed with, so it will protect files, folders and memory areas.
This is a good protection against Ransomware as these folder will be prevented from being encrypted or altered. If you have an app that needs to read/edit those files you need to allow the app explicitly to have permissions to modify the folders

Ransomware protection on windows defender

Secure Poweshell with AppLocker

When we enable AppLocker, whenever a powershell script is run it will perform a check against appLocker, to make sure it is enabled to run on the target system. If the script is allowed either by its (Hashfile, Publisher,or file/path) then the script will run normally, otherwise the script will be blocked. Below is a diagram on how this is working behind the scenes.
AppLocker can also perform checks against plugins, add-ins, and modules that can run from specific apps.

We could restrict powershell usage using app lock, however,because most of us have scripts that are run either for HealthChecks, or other performacing tasks can sometimes not be very effective if implemented poorly. 

[GPO]-->Application Control Policy > App Locker > Configure Rule Enforcement

We could potentially block all powershell script usage across the whole computer and only allow certain file hashes or Publisher to Run scripts on our network. If we are running a KPI server that can handle certificates to developers this will be great tool to add to our security posture.


With the KPI Server the developer will be able to sign the scripts with a certificate, the certificate the endpoint device will recognize this certificate as trusted and be able to run the script.

Powershell constrain languages models

The below command will restrict what command can be run on powershell, it can run functions, cmd-lets, variables but no script blocks A similar configuration to Language restriction would be the use of JEA(Just Enough Adminstration) 

  $ExecutionContext.SessionState.LanguageMode = "ConstrainedLanguage"

Poweshell language restriction is best applied on users who do not need powershell for their daily work.

(JEA)Just Enough Admministration

JEA, provides a way to limit the commands that can be run by specific users. We can control specific cmd-lets to be used, and parameters that are accepted.
JEA runs on a sandbox powershell remote session and extrict limit what an user can do. Everything is controlled by a language file which is store on the server and act as a configuration file

Powerhell Execution Policy

This is the policy that will control the execution of powershell scripts on your local computer.

  • Restricted
  • AllSigned
  • RemoteSigned
  • Unrestricted

Restricted

No powershell scripts will be run on the system. - Most restricted, most secure.

AllSigned

All scripts need to be signed, by a trusted (CA)Certificate Authority

RemoteSigned

Scripts that are written by you on your local computer will run, but scripts you download from the internet will not run

Unrestricted

All scripts will run freely on your computer. - Most persmissive, least secure.

Summary

There are other methods you can use to secure your endpoint, please be mindful that we are not talking about on this article how to protect your endpoint using 365 Defender or Azure policies or other mechanism, however, I would recommend searching for articles on those as well.


For more information on how to keep your Widows Machine secure, make sure to check the Cyber Samurai every now and then.