Question
We have PowerShell installed on our RDS environment. It's currently being used for tasks like remote management and App-V virtual application publishing. To my understanding, it's fairly easy to bypass a restricted execution policy.
I can't, however, find any useful information on preventing bypassing the execution policy (or making it a lot harder). I was thinking about using file screening (AppLocker) for blocking PowerShell files, but I guess then attackers could just use a VBA script attached to a Microsoft Office file to execute a PowerShell script.
For now we focus on monitoring, but I would like more attention on prevention.
Answer 1:
Actually, there are ways to prevent misuse of PowerShell (and make bypassing the execution policy quite useless):
- Configure AppLocker: also lock down scripts
- Configure PowerShell to use Constrained Mode so .NET code can't be executed
- For your own scripts that should support .NET code, you can sign the scripts with a code signer's certificate (these will be allowed to run with constrained mode + AppLocker)
Besides that, configuring logging of all PowerShell commands and sending them to a central location (so an IDS can monitor this) is also a good practice.
See Detecting Offensive PowerShell Attack Tools for more detailed information about how to achieve this.
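The three controls from this answer, shown together as an added example (this is not code from the original answer): a runspace forced into Constrained Language Mode to see what it actually refuses, a script signed with a code-signing certificate, and a query of the effective AppLocker policy for how that script would be treated. It assumes an elevated Windows PowerShell 5.1 session with the AppLocker module available; the script path `C:\Scripts\Publish-AppV.ps1` and the certificate subject `CN=Example Code Signing` are placeholders.

```powershell
# Added example, not code from the original answers.
# Assumes elevated Windows PowerShell 5.1 and the AppLocker module.
$scriptPath  = 'C:\Scripts\Publish-AppV.ps1'      # placeholder path
$certSubject = 'CN=Example Code Signing'           # placeholder subject

# (a) Run attacker-style .NET calls inside a runspace forced into
#     ConstrainedLanguage. Forcing the mode here is only a demonstration:
#     in production it is the AppLocker/WDAC script policy that makes
#     powershell.exe start constrained; otherwise the user just opens a
#     new console and is back in FullLanguage.
$probe = @'
"Mode: $($ExecutionContext.SessionState.LanguageMode)"
try {
    # Direct use of non-core .NET types is refused in ConstrainedLanguage.
    [System.Net.WebClient]::new().DownloadString('http://127.0.0.1/')
    'WebClient call succeeded (not expected in ConstrainedLanguage)'
} catch { "Blocked: $($_.Exception.Message)" }
try {
    # Compiling new types is refused as well.
    Add-Type -TypeDefinition 'public class Probe {}' -ErrorAction Stop
    'Add-Type succeeded (not expected in ConstrainedLanguage)'
} catch { "Blocked: $($_.Exception.Message)" }
# Ordinary cmdlets keep working, so admin scripts are not broken outright.
"Still allowed: Get-Process -> " + (Get-Process -Id $PID).ProcessName
'@

$rs = [runspacefactory]::CreateRunspace()
$rs.Open()
$rs.SessionStateProxy.LanguageMode = 'ConstrainedLanguage'
$ps = [powershell]::Create()
$ps.Runspace = $rs
$ps.AddScript($probe).Invoke() | ForEach-Object { Write-Host $_ }
$ps.Dispose(); $rs.Dispose()

# (b) Sign the script with a code-signing certificate from the user store.
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
        Where-Object Subject -eq $certSubject | Select-Object -First 1
if (-not $cert) { throw "No code-signing certificate with subject '$certSubject'" }
Set-AuthenticodeSignature -FilePath $scriptPath -Certificate $cert | Out-Null
$sig = Get-AuthenticodeSignature -FilePath $scriptPath
"Signature status: $($sig.Status), signer: $($sig.SignerCertificate.Subject)"

# (c) Ask the effective AppLocker policy how it would treat the script.
#     With an Allow rule for this publisher and script rules enforced,
#     PowerShell runs it in FullLanguage; unsigned scripts from other
#     locations stay constrained or are denied outright.
Get-AppLockerPolicy -Effective |
    Test-AppLockerPolicy -Path $scriptPath -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
```

The runspace in step (a) is what makes the point concrete: the `WebClient` download and `Add-Type` both fail, while `Get-Process` still works, so an App-V publishing script written with cmdlets keeps running even when an attacker's .NET-heavy tooling does not. Step (c) is the check to run after editing rules, since the signature alone grants nothing until AppLocker has a matching Allow rule and script enforcement is on.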
Answer 2:
What you are trying to achieve is pointless. There are dozens of ways to bypass execution policy. In fact, it is not designed for security reasons.
- Install PS 5+ everywhere and implement script block logging. You can place all logs in a shared directory somewhere to analyze/ingest them.
- Remove PS2 everywhere
- Block macros from files from the web
- Use application whitelisting
This should be a good place to start.
PS: You can also monitor event 400 to detect bypasses to PS2 (which is something you don't want to be on your users' machines) when something reinstalls PS2.
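The logging, PS2 removal and event 400 monitoring from this answer, as an added example that is not code from the original answer. It writes the same registry values the Group Policy settings for script block and module logging write, removes the 2.0 engine, and then hunts the classic "Windows PowerShell" log for event 400 entries whose message reports a 2.0 engine starting (the downgrade that sidesteps v5 logging), plus 4104 script blocks that contain execution-policy bypasses or encoded payloads. It assumes an elevated Windows PowerShell 5.1 session; the keyword list in `Find-SuspiciousScriptBlock` is an illustrative one, not an exhaustive signature set.

```powershell
# Added example, not code from the original answers.
# Assumes elevated Windows PowerShell 5.1 on the host being hardened.
$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

# 1. Script block logging (event 4104 in Microsoft-Windows-PowerShell/Operational).
New-Item -Path "$policyRoot\ScriptBlockLogging" -Force | Out-Null
Set-ItemProperty -Path "$policyRoot\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -Type DWord

# 2. Module logging for every module (event 4103, pipeline execution details).
New-Item -Path "$policyRoot\ModuleLogging\ModuleNames" -Force | Out-Null
Set-ItemProperty -Path "$policyRoot\ModuleLogging" -Name EnableModuleLogging -Value 1 -Type DWord
New-ItemProperty -LiteralPath "$policyRoot\ModuleLogging\ModuleNames" -Name '*' -Value '*' -PropertyType String -Force | Out-Null

# 3. Remove the v2 engine. Server SKUs expose it as a feature, client SKUs as an optional feature.
if (Get-Command Uninstall-WindowsFeature -ErrorAction SilentlyContinue) {
    Uninstall-WindowsFeature -Name PowerShell-V2 | Out-Null
} else {
    Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -NoRestart | Out-Null
}

# 4. Hunt: event 400 records every engine start and its message carries
#    "EngineVersion=...". A 2.0 engine means "powershell -Version 2" was run,
#    which only works if the v2 feature is (still, or again) installed.
function Find-PSv2EngineStart {
    param([datetime]$Since = (Get-Date).AddDays(-7))
    Get-WinEvent -FilterHashtable @{ LogName = 'Windows PowerShell'; Id = 400; StartTime = $Since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'EngineVersion=2\.' } |
        Select-Object TimeCreated, MachineName,
            @{ n = 'HostApplication'; e = { if ($_.Message -match 'HostApplication=(.+)') { $Matches[1].Trim() } } }
}

# 5. Hunt: 4104 script blocks that try to bypass the execution policy or hide
#    a payload. Illustrative patterns only (assumption, not a vetted ruleset).
function Find-SuspiciousScriptBlock {
    param([datetime]$Since = (Get-Date).AddDays(-7))
    $patterns = 'Set-ExecutionPolicy\s+(Bypass|Unrestricted)',
                '-(ep|ExecutionPolicy)\s+Bypass',
                'FromBase64String',
                '-(EncodedCommand|enc)\s',
                'Invoke-Expression|\bIEX\b'
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $text = $_.Properties[2].Value      # ScriptBlockText is the third property of a 4104 event
            $hit  = $patterns | Where-Object { $text -match $_ } | Select-Object -First 1
            if ($hit) {
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    Pattern = $hit
                    Snippet = $text.Substring(0, [Math]::Min(120, $text.Length))
                }
            }
        }
}

Find-PSv2EngineStart       | Format-Table -AutoSize
Find-SuspiciousScriptBlock | Format-Table -AutoSize
```

Steps 1 and 2 take effect for new PowerShell processes without a reboot; step 3 may need one on client SKUs. Run the two hunt functions on a schedule (or ship the two logs to the central location the answers mention) rather than once: the point of watching event 400 is to catch the v2 engine coming back after the feature was removed.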
Source: https://stackoverflow.com/questions/42758425/prevent-bypassing-powershell-execution-policy