How Can I Effectively Limit PowerShell Access to Admin Users Only?

Asked By TechieTraveler99 On

I've been tasked with limiting access to PowerShell in my organization. I've heard using a Group Policy Object (GPO) along with AppLocker might help, but I've also been warned that AppLocker can be bypassed if users rename the executable or run it from different locations. Some suggestions include using an XDR solution, though I'm not using Intune. I would prefer to restrict PowerShell access on specific servers, like Exchange, as well.

6 Answers

Answered By GPOWizard81 On

Isn't it true that anything important you do in PowerShell requires admin permissions anyway? You could look into setting policies that remove local admin rights—this could solve a lot of potential issues. There are GPOs to limit CMD access, but PowerShell might require some additional research to implement effectively.

Answered By RightsManagementExpert On

Best practice is to focus on user permissions instead. That way, you can prevent users from accessing administrative features, thus applying restrictions on all tools, including PowerShell. Just make it clear that PowerShell operations are reserved for admin users only.

Answered By AppLockerPro On

AppLocker can work well if configured correctly. You'd want to whitelist paths like System32\WindowsPowerShell and block everything else. Sure, users can rename the executable, but they would need admin rights to copy it first. For Exchange, just make sure to remove users from specific management roles to stop them from using PowerShell commands altogether. Generally, if someone's not a local admin, PowerShell doesn't pose as much risk since many harmful actions require elevated permissions anyway.
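One way to check the renamed-executable concern from the question against the AppLocker policy actually in force on a machine, as an added example that is not part of the thread. The account name and the copied file name are placeholders, and the script assumes a test machine with the AppLocker cmdlets available.

```powershell
# Added example: evaluate the effective AppLocker policy for a standard user
# against powershell.exe in its normal location and against a renamed copy
# placed in a user-writable folder.

$original = "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe"
$renamed  = Join-Path $env:TEMP 'applocker-check-copy.exe'   # constructed file name
$user     = 'CONTOSO\standard.user'                          # placeholder account

# AppLocker only enforces rules while the Application Identity service runs.
Get-Service -Name AppIDSvc | Select-Object Name, Status, StartType

# The merged local + GPO policy, and whether each rule collection is
# enforced, audit-only, or not configured.
$policy = Get-AppLockerPolicy -Effective
$policy.RuleCollections |
    Select-Object RuleCollectionType, EnforcementMode, Count |
    Format-Table -AutoSize

Copy-Item -Path $original -Destination $renamed -Force
try {
    # PolicyDecision is Allowed, AllowedByDefault, Denied or DeniedByDefault.
    # MatchingRule names the rule that produced an explicit decision.
    Test-AppLockerPolicy -PolicyObject $policy -Path $original, $renamed -User $user |
        Select-Object FilePath, PolicyDecision, MatchingRule |
        Format-Table -AutoSize -Wrap
}
finally {
    Remove-Item -Path $renamed -Force -ErrorAction SilentlyContinue
}
```

A result of AllowedByDefault for either path means no Exe rule is being applied to that user at all, and an Allowed result for the renamed copy means a rule matches the file regardless of its name or location.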

Answered By AdvancedSecurityNerd On

Consider using tools like ThreatLocker which provide ring-fencing capabilities. This allows you to restrict PowerShell access to specific folders, IP addresses, and system processes. They also have Zero Trust App Control to prevent issues like renamed executables from being a threat.

Answered By PracticalAdmin23 On

Honestly, trying to restrict access to PowerShell feels a bit like putting the cart before the horse. If someone really wants to use PowerShell, they'll find a way around restrictions. Are you also thinking of blocking command prompt access? If you're not blocking that, then restricting PowerShell is pretty futile too.

Answered By SecurityGuru42 On

Microsoft's guidance suggests that just blocking PowerShell isn't a solid security measure. Instead, focus on restricting what users can do if they have PowerShell access. If you prevent them from performing the actions you're worried about, it doesn't matter if they can use PowerShell or not. It's all about limiting their actual capabilities rather than just the tools at their disposal.

ConcernedAdmin88 -

Exactly! Blocking the tool doesn't stop users from doing what they want. Plus, there are background processes using PowerShell all the time.

SystemWatchdog77 -

Right on! If they're not admin, their ability to cause harm is pretty limited in any case.
