NSA, CISA say: Don't block PowerShell, here's what to do instead

PowerShell is often abused by attackers but defenders should not switch off the Windows command-line tool, warn cybersecurity agencies.
Written by Liam Tung, Contributing Writer

Cybersecurity authorities from the US, the UK, and New Zealand have advised businesses and government agencies to properly configure Microsoft's built-in Windows command-line tool, PowerShell – but not to remove it.    

Defenders shouldn't disable PowerShell, a scripting language, because it is a useful command-line interface for Windows that can help with forensics, incident response and automating desktop tasks, according to joint advice from the US spy service the National Security Agency (NSA), the US Cybersecurity and Infrastructure Security Agency (CISA), and the New Zealand and UK national cybersecurity centres.

It also lets admins automate security tasks on Microsoft's Azure cloud platform. Users can, for example, write PowerShell commands to manage Microsoft's Defender antivirus on Windows 10 and Windows 11.

But PowerShell's flexibility has also made it amenable to attackers who've used it to remotely compromise Windows devices and even Linux systems. 

So, what should defenders do? Remove PowerShell? Block it? Or just configure it? 

"Cybersecurity authorities from the United States, New Zealand, and the United Kingdom recommend proper configuration and monitoring of PowerShell, as opposed to removing or disabling PowerShell entirely," the agencies say.

"This will provide benefits from the security capabilities PowerShell can enable while reducing the likelihood of malicious actors using it undetected after gaining access into victim networks."

PowerShell's extensibility, and the fact that it ships with Windows 10 and 11, gives attackers a means to abuse the tool. This typically happens after an attacker has gained access to a victim's network through Windows or other software vulnerabilities. 

But PowerShell attacks have caused some admins to remove it from devices and this is a bad idea, according to the NSA.  

"This has prompted some net defenders to disable or remove the Windows tool. NSA and its partners advise against doing so," the NSA said.

As the US Department of Defense notes, blocking PowerShell hinders defensive capabilities that current versions of PowerShell can provide, and prevents components of Windows from running properly.

The advice aligns with Microsoft's guidance on the use of PowerShell and tips it's given to admins to protect themselves against PowerShell attacks. Microsoft in 2020 acknowledged that "PowerShell is being used by both commodity malware and attackers alike". 

"PowerShell is – by far – the most securable and security-transparent shell, scripting language, or programming language available," Microsoft said in a 2020 blog post.

New Zealand's National Cyber Security Centre sums up the benefits of using PowerShell:

  • Credential protection during PowerShell remoting
  • Network protection of PowerShell remoting
  • Anti-malware Scan Interface (AMSI) integration
  • Constrained PowerShell with Application Control

PowerShell also enables remote admin capabilities that use Kerberos or New Technology LAN Manager (NTLM) protocols. Kerberos is the main framework for on-premises Active Directory (AD), Microsoft's identity service, and is the successor to NTLM, which was implemented in Windows 2000. 

Microsoft released PowerShell 7 in 2020, but version 5.1 ships with Windows 10 and above. The latest version is 7.2, which includes new security measures like prevention, detection and authentication.

The authorities recommend "explicitly disabling and uninstalling" PowerShell 5.1, but they make no recommendations for using PowerShell versions with Linux and macOS.  

They also offer advice on network protection, AMSI, and configuring AppLocker or Windows Defender Application Control (WDAC) to prevent attackers from gaining full control over PowerShell sessions.

The agencies highlight features available in the latest versions of PowerShell, such as deep script block logging, over-the-shoulder transcription, authentication procedures, and remote access over Secure Shell (SSH).
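
A read-only check of whether the logging features named above are switched on for a given machine, as an added example that is not taken from the agencies' advisory or from this article. It assumes the settings are deployed through the standard Group Policy registry keys; the helper name `Get-PolicyValue` is hypothetical.

```powershell
# Added example: read-only audit of PowerShell logging policy and language mode.
# Windows PowerShell 5.1 and PowerShell 7 read Group Policy from different keys.
$roots = @{
    'Windows PowerShell 5.1' = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
    'PowerShell 7'           = 'HKLM:\SOFTWARE\Policies\Microsoft\PowerShellCore'
}
$checks = @(
    @{ Feature = 'Script block logging'; SubKey = 'ScriptBlockLogging'; Name = 'EnableScriptBlockLogging' }
    @{ Feature = 'Module logging';       SubKey = 'ModuleLogging';      Name = 'EnableModuleLogging' }
    @{ Feature = 'Transcription';        SubKey = 'Transcription';      Name = 'EnableTranscripting' }
)

# Hypothetical helper: returns $null when the key or value is absent (policy not configured).
function Get-PolicyValue {
    param([string]$Root, [string]$SubKey, [string]$Name)
    $item = Get-ItemProperty -Path (Join-Path $Root $SubKey) -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name }
}

$report = foreach ($edition in $roots.Keys) {
    foreach ($c in $checks) {
        $value = Get-PolicyValue -Root $roots[$edition] -SubKey $c.SubKey -Name $c.Name
        $state = if ($null -eq $value) { 'NotConfigured' } elseif ($value -eq 1) { 'Enabled' } else { 'Disabled' }
        $note  = ''
        if ($c.SubKey -eq 'Transcription' -and $state -eq 'Enabled') {
            # Without an OutputDirectory, transcripts land in each user's own Documents folder.
            $dir  = Get-PolicyValue -Root $roots[$edition] -SubKey 'Transcription' -Name 'OutputDirectory'
            $note = if ($dir) { "OutputDirectory=$dir" } else { 'OutputDirectory not set' }
        }
        [pscustomobject]@{ Edition = $edition; Feature = $c.Feature; State = $state; Note = $note }
    }
}
$report | Format-Table -AutoSize

# ConstrainedLanguage is what a session reports when AppLocker or WDAC enforcement applies to it.
"Language mode of this session: $($ExecutionContext.SessionState.LanguageMode)"
```

For Windows PowerShell, enabled script block logging writes its records as event ID 4104 in the Microsoft-Windows-PowerShell/Operational log.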

"PowerShell is essential to secure the Windows operating system, especially since newer versions have resolved previous limitations and concerns through updates and enhancements," the NSA says. 

"Removing or improperly restricting PowerShell would prevent administrators and defenders from utilizing PowerShell to assist with system maintenance, forensics, automation, and security. PowerShell, along with its administrative abilities and security measures, should be managed properly and adopted."
