PowerShell replaces the old CMD command shell on Microsoft Windows PowerShell includes a new scripting language and remote management framework, including an encrypted channel for remote command execution.
PowerShell is installed by default on Windows 7, Server 2008, and later.
Administrators who ignore PowerShell are placing their long-term relevance at risk. Hackers are using PowerShell too because of the amazing things it can do. Incident responders and forensics experts need to be aware of PowerShell exploitation techniques.
Everything from Microsoft that requires automation is moving towards PowerShell. Even some graphical administration tools are just wrappers for PowerShell. Enforcing security across many systems requires automation and scalability, which PowerShell is specifically designed to provide; for example, a PowerShell script could execute a command across thousands of computers, collect and sort the output from each, then reproduce an HTML report, all with only a few lines of code. Active Directory Group Policy can also be used to run PowerShell scripts across thousands of domain-joined computers.
The PowerShell scripting language is designed for administrators, not only for professional developers, so it is relatively easy to learn. Think of it as very simplified and streamlined C#. Quick one-line scripts can actually do a lot of work. There are tons of examples on the Internet.
Any new security hardening scripts for Windows should be written in PowerShell. Going forward, Microsoft will soon start releasing security templates for Windows in the form of PowerShell scripts using a feature called “Desired State Configuration” (DSC). The old INF and XML security templates for Windows are being replaced by DSC templates. DSC templates will be used for system configuration and application installation too on both servers and clients, so Desired State Configuration management is not just only (or even primarily) for the sake of security.
Learn how to secure windows with PowerShell by enrolling in SEC505 with Jason Fossen at SANS Institute, the most trusted name in cyber security.
By:
Jason Fossen
Fellow at SANS Institute
& Author of the Course: SEC505: Securing Windows with PowerShell and the Critical Security Controls
