PowerShell Security Best Practices Every System Administrator Should Know

User with admin rights runs PowerShell
→ PowerShell has admin rights
→ PowerShell can do ANYTHING an admin can do
→ Malicious scripts can do ANYTHING an admin can do

This is why PowerShell security is critical.

Attacker compromises user account: john@company.com
Attacker has access to john's computer

Scenario 1 (No PowerShell security):
- Attacker opens PowerShell
- Runs: Get-ADUser -Filter * | Set-ADUser -Enabled $false
- Disables all Active Directory users
- Company network down
- No audit trail (no logging)
- Nobody knows what happened

Scenario 2 (With PowerShell security):
- Attacker opens PowerShell
- Execution policy blocks: "Cannot be loaded because running scripts is disabled"
- Script logging shows: Attempt to bypass execution policy
- Alert sent to security team
- Attack blocked
- Full audit trail recorded

Level 1 (Most Restrictive):
Restricted
- Scripts cannot run at all
- Only interactive commands work
- Best for: Locked-down systems

Level 2 (Balanced):
AllSigned
- Only signed scripts can run
- Requires code signing certificate
- Best for: Enterprise environments

Level 3 (More Permissive):
RemoteSigned
- Local scripts run freely
- Downloaded scripts must be signed
- Best for: Most organizations

Level 4 (Least Restrictive):
Unrestricted
- All scripts run
- Warning for downloaded scripts
- Best for: Testing only (NEVER production!)

Admin sets execution policy to Unrestricted for convenience
→ Malicious scripts can run
→ No protection whatsoever
→ This is how ransomware spreads

Group Policy Editor → Computer Configuration
→ Administrative Templates
→ Windows Components
→ Windows PowerShell
→ Turn on Script Execution
→ Set to "Allow local scripts and remote signed scripts" (RemoteSigned)

# On Domain Controller
New-GPO -Name "PowerShell Security Policy" -Comment "Enforce secure execution"
Set-GPRegistryValue -Name "PowerShell Security Policy" `
    -Key "HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell" `
    -ValueName "ExecutionPolicy" -Value "RemoteSigned" -Type String

# Link to domain
New-GPLink -Name "PowerShell Security Policy" -Target "dc=domain,dc=com"

# Force update
gpupdate /force

# Set execution policy for current user
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser -Force

# Set for all users (requires admin)
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope LocalMachine -Force

# Verify
Get-ExecutionPolicy -List

        Scope ExecutionPolicy
        ----- ---------------
MachinePolicy       RemoteSigned
   UserPolicy       RemoteSigned
      Process       RemoteSigned
  CurrentUser       RemoteSigned
 LocalMachine       RemoteSigned

Attack timeline:

2:00 PM: Attacker runs malicious script
2:01 PM: Script executes (bypassed execution policy)
2:02 PM: Script modifies files
2:03 PM: Script creates backdoor account
2:04 PM: Security team gets alert from logs

Without logging: Nobody notices until weeks later
With logging: Caught in 4 minutes

# Enable Module Logging for all modules
$path = "HKLM:\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging"
if (!(Test-Path $path)) {
    New-Item -Path $path -Force | Out-Null
}

Set-ItemProperty -Path $path -Name "EnableModuleLogging" -Value 1
Set-ItemProperty -Path $path -Name "*" -Value "*"

Write-Host "Module logging enabled"

$path = "HKLM:\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging"
if (!(Test-Path $path)) {
    New-Item -Path $path -Force | Out-Null
}

Set-ItemProperty -Path $path -Name "EnableScriptBlockLogging" -Value 1

Write-Host "Script block logging enabled"

$path = "HKLM:\Software\Policies\Microsoft\Windows\PowerShell\Transcription"
if (!(Test-Path $path)) {
    New-Item -Path $path -Force | Out-Null
}

Set-ItemProperty -Path $path -Name "EnableTranscripting" -Value 1
Set-ItemProperty -Path $path -Name "OutputDirectory" -Value "C:\Transcripts"
Set-ItemProperty -Path $path -Name "IncludeInvocationHeader" -Value 1

# Create transcript directory
if (!(Test-Path C:\Transcripts)) {
    New-Item -ItemType Directory -Path C:\Transcripts -Force | Out-Null
}

Write-Host "Transcription enabled. Logs: C:\Transcripts"

Event Viewer
→ Windows Logs
→ Application
→ Filter by Source: "PowerShell"

Look for:
- Event ID 400: PowerShell started
- Event ID 403: Engine stopped
- Event ID 800+: Script execution details

# Get recent PowerShell events
Get-EventLog -LogName Application -Source PowerShell -Newest 100 | 
    Select-Object TimeGenerated, Message | 
    Format-Table -AutoSize

# Export to CSV for analysis
Get-EventLog -LogName Application -Source PowerShell -Newest 1000 | 
    Export-Csv -Path "C:\Reports\PowerShell-Events.csv" -NoTypeInformation

# Password in plain text!
$username = "admin@domain.com"
$password = "MyPassword123!"
$cred = New-Object System.Management.Automation.PSCredential($username, 
    (ConvertTo-SecureString -String $password -AsPlainText -Force))

# Now anyone who reads the script knows the password!

# Store credential securely (one-time setup)
$username = "admin@domain.com"
$cred = Get-Credential -Message "Enter credentials to store"
$cred.Password | ConvertFrom-SecureString | 
    Set-Content "C:\Secure\admin-cred.txt"

# Retrieve credential in script (safe)
$credPath = "C:\Secure\admin-cred.txt"
$username = "admin@domain.com"
$password = Get-Content $credPath | ConvertTo-SecureString
$cred = New-Object System.Management.Automation.PSCredential($username, $password)

# Use credential securely
Get-ADUser -Credential $cred -Filter * | Export-Csv "C:\Reports\users.csv"

# Create MSA in Active Directory
New-ADServiceAccount -Name "ScriptRunner" -DNSHostName "scriptrunner.domain.com"

# Install on server
Install-ADServiceAccount -Identity "ScriptRunner"

# Use in script (no password needed!)
$cred = New-Object System.Management.Automation.PSCredential(
    "domain\ScriptRunner$", 
    (Read-Host -AsSecureString)
)

# Store in environment variables (CI/CD pipeline)
$apiKey = $env:API_KEY

# Or use Azure Key Vault
$secret = Get-AzKeyVaultSecret -VaultName "MyVault" -Name "api-key"
$apiKey = $secret.SecretValueText

# Enable WinRM with HTTPS only (not HTTP!)
Enable-PSRemoting -Force

# Configure to use HTTPS
$thumbprint = (Get-ChildItem Cert:\LocalMachine\My | 
    Where-Object {$_.Subject -like "*server.domain.com*"}).Thumbprint

Set-Item -Path WSMan:\localhost\Listener\*\Transport\HTTPS\Enabled -Value $true
Set-Item -Path WSMan:\localhost\Listener\*\Transport\HTTP\Enabled -Value $false

# Require authentication
Set-Item -Path WSMan:\localhost\Service\Auth\Basic -Value $false
Set-Item -Path WSMan:\localhost\Service\Auth\Kerberos -Value $true

Write-Host "WinRM secured with HTTPS + Kerberos"

# Create remote access group
New-ADGroup -Name "PowerShell-RemoteAccess" -GroupScope Global `
    -Description "Users allowed remote PowerShell access"

# Configure in session configuration
Register-PSSessionConfiguration -Name RestrictedShell -ProcessName powershell `
    -RunAsCredential (Get-Credential) -Force

# Restrict to group
Set-PSSessionConfiguration -Name RestrictedShell -ShowSecurityDescriptorUI

# Create approved scripts folder
New-Item -ItemType Directory -Path "C:\ApprovedScripts" -Force

# Only allow signed scripts
Set-ExecutionPolicy -ExecutionPolicy AllSigned -Scope Process

# Copy approved scripts to folder
Copy-Item "C:\Scripts\Update-Users.ps1" -Destination "C:\ApprovedScripts\"

# Remote users can only run from this folder
Invoke-Command -ComputerName server.domain.com `
    -ScriptBlock { & "C:\ApprovedScripts\Update-Users.ps1" }

# At top of every script
#Requires -Version 5.1
#Requires -RunAsAdministrator
#Requires -Modules ActiveDirectory

# This ensures:
# - Script won't run on older PowerShell
# - Script requires admin rights
# - Required modules are available

# BAD: Trust user input
$username = Read-Host "Enter username"
Disable-ADAccount -Identity $username  # What if they enter: john; Remove-ADUser -Identity *

# GOOD: Validate input
$username = Read-Host "Enter username"
if (-not ($username -match '^[a-zA-Z0-9._-]+$')) {
    Write-Error "Invalid username format"
    exit 1
}
Disable-ADAccount -Identity $username

# BAD: Ignore errors
$users = Get-ADUser -Filter *
$users | Disable-ADAccount

# GOOD: Handle errors securely
$users = Get-ADUser -Filter * -ErrorAction Stop
$users | Disable-ADAccount -ErrorAction Continue -ErrorVariable disableErrors

if ($disableErrors) {
    Write-Error "Errors occurred: $disableErrors"
    exit 1
}

# Audit-PowerShellSecurity.ps1
# Checks PowerShell security settings

Write-Host "PowerShell Security Audit" -ForegroundColor Green

# 1. Check Execution Policy
$execPolicy = Get-ExecutionPolicy
Write-Host "Execution Policy: $execPolicy"
if ($execPolicy -eq "Unrestricted") {
    Write-Host "⚠️  WARNING: Execution policy is Unrestricted!" -ForegroundColor Red
}

# 2. Check if logging is enabled
$logPath = "HKLM:\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging"
$logEnabled = (Get-ItemProperty -Path $logPath -Name EnableScriptBlockLogging -ErrorAction SilentlyContinue).EnableScriptBlockLogging
Write-Host "Script Logging: $(if ($logEnabled) { 'Enabled' } else { 'Disabled' })"

# 3. Check WinRM security
$winrmSSL = (Get-ChildItem -Path WSMan:\localhost\Listener | 
    Where-Object {$_.Name -like "*https*"}).Count
Write-Host "WinRM HTTPS: $(if ($winrmSSL -gt 0) { 'Configured' } else { 'Not Configured' })"

# 4. Check event log size
$appLog = Get-EventLog -LogName Application
$logSize = $appLog | Measure-Object -Property "Length" -Sum
Write-Host "Event Log Size: $([math]::Round($logSize.Sum / 1MB)) MB"

# 5. Review recent PowerShell events
Write-Host "`nRecent PowerShell Activity:"
Get-EventLog -LogName Application -Source PowerShell -Newest 10 | 
    Select-Object TimeGenerated, EventID | 
    Format-Table -AutoSize

Timeline of Attack:

2:15 PM: Attacker gains access to admin account
2:16 PM: Attacker opens PowerShell
2:17 PM: Attacker tries to run malicious script
2:18 PM: Execution policy blocks script
2:19 PM: Attacker tries to disable execution policy
2:20 PM: PowerShell logging captures attempt
2:21 PM: SIEM alert triggered

2:22 PM: Security team notified
2:23 PM: Account locked
2:24 PM: Investigation begins

3:00 PM: Incident contained
3:30 PM: Root cause identified (leaked credentials)
4:00 PM: Credentials reset, investigation complete

Result:
✓ Attack blocked within 10 minutes
✓ Full audit trail of attempted attack
✓ Root cause identified
✓ Threat prevented from spreading

Without logging: Attack could have run for weeks undetected
Cost of attack: $0 (prevented)
Cost of proper logging: <$1,000/year
ROI: Infinite

☐ Set execution policy to RemoteSigned
☐ Enable script block logging
☐ Enable transcription
☐ Configure WinRM with HTTPS
☐ Test logging is working

☐ Review recent PowerShell events
☐ Remove any hard-coded credentials
☐ Audit all PowerShell scripts
☐ Test remote access security
☐ Create approved scripts folder

☐ Deploy Group Policy for execution policy
☐ Deploy Group Policy for logging
☐ Train team on secure scripting
☐ Create audit scripts
☐ Schedule monthly security audits

☐ Monthly: Run security audit
☐ Quarterly: Review PowerShell events for anomalies
☐ Quarterly: Test incident response procedures
☐ Annually: Update security policies