If you are an average computer user, it’s likely you’ve never even heard of PowerShell. However, if you’re an admin, a more tech savvy user, or a nefarious individual who wants to hack into other people’s systems, PowerShell scripting can be a powerful office tool. So what is it?
What is PowerShell?
Using PowerShell scripting gives you enormous control over your machine and services. It’s a task-based command-line shell and scripting language that helps admins and users automate the tasks that manage operating systems and processes. It was initially a Windows-only tool, but is now both open source and cross-platform.
Breaking down what PowerShell does
So what does that mean? Let’s break it down.
Some of you may be familiar with the command prompt tool on your machine, from either using it or just seeing it pop up sometimes after start up. It looks like a black box with a C: prompt.
In here, you can perform tasks directly through the operating system’s command line interface instead of going through the more user-friendly GUI-based menu. This can save time and allow you to do “extra” things that you wouldn’t be able to otherwise.
For example, if you happened to know the IP address of another computer on your local network, and had remote administrator access, you could enter a command on your machine via command prompt to shut down their machine remotely (definitely not a good way to make friends in the workplace).
PowerShell is the modern iteration of the Windows command prompt. Originally Windows-specific, it has since become available on other operating systems (such as macOS and Linux). PowerShell’s source is now freely available on the internet so that other users can make changes to it (i.e., it’s now open source). It gives users a more direct line to make changes to the operating system and control the software. It is both powerful and efficient, and was designed from the ground up specifically for system administrators. I think you can see where this is going…?
Why is PowerShell so attractive to cybercriminals?
Give the wrong person PowerShell access, and they could wreak all sorts of havoc.
Someone with PowerShell access has an enormous range of options within your network. They could change settings to make access easier for them or just more annoying for your employees. They could even extract sensitive data to sell to others or use for their own gain in other ways. There are obviously other ways to get to this functionality, so why is PowerShell so popular among modern hackers? Well:
- PowerShell is in Windows operating systems from Windows XP onward. And, as stated above, it’s now an open-source, cross-platform framework. It’s basically found in a lot of places.
- PowerShell has legitimate uses for admins and is, in fact, a real tool for IT admin tasks. This makes it very hard to tell when it’s being used for valid reasons and when it’s not.
- PowerShell scripts are easy to write and run for the technically minded.
- It can access a considerable range of Application Programming Interfaces (APIs). This is by design because it’s useful, but, sadly, it can be (and is) easily abused by attackers.
PowerShell is a very powerful tool whose malicious use can be easily hidden. You want to restrict access to it and grant it only to those you trust.
The Office Protect setting that will help you
Obviously, PowerShell access in the wrong hands is a dangerous thing and you want to work to prevent that, and its potential consequences, at all costs. But how?
Fortunately, Office Protect is here to help. With its setting, “Exchange Scripting (PowerShell) Access”, you can decide exactly who gets access to this powerful tool. So how do you do this? And what’s the right decision?
If you go to your Office Protect dashboard and access settings, you will see the menu for this setting, with three possible options.
- Remove from All Users – This is obviously the most secure option, as it removes access from everyone. However, removing access from administrators may limit your use of automation tools, and inhibit them from performing some necessary job functions.
- Remove from Non-Admin – Recommended best practice – this removes access from all users who do not need PowerShell access for their daily email usage. However, you want to make sure you have good practices around administrator rights and privileges before doing this.
- Grant to all Users – The least secure option, this grants PowerShell access to all users, regardless of role or need.
Essentially, the setting prevents Exchange Online from being managed (remotely or otherwise) via PowerShell scripts by unauthorised and unintended users. It closes off an avenue for hackers to access, exfiltrate, or make other modifications to an Office 365 tenant via Exchange Online, greatly improving the tenant’s security posture.
As a final security measure, if Office Protect detects any users not matching your configuration (such as a non-admin user who has suddenly been granted access), it will change the user setting to reflect what you selected in Office Protect. This is good for catching any rogue users who have found a way to grant themselves access.
Within these settings you will also see the user impact (medium) and security impact (medium).
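As an added example (not Office Protect’s own code, and not from the original post), the script below audits an Exchange Online tenant for the “Remove from Non-Admin” state and, when run with -Enforce, corrects any drift the way the setting’s enforcement is described above. It assumes the ExchangeOnlineManagement module is installed and that the setting controls the per-user RemotePowerShellEnabled attribute; the admin role groups and any extra automation accounts to keep are parameters.

```powershell
# Added example, not Office Protect's code. Audits (and optionally enforces)
# "only admins keep Exchange PowerShell access" using Exchange Online cmdlets.
# Assumption: the Office Protect setting maps to the per-user
# RemotePowerShellEnabled attribute managed with Get-User / Set-User.
param(
    # Members of these role groups are allowed to keep PowerShell access.
    [string[]]$AdminRoleGroups = @('Organization Management'),
    # Service/automation accounts to exempt (see the caveat about automation
    # tools above); hypothetical UPNs, supplied by the operator.
    [string[]]$ExtraAllowed = @(),
    # Without -Enforce the script only reports; with it, it removes access.
    [switch]$Enforce
)

Connect-ExchangeOnline -ShowBanner:$false

# Build a case-insensitive allow-list of user principal names.
$allowed = [System.Collections.Generic.HashSet[string]]::new(
    [System.StringComparer]::OrdinalIgnoreCase)
foreach ($upn in $ExtraAllowed) { [void]$allowed.Add($upn) }

foreach ($group in $AdminRoleGroups) {
    # Resolve each role-group member through Get-User so we compare on UPN.
    Get-RoleGroupMember -Identity $group -ResultSize Unlimited | ForEach-Object {
        $u = Get-User -Identity $_.Identity -ErrorAction SilentlyContinue
        if ($u -and $u.UserPrincipalName) { [void]$allowed.Add($u.UserPrincipalName) }
    }
}

# Drift = any user with PowerShell access who is not on the allow-list
# (e.g. a non-admin who was granted access after the policy was applied).
$drift = Get-User -ResultSize Unlimited |
    Where-Object { $_.RemotePowerShellEnabled -and -not $allowed.Contains($_.UserPrincipalName) }

foreach ($user in $drift) {
    Write-Warning ("PowerShell access enabled for non-admin: {0}" -f $user.UserPrincipalName)
    if ($Enforce) {
        # Bring the user back in line with the "Remove from Non-Admin" policy.
        Set-User -Identity $user.UserPrincipalName -RemotePowerShellEnabled $false
    }
}

Write-Host ("{0} user(s) found with unexpected PowerShell access" -f @($drift).Count)
Disconnect-ExchangeOnline -Confirm:$false
```

Run it without -Enforce first and review the warnings, since the account running the script must itself keep PowerShell access or be listed in -ExtraAllowed.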
PowerShell access is important, and regulating it is a must for good security practices. See what else Office Protect can do for you and your company today.