Allied Cybersecurity Agencies Advise Against Disabling Popular Tool for Cyberattackers
The Microsoft program PowerShell has given malicious actors remote command and control of victims in hacking schemes, but it can also improve cybersecurity management. This blog discusses how the threat can be mitigated by proper configuration. Before removing PowerShell, read the guidance: a joint advisory from the Cybersecurity and Infrastructure Security Agency, the National Security Agency and allied counterparts recommends securing it rather than disabling it.
Why are cybersecurity agencies advising against disabling PowerShell?
U.S. cybersecurity agencies—including CISA and NSA—along with partners in New Zealand and the United Kingdom, advise against disabling PowerShell because it is both a common attack tool and a valuable security asset.
Their joint advisory notes that many publicly acknowledged intrusions, including ransomware campaigns, have used PowerShell as a post‑exploitation tool for remote command and control. However, the same capabilities that appeal to attackers also help defenders:
- PowerShell supports centralized, remote management across Windows hosts.
- It enables automation of routine security and IT tasks.
- It provides rich logging and telemetry that are useful for forensic analysis after an incident.
The agencies’ position is that the risks associated with PowerShell can be mitigated through proper configuration and access control. Completely removing or disabling it can actually weaken an organization’s security posture by:
- Reducing visibility into attacker activity.
- Limiting the ability to automate security controls and monitoring.
- Forcing admins to rely on less secure or less auditable tools.
In short, the guidance is to secure and monitor PowerShell rather than turn it off, so organizations can use it to strengthen, not weaken, their cybersecurity operations.
How can PowerShell remoting improve security instead of undermining it?
PowerShell remoting can look risky at first glance because it enables remote command execution. The joint advisory explains that, when configured correctly, it can actually help reduce credential exposure and limit lateral movement.
Key points from the guidance:
1. **More secure authentication**
PowerShell remoting uses Windows Remote Management (WinRM) under the hood. WinRM relies on Kerberos or NTLM as default authentication protocols. These protocols do not send actual credentials (like clear‑text passwords) to remote hosts. That reduces the chance that credentials are intercepted or harvested during remote administration.
2. **Support for secure remote operations**
Administrators and cybersecurity analysts can use PowerShell remoting to:
- Run security checks and configuration updates across many machines.
- Collect logs and artifacts for incident response.
- Standardize how scripts and policies are deployed.
This turns remote management into a controlled, auditable process instead of ad‑hoc access that is harder to monitor.
3. **Customizable firewall and access rules**
When PowerShell remoting is enabled on private networks, Windows automatically creates a firewall rule to accept incoming connections. The advisory stresses that these rules are fully customizable. Organizations can:
- Restrict connections to specific trusted endpoints and networks.
- Limit which accounts and groups are allowed to use remoting.
- Combine remoting with least‑privilege access policies.
By tightening these controls, organizations can reduce lateral movement opportunities for attackers while still benefiting from efficient, centralized administration.
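The following is an added example, not code from the advisory or the agencies, showing the three controls above applied on a domain-joined host: scoping the WinRM firewall rule Windows created, turning off clear-text authentication while keeping Kerberos/Negotiate, and restricting the default remoting endpoint to one admin group. The group `CONTOSO\Remoting-Admins` and the subnet `10.0.10.0/24` are placeholders for your own environment.

```powershell
# Added example (not from the advisory): harden an existing WinRM listener.
# 'CONTOSO\Remoting-Admins' and 10.0.10.0/24 are placeholders; substitute your own.
#Requires -RunAsAdministrator

# 1. Restrict the inbound WinRM rule to the management subnet only.
#    'WINRM-HTTP-In-TCP' is the rule Windows creates for the Domain/Private profiles.
Set-NetFirewallRule -Name 'WINRM-HTTP-In-TCP' -RemoteAddress '10.0.10.0/24' -Enabled True

# Keep the Public-profile variant disabled if it exists on this host.
Get-NetFirewallRule -Name 'WINRM-HTTP-In-TCP-PUBLIC' -ErrorAction SilentlyContinue |
    Disable-NetFirewallRule

# 2. Keep Kerberos/Negotiate; disable Basic auth and unencrypted traffic so that
#    credentials cannot cross the wire in the clear.
Set-Item -Path WSMan:\localhost\Service\Auth\Basic -Value $false
Set-Item -Path WSMan:\localhost\Service\AllowUnencrypted -Value $false

# 3. Limit who may connect to the default endpoint: replace the session
#    configuration ACL so only built-in Administrators and the placeholder group
#    have access (GA = generic all). The SDDL here is constructed for this example.
$group = New-Object System.Security.Principal.NTAccount('CONTOSO', 'Remoting-Admins')
$sid   = $group.Translate([System.Security.Principal.SecurityIdentifier]).Value
$sddl  = "O:NSG:BAD:P(A;;GA;;;BA)(A;;GA;;;$sid)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)"
Set-PSSessionConfiguration -Name Microsoft.PowerShell -SecurityDescriptorSddl $sddl -Force

# 4. Report the resulting state so the change can be verified and recorded.
function Get-RemotingHardeningReport {
    [pscustomobject]@{
        FirewallRemoteAddress = (Get-NetFirewallRule -Name 'WINRM-HTTP-In-TCP' |
                                 Get-NetFirewallAddressFilter).RemoteAddress
        BasicAuthEnabled      = (Get-Item WSMan:\localhost\Service\Auth\Basic).Value
        AllowUnencrypted      = (Get-Item WSMan:\localhost\Service\AllowUnencrypted).Value
        EndpointPermission    = (Get-PSSessionConfiguration -Name Microsoft.PowerShell).Permission
    }
}

Get-RemotingHardeningReport
```

`Set-PSSessionConfiguration -Force` restarts the WinRM service, so run this from a console session or an out-of-band channel rather than over the remoting endpoint being changed.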
What practical steps should organizations take to use PowerShell safely?
The advisory from CISA, NSA, and allied agencies emphasizes configuration and governance rather than removal. To use PowerShell safely, organizations can focus on three areas: access control, configuration, and monitoring.
1. **Tighten access and authorization**
- Limit who can use PowerShell remoting to specific admin and security roles.
- Use Kerberos where possible for stronger authentication.
- Apply least‑privilege principles so accounts used for remoting have only the access they need.
2. **Harden network and host configuration**
- Review and customize the Windows Firewall rule that is created when PowerShell remoting is enabled.
- Restrict inbound remoting connections to trusted endpoints, subnets, or management networks.
- Segment networks so that even if one host is compromised, attackers cannot easily move laterally using PowerShell.
3. **Strengthen monitoring and forensic readiness**
- Enable detailed PowerShell logging (script block logging, module logging, and transcription) to capture activity.
- Integrate PowerShell logs into your SIEM or security analytics tools for alerting and investigation.
- Use PowerShell itself to automate security checks, configuration baselines, and incident response playbooks.
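As an added example (not part of the advisory), the script below enables the three logging features named in step 3 through the local policy registry keys, then defines a helper that pulls recent script block events (ID 4104) in a flat shape suitable for forwarding to a SIEM or reviewing during an investigation. `C:\PSTranscripts` is a placeholder path; the simple Base64 triage filter at the end is an illustration, not a rule from the guidance.

```powershell
# Added example (not from the advisory): enable PowerShell logging and query it.
# 'C:\PSTranscripts' is a placeholder; use a write-only, ACL-protected location.
#Requires -RunAsAdministrator

$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Set-PolicyValue([string]$Key, [string]$Name, $Value, [string]$Type = 'DWord') {
    # Creates the policy key on demand and writes one value under it.
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    New-ItemProperty -Path $Key -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

# Script block logging: records the code actually executed, after de-obfuscation (event 4104).
Set-PolicyValue "$base\ScriptBlockLogging" 'EnableScriptBlockLogging' 1

# Module logging: records pipeline execution details for every module (event 4103).
Set-PolicyValue "$base\ModuleLogging" 'EnableModuleLogging' 1
Set-PolicyValue "$base\ModuleLogging\ModuleNames" '*' '*' 'String'

# Transcription: per-session text transcripts with invocation headers and timestamps.
Set-PolicyValue "$base\Transcription" 'EnableTranscripting' 1
Set-PolicyValue "$base\Transcription" 'EnableInvocationHeader' 1
Set-PolicyValue "$base\Transcription" 'OutputDirectory' 'C:\PSTranscripts' 'String'

function Get-RecentScriptBlockEvents {
    # Returns script block events (ID 4104) from the last N hours as flat objects.
    param([int]$Hours = 24)
    $filter = @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Properties[0]/[1] are block number/total; Properties[2] holds the script text.
        [pscustomobject]@{
            Time       = $_.TimeCreated
            User       = $_.UserId
            ScriptText = $_.Properties[2].Value
        }
    }
}

# Illustrative triage filter: surface blocks that decode Base64 content for analyst review.
Get-RecentScriptBlockEvents -Hours 24 |
    Where-Object { $_.ScriptText -match 'FromBase64String' } |
    Format-Table Time, User -AutoSize
```

Policy keys written this way are read when a new PowerShell session starts, so existing sessions are not logged until restarted; in a domain the same values are normally delivered through Group Policy rather than set per host.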
By rethinking PowerShell as a managed, monitored security tool rather than just a risk, organizations can improve their overall cybersecurity management while still addressing the real threats associated with its misuse.

published by IP Consulting, Inc