Windows Security change affecting PowerShell
January 9, 2019
The recent (1/8/2019) Windows security patch CVE-2019-0543, has introduced a breaking change for a PowerShell remoting scenario. It is a narrowly scoped scenario that should have low impact for most users.
The breaking change only affects local loopback remoting,
PowerShell Constrained Language mode and the Dot-Source Operator
PowerShell works with application control systems, such as AppLocker and Windows Defender Application Control (WDAC), by automatically running in
ConstrainedLanguage mode. ConstrainedLanguage mode restricts some exploitable aspects of PowerShell while still giving you a rich shell to run commands and scripts in.
We just released the DSC Resource Kit!
This release includes updates to 9 DSC resource modules. In the past 6 weeks, 126 pull requests have been merged and 79 issues have been closed, all thanks to our amazing community!
The modules updated in this release are:
ComputerManagementDsc
SharePointDsc
StorageDsc
SqlServerDsc
xActiveDirectory
xExchange
xFailOverCluster
xHyper-V
xWebAdministration
For a detailed list of the resource modules and fixes in this release,
The PowerShell Gallery and PowerShellGet have just been updated to provide new features, performance improvements, and a new modern design.
NOTE: This post has important information for publishers in the “Accounts and publishing” section.
PowerShell Module Exporting Functions in Constrained Language
PowerShell offers a number of ways to expose functions in a script module. But some options have serious performance or security drawbacks. In this blog I describe these issues and provide simple guidance for creating performant and secure script modules.
At the DEFCON security conference last year, we presented the session: "Get $pwnd: Attacking Battle Hardened Windows Server".
In this talk, we went through some of the incredibly powerful ways that administrators can secure their high-value systems (for example, Just Enough Administration) and also dove into some of the mistakes that administrators sometimes make when exposing their PowerShell code to an attacker. The most common form of mistake is script injection, where a script author takes a parameter value (supplied by an attacker) and runs it in a trusted context (such as a function exposed in a Just Enough Administration endpoint).
PowerShell Constrained Language Mode
Update (May 17, 2018)
In addition to the constraints listed in this article, system wide Constrained Language mode now also disables the ScheduledJob module. The ScheduledJob feature uses Dot Net serialization that is vulnerable to deserialization attacks.
[Updated Feb 20th, 2020 with latest guidance]
The security industry is ablaze with news about how PowerShell is being used by both commodity malware and attackers alike. Surely there’s got to be a way to defend yourself against these attacks!
There absolutely is.
Yesterday, at IGNITE 2017, we announced the public availability of PowerShell in Azure Cloud Shell. With the addition of PowerShell in Cloud Shell, alongside Bash in Azure Cloud Shell, you now have the flexibility to choose the shell experience that works best for you.
At BUILD 2017, we announced the preview of Azure Cloud Shell supporting the Bash shell. We are adding PowerShell support to Azure Cloud Shell, which gives you a choice of shell to get work done.
Sign-up today to participate in a limited preview of PowerShell in Azure Cloud Shell.
