Living off the land is not the title of a gardening book. It\u2019s the goal of attackers going after your network. Rather than installing malicious software on your network that antivirus software might flag, attackers use the code already there to launch attacks. The tools that you use to monitor, maintain and access your network are often the same code that attackers use to attack your network. PowerShell is a prime example.The U.S. National Security Agency (NSA), U.S. Cybersecurity and Infrastructure Security Agency (CISA), New Zealand\u2019s NCSC, and the UK NCSC recently released a document called Keeping PowerShell: Security Measures to Use and Embrace. This guidance recommends keeping PowerShell in your network rather than blocking but offers the following advice to keep it secure.Use PowerShell remoting only where neededFirst, decide where you want to use PowerShell remoting and where you don\u2019t want it to be functional. Too many companies do not take the time to use the technology they have to control communication. The Windows firewall can be set with Group Policy or Intune to block PowerShell remoting.First review what access rights you have set by using the following command: Get-PSSessionConfiguration | Format-Table -Property Name, PermissionYou can disable PowerShell remoting by using the following command: Disable-PSRemoting -ForceIf you enable PowerShell remoting through Enable-PSRemoting, it automatically opens port 5895 in Windows Firewall. To disable the firewall exceptions, use the Windows Firewall with Advanced Security MMC snap-in (type "firewall" in the Start menu) and search for \u201cWindows Remote Management (HTTP-In) rules\u201d. There is one rule for the network profile domain (private) and one for public. Select \u201cInbound Rules\u201d, then right-click on each rule and select \u201cDisable\u201d. You may also wish to set this rule to ensure that attackers can\u2019t silently enable it. You can also enable \u201cFirewall auditing\u201d so that you are alerted when a firewall rule changes from the values you have set. \u00a0Use antivirus software with Antimalware Scan InterfaceReview what antivirus you are using and if your antivirus is using the Windows Antimalware Scan Interface (AMSI) integration. This supports scanning of in-memory and dynamic file contents and is supported by AMSI-aware antivirus products such as Windows Defender, McAfee and Symantec. I recommend investigating if you can justify the licensing of Defender for Endpoint. This enhanced endpoint security platform allows you to prevent, detect, investigate and respond to advanced threats.Use AppLocker or WDACReview if you can license and deploy AppLocker or Windows Defender Application Control (WDAC) to better protect you. Enabling AppLocker script enforcement blocks PowerShell commands in a script but still allows the commands interactively into the PowerShell command console. It\u2019s recommended to configure AppLocker or WDAC to block actions on a Windows host. This causes PowerShell to operate in a Constrained Language mode.To determine what language mode PowerShell is using, enter the following command: $ExecutionContext.SessionState.LanguageModeIf it\u2019s set for full language, you can decide to enable constrained delegation instead. Enter the following command:$ExecutionContext.SessionState.LanguageMode = "ConstrainedLanguage"This stays in effect only for the current session. To maintain ConstrainedLanguage, use something like Device Guard User Mode Code Integrity to maintain the session settings.Enable logging for PowerShellLogging not in both the operating system and for PowerShell helps ensure that you can review your systems for malicious activity. Enable logging and deep scriptblock logging, module logging, and over-the-shoulder transcription. The relevant Group Policy object (GPO) setting is called \u201cTurn on PowerShell Script Block Logging\u201d. To find it, make these selections in order:\u201cPolicies\u201d\u201cAdministrative Templates\u201d\u201cWindows Components\u201d\u201cWindows PowerShell\u201dThe logging takes place in the application log, which you find with this selection process:\u201cMicrosoft\u201d\u201cWindows\u201d\u201cPowerShell\u201d\u201cOperational\u201dThe commands are recorded under event ID 4104. If you also record start and stop events, these will appear under the IDs 4105 and 4106. Even if you have Windows 7 machines, you can install PowerShell 5, which enables the additional logging.Secure remote connectionsMost networks have mixtures of Windows and other platforms. Having secure remote connections helps to ensure that you keep secure between both Windows and Linux servers. PowerShell 7 allows remote connections over SSH (Secure Shell), which allows for public key authentication. To enable OpenSSH on Windows systems, run the following commands from an elevated console session:Add-WindowsCapability -Online -Name OpenSSH.Client~~~~0.0.1.0Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0To enable the SSH server service to start automatically, set the following service:Set-Service -Name sshd -StartupType 'Automatic'Start-Service -Name sshdFinally, use the remoting tools to simplify configuring SSH based remoting. The following commands will install the module from the PowerShell Gallery.Install-Module -Name Microsoft.PowerShell.RemotingTools\u00a0\u00a0\u00a0Import-Module -Name Microsoft.PowerShell.RemotingToolsOn a sample Ubuntu workstation, open a terminal session and install OpenSSH:sudo apt install openssh-clientsudo apt install openssh-serverNext, start an elevated pwsh session and install RemotingTools module and run the Enable-SSHRemoting command:Install-Module -Name Microsoft.PowerShell.RemotingToolsEnable-SSHRemoting -Verbosesudo service ssh restartStandardize on PowerShell 7One key recommendation is to upgrade PowerShell. Newer PowerShell versions offer more logging and security enhancements. It\u2019s recommended to disable and uninstall the deprecated PowerShell Version 2,0) on Windows 10 and other versions. You should also review the use of older Windows operating systems and their impact on the risk of your network.If you standardize on Windows 10 or Windows 11 and PowerShell 7, you can use AMSI, Constrained Language mode, Constrained Language mode with Applocker and WDAC, deep script block logging, over-the-shoulder transcription logging, module logging, and SSH remoting. The most recent release of PowerShell is version 7.2.5. A preview release of 7.3.0 was released on June 22, 2022. Once you standardize on PowerShell 7 you can then remove or disable PowerShell 2 to better secure your network. In a console window execute the following command:\u00a0Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2RootThis command disables PowerShell 2.0 immediately. To reenable PowerShell 2.0, replace disable with enable:Enable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2RootYou can also disable PowerShell 2.0 in the Windows features options.