40555: Microsoft Security Workshop: Implementing PowerShell Security Best Practices (40555)

1. PowerShell Fundamentals
   Introduced in 2006, Windows PowerShell is a scripting language, a command-line shell, and a scripting platform built on Microsoft .NET Framework. Despite the scripting designation, Windows PowerShell features a range of characteristics common for programming languages, including its object-oriented nature, extensibility, C#-like syntax, and the ability to interact directly with .NET classes, their properties, and methods. The primary objective of Windows PowerShell was to help IT professionals and power users control and automate the administration of the Windows operating system and applications that run on Windows. With the introduction of .NET Core in 2016, Microsoft extended the scope of PowerShell to other operating system platforms, leading to an open-source, GitHub-hosted project, named PowerShell Core. You can use PowerShell Core on macOS 10.12, a variety of 64-bit Linux distributions, in addition to the 32-bit and 64-bit Windows operating system, including Windows 10 running on Advanced Reduced Instruction Set Computing Machine (ARM) devices.
   1. Overview of Windows PowerShell
   2. PowerShell editions and versions
   3. Running PowerShell
   4. On completing this lesson, you will have learned to:
      • Provide an overview of Windows PowerShell
      • Describe PowerShell editions and versions
      • Install and use Windows PowerShell and PowerShell Core
2. PowerShell Operational Security
   To take advantage of the benefits that Windows PowerShell has to offer, while at the same time, minimize security-related risks, it is essential to understand the primary aspects of Windows PowerShell operational security. In this lesson, you will learn about enhancing operating system security by leveraging built-in Windows PowerShell features and technologies that are part of the Windows PowerShell operational environment. Another aspect that is critical to consider in the context of this lesson is the role of Windows PowerShell in security exploits. According to empirical data, in majority of cases, Windows PowerShell is used as a post-exploitation tool. This implies that, at the point where a Windows PowerShell session is launched, an attacker already gained access to the security context in which the target system or the target user operates. This is the type of scenario that this lesson will focus on. In this case, Windows PowerShell serves as powerful and extremely flexible engine for executing arbitrary tasks on the local and remote computers, which, incidentally, is the same reason that made Windows PowerShell extremely popular among system administrators.
   1. Managing Local Script Execution
   2. Managing remote execution capabilities of Windows PowerShell
   3. Managing remote execution capabilities of PowerShell Core
   4. Language Mode
   5. On completing this lesson, you will have learned to:
      • Manage execution of local PowerShell scripts
      • Manage remote execution of Windows PowerShell
      • Manage remote execution of PowerShell Core
      • Describe security implications of using Constrained Language Mode
3. Implementing PowerShell-based Security
   In the previous lesson, you learned about a number of security-related features built into Windows PowerShell and technologies that are part of the Windows PowerShell operational environment that help you with their enforcement. The purpose of this lesson is to present the most common and effective methods of leveraging Windows PowerShell to enhance operating system security. These methods include: > Protecting from unintended configuration changes by relying on PowerShell Desired State Configuration (DSC) > Implementing the principle of least privilege in remote administration scenarios by using Just Enough Administration (JEA) > Tracking and auditing events that might indicate exploit attempts by using Windows PowerShell logging
   1. Windows PowerShell DSC
   2. Just Enough Administration (JEA)
   3. Windows PowerShell Auditing and Logging
   4. On completing this lesson, you will have learned to:
      • Describe the architecture and components of Windows PowerShell DSC
      • Implement JEA
      • Recommend Windows PowerShell auditing and logging configuration
4. Windows PowerShell-based Exploits and their Mitigation
   Organizations cannot comprehensively identify gaps in security detection and response by solely focusing on breach prevention strategies. Understanding how to not only protect but also to detect and respond to breaches is just as important "if not more so" than taking action to prevent a breach from occurring in the first place. By planning for the worst-case scenarios through Red Teaming (real-world attack and penetration), organizations can develop the necessary capabilities to detect attempted exploits and significantly improve responses associated with security breaches.
   1. Windows PowerShell-based attacks
   2. Windows PowerShell-based security tools
   3. Summary of Windows PowerShell security-related technologies
   4. On completing this lesson, you will have learned to:
      • Provide examples of Windows PowerShell-based attacks
      • Use Windows PowerShell-based security tools
      • Provide an overview of Windows PowerShell-based security-related technologies
      • Implement Windows PowerShell logging by using Desired State Configuration (DSC)
      • Identify and mitigate Windows PowerShell-based exploits
      • Implement Just Enough Administration (JEA)

Course Labs

1. Implementing Windows PowerShell Security