4 Powerful PowerShell Security Techniques for Windows Servers

Introduction

In the ever-evolving landscape of cybersecurity, hardening your Windows servers is not just a best practice; it’s a necessity. PowerShell, with its versatility and automation capabilities, becomes our trusty wand in this magical journey of securing our servers. Let’s look at 4 PowerShell security techniques that will help us achieve that goal.

Auditing with PowerShell: Unveiling Hidden Threats

1. PowerShell Security: Auditing with PowerShell

1.1. Sysmon Configuration with POSH-Sysmon

Sysmon: The Silent Sentinel

Sysmon, developed by Microsoft, is a powerful tool that monitors systems and logs granular events to the Windows event log; once installed, it keeps tracking them even after a reboot.

It’s like having a magical magnifying glass that reveals hidden activities on your server.

Why Use POSH-Sysmon?

POSH-Sysmon is a PowerShell script that simplifies configuring Sysmon.

It allows you to easily create and manage Sysinternals Sysmon v2.0 config files using PowerShell.

With Sysmon, you can track events related to process creation, network connections, registry changes, and more.

Example: Detecting Credential Extraction Attempts

One of the most critical events to track is when a malicious process tries to extract credentials from memory.

Use the ProcessAccess filter for Local Security Authority Subsystem Service (LSASS) to detect such attempts:

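# Sysmon Event ID 10 is ProcessAccess; Get-WinEvent records expose the ID as .Id, not .EventID
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 10 } | Where-Object { $_.Message -like '*LSASS*' }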
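
The query above matches on message text. As an added example (not part of the original post), the function below parses the Event ID 10 XML into fields and flags LSASS accesses whose GrantedAccess mask includes PROCESS_VM_READ. The function name Get-LsassAccess, the -ExpectedSource allow-list and the sample events are constructed for illustration.

```powershell
function Get-LsassAccess {
    param(
        [Parameter(Mandatory, ValueFromPipeline)][string]$EventXml,
        [string[]]$ExpectedSource = @()   # full paths of vetted tools (hypothetical allow-list)
    )
    process {
        $evt = ([xml]$EventXml).Event
        if ($evt.System.EventID -ne '10') { return }   # ProcessAccess events only
        # Sysmon stores its fields as <Data Name="...">value</Data>; index them by name
        $d = @{}
        foreach ($n in $evt.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d.TargetImage -notmatch '\\lsass\.exe$') { return }
        $mask = [Convert]::ToInt32($d.GrantedAccess, 16)
        [pscustomobject]@{
            TimeUtc       = $d.UtcTime
            SourceImage   = $d.SourceImage
            GrantedAccess = $d.GrantedAccess
            ReadsMemory   = [bool]($mask -band 0x0010)   # 0x0010 = PROCESS_VM_READ
            Expected      = $ExpectedSource -contains $d.SourceImage
        }
    }
}

# Constructed sample records in the shape of Sysmon Event ID 10 XML (not real telemetry)
$template = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>10</EventID></System>
<EventData><Data Name="UtcTime">{0}</Data><Data Name="SourceImage">{1}</Data>
<Data Name="TargetImage">{2}</Data><Data Name="GrantedAccess">{3}</Data></EventData></Event>
'@
$sample = @(
    $template -f '2024-01-01 10:00:00.000', 'C:\Windows\System32\svchost.exe', 'C:\Windows\System32\lsass.exe', '0x1000'
    $template -f '2024-01-01 10:05:00.000', 'C:\Users\Public\tool.exe', 'C:\Windows\System32\lsass.exe', '0x1010'
    $template -f '2024-01-01 10:06:00.000', 'C:\Windows\explorer.exe', 'C:\Windows\System32\notepad.exe', '0x1410'
)

# Keep LSASS memory reads whose source is not on the allow-list
$sample | Get-LsassAccess | Where-Object { $_.ReadsMemory -and -not $_.Expected } | Format-Table -AutoSize

# On a host with Sysmon installed and a ProcessAccess rule configured, feed live events instead:
# Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 10 } |
#     ForEach-Object { $_.ToXml() } | Get-LsassAccess
```
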

2. Harden Your Email Fortress: Client Rules Forwarding Block Control

Why Is This Important?

Attackers often exploit Office 365 by setting up silent rules in Outlook to forward sensitive emails to their accounts.

Harden your email security by enabling the Client Rules Forwarding Block control.

PowerShell Action:

Use PowerShell to enable the forwarding block:

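# Run in an Exchange Online PowerShell session; the block is a mail flow rule that rejects auto-forwarded mail leaving the organization
New-TransportRule -Name 'Client Rules To External Block' -Priority 0 -FromScope InOrganization -SentToScope NotInOrganization -MessageTypeMatches AutoForward -RejectMessageEnhancedStatusCode '5.7.1' -RejectMessageReasonText 'Client forwarding rules to external recipients are blocked.'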
PowerShell DSC: Enchanting Windows OS Hardening

3. PowerShell Security using DSC

What is PowerShell DSC?

Desired State Configuration (DSC) is like a magical spell that ensures your servers maintain a secure configuration.

It allows you to define and enforce the desired state of your Windows servers.

Example: Secure Configuration According to CIS Benchmarks

Use PowerShell DSC to apply secure configurations based on benchmarks like CIS Microsoft Windows Server 2019 or Azure Security Center Baseline for Windows Server 2016.

Your DSC code becomes your protective charm:

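Configuration SecureServer {
    # Audit settings are managed by AuditPolicySubcategory from the AuditPolicyDsc module
    Import-DscResource -ModuleName AuditPolicyDsc
    Node 'localhost' {
        # Account Logon > Credential Validation: audit both success and failure
        AuditPolicySubcategory 'Audit Credential Validation (Success)' {
            Name      = 'Credential Validation'
            AuditFlag = 'Success'
            Ensure    = 'Present'
        }
        AuditPolicySubcategory 'Audit Credential Validation (Failure)' {
            Name      = 'Credential Validation'
            AuditFlag = 'Failure'
            Ensure    = 'Present'
        }
        # More security settings here...
    }
}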

4. HardeningKitty: The Feline Guardian of Windows Configurations

What’s the Kitty Up To?

HardeningKitty, our feline friend, automatically checks and evaluates Windows system hardening.

It inspects individual applications like Microsoft Office and Microsoft Edge too.

PowerShell Purr-fectness:

Run HardeningKitty to assess your system’s security posture:

Import-Module .\HardeningKitty.psm1
Invoke-HardeningKitty -Mode Audit -Log -Report

Conclusion

By wielding PowerShell, we’ve cast spells to audit, secure, and harden our Windows servers. Remember, security is an ongoing quest—keep your spells sharp and your PowerShell scripts even sharper!
