PowerShell Security Scripts for Windows Administrators

Date stamp: 19-02-2017

Time stamp: 10-58-24
PowerShell is an advanced administration tool for Windows. Some end users with advanced knowledge, or those who have worked with earlier versions of Windows, may be more familiar with the humble command prompt, via which you can run commands and scripts. PowerShell is similar but a lot more advanced in terms of functional

PowerShell gives you advanced functionality for configuration management and task automation. The tool includes both a scripting language and a command-line shell, and it was built on the .NET Framework. PowerShell also gives you an Integrated Scripting Environment (ISE), a GUI in which you can get all your scripting done.

PowerShell has been the leading administration tool for Windows for more than a decade. But are you taking advantage of this tool to the fullest? Here are some essential PowerShell security tips for Windows administrators.
Clean up admin group

Having multiple users in a local administrators group creates one of the biggest and most common loopholes through which a hacker can break in. This script gives you the ability to remove multiple users from the local administrator groups of multiple computers in one shot. It takes a text file with the names of the users to be removed and another text file with the names of the machines on which this is to be done.

All you need to modify in the script before running it is to a) replace the name in the variable $Computernames with the name of the text file containing the machine names, and b) replace the name in the variable $Admins with the name of the text file containing the user names.
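The following is an added example of such a clean-up script, not the script the article refers to. It assumes PowerShell Remoting is enabled on the targets and that they have the LocalAccounts cmdlets (Windows 10 / Server 2016 and later); the two file paths are placeholders.

```powershell
# Added example: remove every user listed in $Admins from the local Administrators
# group of every computer listed in $Computernames. One name per line in each file.
param(
    [string]$Computernames = 'C:\Admin\computers.txt',  # placeholder: hostnames, one per line
    [string]$Admins        = 'C:\Admin\users.txt',      # placeholder: DOMAIN\user, one per line
    [switch]$WhatIf                                     # report only, change nothing
)

$computers = Get-Content -Path $Computernames | Where-Object { $_.Trim() -ne '' }
$users     = Get-Content -Path $Admins        | Where-Object { $_.Trim() -ne '' }
$dryRun    = $WhatIf.IsPresent

# Unreachable hosts produce an error and are skipped; the rest are processed in parallel.
$results = Invoke-Command -ComputerName $computers -ErrorAction Continue -ScriptBlock {
    # Read membership once so only accounts that are actually present are touched.
    $current = Get-LocalGroupMember -Group 'Administrators' | ForEach-Object { $_.Name }
    foreach ($u in $using:users) {
        if ($current -notcontains $u) {
            [pscustomobject]@{ Computer = $env:COMPUTERNAME; User = $u; Action = 'not a member' }
            continue
        }
        if ($using:dryRun) {
            [pscustomobject]@{ Computer = $env:COMPUTERNAME; User = $u; Action = 'would remove' }
        } else {
            Remove-LocalGroupMember -Group 'Administrators' -Member $u -ErrorAction Stop
            [pscustomobject]@{ Computer = $env:COMPUTERNAME; User = $u; Action = 'removed' }
        }
    }
}

$results | Sort-Object Computer, User | Format-Table Computer, User, Action -AutoSize
```

Run it once with -WhatIf to review the report before letting it change group membership.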
Harden SAM Access

Once hackers are able to breach a system through a particular point of vulnerability, they use compromised local and domain credentials to move around their victim's network. One way to get all local and domain users, along with their group memberships, to map possible routes in Windows 10 is to query the Security Account Manager remotely using the SAMR protocol.

While it used to be that SAM could be accessed remotely by any network-connected user, Windows 10 later introduced an option to control access to SAM and also modified the default permissions to permit remote access only to administrators. The SAMRi10 script allows you to harden the remote access further by giving SAM access only to members of a specific group. No, this is not discrimination, this is security protocols!
Harden Net Sessions Enumeration

Net Sessions Enumeration can be used by attackers to get information about the sessions established on a server, including computer names, usernames, session active times, and IP addresses. NetSessionEnum can be executed by any authenticated user by default. The Net Cease script alters this by giving you the ability to remove the execute permissions for all authenticated users and instead add permissions to particular sessions.
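An added audit example covering both of the hardening steps above (it is not SAMRi10 or Net Cease themselves): it reads the RestrictRemoteSAM value that SAMRi10 sets and the SrvsvcSessionInfo descriptor that Net Cease rewrites, and lists who currently holds remote access. It assumes it is run elevated on the host being audited and that both registry values exist on that Windows build.

```powershell
# Added example: decode the two security descriptors behind remote SAM access and
# NetSessionEnum, and warn when broad groups still have an Allow ACE.
function Resolve-Sid([System.Security.Principal.SecurityIdentifier]$Sid) {
    try { $Sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $Sid.Value }
}

# One row per ACE in a descriptor's DACL.
function Get-DaclRows($Setting, [System.Security.AccessControl.RawSecurityDescriptor]$Sd) {
    foreach ($ace in $Sd.DiscretionaryAcl) {
        [pscustomobject]@{
            Setting  = $Setting
            Type     = $ace.AceType
            Identity = Resolve-Sid $ace.SecurityIdentifier
            Mask     = ('0x{0:X}' -f $ace.AccessMask)
        }
    }
}

function Get-RemoteSamPolicy {
    # SAMRi10 writes an SDDL string here; if it is absent the OS default applies.
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $sddl = (Get-ItemProperty -Path $key -Name RestrictRemoteSAM -ErrorAction SilentlyContinue).RestrictRemoteSAM
    if (-not $sddl) {
        return [pscustomobject]@{ Setting = 'RestrictRemoteSAM'; Type = 'n/a'; Identity = 'not set (OS default applies)'; Mask = '' }
    }
    Get-DaclRows 'RestrictRemoteSAM' (New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl))
}

function Get-NetSessionPolicy {
    # Net Cease rewrites this binary descriptor to drop Authenticated Users from it.
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity'
    $bytes = (Get-ItemProperty -Path $key -Name SrvsvcSessionInfo -ErrorAction Stop).SrvsvcSessionInfo
    Get-DaclRows 'SrvsvcSessionInfo' (New-Object System.Security.AccessControl.RawSecurityDescriptor($bytes, 0))
}

$report = @(Get-RemoteSamPolicy) + @(Get-NetSessionPolicy)
$report | Format-Table -AutoSize

# Authenticated Users or Everyone holding an Allow ACE on SrvsvcSessionInfo means any
# domain account can still run NetSessionEnum against this host.
$report | Where-Object { $_.Type -eq 'AccessAllowed' -and $_.Identity -match 'Authenticated Users|Everyone' } |
    ForEach-Object { Write-Warning "$($_.Setting): broad access granted to $($_.Identity)" }
```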
Run script as a process

One of the top recommended best practices from the point of view of security is to use an account with the least privileges possible, so that even if a session were compromised, the loss would be limited to the bare minimum. This is particularly true when an administrator is running Active Directory. No, you do not need to wear Nike running shoes to run Active Directory. If you believe that, you are in the wrong field.

This script allows you to run PowerShell scripts as a separate identity. In order to start a script as a different identity, this script has the console program wait until the called script has completed, and then returns to the prompt.
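An added example of the same mechanism (not the article's script): it launches a script under another identity, blocks the console until that child process exits, and surfaces the exit code. The script path and account name are placeholders.

```powershell
# Added example: run a script as a different, lower-privileged identity and wait for it.
param(
    [string]$ScriptPath = 'C:\Admin\Get-ADHealth.ps1',  # placeholder script to run
    [string]$RunAs      = 'CONTOSO\svc_adread'          # placeholder low-privilege account
)
$cred = Get-Credential -UserName $RunAs -Message "Password for $RunAs"

# -Wait blocks this console until the child powershell.exe exits;
# -PassThru returns the process object so the exit code can be inspected.
# The working directory must be readable by $RunAs, so it is set explicitly.
$proc = Start-Process -FilePath 'powershell.exe' `
    -ArgumentList @('-NoProfile', '-File', "`"$ScriptPath`"") `
    -Credential $cred `
    -WorkingDirectory (Split-Path -Path $ScriptPath -Parent) `
    -Wait -PassThru

if ($proc.ExitCode -ne 0) {
    Write-Warning "$ScriptPath exited with code $($proc.ExitCode) when run as $RunAs"
} else {
    Write-Host "$ScriptPath completed as $RunAs"
}
```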
File system security module

This module makes managing file and folder permissions in PowerShell very easy. NTFSSecurity gives you cmdlets for a variety of tasks, including day-to-day ones like pulling up permission reports, adding permissions to an item and removing ACEs (Access Control Entries). You can even use a cmdlet to get the specific permissions in place for a particular user.
Virus total report

Hackers are constantly on the lookout for high-privilege accounts to try and log in to systems on the network. This module searches the specified event logs (the security log by default) on the specified machines (all the domain controllers by default) for logon events from particular users (by default, all accounts that belong to tier 0 groups).

This module can help you assess which computers have been exposed in any suspected attack using specific privileged accounts. It works with Windows 7 and later.
SHA-1 Certificate signature check

Microsoft has plans to stop recognizing certificates with SHA-1 signatures. The currently available plans apply to server authentication certificates and to those used to sign executables in a Windows environment (code signing and time stamps).

Due to the complexity associated with handling certificates and PKI, it can be difficult to determine whether SHA-1 deprecation actually applies to a certain certificate or application. This module does precisely that. It can check TLS certificates and applications (EXEs). No, it cannot change your car's oil or make you some pancakes, so don't ask about that!
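An added example of such a check, not the module the article refers to: it walks the signing chain of an Authenticode-signed EXE and the chain of a server's TLS certificate, and flags any non-root certificate signed with SHA-1. The file path and host name at the bottom are placeholders.

```powershell
# Added example: report SHA-1 signatures in a signed EXE's chain and a TLS chain.
function Test-Sha1Chain([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [string]$Source) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # hash algorithms are the only concern here
    [void]$chain.Build($Cert)
    foreach ($el in $chain.ChainElements) {
        $c = $el.Certificate
        $isRoot = ($c.Subject -eq $c.Issuer)
        [pscustomobject]@{
            Source    = $Source
            Subject   = $c.Subject
            Algorithm = $c.SignatureAlgorithm.FriendlyName
            # A self-signed root is trusted by its presence in the store, not by its own
            # signature, so a SHA-1 root by itself is not a deprecation problem.
            Affected  = (-not $isRoot) -and ($c.SignatureAlgorithm.FriendlyName -match 'sha1')
            NotAfter  = $c.NotAfter
        }
    }
}

function Test-ExeSignature([string]$Path) {
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') { Write-Warning "$Path : signature status $($sig.Status)"; return }
    Test-Sha1Chain -Cert $sig.SignerCertificate -Source $Path
}

function Test-TlsCertificate([string]$HostName, [int]$Port = 443) {
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    # Accept whatever the server presents: the certificate is being inspected, not trusted.
    $cb  = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
    try {
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        Test-Sha1Chain -Cert $cert -Source "${HostName}:$Port"
    } finally { $ssl.Dispose(); $tcp.Dispose() }
}

$findings = @(Test-ExeSignature 'C:\Tools\example.exe') + @(Test-TlsCertificate 'intranet.example.com')
$findings | Format-Table Source, Subject, Algorithm, Affected, NotAfter -AutoSize
$findings | Where-Object Affected | ForEach-Object { Write-Warning "SHA-1 signature in chain for $($_.Source): $($_.Subject)" }
```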
Detect local admins

Local admin groups are one of the biggest points of vulnerability for a system, where hackers can create local admin accounts on specific systems without being noticed. This script routinely queries multiple machines for changes in their local admin groups and sends email reports whenever new members are added.
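An added example of that drift check, not the article's script: it collects the local Administrators membership of every listed machine, compares it with a saved baseline, and mails a report of any new members. The file paths, SMTP server and addresses are placeholders; it assumes PowerShell Remoting and the LocalAccounts cmdlets on the targets.

```powershell
# Added example: detect new local Administrators members across many machines.
param(
    [string]$Computernames = 'C:\Admin\computers.txt',            # placeholder hostname list
    [string]$BaselinePath  = 'C:\Admin\localadmins-baseline.json', # placeholder baseline file
    [string]$SmtpServer    = 'smtp.example.com',                   # placeholder
    [string]$To            = 'secops@example.com',                 # placeholder
    [string]$From          = 'localadmin-watch@example.com'        # placeholder
)

$computers = Get-Content -Path $Computernames | Where-Object { $_.Trim() -ne '' }
$current = @{}
Invoke-Command -ComputerName $computers -ErrorAction Continue -ScriptBlock {
    Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
        [pscustomobject]@{ Computer = $env:COMPUTERNAME; Member = $_.Name }
    }
} | ForEach-Object { $current[$_.Computer] += @($_.Member) }

# First run: record the baseline and stop.
if (-not (Test-Path -Path $BaselinePath)) {
    $current | ConvertTo-Json | Set-Content -Path $BaselinePath
    Write-Host "Baseline written to $BaselinePath"
    return
}
$baseline = @{}
(Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json).PSObject.Properties |
    ForEach-Object { $baseline[$_.Name] = @($_.Value) }

# A machine missing from the baseline counts as all-new, which is what we want to hear about.
$added = foreach ($c in $current.Keys) {
    foreach ($m in $current[$c]) {
        if ($baseline[$c] -notcontains $m) { "$c : $m" }
    }
}

if ($added) {
    $body = "New local Administrators members since baseline:`n" + ($added -join "`n")
    Send-MailMessage -SmtpServer $SmtpServer -To $To -From $From -Subject 'Local admin group change' -Body $body
    # Only refresh the baseline after the report went out, so no change is silently accepted.
    $current | ConvertTo-Json | Set-Content -Path $BaselinePath
}
```

Schedule it with Task Scheduler to get the routine polling the section describes.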
Kerberos Golden Ticket Check

Kerberos is a protocol and mechanism that allows nodes communicating over non-secure networks to prove their identity to each other in a secure way. It is possible for a hacker who has gained entry into a computer to create what is called a Kerberos ticket-granting ticket (TGT). No, you cannot see your local baseball or basketball team play with these types of tickets! That is not going to work!

Such tickets are a way for hackers to maintain access to systems for a long period of time and keep ferreting away small amounts of data continuously. This is what is called a golden ticket attack, one in which the hacker is able to create a ticket that is valid for 10 years (that is more than one season; that is a lot of games without paying!) or even longer by manipulating domain controllers and Active Directory. These tickets can be generated once the hacker gets his hands on an ID with domain administrator privileges. This script is a module that can help in examining a computer's Kerberos ticket caches for such ticket-granting tickets.
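An added example of one such cache check, not the module the article mentions: it parses the output of klist.exe and flags ticket-granting tickets (krbtgt service) whose lifetime or renewal window exceeds what domain policy hands out. It assumes the Windows klist line layout and the default Kerberos policy of 10 hours ticket life and 7 days renewal; adjust the two parameters to your domain.

```powershell
# Added example: find TGTs in the current logon session's cache whose validity
# period is longer than policy allows, the hallmark of a forged golden ticket.
param(
    [timespan]$MaxTicketLife = (New-TimeSpan -Hours 10),  # assumption: default policy
    [timespan]$MaxRenewLife  = (New-TimeSpan -Days 7)     # assumption: default policy
)

function Get-KerberosTickets([string[]]$KlistLines) {
    $ticket = $null
    foreach ($line in $KlistLines) {
        if ($line -match '^\s*#\d+>\s*Client:\s*(.+)$') {
            if ($null -ne $ticket) { $ticket }     # emit the previous ticket
            $ticket = [ordered]@{ Client = $Matches[1].Trim(); Server = ''; Start = $null; End = $null; Renew = $null }
        } elseif ($null -ne $ticket -and $line -match '^\s*Server:\s*(.+)$') {
            $ticket.Server = $Matches[1].Trim()
        } elseif ($null -ne $ticket -and $line -match '^\s*(Start|End|Renew) Time:\s*(.+?)\s*\(local\)\s*$') {
            # klist prints local time in the current culture's short format, so Parse matches it.
            $ticket[$Matches[1]] = [datetime]::Parse($Matches[2])
        }
    }
    if ($null -ne $ticket) { $ticket }
}

function Test-GoldenTicket($t) {
    if ($t.Server -notmatch '^krbtgt/') { return $null }   # only ticket-granting tickets
    $life  = $t.End - $t.Start
    $renew = if ($null -ne $t.Renew) { $t.Renew - $t.Start } else { [timespan]::Zero }
    [pscustomobject]@{
        Client     = $t.Client
        Server     = $t.Server
        TicketLife = $life
        RenewLife  = $renew
        Suspicious = ($life -gt $MaxTicketLife) -or ($renew -gt $MaxRenewLife)
    }
}

$tickets = Get-KerberosTickets (& klist.exe)
$tickets | ForEach-Object { Test-GoldenTicket $_ } | Where-Object { $null -ne $_ } | Format-Table -AutoSize
```

Run it in the context of each logon session you want to inspect, since klist only shows the caller's own ticket cache.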