
PowerShell is Top Attack Vector for Critical Security Threats: Research

Written by Paul Shread, ServerWatch
May 19, 2021

PowerShell was the source of more than a third of critical security threats detected by Cisco Secure Endpoint in the second half of 2020.

Dual-use tool exploitation, meaning the abuse of legitimate administration tools such as PowerShell, was the top threat category Cisco detected, followed by ransomware, fileless malware, and credential dumping. PowerShell was also a primary vector in those last two categories.

Ransomware has dominated the headlines, thanks to the devastating Colonial Pipeline attack, but server admins should note that PowerShell abuse was the more common finding in Cisco's data, and that the two are not separate problems: PowerShell is a common way for ransomware to be staged and launched.

Cisco Secure Endpoint is an endpoint detection and response (EDR) tool that monitors endpoints such as servers and PCs and responds to security breaches. Cisco recommends a number of protection steps that are, naturally, made easier with Cisco Secure Endpoint, but other EDR tools are also generally effective against PowerShell abuse, since they watch script content and process behaviour rather than only files on disk.

PowerShell security steps

There are a number of steps admins can (and should) take that are completely free: preventing or restricting PowerShell execution for non-admin accounts, allowing only signed scripts to run, and enforcing Constrained Language mode. One caveat up front: the execution policy is a guardrail against accidentally running untrusted scripts, not a security boundary. A user or an attacker who already has code execution can work around it (piping script text into powershell.exe, or calling Invoke-Expression on a file's contents, are the simplest ways), so it should be combined with application control such as AppLocker or Windows Defender Application Control, which is also what enforces Constrained Language mode, rather than relied on alone.

The Center for Internet Security offers a number of steps admins can take to help secure PowerShell.

Only network admins and other IT pros need access to PowerShell, CIS notes, so prevent or restrict its execution for everyone else and allow execution of signed scripts only. Disable or restrict Windows Remote Management (WinRM), the service PowerShell Remoting runs over, as well.
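The following script is an added example, not code from the article or from CIS. It reports the state of the controls named above (execution policy, Constrained Language mode, WinRM) plus one related check a practitioner would want, so you can see what a machine actually enforces before and after applying the policies. It assumes Windows PowerShell 5.1 on Windows 10 / Server 2016 or later, run from an elevated session; the DISM feature name for the 2.0 engine is an assumption noted in the code.

```powershell
# Added example, not from the article or CIS: report the state of the controls
# above (execution policy, Constrained Language mode, WinRM) plus the PowerShell
# 2.0 engine check. Assumes Windows PowerShell 5.1, elevated session.
function Get-PowerShellHardeningState {
    [CmdletBinding()]
    param()

    # Execution policy at every scope. The effective policy is the first scope
    # that is not Undefined, and MachinePolicy (Group Policy) wins over
    # Set-ExecutionPolicy and over 'powershell.exe -ExecutionPolicy Bypass'.
    $policies      = Get-ExecutionPolicy -List
    $effective     = Get-ExecutionPolicy
    $machinePolicy = ($policies | Where-Object Scope -eq 'MachinePolicy').ExecutionPolicy

    # Language mode of this session. FullLanguage gives scripts the whole .NET
    # API (Add-Type, reflection, Win32 calls); ConstrainedLanguage is what an
    # AppLocker or WDAC policy enforces for non-admin users.
    $languageMode = $ExecutionContext.SessionState.LanguageMode

    # WinRM: service state and active listeners. "Disable or restrict WinRM"
    # means a stopped service, or a running one with no listener reachable
    # from untrusted networks.
    $winrm       = Get-Service -Name WinRM -ErrorAction SilentlyContinue
    $winrmStatus = if ($winrm) { [string]$winrm.Status } else { 'NotInstalled' }
    $listeners   = @()
    if ($winrm -and $winrm.Status -eq 'Running') {
        $listeners = @(Get-ChildItem -Path WSMan:\localhost\Listener -ErrorAction SilentlyContinue)
    }

    # PowerShell 2.0 engine (DISM feature name assumed to be
    # MicrosoftWindowsPowerShellV2). If it is still installed, 'powershell
    # -Version 2' sidesteps Constrained Language mode and AMSI entirely.
    $v2 = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2 -ErrorAction SilentlyContinue

    [PSCustomObject]@{
        EffectiveExecutionPolicy = [string]$effective
        MachinePolicy            = [string]$machinePolicy      # 'Undefined' when no GPO applies
        PolicyEnforcedByGpo      = ([string]$machinePolicy -ne 'Undefined')
        LanguageMode             = [string]$languageMode
        WinRMServiceStatus       = $winrmStatus
        WinRMListenerCount       = $listeners.Count
        PowerShellV2Installed    = [bool]($v2 -and $v2.State -eq 'Enabled')
    }
}

# Turn the state into the findings a server admin would act on.
function Test-PowerShellHardening {
    $state    = Get-PowerShellHardeningState
    $findings = @()
    if ($state.EffectiveExecutionPolicy -in 'Unrestricted', 'Bypass', 'Undefined') {
        $findings += "Execution policy is $($state.EffectiveExecutionPolicy); set AllSigned (or RemoteSigned) through Group Policy"
    }
    if (-not $state.PolicyEnforcedByGpo) {
        $findings += 'Execution policy is not set by Group Policy, so any user can change it with Set-ExecutionPolicy -Scope CurrentUser'
    }
    if ($state.LanguageMode -eq 'FullLanguage') {
        $findings += 'Session runs in FullLanguage mode; enforce ConstrainedLanguage for non-admins with AppLocker or WDAC'
    }
    if ($state.WinRMListenerCount -gt 0) {
        $findings += "WinRM has $($state.WinRMListenerCount) active listener(s); disable it or restrict it to management hosts"
    }
    if ($state.PowerShellV2Installed) {
        $findings += 'PowerShell 2.0 engine is installed; remove it with Disable-WindowsOptionalFeature to close the downgrade path'
    }
    [PSCustomObject]@{ State = $state; Findings = $findings }
}

Test-PowerShellHardening | Format-List
```

Run it once before and once after the Group Policy changes described below; the `PolicyEnforcedByGpo` field flipping to `True` is the confirmation that the setting can no longer be changed per user with `Set-ExecutionPolicy`.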

CIS includes a tutorial for managing Script Execution in Group Policy settings.

To turn on Script Execution in Group Policy settings:

  • Open the Group Policy editor: gpedit.msc for the local policy (the CIS tutorial reaches it through Start Menu > Control Panel > System and Security > Administrative Tools), or the Group Policy Management Console to create or edit a domain Group Policy Object
  • Navigate to Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell > Turn on Script Execution

The Turn on Script Execution policy has three states:

  • Not Configured leaves the execution policy to whatever Set-ExecutionPolicy has set locally, which any user can change for their own scope
  • Disabled sets the execution policy to Restricted: scripts do not run, but interactive PowerShell commands still work, so this does not disable PowerShell itself
  • Enabled lets you select the execution policy; Allow only signed scripts (AllSigned) is the CIS recommendation, with Allow local scripts and remote signed scripts (RemoteSigned) and Allow all scripts (Unrestricted) as the other options
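The script below is an added example, not code from the article or from CIS. It applies the registry values that the "Turn on Script Execution" policy writes, verifies the result from a fresh process, and then demonstrates why the setting is a guardrail rather than a boundary. It assumes Windows PowerShell 5.1 in an elevated session on a standalone or lab machine; on a domain member, set the GPO itself, because local values under the Policies key are overwritten at the next policy refresh. The registry key, value names, and the temporary test script path are the assumptions it relies on.

```powershell
# Added example, not from the article or CIS. Assumes Windows PowerShell 5.1,
# elevated session, standalone or lab machine (a domain GPO would overwrite
# these values at the next policy refresh).
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Set-ScriptExecutionPolicyViaPolicy {
    param(
        # Enabled + AllSigned is the CIS recommendation. 'Disabled' is the
        # policy's Disabled state: no scripts run, interactive use still works.
        [ValidateSet('AllSigned', 'RemoteSigned', 'Unrestricted', 'Disabled')]
        [string]$Mode = 'AllSigned'
    )
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    if ($Mode -eq 'Disabled') {
        Set-ItemProperty -Path $PolicyKey -Name EnableScripts -Value 0 -Type DWord
        Remove-ItemProperty -Path $PolicyKey -Name ExecutionPolicy -ErrorAction SilentlyContinue
    } else {
        Set-ItemProperty -Path $PolicyKey -Name EnableScripts -Value 1 -Type DWord
        Set-ItemProperty -Path $PolicyKey -Name ExecutionPolicy -Value $Mode -Type String
    }
    # Read the result back from a new process: the MachinePolicy scope is what
    # Group Policy controls, and it overrides every other scope, including the
    # -ExecutionPolicy command-line switch.
    & powershell.exe -NoProfile -Command 'Get-ExecutionPolicy -List | Where-Object Scope -eq MachinePolicy'
}

# With AllSigned enforced, running an unsigned .ps1 as a file is refused, but
# the same text fed to Invoke-Expression runs, because the execution policy only
# governs script files, not commands. This is one of the classic execution
# policy bypasses and the reason AllSigned must be paired with AppLocker/WDAC
# and Constrained Language mode.
function Test-ExecutionPolicyIsNotABoundary {
    $script = Join-Path $env:TEMP 'unsigned-demo.ps1'          # constructed test script
    Set-Content -Path $script -Value '"hello from an unsigned script"'

    $asFile = & powershell.exe -NoProfile -File $script 2>&1 | Out-String
    $asText = & powershell.exe -NoProfile -Command "Invoke-Expression (Get-Content -Raw '$script')"
    Remove-Item $script -ErrorAction SilentlyContinue

    [PSCustomObject]@{
        RunAsFile        = $asFile.Trim()   # under AllSigned: "... is not digitally signed ..."
        RunViaInvokeExpr = $asText          # still "hello from an unsigned script"
    }
}

Set-ScriptExecutionPolicyViaPolicy -Mode AllSigned
Test-ExecutionPolicyIsNotABoundary | Format-List
```

Once MachinePolicy is set, `Set-ExecutionPolicy` in any session reports that the setting is overridden by Group Policy, which is exactly the behaviour you want; the second function shows what the policy still does not stop.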

Digital risk management vendor Digital Shadows also offers a number of PowerShell security tips, including using Constrained Language mode; NetSPI catalogues 15 ways that PowerShell execution policies can be bypassed, which is worth reading before treating the policy as a control in its own right; and PowerShell Protect is a downloadable tool that hooks into the Antimalware Scan Interface (AMSI) to audit and block scripts before they execute.
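The script below is an added example, not code from Digital Shadows, NetSPI, or PowerShell Protect. It contains two checks for the controls named above: whether AMSI is actually scanning script content, and what Constrained Language mode changes for a script. It assumes Windows PowerShell 5.1 on Windows 10 / Server 2016 or later with Microsoft Defender (or another AMSI provider) running. The `__PSLockdownPolicy` environment variable it uses is a test-only switch and is not a deployment method; that and the probe text are the assumptions it relies on.

```powershell
# Added example, not from Digital Shadows, NetSPI or PowerShell Protect.
# Assumes Windows PowerShell 5.1 with an AMSI provider (e.g. Defender) active.

# 1. Is AMSI actually scanning script content? The string assembled below is
#    Microsoft's published AMSI test sample (the AMSI counterpart of the EICAR
#    file). It is built from fragments so that this file itself is not flagged
#    on load; the joined string handed to Invoke-Expression is scanned as a new
#    script block, and a working provider blocks it at parse time.
function Test-AmsiActive {
    $sample = 'AMSI Test Sample: ' + '7e72c3ce-861b-4339-' + '8740-0ac1484c1386'
    try {
        Invoke-Expression "Write-Output '$sample'" | Out-Null
        return $false    # the content ran, so nothing scanned it
    } catch {
        # Defender reports the block as a parse error with this error id.
        return ($_.FullyQualifiedErrorId -like '*ScriptContainedMaliciousContent*')
    }
}

# 2. What Constrained Language mode changes for a script. __PSLockdownPolicy is
#    a test-only switch in Windows PowerShell that starts child processes in
#    ConstrainedLanguage; any user can unset it, so it is NOT a deployment
#    method (use an AppLocker or WDAC policy). It is used here only to show the
#    effect side by side. The probe is passed as -EncodedCommand to avoid
#    command-line quoting problems.
function Compare-LanguageModes {
    $probe = @'
$ExecutionContext.SessionState.LanguageMode
try { (New-Object System.Net.WebClient).GetType().Name } catch { 'blocked: ' + $_.Exception.Message }
'@
    $encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($probe))

    $full = & powershell.exe -NoProfile -EncodedCommand $encoded
    $env:__PSLockdownPolicy = '4'
    try     { $constrained = & powershell.exe -NoProfile -EncodedCommand $encoded }
    finally { Remove-Item Env:\__PSLockdownPolicy -ErrorAction SilentlyContinue }

    [PSCustomObject]@{
        FullLanguage        = ($full -join ' | ')          # FullLanguage | WebClient
        ConstrainedLanguage = ($constrained -join ' | ')   # ConstrainedLanguage | blocked: ...
    }
}

[PSCustomObject]@{ AmsiActive = Test-AmsiActive } | Format-List
Compare-LanguageModes | Format-List
```

If `AmsiActive` comes back `False` on a machine that should have Defender running, either real-time protection is off or something has tampered with AMSI, and that is worth an investigation before any of the other hardening is trusted. The second output shows the practical effect of Constrained Language mode: the same one-liner that instantiates a .NET web client in FullLanguage fails in ConstrainedLanguage, which is what takes most download-and-execute tooling away from a non-admin user.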



eSecurity Editor Paul Shread has covered nearly every aspect of enterprise technology in his 20+ years in IT journalism, including an award-winning series on software-defined data centers. He wrote a column on small business technology for Time.com, and covered financial markets for 10 years, from the dot-com boom and bust to the 2007-2009 financial crisis. He holds a market analyst certification.
