9 essential PowerShell security scripts every admin must know

PowerShell is an advanced administration tool for Windows. Some end users with advanced knowledge or those who have worked with earlier versions of Windows may be more familiar with the humble command prompt via which you can run commands and scripts. PowerShell is similar but a lot more advanced in terms of functionality.

PowerShell gives you advanced functionalities for configuration management and task automation. The tool includes both a scripting language and a command line shell. It was built on the .Net Framework. PowerShell gives you an Integrated Scripting Environment (ISE), which gives you a GUI where you can get all your scripting done.

PowerShell has been the leading administration tool for Windows for more than a decade. But are you taking advantage of this tool to the fullest? Here are some essential PowerShell security tips for Windows administrators.

Clean up admin group

Having multiple users on a local administration group creates one of the biggest and most common loopholes for a hacker to break in to. This script gives you the ability to remove the names of multiple users from the local administrator groups of multiple computers in one shot. It takes in a text file with the names of users to be removed and another text file with the names of the machines on which this is to be done.

All you need to modify in the script before running it is to a) replace the name present in the variable $Computernames with the name of the text file containing the machine names, and b) replace the name present in the variable $Admins with the name of the text file containing the user names.

Harden SAM Access

Once hackers are able to breach a system through a particular point of vulnerability, they use compromised local and domain credentials to move around their victim network. One way to get all local and domain users along with group memberships to map possible routes in Windows 10 is to question the Security Account Manager remotely using the SAMR protocol.

While it used to be that SAM could be accessed remotely by any network-connected user, Windows 10 later introduced an option to control access to SAM and also modified the default permissions to permit remote access only to administrators. The SAMRi10 script allows you to harden the remote access by giving SAM access to only members of a specific group. No, this is not discrimination, this is security protocols!

Harden Net Sessions Enumeration

Net Sessions Enumeration can be used by attackers to get information about the sessions established on a server including computer names, usernames, session active times, and IP addresses. NetSessionEnum can be executed by any authenticated user by default. The Net Cease script alters this by giving you the ability to remove the execute permissions for all authenticated users and instead add permissions to particular sessions.

Run script as a process

One of the top recommended best practices from the point of view of security is to use an account with the least privileges possible so that even if a session were compromised, the loss would be limited to the bare minimum. This is particularly true when an administrator is running Active Directory. No you do not need to wear Nike running shoes to run Active Directory. If you believe that, you are in the wrong field.

This script allows you to run PowerShell scripts as a separate identity. In order to start a script as a different identity, this script would have the console program wait till the called script is completed, and then returns to the prompt.

File system security module

This module makes managing file and folder permissions in Powershell very easy. NTFSSecurity gives you cmdlets for a variety of tasks including day to day ones like pulling up permission reports, adding permissions to an item and removing ACEs (Access Control Entries). You can even use a cmdlet to get the specific permissions in place for a particular user.

Virus total report

Hackers are constantly on the lookout for high privilege accounts to try and login to systems on the network. This module searches for all the specified event logs (with the security log being the default) on the specified machines (all the domain controllers being the default) for logon events from particular users (the default setting is for all accounts which belong to tier 0 groups).

This module can help you assess which computers have been exposed in any suspected attack using specific privileged accounts. It works with all the Windows versions 7 and upwards.

SHA-1 Certificate signature check

Microsoft has plans to stop recognizing certificates with SHA-1 signatures. The currently available plans are applicable to server authentication certificates and those used to sign executables in a Windows environment (code signing and time stamps).

Due to the complexity associated with handling certificates and PKI, it can be difficult to determine whether SHA-1 deprecation actually applies to a certain certificate or application. This module does precisely that. It can check for TLS certificates and applications (EXE’s). No, it cannot change your car’s oil or make you some pancakes, so don’t ask about that!

Detect local admins

PowerShell Security Scripts for Windows Administrators

Local admin groups are one of the biggest points of vulnerability for a system where hackers can create local admin accounts on specific systems without being noticed. This script routinely questions multiple machines for changes in local admin groups and sends email reports whenever new members are added.

Kerberos Golden Ticket Check

Kerberos is a protocol and mechanism that allows nodes communicating over nonsecure networks to prove their identity to each other in a secure way. It is possible for a hacker who has gained entry into a computer to create what is called a Kerberos ticket granting access. No, you cannot see your local baseball or basketball team play with these types of tickets! That is not going to work!

Such tickets are a way for hackers to be able to maintain system accesses for a long period of time and keep ferreting away small amounts of data continuously.

This is what is called a golden ticket attack, one in which the hacker is able to create a ticket that is valid for 10 years (that is more than one season; that is a lot of games without paying!) or even longer by manipulating domain controllers and Active Directory. These tickets can be generated once the hacker gets his hands on an ID with domain administrator privileges. This script is a module that can help in examining a computer’s Kerberos ticket caches for such ticket granting tickets.

About The Author

3 thoughts on “9 essential PowerShell security scripts every admin must know”

  1. Very nice article, but with the exception of the URL – which does point to a Virustotal-querying script – everything else under the “Virustotal report” section is about checking for privileged logins. Please and thank you update the article to include write-ups on both scripts!

  2. I have to assume that a marketing *genius* chose the headline image for this one. Hilarious and ironic that this article displays a Linux root filesystem on an article describing powershell hot-tips.

    All in all, not a bad article. Local Admin access for standard users is one of the most commonly exploited loopholes on your average system. Also quite impressed you mentioned and provided a script for Golden Ticket mitigation.

    I would have liked to have seen remote execution of powershell scripts to be mitigated though. Powershell is powerful. Hackers think so too, so admins probably shouldn’t let it be run from remote systems 🙂

Leave a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top