4 Replies Latest reply: Jul 6, 2013 8:16 PM by sdelvecchio

    Block Powershell


      I recently received a request from our Windows admins to block PowerShell on a few servers.  My question is, can that be done using access protection?  I have tried using the path and the executable; neither seems to work. Any ideas if this is even possible?

        • 1. Re: Block Powershell
          Laszlo G

          I've tried setting a user-defined rule under access protection and it worked for me, but only using the full path instead of %systemroot%







          • 2. Re: Block Powershell

            Hi there.


            Must you use McAfee*something?


            Can't you create a software restriction policy like in the attached images?

            You can do it by path (%systemroot% bla bla) and also by hash, so you could re-enforce it (if I may say so).

            I did a test with write.exe and it seems to work the way I think you want...


            Take care...
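
            An added example, not part of the original posts: replies 1 and 2 mention rules by full path and by hash, so this script lists the full path, file version and SHA-256 of each Windows PowerShell host binary that such a rule would need to cover. The function name `Get-PowerShellHostInventory` is hypothetical, and the default install locations and PowerShell 3.0 or later are assumed.

```powershell
# Added example: inventory the Windows PowerShell host binaries on this server
# so a full-path rule or a hash rule can be written for each one.
# Run from a 64-bit console: a 32-bit process is redirected from System32
# to SysWOW64 and would report the wrong binaries.
function Get-PowerShellHostInventory {
    param([string]$Root = $env:SystemRoot)

    # Assumption: default install locations, relative to %SystemRoot%.
    $relative = @(
        'System32\WindowsPowerShell\v1.0\powershell.exe',
        'System32\WindowsPowerShell\v1.0\powershell_ise.exe',
        'SysWOW64\WindowsPowerShell\v1.0\powershell.exe',      # 32-bit host on 64-bit Windows
        'SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe'
    )

    foreach ($rel in $relative) {
        $full = Join-Path -Path $Root -ChildPath $rel
        if (-not (Test-Path -LiteralPath $full -PathType Leaf)) {
            # Report missing binaries too, so the rule list is explicit about them.
            [pscustomobject]@{ FullPath = $full; Present = $false; Version = $null; SHA256 = $null }
            continue
        }

        # Hash with .NET directly so this works where Get-FileHash is unavailable.
        $sha    = [System.Security.Cryptography.SHA256]::Create()
        $stream = [System.IO.File]::OpenRead($full)
        try {
            $hash = [System.BitConverter]::ToString($sha.ComputeHash($stream)) -replace '-', ''
        } finally {
            $stream.Dispose()
            $sha.Dispose()
        }

        [pscustomobject]@{
            FullPath = $full                                   # expanded path, no %systemroot%
            Present  = $true
            Version  = (Get-Item -LiteralPath $full).VersionInfo.FileVersion
            SHA256   = $hash
        }
    }
}

Get-PowerShellHostInventory | Format-List
```

            A hash identifies one exact file, so re-run the inventory after any Windows update that replaces these binaries and refresh the hash rule accordingly.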



            • 3. Re: Block Powershell

              I am unsure if that is a long term fix for servers. There are a lot of functions within servers (especially 2012) that just won't work without it. You might be able to block PS but that might prevent any type of change.


              It might be safer to remove PS from servers instead. That way Windows is aware it is missing and will gracefully stop.


              Long term, using Application Control is definitely a better solution.

              • 4. Re: Block Powershell

                My first question would be why do they need to block PS? I would assume it has to do with not allowing anyone to run tasks with it. If that is the case, using McAfee to restrict an integral Microsoft system on a Microsoft server or workstation is best managed using the Microsoft tools such as a security policy, GPO or system ACLs.


                This is like creating a wheel and then having to create a wedge to stop the wheel from rolling.


                Message was edited by: sdelvecchio on 7/6/13 8:16:50 PM CDT