669 Views 4 Replies Latest reply: Jul 6, 2013 8:15 PM by sdelvecchio RSS
awsomaha Newcomer 26 posts since
Oct 27, 2004

Jun 28, 2013 9:42 AM

Block Powershell

I recently received a request from our Windows admins to block PowerShell on a few servers. My question is, can that be done using Access Protection? I have tried using the path and the executable; neither seems to work. Any ideas if this is even possible?

  • Laszlo G Veteran 1,213 posts since
    May 23, 2007
    1. Jul 2, 2013 2:50 AM (in response to awsomaha)
    Re: Block Powershell

    I've tried setting a user-defined rule under Access Protection and it worked for me, but only using the full path instead of %systemroot%.

  • tornadoro Newcomer 3 posts since
    Mar 14, 2010
    2. Jul 4, 2013 3:15 PM (in response to Laszlo G)
    Re: Block Powershell

    Hi there.

    Must you use McAfee*something?

    Can't you create a software restriction policy like in the attached images?

    You can do it by path (%systemroot% bla bla ) and also by hash, so you could reinforce it (if I may say so).

    I did a test with write.exe and it seems to work the way I think you want...

    Take care...
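
The path and hash rules discussed in the two replies above both depend on the exact location of each PowerShell host binary. The following is an added example, not part of any poster's reply: it lists the full paths and SHA-256 hashes to write those rules against. It assumes the default install locations under %SystemRoot% and PowerShell 4.0 or later (for `Get-FileHash`); the function name `Get-PowerShellHostInventory` is hypothetical.

```powershell
# Added example (not from the thread): inventory the PowerShell host binaries
# so a full-path rule or a hash rule can be written for each one.
# Assumption: default install locations under %SystemRoot%.
# Run from a 64-bit session; in a 32-bit process, file system redirection
# silently maps System32 to SysWOW64 and both rows would describe the same file.

function Get-PowerShellHostInventory {
    param(
        [string]$SystemRoot = $env:SystemRoot
    )

    $relativePaths = @(
        'System32\WindowsPowerShell\v1.0\powershell.exe',
        'System32\WindowsPowerShell\v1.0\powershell_ise.exe',
        'SysWOW64\WindowsPowerShell\v1.0\powershell.exe',
        'SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe'
    )

    foreach ($rel in $relativePaths) {
        # Expand to a literal full path, since a rule written with an
        # environment variable may not match (see the reply about %systemroot%).
        $full = Join-Path -Path $SystemRoot -ChildPath $rel

        # SysWOW64 is absent on 32-bit Windows and the ISE is an optional
        # feature on servers, so skip anything that is not present.
        if (-not (Test-Path -LiteralPath $full -PathType Leaf)) {
            continue
        }

        $item = Get-Item -LiteralPath $full
        [pscustomobject]@{
            FullPath    = $full
            FileVersion = $item.VersionInfo.FileVersion
            SHA256      = (Get-FileHash -LiteralPath $full -Algorithm SHA256).Hash
        }
    }
}

Get-PowerShellHostInventory | Format-List
```

A hash rule matches only the exact file contents, so the hashes need to be collected again whenever an update replaces these binaries.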

  • petersimmons McAfee Employee 230 posts since
    Dec 22, 2009
    3. Jul 6, 2013 8:02 PM (in response to awsomaha)
    Re: Block Powershell

    I am unsure if that is a long-term fix for servers. There are a lot of functions within servers (especially 2012) that just won't work without it. You might be able to block PS but that might prevent any type of change.

    It might be safer to remove PS from servers instead. That way Windows is aware it is missing and will gracefully stop.

    Long term, using Application Control is definitely a better solution.

  • sdelvecchio The Place at McAfee Member 75 posts since
    Jan 8, 2010
    4. Jul 6, 2013 8:16 PM (in response to awsomaha)
    Re: Block Powershell

    My first question would be why do they need to block PS? I would assume it has to do with not allowing anyone to run tasks with it. If that is the case, using McAfee to restrict an integral Microsoft system on a Microsoft server or workstation is best managed using the Microsoft tools such as a security policy, GPO or system ACLs.

     

    This is like creating a wheel and then having to create a wedge to stop the wheel from rolling.

     

    Message was edited by: sdelvecchio on 7/6/13 8:16:50 PM CDT

    Stephen Del Vecchio
