{"id":6365,"date":"2019-03-19T09:45:08","date_gmt":"2019-03-19T14:45:08","guid":{"rendered":"https:\/\/www.poweradmin.com\/blog\/?p=6365"},"modified":"2019-03-05T16:00:17","modified_gmt":"2019-03-05T22:00:17","slug":"using-powershell-5-in-windows-7","status":"publish","type":"post","link":"https:\/\/www.poweradmin.com\/blog\/using-powershell-5-in-windows-7\/","title":{"rendered":"Using PowerShell 5 in Windows 7"},"content":{"rendered":"

By Des Nnochiri<\/span><\/strong><\/span><\/p>\n

\u00a0<\/p>\n

PowerShell has long been a go-to utility for Windows network users, and Windows 7 remains a powerful player in the Microsoft ecosystem. Though the company plans to withdraw support for the operating system in 2020, Windows 7 is still the Windows variant of choice for many users across the globe. <\/span><\/p>\n

\u00a0<\/span><\/p>\n

It\u2019s particularly popular in developing economies, where access to powerful hardware or the online connectivity needed to cope with the demands of Microsoft\u2019s grueling schedules of Windows 10 updates simply aren\u2019t available. Elsewhere, the ease of use, stronger privacy controls, and familiar interface of Windows 7 make it the preferred choice over Windows 10. <\/span><\/p>\n

\u00a0<\/span><\/p>\n

Whatever the circumstances, there\u2019s still life in the old Windows 7 as of yet.<\/span><\/p>\n

\u00a0<\/span><\/p>\n

As for PowerShell, Microsoft\u2019s task automation and configuration management framework has been open-source and cross-platform since August 2016 following the introduction of PowerShell Core. The utility retains its interface of a command-line shell and associated scripting language, from which administrative tasks are generally performed by \u201ccommand-lets\u201d or cmdlets.<\/span><\/p>\n

\u00a0<\/p>\n

\"\"<\/a><\/p>\n

\u00a0<\/p>\n

(Image source: <\/span>Wikipedia<\/a><\/span>)<\/span><\/p>\n

\u00a0<\/span><\/p>\n

The Need to Upgrade PowerShell on Windows 7<\/span><\/h2>\n

\u00a0<\/span><\/p>\n

PowerShell cmdlets work by accessing data from different data stores, such as the Windows 7 file system or registry. These repositories are made available to the program through various providers, which now include third parties due to the open source nature of the utility. <\/span><\/p>\n

\u00a0<\/span><\/p>\n

Since its launch in 2006, PowerShell\u2019s event logging functions have evolved considerably\u2014to the extent that the Windows 10 version of PowerShell has much more robust logging than its earlier iterations. Upgrading a Windows 7 PowerShell installation to version 5.x of the program makes these capabilities available to users of the older operating system.<\/span><\/p>\n

\u00a0<\/span><\/p>\n

Installing PowerShell 5<\/span><\/h2>\n

\u00a0<\/span><\/p>\n

Before <\/span>installing PowerShell 5 on Windows 7<\/a><\/span>, it\u2019s necessary to be running a system that already has Windows Management Framework 4.0 and the .NET Framework 4.5 installed. If you don\u2019t have a pre-existing installation of either or both of these environments, you\u2019ll need to install them first.<\/span><\/p>\n

\u00a0<\/span><\/p>\n

From that starting point, you can then install <\/span>Windows Management Framework 5.1<\/a><\/span>, which includes essential updates to Windows PowerShell that allow (among other things) improved PowerShell usage auditing with Transcription and Logging and enhanced PowerShell Script Debugging.<\/span><\/p>\n

\u00a0<\/span><\/p>\n

Enabling Enhanced Logging<\/span><\/h2>\n

\u00a0<\/span><\/p>\n

For Windows 7, enhanced logging may be enabled through Group Policy by going to Administrative Templates > Windows Components > Windows PowerShell. Settings may be configured as in the screenshot below.<\/span><\/p>\n

\u00a0<\/span><\/p>\n

\"\"<\/a><\/p>\n

\u00a0<\/p>\n

(Image source: <\/span>CSO Online)<\/a><\/span><\/p>\n

\u00a0<\/span><\/p>\n

Configuration Options<\/span><\/h2>\n

\u00a0<\/span><\/p>\n

The \u201cTurn on Module logging\u201d setting records portions of scripts and decrypted or de-obfuscated code. It logs events to event ID 4103 in the Windows PowerShell log. The Get-Module -ListAvailable PowerShell cmdlet displays a list of available modules from which you can choose the specific ones that you wish to track. If you wish to audit all the available modules in a system, use the wildcard variable (*).<\/span><\/p>\n

\u00a0<\/span><\/p>\n

\u201cTurn on PowerShell Script Block logging\u201d records whenever blocks of code are executed and is instrumental in guarding against cyber-attacks or insertions of malicious code in your network environment. Tracking is enabled for both complete scripts and individual commands.<\/span><\/p>\n

\u00a0<\/span><\/p>\n

PowerShell Transcription logging is another option that\u2019s useful in identifying potential avenues of attack. It provides a real-time transcript of each PowerShell session with input and output events.<\/span><\/p>\n

\u00a0<\/span><\/p>\n

\"\"<\/a><\/p>\n

\u00a0<\/p>\n

(Image source: <\/span>CSO Online<\/a><\/span>)<\/span><\/p>\n

\u00a0<\/span><\/p>\n

For best results, the PowerShell event log should be as large as possible, one gigabyte of storage being the optimum desirable for a Windows 7 network environment. Ideally, log files should be exported from machines for later review in sensitive or secure environments.\u00a0\u00a0\u00a0 <\/span><\/p>\n

\u00a0<\/span><\/p>\n

\"\"<\/a><\/p>\n

\u00a0<\/p>\n

(Image source: <\/span>CSO Online<\/a><\/span>)<\/span><\/p>\n

\u00a0<\/span><\/p>\n

PowerShell Security Scripts <\/span><\/h2>\n

\u00a0<\/span><\/p>\n

PowerShell provides full access to COM and WMI, enabling administrators to perform administrative tasks on Windows systems both locally and remotely. In addition, WS-Management and CIM enabling management of remote Linux systems and network devices may be coordinated through PowerShell. The PowerShell hosting API (application programming interface) allows the PowerShell runtime to be embedded inside other applications. <\/span><\/p>\n

\u00a0<\/span><\/p>\n

Features like this can increase the exposure of a network to attack vectors, so take precautionary steps to prevent or mitigate such attacks. PowerShell\u2019s scripting and automation capabilities can assist in this. Following Microsoft\u2019s purchase of Github in June 2018, PowerShell users now have access to an extensive <\/span>library of third party security scripts<\/a><\/span>, including the examples described below.<\/span><\/p>\n

\u00a0<\/span><\/p>\n

POSH-Sysmon<\/span><\/h2>\n

\u00a0<\/span><\/p>\n

Microsoft\u2019s Sysmon (system monitor) tool monitors systems and adds fine controls for configuring events to be tracked, even after a reboot. The PowerShell POSH-Sysmon script is based on PowerShell 3.0 or above and enables the use of PowerShell to create and manage Sysinternals Sysmon v2.0 configuration files. Events collected by the system monitor may be later analyzed and checked for malicious or anomalous activity. <\/span><\/p>\n

\u00a0<\/span><\/p>\n

Remove-LocalAdmins Masive<\/span><\/h2>\n

\u00a0<\/span><\/p>\n

The Remove-LocalAdmins Masive script enables network administrators to remove common local administrator passwords, which are often stolen and exploited by cyber criminals to facilitate sideways attacks across a network. The script analyzes all the computers specified in a given text file, looking for all the users listed in another file and then removes those users.<\/span><\/p>\n

\u00a0<\/span><\/p>\n

SecurityPolicyDsc<\/span><\/h2>\n

\u00a0<\/span><\/p>\n

The PowerShell SecurityPolicyDsc script can be used to set local security policies based on internal company practices and external recommendations, such as those from the Center for Internet Security. Once a standard workstation has been set up according to these policies and tested, PowerShell may also be used to recreate those settings across your organization. <\/span><\/p>\n

\u00a0<\/span><\/p>\n

Posh-SecMod for Network Discovery<\/span><\/h2>\n

\u00a0<\/span><\/p>\n

Posh-SecMod consists of a bundle of scripts dedicated to the task of network discovery: reviewing what outsiders can see on your network and revealing how this knowledge might be exploited. Its modules include tools for general network discovery, scanning system registries, database functions, and system auditing.<\/span><\/p>\n

\u00a0<\/span><\/p>\n

MicroBurst for Cloud Protection<\/span><\/h2>\n

\u00a0<\/span><\/p>\n

MicroBurst consists of a collection of PowerShell scripts that can be used for the security penetration testing of Azure cloud deployments. The scripts support Azure Services discovery, weak configuration auditing, and post-exploitation actions, such as credential dumping. <\/span><\/p>\n

\u00a0<\/span><\/p>\n

With an installation of PowerShell 5.x in place\u2014and the judicious use of customized scripts\u2014it\u2019s possible to enjoy enhanced system logging and to securely automate your Windows 7 network environment.<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"

By Des Nnochiri \u00a0 PowerShell has long been a go-to utility for Windows network users, and Windows 7 remains a powerful player in the Microsoft ecosystem. Though the company plans to withdraw support for the operating system in 2020, Windows 7 is still the Windows variant of choice for many users across the globe. \u00a0 […]<\/p>\n","protected":false},"author":15,"featured_media":6375,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4,13,9,8],"tags":[405,571,572,553,310,567,551,552,318,560,565,554,252,443,188,563,134,569,475,556,573,561,550,558,564,559,566,527,570,62,469,549,562,557,439,555,92,470,568],"class_list":["post-6365","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-general-it","category-pc-security","category-technical","category-windows","tag-api","tag-azure","tag-azure-services","tag-cmdlets","tag-code","tag-com","tag-command-line-shell","tag-command-lets","tag-cyber-attack","tag-enhanced-logging","tag-event-log","tag-logging","tag-microsoft","tag-microsoft-network","tag-network","tag-network-security","tag-pc-security","tag-posh-sysmon","tag-powershell","tag-powershell-5","tag-powershell-5-x","tag-powershell-configuration","tag-powershell-core","tag-powershell-script-debugging","tag-powershell-transcription","tag-script-debugging","tag-security-script","tag-shell-command","tag-sysmon","tag-windows","tag-windows-10","tag-windows-7","tag-windows-configuration","tag-windows-management-framework","tag-windows-network","tag-windows-operating-system","tag-windows-powershell","tag-windows-security","tag-wmi"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/posts\/6365","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/users\/15"}],"replies":[{"embeddable":true,"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/comments?post=6365"}],"version-history":[{"count":4,"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/posts\/6365\/revisions"}],"predecessor-version":[{"id":6376,"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/posts\/6365\/revisions\/6376"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/media\/6375"}],"wp:attachment":[{"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/media?parent=6365"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/categories?post=6365"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/tags?post=6365"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}