Disable PoSh 2.0 in Windows Server 2008R2 SP1

  • Question

  • Hi,

    I'm looking to disable PowerShell 2.0 on Windows 2008R2 in a supported way, or for a way to force the use of only v5.1. It is for security reasons, to avoid an attacker bypassing the new v5 security features.

    Anyone knows how to do it?

    Thanks,
    Julien

    Saturday, May 20, 2017 2:00 PM

All replies

  • Just remove the feature under roles and features in computer management.


    \_(ツ)_/

    • Proposed as answer by Hello_2018 Monday, May 22, 2017 7:48 AM
    Saturday, May 20, 2017 3:41 PM
  • Thanks but it is not available on 2008R2 SP1, that's the problem.
    Monday, May 22, 2017 11:08 AM
  • On 2008R2 it is installed by default and cannot be removed. It is required by the OS. On later versions the V2 support is optional.

    The PS ISE component is optional and can be removed.


    \_(ツ)_/


    • Edited by jrv Monday, May 22, 2017 11:32 AM
    • Marked as answer by Julien Vailles Monday, May 22, 2017 2:13 PM
    • Unmarked as answer by Julien Vailles Monday, May 22, 2017 2:13 PM
    Monday, May 22, 2017 11:31 AM
  • Thanks, I came to the same conclusion. The thing is, I want to prevent v2 scripts from running and force them to run in v5, so there is no way to do this with Windows 2008R2? Which is a big deal in terms of security. Don't you agree?
    Monday, May 22, 2017 2:12 PM
  • Hi Julien,

    maybe, but isn't it kind of a big deal to still be running 2008 R2 if security is your priority?

    Cheers,
    Fred


    There's no place like 127.0.0.1

    Monday, May 22, 2017 2:17 PM
  • Hi Fred,

    Windows 2008 R2 is still supported until 2020 and getting its security patches. I understand it can't run the latest security features, but being able to disable PoSh v2 should be possible. On a side note, we are in the process of migrating to Windows 2016, but as you know it takes time :)

    Monday, May 22, 2017 3:13 PM
  • WS2008R2 can run all of the latest security features and runs WMF 5 just fine.

    PS2 is required for Exchange and SharePoint only if they are not patched to current levels. Exchange 2010 is now being removed from service and is only supportable with the latest updates.


    \_(ツ)_/

    Monday, May 22, 2017 3:22 PM
  • Thanks, I came to the same conclusion. The thing is, I want to prevent v2 scripts from running and force them to run in v5, so there is no way to do this with Windows 2008R2? Which is a big deal in terms of security. Don't you agree?

    If you upgrade to WMF 5 then there is no V2. It is just WMF 5 set to V2 compatibility.


    \_(ツ)_/

    Monday, May 22, 2017 3:26 PM
  • Thanks, I came to the same conclusion. The thing is, I want to prevent v2 scripts from running and force them to run in v5, so there is no way to do this with Windows 2008R2? Which is a big deal in terms of security. Don't you agree?

    If you upgrade to WMF 5 then there is no V2. It is just WMF 5 set to V2 compatibility.


    \_(ツ)_/

    You can still do a "powershell.exe -version 2" and bypass all v5 security features. On other OSes, you can disable the v2 engine and force anyone to run in v5. I'd like to do the same with 2k8R2, or have a way to force v5, like a system variable that forces the v5 version (e.g. __PSLockdownPolicy to force the constrained language).
    Monday, May 22, 2017 3:42 PM
  • You can use -version 2 on all versions of PowerShell on all systems.

    \_(ツ)_/

    Monday, May 22, 2017 3:48 PM
  • You can use -version 2 on all versions of PowerShell on all systems.

    \_(ツ)_/

    I have to disagree with this one, check out the print screen from Windows 2016 when running powershell.exe -version 2 without the Windows PowerShell Engine 2.0 installed.


    Monday, May 22, 2017 9:05 PM
  • That is only because .Net 2 is optional on 2016. It is not optional on 2008R2. This has nothing to do with security.

    \_(ツ)_/


    • Edited by jrv Monday, May 22, 2017 9:59 PM
    Monday, May 22, 2017 9:59 PM
  • Yes, PoSh 2.0 is part of .Net 2; if you install .Net 2 you install the PoSh 2.0 engine and then you can use -version 2.
    I know it is not optional on 2008R2. I am asking if there is a way to prevent access to version 2 even if it is installed, otherwise it is pointless to implement the new v5 security features on 2K8R2 because they can be easily bypassed with a simple -version 2, do you understand that? So yes, it has to do with security (https://adsecurity.org/?p=2921).

    Monday, May 22, 2017 10:48 PM
  • What security features are you referring to?

    Upgrading to PS 5 will replace the old V2 engine. The new engine just supports V2 syntax and restricts access to any non-V2 CmdLets.

    The installable V2 engine/support is only there because there are still some vendors who cannot support V3 or later and require an explicit V2 launch.

    If you upgrade 2008r2 you will have the new Vn engine but you will break unpatched versions of Exchange/SharePoint and other packages.


    \_(ツ)_/


    • Edited by jrv Monday, May 22, 2017 11:17 PM
    Monday, May 22, 2017 11:16 PM
  • For example the new logging feature (https://adsecurity.org/?page_id=1821) to detect the invoke of mimikatz or other nasty stuff.

    Detecting Invoke-Mimikatz:

    • Ensure all Windows systems have PowerShell v3 or newer. Newer versions of PowerShell have better logging features, especially PowerShell v5.
    • Enable PowerShell Module Logging via Group Policy: Computer Configuration, Policies, Administrative Templates, Windows Components, and Windows PowerShell,Turn on Module Logging. Enter “*” and click OK. This will log all PowerShell activity including all PowerShell modules.

    Do the test yourself, enable the logging/script block logging, run a cmdlet using PowerShell v5 and check the log Windows PowerShell, you'll see the cmdlets you invoked.

    Run the same cmdlets with a powershell.exe -version 2 and you won't see anything.

    My point is, when running with version 2, you bypass all the new security features (constrained language, logging, system-wide transcription, protected event logging, etc.).

    That's why most PoSh exploits are built for PowerShell 2, so they can run in version 2 and bypass all those new security features, and that's why I want to disable it. Does it make sense?

    Look at one of the most famous PoSh exploitation frameworks, https://github.com/EmpireProject/Empire, and what they recommend:

    • PowerShell Version 2 compatibility is STRONGLY preferred.
     


    Monday, May 22, 2017 11:48 PM
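    As an added, defender-side example (not code from this thread or from adsecurity.org): a script that reports whether the v2 engine feature is present on OS versions where it is optional (Windows 8 / Server 2012 and later), disables it there, and hunts the Windows PowerShell log for event 400 entries carrying EngineVersion=2.0, which a -version 2 launch still writes even though module and script block logging see nothing. It assumes an elevated session; on 2008 R2 the DISM cmdlets are absent, so the feature check only reports that the engine cannot be removed, as the thread already concluded.

    ```powershell
    # Added example: audit and hunt for the PowerShell v2 engine (run elevated).
    # Feature names are the standard DISM names for the v2 engine package.

    function Get-PSv2EngineStatus {
        $names = 'MicrosoftWindowsPowerShellV2Root', 'MicrosoftWindowsPowerShellV2'
        try {
            Get-WindowsOptionalFeature -Online -ErrorAction Stop |
                Where-Object { $names -contains $_.FeatureName } |
                Select-Object FeatureName, State
        }
        catch {
            # Windows 7 / Server 2008 R2: no DISM module, and v2 is not removable anyway.
            [pscustomobject]@{ FeatureName = 'MicrosoftWindowsPowerShellV2Root'
                               State       = 'NotRemovable (legacy OS)' }
        }
    }

    function Disable-PSv2Engine {
        # Only effective on Windows 8 / Server 2012 and later, where v2 is optional.
        foreach ($f in (Get-PSv2EngineStatus | Where-Object { $_.State -eq 'Enabled' })) {
            Disable-WindowsOptionalFeature -Online -FeatureName $f.FeatureName -NoRestart | Out-Null
        }
    }

    function Find-PSv2EngineStart {
        param([int]$Days = 7)
        # Event 400 ("Engine state is changed from None to Available") lists
        # HostName, HostApplication and EngineVersion; EngineVersion=2.0 means
        # a v2 session started, whatever host launched it.
        Get-WinEvent -FilterHashtable @{
            LogName   = 'Windows PowerShell'
            Id        = 400
            StartTime = (Get-Date).AddDays(-$Days)
        } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'EngineVersion=2\.0' } |
        ForEach-Object {
            $msg = $_.Message
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Host    = if ($msg -match 'HostName=([^\r\n]+)') { $Matches[1] } else { '' }
                HostApp = if ($msg -match 'HostApplication=([^\r\n]+)') { $Matches[1] } else { '' }
            }
        }
    }

    Get-PSv2EngineStatus
    Find-PSv2EngineStart -Days 7 | Format-Table -AutoSize
    # Call Disable-PSv2Engine on 2012+ hosts once the report shows nothing legitimate depends on v2.
    ```

    Event 400 is written by every engine version, so it remains the one place a downgrade shows up on a 2008 R2 host where the v2 engine cannot be removed.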
  • Which is why we use AllSigned and sign scripts.  If you read all of the discovered exploits you will find all versions of PowerShell can be exploited and with no residue.


    \_(ツ)_/

    Tuesday, May 23, 2017 12:02 AM
  • Yes, true; in security you are still trying to mitigate the risk, and preventing access to PoSh 2.0 is one of them. I am not saying it is perfect, but it is better, that's it!

    So I am still looking for a way to disable it or prevent access to it ... I think it is going to be hard.

    Tuesday, May 23, 2017 12:12 AM
  • You can't on WS2008r2. You can only upgrade WMF.


    \_(ツ)_/

    • Proposed as answer by Hello_2018 Monday, June 5, 2017 8:31 AM
    Tuesday, May 23, 2017 12:23 AM
  • Shame, anyway thanks for your effort! :)
    • Proposed as answer by nNipsx Thursday, November 8, 2018 7:16 AM
    Tuesday, May 23, 2017 8:52 AM
  • I think MS should add a feature to disable PS 2.0 soon, or some patch that can make PS 2.0 log like 5.0. :)
    Thursday, November 8, 2018 7:18 AM