powershell-security-hardening

PowerShell Security Hardening

Purpose

Provides expertise in Windows security hardening and PowerShell security configuration. Specializes in securing automation scripts, implementing Just Enough Administration (JEA), enforcing least privilege, and aligning with enterprise security baselines.

When to Use

  • Configuring PowerShell security policies
  • Implementing Constrained Language Mode
  • Setting up Just Enough Administration (JEA)
  • Enabling PowerShell logging and auditing
  • Securing automation credentials
  • Applying CIS/STIG baselines
  • Protecting against PowerShell attacks
  • Implementing execution policies

Quick Start

快速入门

Invoke this skill when:
  • Hardening PowerShell environments
  • Implementing JEA or constrained language mode
  • Configuring PowerShell logging
  • Securing automation credentials
  • Applying security baselines
Do NOT invoke when:
  • General Windows administration → use /windows-infra-admin
  • PowerShell development → use /powershell-7-expert
  • Active Directory security → use /ad-security-reviewer
  • Network security → use /network-engineer

Decision Framework

决策框架

Security Requirement?
├── Script Execution Control
│   ├── Basic → Execution Policy
│   └── Strict → AppLocker/WDAC
├── Language Restriction
│   └── Constrained Language Mode
├── Privilege Reduction
│   └── JEA (Just Enough Administration)
└── Auditing
    └── Script Block Logging + Transcription

Core Workflows

核心工作流

1. PowerShell Logging Setup

  1. Enable Script Block Logging via GPO
  2. Enable Module Logging for key modules
  3. Configure transcription to secure location
  4. Set up protected event log forwarding
  5. Create alerts for suspicious patterns
  6. Test logging with sample scripts

2. JEA Configuration

  1. Define role capabilities file
  2. Specify allowed cmdlets and parameters
  3. Create session configuration
  4. Register JEA endpoint
  5. Test with limited user account
  6. Document role assignments
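The JEA workflow above, carried through as an added example (not code from the original skill page): a help-desk role that may only query services and restart the Print Spooler, published as a restricted, transcribed endpoint. The group CONTOSO\HelpDesk, the endpoint name HelpDesk and the transcript path C:\JEA\Transcripts are assumptions; run it elevated on the target server.

```powershell
# Added example: minimal JEA endpoint. Group, endpoint name and paths are assumed.
$ModuleName    = 'JEA-HelpDesk'
$RoleName      = 'SpoolerOperator'
$HelpDeskGroup = 'CONTOSO\HelpDesk'      # assumed AD group that gets the role
$EndpointName  = 'HelpDesk'
$TranscriptDir = 'C:\JEA\Transcripts'    # assumed location; restrict ACLs to append-only

# 1. Role capability files are discovered only inside a RoleCapabilities folder
#    of a module on $env:PSModulePath, so create a stub module for them.
$ModuleRoot = Join-Path $env:ProgramFiles "WindowsPowerShell\Modules\$ModuleName"
$RoleDir    = Join-Path $ModuleRoot 'RoleCapabilities'
New-Item -Path $RoleDir -ItemType Directory -Force | Out-Null
New-ModuleManifest -Path (Join-Path $ModuleRoot "$ModuleName.psd1")

# 2. Expose only the cmdlets and parameter values the role needs. ValidateSet
#    pins Restart-Service to the Spooler service; any other -Name is rejected.
New-PSRoleCapabilityFile -Path (Join-Path $RoleDir "$RoleName.psrc") `
    -VisibleCmdlets @(
        @{ Name = 'Get-Service' },
        @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler' } }
    )

# 3. Session configuration: RestrictedRemoteServer gives NoLanguage mode, the
#    virtual account keeps real admin credentials off the box, and every
#    session is transcribed for the auditing workflow.
New-Item -Path $TranscriptDir -ItemType Directory -Force | Out-Null
$SessionFile = Join-Path $env:TEMP "$EndpointName.pssc"
New-PSSessionConfigurationFile -Path $SessionFile `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory $TranscriptDir `
    -RoleDefinitions @{ $HelpDeskGroup = @{ RoleCapabilities = $RoleName } }

# Fail before touching WinRM if the .pssc does not parse.
if (-not (Test-PSSessionConfigurationFile -Path $SessionFile)) {
    throw "Invalid session configuration file: $SessionFile"
}

# 4. Register the endpoint (this restarts the WinRM service).
Register-PSSessionConfiguration -Name $EndpointName -Path $SessionFile -Force | Out-Null

# 5. Test with a limited account: only the whitelisted cmdlets plus the JEA
#    defaults (Get-Command, Get-FormatData, Measure-Object, ...) should appear.
# Invoke-Command -ComputerName localhost -ConfigurationName $EndpointName `
#     -Credential (Get-Credential) -ScriptBlock { Get-Command }
```

Keep the role definition (step 6) alongside the .psrc in version control; `Get-PSSessionCapability -ConfigurationName HelpDesk -Username CONTOSO\someuser` shows exactly what a given member can run.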

3. Constrained Language Mode

  1. Assess application requirements
  2. Create AppLocker/WDAC policy
  3. Enable CLM for untrusted scripts
  4. Whitelist required scripts
  5. Test application functionality
  6. Monitor for bypass attempts

Best Practices

  • Enable script block logging on all systems
  • Use JEA instead of full admin rights
  • Store credentials in secure vault (not scripts)
  • Apply AMSI for malware detection
  • Use signed scripts with AllSigned policy
  • Regularly audit PowerShell usage logs

Anti-Patterns

Anti-Pattern               | Problem             | Correct Approach
---------------------------|---------------------|------------------------
Credentials in scripts     | Exposure risk       | SecretManagement vault
Disabled logging           | No visibility       | Enable all logging
Bypass execution policy    | Security theater    | AppLocker/WDAC
Full admin for automation  | Over-privileged     | JEA with minimal rights
Ignoring AMSI              | Malware blind spot  | Keep AMSI enabled