In this guide, I’ll show you how to disable PowerShell with group policy. In addition, I’ll show you how to enable it for specific users such as administrators while leaving it disabled for all other users.
Why Disable PowerShell?
PowerShell is often used by malicious actors to spread malware throughout the network. PowerShell is enabled by default on Windows 10 for all users, so attackers can utilize this tool to run malicious commands, access the file system, the registry and more. Ransomware is often distributed throughout the network via PowerShell. To learn more I recommend reading this white paper -> Security Primer – Ryuk
Steps to Disable PowerShell with Group Policy
Step 1: Find the PowerShell.exe file path
By default PowerShell.exe is located in this folder -> C:\Windows\System32\WindowsPowerShell\v1.0
To verify this on your computer, open PowerShell, then open Task Manager, go to the Details tab, scroll down to find powershell.exe, right click and select “Open file location”.
Windows explorer will open to the folder location of powershell.exe. Make a note of this location as it will be needed in a later step.
Step 2: Create GPO to block PowerShell.exe
1. Open the Group Policy Management Console
Now, create and link a new GPO to the organizational unit that has the user accounts you want to block access for. I have all of my users in an organizational unit called “ADPRO Users” so I will link it there.
Give the new GPO a name. I like to be descriptive with names so it’s easy to understand it.
You have now created a new GPO, next step will be to edit the settings.
2. Edit the GPO and navigate to -> User Configuration -> Policies -> Windows Settings -> Security Settings -> Software Restriction Policies
Now right click “Software Restriction Policies” and select “New Software Restriction Policies”
Select “Additional Rules”, then right click and select “New Path Rule”
Now click the browse button and select the powershell.exe file from the path in step 1. Most common path is -> C:\Windows\System32\WindowsPowerShell\v1.0.
Set the security level to “Disallowed” and click OK.
Now reboot your computer for the policy to take effect. Now when you try to run PowerShell you should receive the following message.
You can repeat these steps for PowerShell ISE or any other application you want to block.
This blocks it for any user in the OU you applied the GPO to. To enable it for specific users follow the steps below.
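To confirm the path rule actually reached a workstation, the following script is an added verification check and is not part of the original article. Run it on a client, logged on as one of the users the GPO applies to, after the reboot. It assumes the rule was created under User Configuration, so the Software Restriction Policy is written to HKCU (a Computer Configuration rule lands under HKLM instead), and it reads the Safer\CodeIdentifiers registry layout that SRP uses. It also lists every PowerShell host executable that ships with Windows, including the 32-bit copy under SysWOW64, which is a separate file that the single path rule from Step 2 does not cover; the script flags any host that has no Disallowed rule so you can add a rule for it the same way.

```powershell
# Added SRP verification script (not from the original article).
# Assumption: the GPO is a User Configuration policy, so rules live under HKCU.
$saferRoot = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# Security-level codes used by the Safer registry layout
$levelNames = @{ 0 = 'Disallowed'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }

if (-not (Test-Path $saferRoot)) {
    Write-Warning "No Software Restriction Policy found under HKCU. Run 'gpupdate /force' and check 'gpresult /r' to confirm the GPO applied to this user."
    return
}

# Collect every path rule, whichever security level it was created under.
# Level keys are numeric ("0", "262144", ...); each holds a Paths key with one GUID subkey per rule.
$rules = foreach ($levelKey in Get-ChildItem $saferRoot | Where-Object { $_.PSChildName -match '^\d+$' }) {
    $level    = [int]$levelKey.PSChildName
    $pathsKey = Join-Path $levelKey.PSPath 'Paths'
    if (Test-Path $pathsKey) {
        foreach ($rule in Get-ChildItem $pathsKey) {
            $data = (Get-ItemProperty -Path $rule.PSPath).ItemData
            [pscustomobject]@{
                Level = $levelNames[$level]
                # GPMC may store the path with %SystemRoot%; expand it for comparison
                Path  = [Environment]::ExpandEnvironmentVariables($data)
            }
        }
    }
}

'Path rules applied to this user:'
$rules | Format-Table -AutoSize

# Every PowerShell host executable that ships with Windows. The SysWOW64 copies
# are separate files and need their own Disallowed rule.
$hosts = @(
    "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe",
    "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell_ise.exe",
    "$env:SystemRoot\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
    "$env:SystemRoot\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe"
) | Where-Object { Test-Path $_ }

foreach ($exe in $hosts) {
    # A rule covers the file if it names the file itself or a parent folder
    $covered = $rules | Where-Object { $_.Level -eq 'Disallowed' -and $exe -like "$($_.Path)*" }
    if ($covered) {
        "BLOCKED   $exe"
    } else {
        Write-Warning "NOT COVERED  $exe  (add a Disallowed path rule for it)"
    }
}
```

If the script reports no policy at all, check with gpresult /r that the GPO is listed under Applied Group Policy Objects for the user, and that the user account really sits in the OU the GPO is linked to.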
Step 3: Allow PowerShell for Administrators
In this section I’ll show you how to allow PowerShell for specific users such as administrators by exempting them from the group policy.
1. Create a new Active Directory Security group.
Name it whatever you want, I like to be descriptive with objects so other administrators can quickly understand what it is used for. I named my group “GPO – Enable PowerShell”
Now add any user as a member to this group that you want to have the rights to run PowerShell.
2. Modify GPO Delegation
Now go back to the GPO you created in step 1 and click on the delegation tab.
Click “Add” then select the security group you created that has users you want to enable PowerShell for. Click OK.
In the permissions section make sure the group is selected and it has only these permissions:
- Read is set to “allow”
- Apply group policy is set to “Deny”
Now any user you add to the security group will be denied this policy, which allows them to run PowerShell.
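The Delegation tab is easy to get slightly wrong (Read denied as well, or Apply Group Policy left allowed), so here is an added check that is not part of the original article. It runs on a domain-joined admin workstation or domain controller with the GroupPolicy RSAT module and uses Get-GPPermission to read the GPO’s security filtering. The GPO name is a placeholder you must replace with your own; the group name is the one used above. It relies on the Permission and Denied properties that Get-GPPermission reports for each trustee, and on the trustee name matching the group’s account name.

```powershell
# Added delegation check (not from the original article).
Import-Module GroupPolicy

$gpoName   = 'Disable PowerShell'         # placeholder: the name you gave the GPO in Step 2
$groupName = 'GPO - Enable PowerShell'    # the security group created in Step 3

# Get-GPPermission -All lists every trustee shown on the Delegation tab
$perms = Get-GPPermission -Name $gpoName -All |
    Where-Object { $_.Trustee.Name -eq $groupName }

if (-not $perms) {
    Write-Warning "'$groupName' is not listed on the Delegation tab of '$gpoName'. Add it with Read = Allow and Apply Group Policy = Deny."
    return
}

# Show exactly what the group has been granted or denied
$perms |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission, Denied, Inherited |
    Format-Table -AutoSize

$readAllowed = $perms | Where-Object { $_.Permission -eq 'GpoRead'  -and -not $_.Denied }
$applyDenied = $perms | Where-Object { $_.Permission -eq 'GpoApply' -and $_.Denied }

if ($readAllowed -and $applyDenied) {
    "OK: '$groupName' can read '$gpoName' but Apply Group Policy is denied, so members keep PowerShell."
} else {
    Write-Warning "Delegation is not set as intended for '$groupName': expected Read = Allow and Apply Group Policy = Deny."
}
```

Because the exemption is a deny on Apply Group Policy, anyone added to the group is effectively excluded from the PowerShell block, so keep the group’s membership reviewed along with your other privileged groups.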
PowerShell is a great tool for administrators but it is being abused more and more by malicious actors to spread ransomware throughout the network. I recommend adhering to the principle of least privilege and ensuring users have the minimal level of access needed to perform their work duties. Most users don’t need PowerShell, so it is recommended to disable it for those users. Ensure you test these types of changes before rolling them out company wide and get approval with documentation to cover yourself. Change management is great for these types of system wide changes.
Recommended Tool: SolarWinds Server & Application Monitor
This utility was designed to Monitor Active Directory and other critical services like DNS & DHCP. It will quickly spot domain controller issues, prevent replication failures, track failed logon attempts and much more.
What I like best about SAM is its easy-to-use dashboard and alerting features. It also has the ability to monitor virtual machines and storage.