In this guide, I’ll show you how to disable PowerShell with group policy. In addition, I’ll show you how to enable it for specific users such as administrations while leaving it disabled for all other users.
Why Disable PowerShell?
PowerShell is often used by malicious actors to spread malware throughout the network. PowerShell is enabled by default on Windows 10 for all users, attackers can utilize this tool to run malicious commands, access the file system, registry, and more. Ransomware is often distributed throughout the network via PowerShell. To learn more I recommend reading this white paper -> Security Primer – Ryuk
Steps to Disable PowerShell with Group Policy
Important:
This example blocks the original 32bit version of PowerShell. Your computers may have a different version or multiple versions installed (Core and 5.1). To Block all PowerShell versions you will need to create multiple path rules.
Step 1: Find the PowerShell.exe file path
By default PowerShell.exe is located in this folder -> C:\Windows\System32\WindowsPowerShell\v1.0
To verify this on your computer, open PowerShell, then open task manager, go to the details tab, scroll down to powershell.exe, right click and select “open file location”.
Windows explorer will open to the folder location of powershell.exe. Make a note of this location as it will be needed in a later step.
Step 2: Create GPO to block PowerShell.exe
1. Open the Group Policy Management Console
Now, create and link a new GPO to the organizational unit that has the user accounts you want to block access for. I have all of my users in an organizational unit called “ADPRO Users” so I will link it there.
Give the new GPO a name. I like to be descriptive with names so it’s easy to understand it.
You have now created a new GPO, the next step will be to edit the settings.
2. Edit the GPO and navigate to -> User Configuration -> Policies -> Windows Settings -> Security Settings -> Software Restriction Policies
Now right-click “Software Restriction Policies” and select “New Software Restriction Policies”
Select “Additional Rules”, then right-click and select “New Path Rule”
Now click the browse button and select the powershell.exe file from the path in step 1. Most common path is -> C:\Windows\System32\WindowsPowerShell\v1.0.
Set the security level to “Disallowed” Click OK.
Tip: Another option is to use a hash rule. The benefit of a hash rule is it will block the file no matter its location. For example, if PowerShell tried to run from c:\it\ it would be blocked due to the hash rule, not the file path. The only drawback to this is you would need a hash rule for every version of PowerShell.
Next, reboot your computer for the policy to take effect. Now when you try to run PowerShell you should receive the following message.
You can repeat these steps for PowerShell ISE or any other application you want to block.
This blocks it for any user in the OU you applied the GPO to. To enable it for specific users follow the steps below.
Step 2: Allow PowerShell for Administrators
In this section, I’ll show you how to block PowerShell for users but keep it enabled for administrators.
1. Create a new Active Directory Security group.
Name it whatever you want, I like to be descriptive with objects so other administrators can quickly understand what it is used for. I named my group “GPO – Enable PowerShell”
Now add any user as a member to this group that you want to have the rights to run PowerShell.
2. Modify GPO Delegation
Now go back to the GPO you created in step 1 and click on the delegation tab.
Click “Advanced”
Click “Add” then select the security group you created that has users you want to enable PowerShell for. Click OK.
In the permissions section make sure the group is selected and it has only these permissions
- Read is set to “allow”
- Apply group policy is set to “Deny”
Click OK.
Now any user you add to the security group will get denied this policy and enable them to run PowerShell.
Conclusion
PowerShell is a great tool for administrators but it is being abused more and more by malicious actors to spread ransomware throughout the network. I recommend adhering to the principle of least privilege and ensuring users have the minimal level of access needed to perform their work duties. Most users don’t need PowerShell so it is recommended to disable it for those users. Ensure you test these types of changes before rolling it out company wide and get approval with documentation to cover yourself. Change management is great for these types of system wide changes.