Compliance Auditing with Microsoft PowerShell
Compliance Auditing with PowerShell
Microsoft's PowerShell framework has been part of their product line for quite some time. In recent years, it has played a major role in new operating system versions (such as Window 7 and Windows Server 2008) thanks to its inclusion in common engineering criteria. All future Microsoft server products will have PowerShell support integrated in them by default. This means Microsoft products will benefit from a single management interface, rather than a mixed usage of the registry, WMI, or other system files/utilities.
For those unfamiliar with PowerShell, it's a command-line shell meant to perform administrative tasks using cmdlets. Cmdlets are purpose-built commands designed to accomplish specific tasks for reading registry keys, files, wmi-objects, starting and stopping Windows services and a host of other tasks. A wide range of cmdlets and their usage are documented on Microsoft's website.
The ability to run PowerShell cmdlets remotely opens up interesting possibilities from a compliance perspective. For example, it's now possible to read a file, apply several different filters and determine compliance. You can also run a cmdlet and let the user review the output, then tailor the output as needed. Tenable recently added an AUDIT_POWERSHELL check to Windows compliance checks which allows users to do just that, right from an .audit file. Below is the basic syntax:
<custom_item> type: AUDIT_POWERSHELL description: "Powershell check" value_type: [value_type] value_data: [value] powershell_args: ["arguments for powershell.exe"] (optional) only_show_cmd_output : YES or NO (optional) check_type : [CHECK_TYPE] (optional) severity : ["HIGH" or "MEDIUM" or "LOW"] (optional) powershell_option : CAN_BE_NULL (optional) powershell_console_file : ["Location of PowerShell console file"] </item>
Users can opt to audit a specific value or have the check report the entire output of the cmdlet being run. When reporting the output of the cmdlet, users have the option to set the severity of the result using the 'severity' tag.
Powershell Auditing Examples
1. Review security patches
<custom_item>
type: AUDIT_POWERSHELL
description: "Show Installed Hotfix"
value_type: POLICY_TEXT
value_data: ""
powershell_args : "get-hotfix | Where-Object {$_.Description -ne ''} | select Description,HotFixID,InstalledBy | format-list"
only_show_cmd_output : YES
severity : LOW
</item>
2. Audit a specific value
<custom_item>
type: AUDIT_POWERSHELL
description: "Audit Service Status"
value_type: POLICY_TEXT
value_data: "Running"
powershell_args : "Get-Service | Where-Object {$_.name -eq 'browser'} | select status"
check_type : CHECK_REGEX
</item>
3. Review system log
<custom_item> type: AUDIT_POWERSHELL description: "Review System Log files " value_type: POLICY_TEXT value_data: "" powershell_args : 'get-eventlog -newest 5 -logname system | format-list' only_show_cmd_output : YES </item>
4. Show power settings
<custom_item> type: AUDIT_POWERSHELL description: "Show Power settings" value_type: POLICY_TEXT value_data: "" powershell_args : 'get-wmiobject -namespace root\\cimv2\\power -class Win32_powerplan | select Description,IsActive | format-list' only_show_cmd_output : YES </item>
5. Run a WMI method
<custom_item> type: AUDIT_POWERSHELL description: "Run WMI method ListWebServiceExtensions() on IIsWebService object" value_type: POLICY_TEXT value_data: "" powershell_args : '(get-WmiObject -namespace root\\MicrosoftIISv2 -Class IIsWebService).ListWebServiceExtensions().Extensions' only_show_cmd_output : YES </item>
6. Get a list of files in a directory
<custom_item> type: AUDIT_POWERSHELL description: "Get list of all files within a directory" value_type: POLICY_TEXT value_data: "" powershell_args : 'Get-ChildItem "C:\\Program Files\\Common Files' only_show_cmd_output : YES </item>
7. Review contents of a file
<custom_item> type : AUDIT_POWERSHELL description : "Review contents of a file" value_type : POLICY_TEXT value_data : "" powershell_option : CAN_BE_NULL powershell_args : "get-content 'D:\Apache2.2\conf\httpd.conf' | \ select-string -pattern '^ *<Directory' -context 0,10" severity : MEDIUM only_show_cmd_output: YES </item>
The listed examples leverage cmdlets typically found in Windows operating systems which supports PowerShell. But, what if we need to audit a product which has its own set of PowerShell cmdlets (e.g., Exchange 2007 or SharePoint 2010)? For such products we need to specify Windows PowerShell Console Files located on the target system. A PowerShell Console File contains properties and registered snap-ins that extend PowerShell’s ability or features. Many of these files also add cmdlets for administering software installed on the system.
An example PowerShell snap-in is Microsoft.Exchange.Management.PowerShell.Admin provided by Microsoft Exchange 2007, which provides useful commands for administering Exchange via PowerShell. By adding support for Powershell Console Files to AUDIT_POWERSHELL, the Windows Compliance Checks plugin can now audit software products like Exchange 2007, SharePoint and others. The “powershell_console_file” keyword can now be used with the AUDIT_POWERSHELL to call a specific PowerShell Console File located on the target system to run various get-* cmdlets, which allows a user to audit the target for compliance.
Exchange Configuration Audit Example #1 – Report Exchange 2007 Server Role:
[root@test]# cat powershell_test.audit <check_type: "Windows" version : "2"> <group_policy: "Example Powershell Console File Audit"> <custom_item> type : AUDIT_POWERSHELL description: "Disable Unnecessary Exchange Services and Roles" value_type : POLICY_TEXT value_data : "" powershell_args: "get-exchangeserver | select identity,serverrole| format-list" only_show_cmd_output: YES powershell_console_file: "C:\Microsoft\Exchange Server\Bin\ExShell.psc1" info: "Review the server's roles and ensure only necessary services are listed." </custom_item> </group_policy> </check_type> [root@test bin]# ./nasl -aXt 192.168.1.2 compliance_check.nbin Windows Compliance Checks, version 2.0.28 Which file contains your security policy : powershell_test.audit SMB login : administrator SMB password : ******** SMB domain (optional) : testdomain "Disable Unnecessary Exchange Services and Roles": [INFO] Review the server's roles and ensure only necessary services are listed. Output : Identity : EdgeExchange ServerRole : Edge
Requirements
- PowerShell must be installed on the target (older OSes do not have it installed by default).
- WMI must be enabled on the target.
- Firewall setting "Windows Firewall: Allow inbound remote administration exception" must be enabled.
- Note: At this time, only get-* cmdlets can be run. Cmdlet aliases (e.g., gwmi) are not supported.
Conclusion
Several compliance audit policies distributed by Tenable are already using the PowerShell functionality described above. For more information, and to download the policies themselves, log in to the Tenable Support Portal and go to the downloads area.
Related Articles
Study: Tenable Offers Fastest, Broadest Coverage of CISA's KEV Catalog
October 23, 2023Tenable ranked first in multiple vulnerability management categories, including the most comprehensive coverage and quickest detection of CISA's Known Exploited Vulnerabilities, according to a Miercom report commissioned by Tenable.
Tuning Network Assessments for Performance and Resource Usage
September 13, 2022Using the correct tool for the job and optimizing scanner placement will have a large impact on scan efficiency with Nessus, Tenable.io and Tenable.sc.
Terrascan Joins the Nessus Community, Enabling Nessus To Validate Modern Cloud Infrastructures
May 17, 2022The addition of Terrascan to the Nessus family of products helps users better secure cloud native infrastructure by identifying misconfigurations, security weaknesses, and policy violations by scanning Infrastructure as Code repositories.
Securing Financial Data in the Cloud: How Tenable Can Help
November 4, 2024Preventing data loss, complying with regulations, automating workflows and managing access are four key challenges facing financial institutions. Learn how Tenable can help.
Cybersecurity Snapshot: Apply Zero Trust to Critical Infrastructure’s OT/ICS, CSA Advises, as Five Eyes Spotlight Tech Startups’ Security
November 1, 2024Should critical infrastructure orgs boost OT/ICS systems’ security with zero trust? Absolutely, the CSA says. Meanwhile, the Five Eyes countries offer cyber advice to tech startups. Plus, a survey finds “shadow AI” weakening data governance. And get the latest on MFA methods, CISO trends and Uncle Sam’s AI strategy.
FY 2024 State and Local Cybersecurity Grant Program Adds CISA KEV as a Performance Measure
October 31, 2024The CISA Known Exploited Vulnerabilities (KEV) catalog and enhanced logging guidelines are among the new measurement tools added for the 2024 State and Local Cybersecurity Grant Program.
- Nessus