Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-253285 | WN11-00-000155 | SV-253285r958478_rule | Medium |
Description |
---|
Windows PowerShell 5.0 added advanced logging features which can provide additional detail when malware has been run on a system. Disabling the Windows PowerShell 2.0 mitigates against a downgrade attack that evades the Windows PowerShell 5.0 script block logging feature. |
STIG | Date |
---|---|
Microsoft Windows 11 Security Technical Implementation Guide | 2024-06-10 |
Check Text ( C-56738r828937_chk ) |
---|
Run "Windows PowerShell" with elevated privileges (run as administrator). Enter the following: Get-WindowsOptionalFeature -Online | Where FeatureName -like *PowerShellv2* If either of the following have a "State" of "Enabled", this is a finding. FeatureName : MicrosoftWindowsPowerShellV2 State : Enabled FeatureName : MicrosoftWindowsPowerShellV2Root State : Enabled Alternately: Search for "Features". Select "Turn Windows features on or off". If "Windows PowerShell 2.0" (whether the subcategory of "Windows PowerShell 2.0 Engine" is selected or not) is selected, this is a finding. |
Fix Text (F-56688r828938_fix) |
---|
Disable "Windows PowerShell 2.0" on the system. Run "Windows PowerShell" with elevated privileges (run as administrator). Enter the following: Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root This command must disable both "MicrosoftWindowsPowerShellV2Root" and "MicrosoftWindowsPowerShellV2" which correspond to "Windows PowerShell 2.0" and "Windows PowerShell 2.0 Engine" respectively in "Turn Windows features on or off". Alternately: Search for "Features". Select "Turn Windows features on or off". De-select "Windows PowerShell 2.0". |