Monitoring remote connections

I am doing research to tighten security. Is there a preferred way to monitor and log PSRemote connections to servers and workstations? 

  • This depends on what OS and PowerShell version are deployed in your environment.
    On Windows Server latest versions, you can set this Group Policy.
    On earlier versions it's a bit more of a challenge.

    There is also per-module logging, which can be enabled locally this way in the PowerShell ISE or the PowerShell console host:

    # Enable pipeline-execution logging for one loaded module, for this session only
    Import-Module -Name ActiveDirectory
    (Get-Module ActiveDirectory).LogPipelineExecutionDetails = $true

    AD commands that are then run get logged to the PowerShell event log.

    Open Event Viewer from the Tools menu in Server Manager and expand
    Applications and Services Log, Microsoft, Windows, and PowerShell, then select
    the Operational log.

    GPO (local machine or domain-wide) settings: enter the modules you want log info for.

    On a Domain Controller or on local machines you can also use the Group Policy Editor to set these settings.

    Computer Configuration >
    Administrative Templates >
    Windows Components >
    Windows PowerShell

    Here you'll find 5 options

    Turn On Module Logging
    Turn On PowerShell Script Block Logging
    Turn On Script Execution
    Turn On PowerShell Transcription
    Set the default source path for Update-Help

    Enable what you wish.

    At a minimum for this list,

    Turn On Module logging with these settings...

    Microsoft.PowerShell.*
    Microsoft.WSMan.Management
    ActiveDirectory
    etc...

    Then...

    Turn On PowerShell Script Block Logging
    Turn On PowerShell Transcription

    You can actually set a specific remote UNC path for all transcript files, but you have
    to ensure it is always available, or users running cmdlets/scripts will get
    errors.

    Otherwise, you let it log on each local machine and use another script
    or tool to collect the logs on a central server for you to review.

    Here is a set of articles on the topic I've shared with others to date:

    PowerShell Security at Enterprise Customers
    'blogs.msdn.microsoft.com/daviddasneves/2017/05/25/powershell-security-at-enterprise-customers'

    PowerShell ♥ the Blue Team
    'blogs.msdn.microsoft.com/powershell/2015/06/09/powershell-the-blue-team'

    Practical PowerShell Security: Enable Auditing and Logging with DSC
    'blogs.technet.microsoft.com/ashleymcglone/2017/03/29/practical-powershell-security-enable-auditing-and-logging-with-dsc'

    PowerShell Security: PowerShell Attack Tools, Mitigation, & Detection
    'adsecurity.org/?tag=powershell-logging-group-policy'

    Investigating PowerShell: Command and Script Logging
    'crowdstrike.com/blog/investigating-powershell-command-and-script-logging'

    Greater Visibility Through PowerShell Logging
    'fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html'

    More New Stuff in PowerShell V5: Extra PowerShell Auditing
    'learn-powershell.net/2014/08/26/more-new-stuff-in-powershell-v5-extra-powershell-auditing'
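
As an added example (not part of the reply above, and not anyone's production tooling), the following PowerShell script does two things the reply describes by hand: it sets the three logging policies (module logging, script block logging, transcription) through the registry keys that the corresponding Group Policy settings write, and it pulls the events that show PSRemoting activity out of the WinRM and PowerShell event logs. The module list, the local transcript directory `C:\PSTranscripts` and the sample event-400 message bodies are assumptions made up for the example; the registry paths and event IDs (WinRM 91 and 169, PowerShell 4103 and 4104, Windows PowerShell 400) are the standard Windows ones. Enabling the policies requires an elevated session.

```powershell
# Added example: enable PowerShell logging policies via their GPO registry keys and
# query the logs for PSRemoting activity. Not code from the original post.

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Enable-PSLoggingPolicy {
    # Writes the same values the GPO settings "Turn on Module Logging",
    # "Turn on PowerShell Script Block Logging" and "Turn on PowerShell Transcription" set.
    # Run from an elevated session; a domain GPO would normally overwrite these.
    param(
        [string[]] $Modules = @('Microsoft.PowerShell.*', 'Microsoft.WSMan.Management', 'ActiveDirectory'),
        [string]   $TranscriptDir = 'C:\PSTranscripts'   # assumption: a UNC path works here too
    )
    $ml = Join-Path $PolicyRoot 'ModuleLogging'
    New-Item -Path (Join-Path $ml 'ModuleNames') -Force | Out-Null
    New-ItemProperty -Path $ml -Name EnableModuleLogging -Value 1 -PropertyType DWord -Force | Out-Null
    foreach ($m in $Modules) {
        # Each module is a value under ModuleNames whose name and data are both the module name
        New-ItemProperty -Path (Join-Path $ml 'ModuleNames') -Name $m -Value $m -PropertyType String -Force | Out-Null
    }

    $sb = Join-Path $PolicyRoot 'ScriptBlockLogging'
    New-Item -Path $sb -Force | Out-Null
    New-ItemProperty -Path $sb -Name EnableScriptBlockLogging -Value 1 -PropertyType DWord -Force | Out-Null

    $tr = Join-Path $PolicyRoot 'Transcription'
    New-Item -Path $tr -Force | Out-Null
    New-ItemProperty -Path $tr -Name EnableTranscripting    -Value 1 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $tr -Name EnableInvocationHeader -Value 1 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $tr -Name OutputDirectory -Value $TranscriptDir -PropertyType String -Force | Out-Null
}

function Test-RemoteEngineStart {
    # Event 400 ("Engine state is changed from None to Available") carries Key=Value detail
    # lines; a PowerShell engine started by a remoting session reports HostName=ServerRemoteHost,
    # whereas a local console or ISE reports ConsoleHost / Windows PowerShell ISE Host.
    param([string] $Message)
    return [bool]($Message -match '(?m)^\s*HostName=ServerRemoteHost\s*$')
}

function Get-PSRemotingActivity {
    # Collects the events that show remote sessions and what they executed.
    param([datetime] $Since = (Get-Date).AddHours(-24))
    $filters = @(
        # WinRM server side: 91 = WSMan session created, 169 = user authenticated
        @{ LogName = 'Microsoft-Windows-WinRM/Operational';      Id = 91, 169;    StartTime = $Since }
        # Module logging (4103, pipeline execution) and script block logging (4104, script text)
        @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4103, 4104; StartTime = $Since }
        # Classic engine log: 400 = engine start; filtered below to remoting hosts only
        @{ LogName = 'Windows PowerShell';                       Id = 400;        StartTime = $Since }
    )
    foreach ($f in $filters) {
        Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue |
            Where-Object { $f.LogName -ne 'Windows PowerShell' -or (Test-RemoteEngineStart $_.Message) } |
            Select-Object TimeCreated, LogName, Id, @{ n = 'User'; e = { $_.UserId } }, Message
    }
}

# Constructed sample event-400 bodies (not captured from a real host) to exercise the filter offline
$sampleRemote = @"
Engine state is changed from None to Available.

Details:
	NewEngineState=Available
	PreviousEngineState=None
	HostName=ServerRemoteHost
	HostVersion=5.1.19041.1
"@
$sampleLocal = $sampleRemote -replace 'ServerRemoteHost', 'ConsoleHost'

Write-Output ("remote sample flagged as remoting: {0}" -f (Test-RemoteEngineStart $sampleRemote))
Write-Output ("local sample flagged as remoting:  {0}" -f (Test-RemoteEngineStart $sampleLocal))

# On a real host, elevated: Enable-PSLoggingPolicy
# then, after some remote sessions: Get-PSRemotingActivity -Since (Get-Date).AddHours(-1) | Format-Table -AutoSize
```

Event 91 and 169 in the WinRM log tell you a session was opened and by whom; 4103/4104 tell you what ran inside it, and the `ServerRemoteHost` check on event 400 separates remoting engine starts from local console use. These are per-host logs, so in practice the output of `Get-PSRemotingActivity` (or the logs themselves) still needs to be forwarded to a central collector, as the reply notes.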
