I am doing research to tighten security. Is there a preferred way to monitor and log PSRemote connections to servers and workstations?
This depends on what OS and PowerShell version are deployed in your environment. On the latest Windows Server versions, you can set this via Group Policy. On earlier versions it's a bit more of a challenge.

There is per-module logging, enabled locally this way at the PowerShell ISE or the PowerShell console host:

    Import-Module -Name ActiveDirectory
    (Get-Module ActiveDirectory).LogPipelineExecutionDetails = $true

Running AD commands then gets logged to the PowerShell event log. Open Event Viewer from the Tools menu in Server Manager, expand Applications and Services Logs > Microsoft > Windows > PowerShell, then select the Operational log.

GPO (local machine or domain-wide) settings: enter the modules you want log info on. On a Domain Controller or on local machines you can use the Group Policy Editor as well to set these settings:

Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell

Here you'll find 5 options:
- Turn On Module Logging
- Turn On PowerShell Script Block Logging
- Turn On Script Execution
- Turn On PowerShell Transcription
- Set the default source path for Update-Help

Enable what you wish. At a minimum from this list, turn on Module Logging with these settings:
- Microsoft.PowerShell.*
- Microsoft.WSMan.Management
- ActiveDirectory
- etc.

Then turn on PowerShell Script Block Logging and PowerShell Transcription.

You can actually set a specific remote UNC path for all transcript files, but you have to ensure it is always available, or users running cmdlets/scripts will get errors. Otherwise, you allow it to log on each local machine and use another script or tool to collect the logs to a central server for you to review.
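As an added example (my code, not part of the answer above and not a Microsoft-published script), here is how the three policy settings the answer recommends can be applied from an elevated PowerShell prompt by writing the registry values those Group Policy settings control, and how to read the resulting events back, including the WinRM operational-log entries that record the remote session itself, which is what the original question is after. The module list, the local transcript directory C:\PSTranscripts, the function names and the 24-hour default window are assumptions for illustration; the registry paths and event IDs are the documented ones.

```powershell
# Added example: enable PowerShell audit logging via the policy registry keys
# and query remoting-related events. Requires an elevated PowerShell 5.1+ session.
# Paths, module list and C:\PSTranscripts below are assumptions for illustration.

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Enable-PSAuditLogging {
    param(
        [string[]] $ModuleNames    = @('Microsoft.PowerShell.*', 'Microsoft.WSMan.Management', 'ActiveDirectory'),
        [string]   $TranscriptPath = 'C:\PSTranscripts'   # local; a UNC path must always be reachable
    )

    # Module logging: one value per module name under ModuleNames (name = name). '*' logs every module.
    $mod   = Join-Path $PolicyRoot 'ModuleLogging'
    $names = Join-Path $mod 'ModuleNames'
    New-Item -Path $names -Force | Out-Null
    Set-ItemProperty -Path $mod -Name EnableModuleLogging -Value 1 -Type DWord
    foreach ($m in $ModuleNames) {
        New-ItemProperty -Path $names -Name $m -Value $m -PropertyType String -Force | Out-Null
    }

    # Script block logging writes event 4104 with the de-obfuscated script text.
    # Invocation logging (4105/4106, start/stop per block) is very noisy, so it is left off.
    $sbl = Join-Path $PolicyRoot 'ScriptBlockLogging'
    New-Item -Path $sbl -Force | Out-Null
    Set-ItemProperty -Path $sbl -Name EnableScriptBlockLogging           -Value 1 -Type DWord
    Set-ItemProperty -Path $sbl -Name EnableScriptBlockInvocationLogging -Value 0 -Type DWord

    # Transcription: the directory must exist and be writable by every user, or sessions error out.
    New-Item -Path $TranscriptPath -ItemType Directory -Force | Out-Null
    $tr = Join-Path $PolicyRoot 'Transcription'
    New-Item -Path $tr -Force | Out-Null
    Set-ItemProperty -Path $tr -Name EnableTranscripting    -Value 1 -Type DWord
    Set-ItemProperty -Path $tr -Name EnableInvocationHeader -Value 1 -Type DWord   # timestamp per command
    Set-ItemProperty -Path $tr -Name OutputDirectory        -Value $TranscriptPath -Type String
}

function Get-PSRemotingActivity {
    param(
        [datetime] $Since = (Get-Date).AddHours(-24),
        [switch]   $RemoteOnly   # keep only events raised inside a remoting session
    )

    # WinRM operational log: 169 = user authenticated to WinRM, 91 = WSMan shell (remote session) created
    $winrm = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-WinRM/Operational'; Id = 91, 169; StartTime = $Since
    } -ErrorAction SilentlyContinue

    # PowerShell operational log: 4103 = module/pipeline logging, 4104 = script block text
    $ps = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4103, 4104; StartTime = $Since
    } -ErrorAction SilentlyContinue

    if ($RemoteOnly) {
        # 4103 messages carry the host application; remoting sessions run under wsmprovhost.exe.
        # 4104 records script text without the host, so it cannot be filtered this way.
        $ps = $ps | Where-Object { $_.Id -eq 4103 -and $_.Message -match 'wsmprovhost' }
    }

    @($winrm; $ps) | Where-Object { $_ } | ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Log     = $_.LogName
            Id      = $_.Id
            UserSid = $_.UserId                          # account the event ran as
            Summary = ($_.Message -split "`r?`n")[0]     # first line is enough for a triage view
        }
    } | Sort-Object Time
}

# Usage:
#   Enable-PSAuditLogging
#   Get-PSRemotingActivity -Since (Get-Date).AddDays(-1) -RemoteOnly | Format-Table -AutoSize
```

The registry values are the ones the Group Policy ADMX templates set, so a domain GPO will overwrite them on the next refresh; use this for standalone machines or to verify what a GPO produced. The transcript directory should be set so users can create files but not read others' transcripts, and both transcripts and the two event logs should be shipped off-box, since an attacker with local admin can clear them.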
Here is a set of articles on the topic I've shared with others to date:
- PowerShell Security at Enterprise Customers: blogs.msdn.microsoft.com/daviddasneves/2017/05/25/powershell-security-at-enterprise-customers
- PowerShell ♥ the Blue Team: blogs.msdn.microsoft.com/powershell/2015/06/09/powershell-the-blue-team
- Practical PowerShell Security: Enable Auditing and Logging with DSC: blogs.technet.microsoft.com/ashleymcglone/2017/03/29/practical-powershell-security-enable-auditing-and-logging-with-dsc
- PowerShell Security: PowerShell Attack Tools, Mitigation, & Detection: adsecurity.org/?tag=powershell-logging-group-policy
- Investigating PowerShell: Command and Script Logging: crowdstrike.com/blog/investigating-powershell-command-and-script-logging
- Greater Visibility Through PowerShell Logging: fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html
- More New Stuff in PowerShell V5: Extra PowerShell Auditing: learn-powershell.net/2014/08/26/more-new-stuff-in-powershell-v5-extra-powershell-auditing