GPO or safest way to disable access to PowerShell for PCs

I want to disable PowerShell access on users' PCs batch by batch rather than across 3000 PCs corporate-wide in one go.

What's the safest / easiest way?  There's a direction in our corporate to mitigate against fileless attacks:

Fileless attacks have gone mainstream. They were one of the fastest growing threats in 2017 and are predicted to grow even more next year. And they're the most dangerous - Ponemon's 2017 State of Endpoint Security Risk study found that more than 75% of successful breaches involve fileless techniques.
What's behind this troubling growth? A new Morphisec report looks at the evolution of this attack trend and examines how malware incorporates fileless techniques to avoid antivirus and NextGen detection tools.
sunhux asked:
ferrarista commented:
Disable access to PowerShell:

In the Group Policy window for users, on the left-hand side, drill down to User Configuration > Administrative Templates > System > Don’t run specified Windows applications.

In the properties window that opens, click the “Enabled” option and then click the “Show” button.

In the “Show Contents” window add --> powershell.exe
0
arnold commented:
OU-based restriction/application of the GPO.
One option is to use a security filter and specify a test system to which the GPO will apply.
In the absence of OUs, are the systems grouped in a security group that can be used in the security filter to which the GPO will apply?
0
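The two answers above (the "Don't run specified Windows applications" setting, and scoping it to a batch with security filtering) can be scripted end to end with the GroupPolicy RSAT module. The following is an added example, not code from the thread or from any of the posters; the GPO name, the pilot group name and the OU distinguished name are placeholders you must replace. It writes the same DisallowRun values the GUI setting produces, blocks every PowerShell host shipped with Windows rather than only powershell.exe, and restricts Apply to the pilot group while leaving Read for Authenticated Users (required since MS16-072, otherwise the user policy silently never applies).

```powershell
# Added example: batch-scoped GPO that blocks the PowerShell hosts via "Don't run specified
# Windows applications". Names below are assumptions for this example, not values from the thread.
Import-Module GroupPolicy

$GpoName    = 'Pilot - Block PowerShell hosts'        # assumed GPO name
$PilotGroup = 'PS-Block-Pilot'                        # assumed security group holding the current batch of users
$TargetOU   = 'OU=Workstations,DC=corp,DC=example'    # assumed OU distinguished name

$null = New-GPO -Name $GpoName -Comment 'Batch rollout of DisallowRun for PowerShell hosts'

# The GUI setting is stored as the DisallowRun policy under the user hive.
$ExplorerKey = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$null = Set-GPRegistryValue -Name $GpoName -Key $ExplorerKey -ValueName 'DisallowRun' -Type DWord -Value 1

# The blocked names are numbered REG_SZ values ("1" = "powershell.exe", ...) under a DisallowRun subkey.
# Block all PowerShell hosts that ship with Windows, not just powershell.exe.
$Hosts = 'powershell.exe', 'powershell_ise.exe', 'pwsh.exe'
$i = 1
foreach ($h in $Hosts) {
    $null = Set-GPRegistryValue -Name $GpoName -Key "$ExplorerKey\DisallowRun" -ValueName "$i" -Type String -Value $h
    $i++
}

# Security filtering for the batch: strip Apply from Authenticated Users, give them Read back
# (the computer account must still read user policy), and grant Read+Apply only to the pilot group.
$null = Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel None
$null = Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead
$null = Set-GPPermission -Name $GpoName -TargetName $PilotGroup -TargetType Group -PermissionLevel GpoApply

$null = New-GPLink -Name $GpoName -Target $TargetOU -LinkEnabled Yes

# Verification on a pilot user's session after "gpupdate /force": the values should be present.
# Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun'
```

To move to the next batch, add those users to the pilot group (or link the same GPO to the next OU) rather than creating a new GPO per batch; the filter and registry values stay identical. Bear in mind what this setting actually is: a name-based check performed by Explorer at launch time. A renamed copy of powershell.exe, a process started by something other than Explorer, or a third-party host that loads the PowerShell engine DLL is not covered, so treat it as a first step towards the application whitelisting discussed later in this thread, not as the control itself.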
btan (Exec Consultant) commented:
Actually, a fileless attack also means the malware is "fully loaded" and does not require the callback to download the lethal payload that will damage the victim machine. The mentioned PowerShell attack is just one category to defend against in this attack. Collectively, you should go for application whitelisting, which comes with AppLocker or with HIPS like McAfee Application Control.

See the various assessments of potential bypasses of HIPS controls. PS scripts can be excluded from the whitelist.
https://kc.mcafee.com/corporate/index?page=content&id=KB86405

See best practice as a whole
Script authorization
Application Control includes a default script interpreter list to whitelist script exclusions. Technical Support recommends that you update the list based on the requirements in your environment. You must evaluate script interpreters (such as PowerShell, Perl, PHP, and Java) and the extensions they support. If any script interpreters are present with no business requirement, Technical Support recommends they be removed from the system or prevented from execution using Application Control constructs.
https://kc.mcafee.com/corporate/index?page=content&id=KB86405
1
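The script-authorization guidance quoted above asks you to evaluate which interpreters are present and what the whitelisting policy decides for each of them before enforcement. The following is an added example, not code from the thread, the McAfee KB article, or Microsoft; it uses the built-in AppLocker module (the AppLocker path, since that is the free option named above, rather than McAfee Application Control). The candidate paths and the pilot group name are assumptions for this example. It inventories the interpreter hosts actually on the machine with their Authenticode signer (the input you need for publisher rules), then runs the currently effective AppLocker policy against them for the pilot principal so you see Allowed/Denied decisions while the rule collection is still in AuditOnly mode.

```powershell
# Added example: inventory script interpreters and test the effective AppLocker policy against them.
# Paths and the pilot principal are assumptions for this example.
Import-Module AppLocker

# Interpreter hosts to evaluate (PowerShell hosts first, then the other built-in script engines).
$Candidates = @(
    "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe",
    "$env:SystemRoot\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
    "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell_ise.exe",
    "$env:ProgramFiles\PowerShell\7\pwsh.exe",
    "$env:SystemRoot\System32\wscript.exe",
    "$env:SystemRoot\System32\cscript.exe",
    "$env:SystemRoot\System32\mshta.exe"
)
# Third-party interpreters named in the guidance (Perl, PHP, Java) are wherever PATH says they are.
foreach ($name in 'perl.exe', 'php.exe', 'java.exe') {
    $cmd = Get-Command $name -ErrorAction SilentlyContinue
    if ($cmd) { $Candidates += $cmd.Source }
}

$Present = $Candidates | Where-Object { Test-Path $_ } | Sort-Object -Unique

# Inventory: path plus signer, so anything with no business requirement can be removed or
# turned into a publisher rule instead of a brittle path rule.
$Inventory = foreach ($p in $Present) {
    $sig = Get-AuthenticodeSignature -FilePath $p
    [pscustomobject]@{
        Path   = $p
        Status = $sig.Status
        Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    }
}
$Inventory | Format-Table -AutoSize

# Decision check: what the effective AppLocker policy does with each host for the pilot principal.
# Run this while the Exe collection is in AuditOnly; an empty policy means nothing is whitelisted yet.
$PilotPrincipal = 'CORP\PS-Block-Pilot'   # assumed group or user the rollout targets
$policy = Get-AppLockerPolicy -Effective
if (@($policy.RuleCollections).Count -eq 0) {
    Write-Warning 'No AppLocker rules are effective on this machine; no interpreter is controlled yet.'
} else {
    $policy | Test-AppLockerPolicy -Path $Present -User $PilotPrincipal |
        Select-Object FilePath, PolicyDecision, MatchingRule | Format-Table -AutoSize
}

# Language mode of this shell: with AppLocker or WDAC enforcing, non-whitelisted scripts run in
# ConstrainedLanguage, which is the behaviour you want to see on a pilot machine.
$ExecutionContext.SessionState.LanguageMode
```

Read the Test-AppLockerPolicy output with the AppLocker semantics in mind: once a rule collection contains any rule and is set to Enforce, everything not explicitly allowed in that collection is denied, so a collection holding only a deny rule for powershell.exe will block every other executable as well. Keep the default allow rules in the collection, stay in AuditOnly for the first batch, and review the AppLocker event log before switching the batch to Enforce.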

btan (Exec Consultant) commented:
For author advice.
0
btan (Exec Consultant) commented:
For consideration as advised to tap more on the HIPS capabilities.
0