GPO or safest way to disable access to PowerShell for PCs

I want to disable PowerShell access on users' PCs batch by batch rather than across 3000 PCs corporate-wide in one go.

What's the safest / easiest way? There's a direction in our corporate to mitigate against fileless attacks:

Fileless attacks have gone mainstream. They were one of the fastest growing threats in 2017 and are predicted to grow even more next year. And they're the most dangerous - Ponemon's 2017 State of Endpoint Security Risk study found that more than 75% of successful breaches involve fileless techniques.
What's behind this troubling growth? A new Morphisec report looks at the evolution of this attack trend and examines how malware incorporates fileless techniques to avoid antivirus and NextGen detection tools.
sunhux asked:
btan (Exec Consultant) commented:
Actually, a fileless attack also means the malware is "fully loaded" and not required for the callback to download the lethal payload that will damage the victim machine. The mentioned PowerShell attack is just one category to defend against this attack. Collectively, you should go for application whitelisting, which comes with AppLocker or a HIPS like McAfee app control.

See the various assessments of potential bypasses of HIPS controls. PS scripts can be excluded from the whitelist.
https://kc.mcafee.com/corporate/index?page=content&id=KB86405

See best practice as a whole
Script authorization
Application Control includes a default script interpreter list to whitelist script exclusions. Technical Support recommends that you update the list based on the requirements in your environment. You must evaluate script interpreters (such as PowerShell, Perl, PHP, and Java) and the extensions they support. If any script interpreters are present with no business requirement, Technical Support recommends they be removed from the system or prevented from execution using Application Control constructs.
https://kc.mcafee.com/corporate/index?page=content&id=KB86405
1
 
ferrarista commented:
Disable access to PowerShell:

In the Group Policy window for users, on the left-hand side, drill down to User Configuration > Administrative Templates > System > Don’t run specified Windows applications.

In the properties window that opens, click the “Enabled” option and then click the “Show” button.

In the “Show Contents” window add --> powershell.exe
0
 
arnold commented:
OU based restriction/application of GPO
One is to use a security filter and specify a test system to which the GPO will apply.
In the absence of OUs, are the systems grouped in a security group that can be used in the security filter to which the GPO will apply?
0
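
The setting from ferrarista's comment combined with the security filter arnold describes, as an added example that is not part of the original thread. It writes the registry values behind "Don't run specified Windows applications" into a new GPO and applies it to one pilot group only. The GPO name, group name and link target are hypothetical, and the group is assumed to hold user accounts because the setting lives under User Configuration.

```powershell
#Requires -Modules GroupPolicy
# Added example. Run on a machine with RSAT/GPMC as a user allowed to create GPOs.
# All three names below are hypothetical placeholders; adjust them to your domain.
$GpoName    = 'Block PowerShell - Batch 1'   # hypothetical GPO name
$PilotGroup = 'PS-Block-Batch1'              # hypothetical group of pilot USER accounts
$LinkTarget = 'DC=example,DC=com'            # hypothetical domain or OU to link to

# Registry location used by "Don't run specified Windows applications"
$PolicyKey = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$Blocked   = @('powershell.exe')             # the entry named in the thread

New-GPO -Name $GpoName -Comment 'Pilot: block PowerShell for batch 1' | Out-Null

# DisallowRun = 1 turns the restriction on; the DisallowRun subkey holds one
# numbered string value per blocked executable name.
Set-GPRegistryValue -Name $GpoName -Key $PolicyKey `
    -ValueName 'DisallowRun' -Type DWord -Value 1 | Out-Null
$index = 1
foreach ($exe in $Blocked) {
    Set-GPRegistryValue -Name $GpoName -Key "$PolicyKey\DisallowRun" `
        -ValueName "$index" -Type String -Value $exe | Out-Null
    $index++
}

# Security filtering: a new GPO applies to Authenticated Users by default.
# Drop that to read-only, then grant "apply" to the pilot group alone.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $GpoName -TargetName $PilotGroup `
    -TargetType Group -PermissionLevel GpoApply | Out-Null

# Link once at the chosen scope; later batches are rolled in by adding
# users to the pilot group (or adding further groups with GpoApply).
New-GPLink -Name $GpoName -Target $LinkTarget -LinkEnabled Yes | Out-Null

# Review who the GPO applies to before the next policy refresh.
Get-GPPermission -Name $GpoName -All |
    Select-Object @{n='Trustee';e={$_.Trustee.Name}}, Permission
```

On a pilot PC, `gpresult /r` run as a member of the group shows whether the GPO was applied. The policy's own help text says it covers only programs started by the File Explorer process, which is why the application whitelisting route (AppLocker or HIPS) raised earlier in the thread is the stronger control.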
 
btan (Exec Consultant) commented:
For author advice.
0
 
btan (Exec Consultant) commented:
For consideration as advised to tap more on the HIPS capabilities.
0
Question has a verified solution.
