News

PowerShell 2.0, Other Features Get Cut from Fall Windows 10 Update

• By Kurt Mackie
• July 25, 2017

Microsoft recently posted a list of features that will get removed or deprecated in the Windows 10 "Fall Creators Update" that's expected to arrive in September or October.

According to a support document dated July 20, Microsoft is removing some outdated Trusted Platform Module code, and TLS RC4 ciphers are getting deprecated. Microsoft also indicated that the deployment of Windows Hello, its biometric authentication capability for Windows 10, should be done via the Registration Authority of Active Directory Federation Services, rather than via System Center Configuration Manager (an approach that's being deprecated).

Microsoft's System Image Backup solution is getting deprecated ("use full-disk backup solutions from other vendors," Microsoft recommended). The Syskey.exe security feature is also getting removed in favor of using the BitLocker disk encryption tool.

Other removed or deprecated solutions include IIS 6 management tools, Outlook Express, the Reader app, the 3D Builder app and the venerable Microsoft Paint program. In the case of Microsoft Paint, it's becoming a free Windows Store app.

The Enhanced Mitigation Experience Toolkit (EMET) is described as being "removed" from the Windows 10 Fall Creators Update, but it's actually being moved to the new "Windows Defender Exploit Guard" feature that's coming with the Fall Creators Update.

PowerShell as Security Hole
Another notable feature that is being deprecated in the Fall Creators Update is Windows Power Shell 2.0, which will continue to work, but won't get patched. Instead, Microsoft wants organizations to shift to using PowerShell 5.0, or newer versions.

Jeffrey Snover, a Microsoft Technical Fellow and the "father" of PowerShell, had few tears to shed over the impending demise of Windows PowerShell 2.0. In a Twitter post, he advised moving to new versions of PowerShell:

"PowerShell V2 is being deprecated (and that is a very good thing). If you still use V2, upgrade now to avoid drama."

The rationale is that Windows PowerShell 2.0 currently lacks security protections that have been built into later versions, particularly PowerShell 5.0. Snover didn't elaborate on those details, but others, such as Sean Metcalf, a Microsoft Certified Master for Directory Services, have suggested that Windows PowerShell 5.0 has made it harder to carry out exploits. IT pros can now log PowerShell activity with version 5.0 to detect attacks, for instance, he noted.

PowerShell is the "evil armyknife for the blackhats out there," said David das Neves, a premier field engineer for Microsoft Germany. However, he advised against deactivating PowerShell. Instead, he offered some security best practices in this May blog post.

PowerShell Security Tips
It's possible for attackers to invoke Windows PowerShell 2.0 if it's installed in a computing environment. Attackers could use that approach to cover their tracks since Windows PowerShell 2.0 lacks logging capabilities. One solution is to just turn off Windows PowerShell 2.0 in Windows 10 from the Windows Features menu, if that's possible for organizations to do.

Other security approaches take a greater investment of time and expertise, according to das Neves. His advice quickly shifted from disabling PowerShell 2.0 to implementing the entire Windows 10 security stack.

Organizations can create separate admin accounts for administrative tasks. They can remove unnecessary administrators. Just Enough Administration (JEA), a PowerShell administrative scheme, can be used to permit access to certain tasks without granting full administrator privileges. Organizations can use certain other Microsoft security technologies, such as Shielded Virtual Machines that prevent the copying of VM files, or Credential Guard, which adds protections against pass-the-hash types of attacks.

It's possible to use the ConstrainedLanguageMode with Windows PowerShell 5.0 to ward off credential leaks on Windows 7 devices, which is done using either AppLocker or Device Guard. The Anti-Malware Scan Interface (AMSI) can be used to evaluate if scripts are potentially harmful. Windows Defender, the anti-malware solution that's built into Windows 10, supports AMSI "out of the box," das Neves explained.

He also recommended using Windows Defender Advanced Threat Protection as a forensic tool to detect attacks. Users can turn on ScriptBlockLogging to log the actual code that was used during an attack.

In general, das Neves recommended modernizing the software environment, limiting administrative access privileges and disabling PowerShell 2.0 as necessary steps to limit the potential for abuse by attackers.