3.11.54.1 (L1) Ensure 'Turn on PowerShell Script Block Logging' is set to 'Enabled'

Information

This policy setting enables logging of all PowerShell script input to the Applications and Services Logs\Microsoft\Windows\PowerShell\Operational Event Log channel.

The recommended state for this setting is: Enabled

Note: If logging of Script Block Invocation Start/Stop Events is enabled (option box checked), PowerShell will log additional events when invocation of a command, script block, function, or script starts or stops. CIS has intentionally chosen not to make a recommendation for this option, since it generates a large volume of events. If an organization chooses to enable the optional setting (checked), this also conforms to the benchmark.

Logs of PowerShell script input can be very valuable when performing forensic investigations of PowerShell attack incidents to determine what occurred.

Solution

To establish the recommended configuration via configuration profiles, set the following Settings Catalog path to Enabled

Administrative Templates\Windows Components\Windows PowerShell\Turn on PowerShell Script Block Logging
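The following is an added example, not part of the CIS benchmark or the plugin: a PowerShell audit-and-remediate function for this control that reads the registry value the policy writes (HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\EnableScriptBlockLogging, DWORD 1 = Enabled), which is the same location a Settings Catalog profile or GPO populates. The function name and its -Remediate switch are this example's own conventions; remediation requires an elevated session, and on managed devices the profile should remain the source of truth so the value is not reverted at the next policy refresh.

```powershell
# Added example (not from the CIS benchmark or the Tenable plugin). Audits the
# registry value behind 'Turn on PowerShell Script Block Logging' and optionally
# writes the Enabled value. The key and value names are the policy's documented
# registry locations; the function name and -Remediate switch are assumptions.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'

function Test-ScriptBlockLogging {
    [CmdletBinding()]
    param([switch]$Remediate)

    # 1 = Enabled, 0 = Disabled, $null = Not Configured. Not Configured is not
    # compliant: PowerShell 5+ then only logs blocks it deems suspicious, not all.
    $enabled    = (Get-ItemProperty -Path $PolicyKey -Name 'EnableScriptBlockLogging' `
                       -ErrorAction SilentlyContinue).EnableScriptBlockLogging
    # Optional Start/Stop invocation events (4105/4106); CIS makes no recommendation.
    $invocation = (Get-ItemProperty -Path $PolicyKey -Name 'EnableScriptBlockInvocationLogging' `
                       -ErrorAction SilentlyContinue).EnableScriptBlockInvocationLogging

    $compliant = ($enabled -eq 1)
    if (-not $compliant -and $Remediate) {
        # Mirror what the policy engine writes; needs an elevated session.
        New-Item -Path $PolicyKey -Force | Out-Null
        Set-ItemProperty -Path $PolicyKey -Name 'EnableScriptBlockLogging' -Value 1 -Type DWord
        $enabled   = 1
        $compliant = $true
    }

    [pscustomobject]@{
        EnableScriptBlockLogging           = $enabled
        EnableScriptBlockInvocationLogging = $invocation
        Compliant                          = $compliant
    }
}

# Audit only; add -Remediate to set the value when it is missing or 0.
Test-ScriptBlockLogging
```

Once the value is 1, new script blocks appear as Event ID 4104 in the Microsoft-Windows-PowerShell/Operational channel, which is what the Impact section below refers to.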

Impact:

PowerShell script input will be logged to the Applications and Services Logs\Microsoft\Windows\PowerShell\Operational Event Log channel, which can contain credentials and sensitive information.

Warning: There are potential risks of capturing credentials and sensitive information in the PowerShell logs, which could be exposed to users who have read-access to those logs. Microsoft provides a feature called 'Protected Event Logging' to better secure event log data. For assistance with protecting event logging, visit:

About Logging Windows - PowerShell | Microsoft Docs
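To make the forensic value and the credential-exposure risk concrete, here is an added example that is not part of the benchmark or the plugin: a PowerShell function that reads Event ID 4104 from the channel named above, reassembles script blocks that PowerShell split across several events, and flags blocks whose text looks like it carries an inline secret. The payload property order for 4104 (MessageNumber, MessageTotal, ScriptBlockText, ScriptBlockId, Path) is the event's documented layout; the function name, the default time window and the secret-matching patterns are this example's own choices and are heuristics, not a complete detector.

```powershell
# Added example (not from the CIS benchmark or the Tenable plugin). Collects
# 4104 script block events, joins multi-part blocks, and marks likely secrets.
# Function name, window and regexes are assumptions made for this example.
function Get-LoggedScriptBlock {
    [CmdletBinding()]
    param(
        [datetime]$Since = (Get-Date).AddDays(-1),
        [int]$MaxEvents = 5000
    )

    $filter = @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = $Since
    }
    # With Protected Event Logging enabled these records are CMS-encrypted;
    # decrypt them first on a host holding the private key, e.g.
    #   Get-WinEvent -FilterHashtable $filter | Unprotect-CmsMessage
    $events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    # 4104 payload: [0] MessageNumber, [1] MessageTotal, [2] ScriptBlockText,
    # [3] ScriptBlockId, [4] Path. Large scripts arrive as several events that
    # share a ScriptBlockId; order the fragments and join them back together.
    $events |
        Group-Object { $_.Properties[3].Value } |
        ForEach-Object {
            $parts = $_.Group | Sort-Object { [int]$_.Properties[0].Value }
            $text  = -join ($parts | ForEach-Object { $_.Properties[2].Value })

            # Heuristic only: common shapes of secrets pasted into scripts.
            $looksSecret = ($text -match '(?i)(password|pwd|secret|apikey|token)\s*[=:]\s*["'']?\S+') -or
                           ($text -match '(?i)ConvertTo-SecureString\s+.*-AsPlainText')

            [pscustomobject]@{
                TimeCreated     = $parts[0].TimeCreated
                ScriptBlockId   = $_.Name
                Path            = $parts[0].Properties[4].Value
                Fragments       = $parts.Count
                MaySpillSecret  = $looksSecret
                ScriptBlockText = $text
            }
        }
}

# Usage: the last 24h of reassembled blocks that may contain a secret, newest first.
Get-LoggedScriptBlock |
    Where-Object MaySpillSecret |
    Sort-Object TimeCreated -Descending |
    Select-Object TimeCreated, Path, Fragments, ScriptBlockId
```

Running this periodically against collected logs is a practical way to find the credentials the warning above describes before an attacker with log read access does; the same reassembly step is what an investigator needs to recover the full text of a long or obfuscated script during an incident.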

See Also

https://workbench.cisecurity.org/benchmarks/16853

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-2, CSCv7|8.8

Plugin: Windows

Control ID: b46203b281230df7a248a9c1dd26cd81c65b81b53d8e1dae9271fc0a5dcf3c7f