18 June 2019

Disable/remove PowerShell V2.0 and why you should

Microsoft deprecated Windows PowerShell 2.0 with the Windows 10 Fall Creators Update (version 1709). The engine is still shipped as an optional component for compatibility, but it is no longer developed.
The first reason to remove or disable it is simply that it is old, and unmaintained code rarely holds up well against current attacks.
The second reason is more concrete. The 2.0 engine runs the same lateral-movement and persistence tooling as the current engine, but it predates the security features added in later versions: script block logging, transcription and the AMSI integration introduced in Windows PowerShell 5.0 do not apply to it, and module logging (added in 3.0) does not cover it either. An attacker who starts powershell.exe -Version 2 on a host where the engine is enabled (and .NET Framework 3.5 is installed, which the 2.0 engine requires) therefore runs with far less visibility. This "downgrade attack" is a well-known evasion technique, and the engine's lack of native logging is its real value to an attacker.
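The downgrade described above does leave one trace: the classic "Windows PowerShell" event log records an Event ID 400 ("Engine state is changed from None to Available") for every engine start, and the message body carries an EngineVersion= field. The following function is an added example, not part of the original post, that pulls those events and flags any engine start with EngineVersion 2.x. It assumes the classic log is enabled (the default) and that Event 400 still lists EngineVersion=, HostVersion= and HostApplication= as key=value lines in its message.

```powershell
# Added example (not from the original post): find PowerShell 2.0 engine starts
# in the classic "Windows PowerShell" log. On a fleet where the v2 engine is
# supposed to be disabled, any hit is worth triage; HostVersion and
# HostApplication tell you which binary and command line loaded it.
function Get-PowerShellV2EngineStart {
    [CmdletBinding()]
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [datetime]$StartTime = (Get-Date).AddDays(-7)
    )

    # Event 400 is written once per engine start, regardless of logging policy,
    # which is what makes it useful for catching the v2 downgrade.
    $filter = @{ LogName = 'Windows PowerShell'; Id = 400; StartTime = $StartTime }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $msg = $_.Message
            # The message body is a list of key=value lines; pull out the ones we need.
            $engineVer = [regex]::Match($msg, 'EngineVersion=([\d\.]+)').Groups[1].Value
            $hostVer   = [regex]::Match($msg, 'HostVersion=([\d\.]+)').Groups[1].Value
            $hostApp   = [regex]::Match($msg, 'HostApplication=(.+)').Groups[1].Value.Trim()

            if ($engineVer -like '2.*') {
                [pscustomobject]@{
                    TimeCreated     = $_.TimeCreated
                    Computer        = $_.MachineName
                    EngineVersion   = $engineVer
                    HostVersion     = $hostVer      # a 5.x host with a 2.x engine is a downgrade
                    HostApplication = $hostApp      # e.g. powershell.exe -Version 2 ...
                }
            }
        }
}

# Usage: scan the last week on the local machine.
Get-PowerShellV2EngineStart | Format-Table -AutoSize
```

Run it on the hosts you manage (or point -ComputerName at them) before removing the engine, so that you know which scheduled tasks or legacy tools legitimately still load it.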

Windows PowerShell 2.0 shipped with Windows 7 and Windows Server 2008 R2, and was made available for Windows XP, Server 2003, Vista and Server 2008 through Windows Management Framework 2.0. When Windows PowerShell 3.0 was released as part of Windows 8, Windows Server 2012 and WMF 3.0, Windows PowerShell moved to a newer version of the .NET Framework (CLR 4) that was not compatible with older applications. In order to maintain backwards compatibility with these applications, Microsoft kept Windows PowerShell 2.0 as an optional, side-by-side component in later versions of Windows and Windows Server.

As PowerShell Core 6.0 enters the marketplace (with PowerShell 7 in development), Microsoft is reducing the complexity of the PowerShell ecosystem. Removing an outdated version of .NET makes development easier for cmdlet and script authors, who can focus on the .NET Standard ecosystem that includes only .NET Framework 4.6+ and .NET Core 2.0.

You can check whether Windows PowerShell 2.0 is installed by running the following from an elevated PowerShell session (run as administrator).

On Windows 7/8.1/10, the following will return a State as either Enabled or Disabled:
Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2

On Windows Server, the following will return an InstallState of Installed, Available or Removed:
Get-WindowsFeature PowerShell-V2

To disable PowerShell V2.0 on a client, run PowerShell with elevated privileges (run as administrator).

Enter the following:

Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root

This command disables both "MicrosoftWindowsPowerShellV2Root" and "MicrosoftWindowsPowerShellV2", which correspond to "Windows PowerShell 2.0" and "Windows PowerShell 2.0 Engine" respectively in "Turn Windows features on or off". The command may ask for a restart. Note that the 2.0 engine also depends on .NET Framework 3.5 (CLR 2.0): if 3.5 is not installed, powershell.exe -Version 2 fails even while the feature is enabled, but relying on that is fragile because 3.5 is easily added later, so disable the feature regardless. After disabling, verify with Get-WindowsOptionalFeature that the State is Disabled and that powershell.exe -Version 2 no longer starts a 2.0 engine.
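The steps above, as an added example that is not part of the original post: the script below tests whether a 2.0 downgrade actually works on the local machine, disables the optional feature on clients, and removes the PowerShell-V2 feature on Windows Server (which the original post does not cover). It assumes an elevated session; the Server branch assumes the ServerManager module that ships with Windows Server 2012 and later, and the workstation/server distinction is taken from Win32_OperatingSystem.ProductType.

```powershell
# Added example (not from the original post): audit and remove the PowerShell 2.0
# engine on the local machine. Requires an elevated session.

function Test-PowerShellV2Downgrade {
    # Ask powershell.exe for a 2.0 engine and have it report its own version.
    # Output "2" with exit code 0 means an attacker can downgrade on this host.
    # Anything else means the engine is disabled, or .NET Framework 3.5 (CLR 2.0),
    # which the 2.0 engine also needs, is missing.
    $out = & powershell.exe -NoProfile -Version 2 -Command '$PSVersionTable.PSVersion.Major' 2>&1
    return ($LASTEXITCODE -eq 0 -and "$out".Trim() -eq '2')
}

function Remove-PowerShellV2 {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    # ProductType: 1 = workstation, 2 = domain controller, 3 = server.
    $isServer = (Get-CimInstance Win32_OperatingSystem).ProductType -ne 1

    if ($isServer) {
        # Windows Server exposes the engine as a feature managed by ServerManager.
        $feature = Get-WindowsFeature PowerShell-V2
        if ($feature.Installed -and
            $PSCmdlet.ShouldProcess('PowerShell-V2', 'Uninstall-WindowsFeature')) {
            Uninstall-WindowsFeature PowerShell-V2
        }
    }
    else {
        # Clients expose it as an optional feature; disabling the Root feature
        # also disables the nested MicrosoftWindowsPowerShellV2 engine feature.
        $feature = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root
        if ($feature.State -eq 'Enabled' -and
            $PSCmdlet.ShouldProcess('MicrosoftWindowsPowerShellV2Root', 'Disable-WindowsOptionalFeature')) {
            # -NoRestart defers the reboot; the engine is unavailable once it has happened.
            Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -NoRestart
        }
    }
}

# Usage: measure, remediate, measure again.
"Downgrade possible before: $(Test-PowerShellV2Downgrade)"
Remove-PowerShellV2
"Downgrade possible after:  $(Test-PowerShellV2Downgrade)"
```

Run Remove-PowerShellV2 -WhatIf first to see which branch applies without changing anything. Because the test function launches the engine itself, expect it to leave an Event ID 400 with EngineVersion=2.0 in the Windows PowerShell log on hosts where the downgrade still works, so exclude your own audit runs when hunting for real downgrade attempts.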
