Disable These 3 Windows Settings Now! (For Security)
Published 2023-08-23
Commands Mentioned:
• Get Language Mode: $ExecutionContext.SessionState.LanguageMode
• Environment Variable Name: __PSLockDownPolicy (Note: You will need to open a new PowerShell window to see if it applied)
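
A read-only check of the three settings the video covers, added here as an example (it is not from the video or its author). It assumes an elevated Windows PowerShell window, because querying optional features needs administrator rights, and the feature name MicrosoftWindowsPowerShellV2Root is the standard Windows name for the PowerShell 2.0 engine, not something stated on this page.

```powershell
# Added example: audits the current state only; it changes nothing on the system.
# Assumption: run from an elevated Windows PowerShell window.

# 1. PowerShell 2.0 engine (optional Windows feature)
try {
    $v2 = Get-WindowsOptionalFeature -Online -FeatureName 'MicrosoftWindowsPowerShellV2Root' -ErrorAction Stop
    $v2State = "$($v2.State)"
} catch {
    # Not elevated, cmdlet unavailable in this session, or feature absent on this build
    $v2State = "unknown ($($_.Exception.Message))"
}

# 2. Language mode of THIS session, plus the environment variable from the description.
#    $env: is used because it still works when the session is already constrained.
$mode     = $ExecutionContext.SessionState.LanguageMode
$lockdown = $env:__PSLockdownPolicy
if ([string]::IsNullOrEmpty($lockdown)) { $lockdown = '(not set)' }

# 3. Execution policy at every scope; the effective one is the first
#    scope in this list whose value is not 'Undefined'.
$policies  = Get-ExecutionPolicy -List
$effective = Get-ExecutionPolicy

Write-Output "PowerShell version      : $($PSVersionTable.PSVersion)"
Write-Output "PowerShell 2.0 feature  : $v2State"
Write-Output "Language mode           : $mode"
Write-Output "__PSLockdownPolicy      : $lockdown"
Write-Output "Effective exec. policy  : $effective"
$policies | Format-Table -AutoSize

# Flag the states the video sets out to change
if ($v2State -eq 'Enabled')       { Write-Warning 'PowerShell 2.0 engine is still enabled.' }
if ($mode -eq 'FullLanguage')     { Write-Warning 'Session is running in FullLanguage mode.' }
if ($effective -in 'Unrestricted', 'Bypass') {
    Write-Warning "Execution policy '$effective' lets unsigned scripts run."
}
```

Run it in a newly opened window after making changes, and again in a PowerShell 7 window, since the timestamps below treat the PowerShell 7 execution policy as a separate setting.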
Mentioned Links:
• Policy Plus: github.com/Fleex255/PolicyPlus
• PowerShell 7: github.com/PowerShell/PowerShell
• Microsoft Language Mode Article: learn.microsoft.com/en-us/powershell/module/micros…
▼ Time Stamps: ▼
0:00 - Why Though?
1:00 - What We'll Be Doing
1:46 - Remove PowerShell 2.0
2:22 - Constrained Language Mode
4:22 - About Execution Policy
5:41 - Setting Up Execution Policy
8:28 - PowerShell 7 Execution Policy
9:27 - Setting PowerShell 7 Policy
All Comments (21)
-
Also this should work on both Windows 10 and 11
-
It needs to be said that the Constrained Language will have a large impact on your system's ability to run legitimate PowerShell scripts. I really don't advise this option at all. You should only do this on dedicated computer systems where you know PowerShell is not being used as a means to install or manage software or the system itself. This option will otherwise break tools like Chocolatey, the SQL Server installation process, and a lot more. Don't do this on your daily usage computer. There is a lot of Windows software out there that relies on PowerShell features for its own maintenance or installation processes.
-
Thio never disappoints
-
Thio never disappoints at making me tired by waking me up at 3 am
-
One of the best things you can do is enable logging for PowerShell, which is disabled by default for some unholy reason. That way, when someone does get past any blocks you set up, you or someone else can go back and see what was done.
-
Very useful information. I wish Microsoft took Windows security more seriously. Like why have PowerShell 2.0 even enabled by default? Anyone who needs it can just enable it on their own. Massive security risk.
-
Thio Joe may not be a driver, but he never fails to deliver 💯💯💥💯
-
Very nice. I've been a programmer for 40 years now and this is something I didn't know. I am retired now so I am not as up to date as I used to be when working in the IT environment.
-
Method 2, Microsoft's comment: "As part of the implementation of Constrained Language, PowerShell included an environment variable for debugging and unit testing called __PSLockdownPolicy. While we have never documented this, some have discovered it and described this as an enforcement mechanism. This is unwise because an attacker can easily change the environment variable to remove this enforcement. In addition, there are also file naming conventions that enable FullLanguage mode on a script, effectively bypassing Constrained Language."
-
Nice security tips! I wasn't aware of these settings. Thanks!
-
If only Microsoft had somebody like ThioJoe on the team...
-
This is so good! Easy to follow video and thanks for the tips. <3
-
Mate, great community service and well instructed! Thanks
-
Thx Thio, this was very helpful. A small adjustment with potential big headache savings. You move so fast on your How To Step by Step. I had to pause your instruction several times.
-
Nice segment. Thank you for posting!
-
Thanks!! Love your videos and your delivery and technique are awesome. Keep up the great work.
-
For many years now I've woken up to YouTube autoplaying ThioJoe videos. This time no different, I started watching Warhammer videos, fell asleep and now woke up to the voice of Thio. It's almost nostalgic and homely at the same time. Great video as always, will need to check these tips out.
-
Great info! You should do a video on the Microsoft Security Baselines sometime; they have an extensive inventory of useful settings like this and they're from Microsoft themselves. Lots of companies use these as a starting point for securing corporate devices.
-
Well delivered and concise, thanks Thio
-
Mister ThioJoe, thank you for taking all this time to do these videos and share them with us. You explain really well, with clarity and visuals, and that's, from my perspective, the best way to do it. Hope you receive all the best in your life, my friend.