Secure PowerShell Event Logging

As part of the recent disclosure of CVE-2018-16859 we have come up with a playbook that can clear existing log entries as well as restrict the users who can view the PowerShell operational logs. While the CVE has been remediated in the latest release of Ansible, if you are running PowerShell v5+ or have explicitly enabled module logging, it would still be beneficial to secure the logs further.

The repo at https://github.com/jborean93/ansible-windows/tree/master/playbooks/secure-ps-logging contains a playbook that can be run on any Windows host to clear the existing logs and restrict the users who have read access. Once run, it will restrict the event log ‘Microsoft-Windows-PowerShell/Operational’ to the following users:

  • SYSTEM: Will have STANDARD_RIGHTS_REQUIRED, Read, and Clear rights
  • BUILTIN\Administrators: Will have Read and Clear rights
  • EVENT_LOG_READERS: Will only have Read rights

This is the same level of access as the ‘Security’ event log and will stop standard users from being able to read the log entries without elevating their privileges.

Changing these permissions does not disable the logging; it only restricts who can read the logs to a more privileged selection of users. You can find out more about securing the PowerShell operational logs by reading through https://blogs.technet.microsoft.com/kfalde/2017/05/13/securing-your-powershell-operational-logs/.
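One way to apply and verify the same restriction by hand, as an added PowerShell example rather than the playbook from the linked repo. It assumes an elevated session on Windows 10 / Server 2016 or later (for wevtutil and ConvertFrom-SddlString); the SDDL string encodes exactly the three entries listed above.

```powershell
# Added example (not the repo's playbook): clear and lock down the PowerShell
# operational log with wevtutil. Run from an elevated PowerShell session.
$LogName = 'Microsoft-Windows-PowerShell/Operational'

# Channel-access SDDL matching the Security log:
#   SY (SYSTEM)                      0xF0005 = STANDARD_RIGHTS_REQUIRED | Read | Clear
#   BA (BUILTIN\Administrators)      0x5     = Read | Clear
#   S-1-5-32-573 (Event Log Readers) 0x1     = Read
$SecureSddl = 'O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)'

function Get-ChannelAccess {
    param([string]$Name)
    # "wevtutil gl" prints the channel settings, one "key: value" per line.
    $line = wevtutil.exe gl $Name | Where-Object { $_ -match '^\s*channelAccess:' }
    return ($line -replace '^\s*channelAccess:\s*', '').Trim()
}

function Test-ChannelAccess {
    param([string]$Sddl)
    # Report any allow ACE granted to a principal other than the three expected ones.
    $allowed = 'SY', 'BA', 'S-1-5-32-573'
    $aces = [regex]::Matches($Sddl, '\(([^)]*)\)') | ForEach-Object { $_.Groups[1].Value.Split(';') }
    foreach ($ace in $aces) {
        # ACE fields: type;flags;rights;object;inherit-object;sid
        if ($ace[0] -eq 'A' -and $allowed -notcontains $ace[5]) {
            Write-Warning "Unexpected allow ACE for $($ace[5]) with rights $($ace[2])"
            return $false
        }
    }
    return $true
}

$before = Get-ChannelAccess -Name $LogName
"Current channel ACL: $before"
if (-not (Test-ChannelAccess -Sddl $before)) {
    # Clear entries written while the log was readable by standard users, then tighten the ACL.
    wevtutil.exe cl $LogName
    wevtutil.exe sl $LogName "/ca:$SecureSddl"
}

$after = Get-ChannelAccess -Name $LogName
"Effective channel ACL: $after"
# Human-readable breakdown of who now holds which rights
(ConvertFrom-SddlString -Sddl $after).DiscretionaryAcl
```

Running Test-ChannelAccess on its own against the current value is a cheap compliance check to schedule after the change, since Windows updates or other tooling can reset the channel ACL.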

Thanks

Jordan