Microsoft Windows 10

The Windows PowerShell 2.0 feature must be disabled on the system

STIG ID: WN10-00-000155 | SRG: SRG-OS-000095-GPOS-00049 | Severity: Medium | CCI: CCI-000381 | Vulnerability ID: V-220728

Description

Windows PowerShell 5.0 added advanced logging features that can provide additional detail when malware has been run on a system. Disabling the Windows PowerShell 2.0 feature mitigates a downgrade attack that evades the Windows PowerShell 5.0 script block logging feature.

Check

C-22443r554669_chk

Run "Windows PowerShell" with elevated privileges (run as administrator).

Enter the following:

Get-WindowsOptionalFeature -Online | Where FeatureName -like *PowerShellv2*

If either of the following have a "State" of "Enabled", this is a finding.

FeatureName : MicrosoftWindowsPowerShellV2
State : Enabled

FeatureName : MicrosoftWindowsPowerShellV2Root
State : Enabled

Alternately:

Search for "Features".

Select "Turn Windows features on or off".

If "Windows PowerShell 2.0" (whether the subcategory of "Windows PowerShell 2.0 Engine" is selected or not) is selected, this is a finding.

Fix

F-22432r554670_fix

Disable "Windows PowerShell 2.0" on the system.

Run "Windows PowerShell" with elevated privileges (run as administrator).

Enter the following:

Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root

This command should disable both "MicrosoftWindowsPowerShellV2Root" and "MicrosoftWindowsPowerShellV2" which correspond to "Windows PowerShell 2.0" and "Windows PowerShell 2.0 Engine" respectively in "Turn Windows features on or off".

Alternately:

Search for "Features".

Select "Turn Windows features on or off".

De-select "Windows PowerShell 2.0".
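
Added example (not part of the STIG text): the check and fix above combined into one function that reports each feature's state, optionally applies the fix, and re-checks afterwards. The function name, the -Remediate switch, the output property names and the "QueryFailed" marker are hypothetical; a failed query is surfaced for review rather than counted as compliant.

```powershell
#Requires -RunAsAdministrator
# Added example (not STIG text). Function, parameter and property names are hypothetical.

function Test-PowerShellV2Disabled {
    [CmdletBinding()]
    param(
        [switch]$Remediate   # disable the feature when a finding is detected
    )

    # The two feature names inspected by the check above.
    $names = 'MicrosoftWindowsPowerShellV2Root', 'MicrosoftWindowsPowerShellV2'

    $query = {
        foreach ($n in $names) {
            try {
                $f = Get-WindowsOptionalFeature -Online -FeatureName $n -ErrorAction Stop
                $state = [string]$f.State
            } catch {
                # Do not report a failed query as compliant; surface it for review.
                $state = 'QueryFailed'
            }
            [pscustomobject]@{
                Computer    = $env:COMPUTERNAME
                FeatureName = $n
                State       = $state
                Finding     = ($state -eq 'Enabled')
            }
        }
    }

    $results = & $query

    if ($Remediate -and ($results.Finding -contains $true)) {
        # Per the fix text, disabling the Root feature should disable both.
        Disable-WindowsOptionalFeature -Online -NoRestart `
            -FeatureName 'MicrosoftWindowsPowerShellV2Root' | Out-Null
        # Re-run the check so the report reflects the state after the fix.
        $results = & $query
    }

    $results
}

# Audit only:
Test-PowerShellV2Disabled | Format-Table -AutoSize
# Audit, then fix and re-check if either feature is enabled:
# Test-PowerShellV2Disabled -Remediate
```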