Why Security Matters
I have been doing some additional training on PowerShell this past week. PowerShell is an open-source task automation and configuration management framework created by Microsoft. It is built into Windows 10 and can also be deployed on macOS and Linux. There is an interactive command-line interface (CLI) for PowerShell, which is a great way to learn it, and Windows 10 also ships a built-in development app called PowerShell ISE that can help you pick up PowerShell fairly quickly.
PowerShell can not only manage desktop operating systems across platforms; it is also a core technology of Office 365 and of any other third-party desktop or cloud application whose APIs (Application Programming Interfaces) can be driven by PowerShell.
For example, I can open the PowerShell CLI on my laptop, which has never signed into Office 365 before, and type in a command to authenticate with an Office 365 tenant. At that point I am challenged for a username and password, which is just someone’s email address and password for their Office 365 account. This is why we are so insistent on our clients setting up Multi-Factor Authentication. The command still works with Multi-Factor Authentication turned on, but then you need to get past the Multi-Factor Authentication as well as the legacy, and mostly insecure, username/password.
Whatever level of access the account has on Office 365 is the level of access the PowerShell script now has. So with Global Admin rights, I can remotely rename a SharePoint site, delete a file, back up a file, and so on, all remotely and all automatically. I can manipulate your Windows, macOS or Linux devices in exactly the same fashion, remotely and completely autonomously. I do not need an interactive remote session on your device, so you cannot see me, or anyone else, doing these things. The tooling we use does generate an audit trail of everything, both interactive sessions and fully autonomous scripting, so that we can pull up a log of who did what and where.
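The audit trail just mentioned is the defender’s side of this story, and Microsoft 365 keeps one of its own. The script below is an added example, not the post’s code and not the author’s company’s tooling: it signs in to Exchange Online (interactively, so Multi-Factor Authentication applies exactly as it does for a person), pulls the last seven days of SharePoint file deletions from the unified audit log, and summarises which account deleted what, from which IP address and with which client. It assumes the ExchangeOnlineManagement module is installed, that the signed-in account is allowed to read the audit log, and uses a placeholder sign-in name; the `AuditData` field names used are the standard ones in that log.

```powershell
# Added example (not the post's or the author's company's code): review who has
# been deleting SharePoint files, using the Microsoft 365 unified audit log.
# Assumes the ExchangeOnlineManagement module is installed and the signed-in
# account may read the audit log.  Connect-ExchangeOnline opens an interactive
# sign-in, so MFA is enforced just as it would be for a user at the keyboard.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.example' -ShowBanner:$false  # placeholder UPN

$end   = Get-Date
$start = $end.AddDays(-7)

# SharePointFileOperation covers file activity; FileDeleted is the operation
# of interest here.  ResultSize caps a single call at 5000 records.
$events = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
    -RecordType SharePointFileOperation -Operations FileDeleted -ResultSize 5000

# AuditData is a JSON document; the fields read below are standard in it.
$rows = foreach ($e in $events) {
    $d = $e.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time      = $d.CreationTime
        User      = $d.UserId
        Operation = $d.Operation
        Object    = $d.ObjectId
        ClientIP  = $d.ClientIP
        UserAgent = $d.UserAgent
    }
}

# Who deleted the most: a quick triage view.
$rows | Group-Object User | Sort-Object Count -Descending |
    Select-Object Name, Count | Format-Table -AutoSize

# The same accounts broken down by client: this is where a scripted session
# shows up as a different user agent than the account's usual browser.
$rows | Group-Object User, UserAgent | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Full detail, oldest first, for anything that needs a closer look.
$rows | Sort-Object Time | Format-Table -AutoSize

Disconnect-ExchangeOnline -Confirm:$false
```

Widening `-Operations` (for example to include `FileDownloaded` or `FileMoved`) or adding `-UserIds` narrows or broadens the same query; the point of the exercise is that every action a script takes with an account’s rights is recorded against that account, which is exactly why those rights, and the second factor protecting them, matter.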
Microsoft, Google and many, many others use this technology routinely. This is why I say Microsoft has full admin privileges to every single Windows device on the planet. So does anyone else you have ever clicked “Yes” for when prompted “Do you want to allow such and such to make changes to your computer?” The very nanosecond you click Allow or Yes, you have granted full admin rights to something…indefinitely. There are steps that can be taken to remediate this to a degree, but in the end we prefer to trust nothing and assume everything is a security risk until proven otherwise; even our own automations are analyzed, scrutinized and categorized.
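The “make changes to your computer” prompt is Windows User Account Control (UAC), and whether it protects you depends on three things you can check on the device itself: who already holds administrator rights, whether the prompt is actually in force, and whether PowerShell activity is being logged so that a script running without an interactive session still leaves a trail. The read-only check below is an added example, not the post’s code; it uses the documented Windows registry locations for UAC and script block logging and is meant to be run from an elevated PowerShell session on Windows 10.

```powershell
# Added example (not the post's own code): read-only posture check for a
# Windows 10 endpoint.  Run from an elevated PowerShell session.

# 1. Who is a local administrator?  Anything unexpected here already has the
#    access described above; no further "Yes" click is needed.
Write-Host '== Local Administrators =='
Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, ObjectClass, PrincipalSource | Format-Table -AutoSize

# 2. UAC configuration.  EnableLUA=1 means UAC is on.  ConsentPromptBehaviorAdmin:
#    0 = elevate silently (no prompt at all), 2 = prompt for consent on the
#    secure desktop, 5 = prompt only for non-Windows binaries (the default).
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac = Get-ItemProperty -Path $uacKey
Write-Host '== UAC =='
[pscustomobject]@{
    EnableLUA                  = $uac.EnableLUA
    ConsentPromptBehaviorAdmin = $uac.ConsentPromptBehaviorAdmin
    PromptOnSecureDesktop      = $uac.PromptOnSecureDesktop
} | Format-List
if ($uac.EnableLUA -ne 1 -or $uac.ConsentPromptBehaviorAdmin -eq 0) {
    Write-Warning 'UAC is off or elevates silently: programs gain admin rights without a prompt.'
}

# 3. PowerShell script block logging.  When enabled, every script block that
#    runs is written to the Microsoft-Windows-PowerShell/Operational log as
#    event ID 4104, which is what lets an EDR agent or a person reconstruct
#    what a non-interactive script actually did.
$sblKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
$sbl = Get-ItemProperty -Path $sblKey -ErrorAction SilentlyContinue
Write-Host '== Script block logging =='
if ($sbl -and $sbl.EnableScriptBlockLogging -eq 1) {
    'Enabled'
    # Show the most recent recorded script blocks as a sanity check that
    # logging is really producing events.
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104
    } -MaxEvents 5 |
        Select-Object TimeCreated, Id,
            @{ n = 'Snippet'; e = { $_.Message.Substring(0, [Math]::Min(80, $_.Message.Length)) } } |
        Format-Table -AutoSize
} else {
    Write-Warning 'Script block logging is not enabled; scripted changes will not be recorded in the PowerShell log.'
}
```

None of this removes the access an already-installed program holds; it tells you what the device’s current state is so that the remediation steps the post alludes to (trimming the Administrators group, restoring the UAC prompt, turning on logging) are applied to known facts rather than assumptions.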
Our Endpoint Manager uses PowerShell scripting embedded in another language, Python, to do its work, and it also lets us run some very sophisticated automation scripting on the endpoints we manage and monitor. This is how we manage, monitor and control your endpoints, and how we push out other applications such as our Client Security agent and our Endpoint Detection and Response agent, which pay very close attention to what other scripting and automation is occurring on the devices we manage.
In the simplest, easiest-to-understand terms: you don’t control your endpoint device. Everyone else does. From Microsoft to Google to us (if you use our services; if not, whoever does manage your devices likely has this level of access through one management tool or another) to the Chinese hackers whose app you clicked Yes on to let it make changes to your device. So the next time you are asked whether you would like to allow a program to make changes to your device, be certain you know what you are granting access to.
There is a sort of spiritual warfare going on behind your screen.