Hardening Script Block Logging

Sep 27, 2018

By default, script block logging data is readable by anyone, not just Administrators. Script block events (event ID 4104) go to the Microsoft-Windows-PowerShell/Operational channel, and that channel's default access list lets ordinary users read it. So once script block logging is enabled, a standard user on the machine can read every script block that every other user (and every scheduled task or service account) executed, including any credentials or secrets those scripts happened to contain. The easiest way to see this is to install a small analyzer module from the PowerShell Gallery and use a one-liner:

# install the analyzer module for the current user only (no admin rights needed)
Install-Module -Name ScriptBlockLoggingAnalyzer -Scope CurrentUser
# read and display all script block events; works as a standard user on a default system
Get-SBLEvent | Out-GridView

There is a way to harden the script block log: give the channel the same access list (SDDL) that the Security log uses. Only the principals allowed to read the Security log (by default SYSTEM, the Administrators group and members of Event Log Readers) can then read script block events. The access list lives in the registry as the ChannelAccess value of the channel key, which is the same value wevtutil writes. Run this from an elevated PowerShell:

#requires -RunAsAdministrator

$Channel = 'Microsoft-Windows-PowerShell/Operational'
$Path = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\winevt\Channels\$Channel"
# borrow the access list (SDDL) currently applied to the Security log;
# out of the box that grants SYSTEM, Administrators and Event Log Readers
$sddlSecurity = ((wevtutil gl Security) -like 'channelAccess*').Split(' ')[-1]
# current explicit permissions of the PowerShell channel; $null means no
# ChannelAccess value exists yet and the built-in default ACL is in effect
$sddlPowerShell = (Get-ItemProperty -Path $Path).ChannelAccess
# back up the current permissions once (an empty string records "was default");
# New-ItemProperty fails silently if the backup already exists, so a second run
# never overwrites the original value
New-ItemProperty -Path $Path -Name ChannelAccessBackup -Value ([string]$sddlPowerShell) -ErrorAction Ignore
# apply the hardened permissions
Set-ItemProperty -Path $Path -Name ChannelAccess -Value $sddlSecurity
# the event log service reads ChannelAccess at start-up, so restart it
# (-Force also restarts services that depend on EventLog)
Restart-Service -Name EventLog -Force

Now, when a regular user tries to read the script block log, the channel can no longer be opened (Get-WinEvent reports an unauthorized operation) and no events are returned; only the principals named in the Security log ACL can read it. Note what this does and does not protect: it restricts who can read the stored events, but the script block text itself is still written in clear. If the content of script blocks is sensitive, combine this with Protected Event Logging, which encrypts 4104 event content so that even a reader of the log needs the decryption key.
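The following script is an added example, not part of the original tip. It decodes the channel's current SDDL so you can check exactly who kept read access, tests whether the account running it can open the channel, and rolls the hardening back from the ChannelAccessBackup value the tip's script creates. The function names (Get-ChannelReaders, Test-ChannelRead, Restore-ChannelAccess) are my own; the first two work as a standard user, the restore needs an elevated prompt.

```powershell
# Added example (not from the original tip): inspect, verify and roll back the
# hardened ChannelAccess of Microsoft-Windows-PowerShell/Operational.
$Channel = 'Microsoft-Windows-PowerShell/Operational'
$Path    = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\winevt\Channels\$Channel"

# Decode the channel's effective SDDL into readable entries. For event log
# channels the access mask bits are 0x1 = read, 0x2 = write, 0x4 = clear.
function Get-ChannelReaders {
    $sddl = ((wevtutil gl $Channel) -like 'channelAccess*').Split(' ')[-1]
    $sd   = New-Object System.Security.AccessControl.RawSecurityDescriptor $sddl
    foreach ($ace in $sd.DiscretionaryAcl) {
        $account = try {
            $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $ace.SecurityIdentifier.Value   # SID that cannot be resolved: show it raw
        }
        [pscustomobject]@{
            Type    = $ace.AceType
            Account = $account
            Read    = [bool]($ace.AccessMask -band 0x1)
            Write   = [bool]($ace.AccessMask -band 0x2)
            Clear   = [bool]($ace.AccessMask -band 0x4)
        }
    }
}

# Opening an EventLogReader on the channel is the same access check Get-WinEvent
# performs, but it does not fail on an empty log. Returns $false when the
# channel cannot be opened (after hardening: for every non-privileged account).
function Test-ChannelRead {
    try {
        $reader = New-Object System.Diagnostics.Eventing.Reader.EventLogReader $Channel
        $reader.Dispose()
        $true
    } catch {
        $false
    }
}

# Roll back to the pre-hardening ACL. Requires an elevated prompt. An empty
# backup means no explicit ACL existed before, so the ChannelAccess value is
# removed and the channel falls back to its built-in default.
function Restore-ChannelAccess {
    $props = Get-ItemProperty -Path $Path
    if (-not $props.PSObject.Properties['ChannelAccessBackup']) {
        throw "No ChannelAccessBackup value under $Path; nothing to restore."
    }
    if ([string]::IsNullOrEmpty($props.ChannelAccessBackup)) {
        Remove-ItemProperty -Path $Path -Name ChannelAccess
    } else {
        Set-ItemProperty -Path $Path -Name ChannelAccess -Value $props.ChannelAccessBackup
    }
    Remove-ItemProperty -Path $Path -Name ChannelAccessBackup
    Restart-Service -Name EventLog -Force
}

Get-ChannelReaders | Format-Table -AutoSize
"Current account can read ${Channel}: $(Test-ChannelRead)"
```

Run the first two functions once from an elevated prompt and once as a standard user: after hardening, the table should list only the Security log principals with Read, and Test-ChannelRead should be $true for the administrator and $false for the standard user. If you would rather avoid the EventLog restart, `wevtutil sl <channel> /ca:<SDDL>` sets the same ChannelAccess value and applies it immediately.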
