Proposal: Create a new Defender policy to disable PowerShell access to inboxes from non-administrative users #1418

Open
tkol2022 opened this issue Nov 12, 2024 · 0 comments
Labels
baseline-document Issues relating to the text in the baseline documents themselves enhancement This issue or pull request will add new or improve existing functionality hands-on-prototyping Reviewing an M365 feature by performing hands-on prototyping

Comments

@tkol2022 (Collaborator)

💡 Summary

This is a new Defender policy proposal that can be voted on by the team thanks to @buidav who mentioned that we received this during the request for comment period. It is dependent on hands-on prototyping to understand how the feature works in practice to determine its feasibility for Scuba. This may also be dependent on ScubaGear implementing per-user checks which is currently being investigated.

The suggestion is to create a new policy to disable PowerShell access to inboxes from non-administrative users. Presumably this would be to limit the attack paths that a compromised user may be susceptible to and increase the difficulty in performing email attacks.

https://learn.microsoft.com/en-us/powershell/exchange/disable-access-to-exchange-online-powershell?view=exchange-ps#view-the-exchange-online-powershell-access-status-for-users

Caveats to be considered during the investigation and discussion:

  • If this is implemented for a specific user, can the cyber attacker still use an alternative API (e.g. MS Graph) to access the target mailbox? If yes, then I might not consider this a strong candidate for a policy since its impact on a cyber attack seems limited.
  • We should define the specific attack techniques that are mitigated by disabling PowerShell access. Part of this is determining specifically who a non-administrative user refers to. Is a non-administrative user someone that doesn't have the Exchange Administrator role? This will help determine the impact on specific attack paths that an adversary may execute.

Motivation and context

Continuously enhancing the baselines to cover more risks is always a welcome addition.
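One way a ScubaGear-style check for this proposal could look, as an added example that is not part of the issue or of the ScubaGear project: a pure comparison function that reports users who are outside an administrator set but still have Exchange Online PowerShell access, plus a thin wrapper that feeds it live tenant data. It assumes an Exchange Online PowerShell session (`Connect-ExchangeOnline`), that "administrative user" means membership in the `Organization Management` role group (the issue leaves that definition open, so it is a parameter), and that the per-user flag is exposed by `Get-User` as `RemotePowerShellEnabled` (newer tenants and module versions expose `EXOModuleEnabled`; the property name is a parameter for that reason). The sample objects at the end are constructed so the comparison step can be run offline.

```powershell
# Added example, not ScubaGear project code. Audits which non-administrative users
# still have Exchange Online PowerShell access enabled.

function Get-NonAdminPowerShellAccess {
    <#
    .SYNOPSIS
    Pure comparison step: returns users that are NOT in the admin set but whose
    access flag is enabled. Takes plain objects so it can be exercised offline.
    #>
    [CmdletBinding()]
    param(
        # Objects exposing UserPrincipalName and the access flag property.
        [Parameter(Mandatory)] [object[]] $Users,
        # UPNs treated as administrative (assumption: caller decides who counts).
        [Parameter(Mandatory)] [string[]] $AdminUpns,
        # Name of the per-user flag; 'EXOModuleEnabled' in newer tenants (assumption).
        [string] $FlagProperty = 'RemotePowerShellEnabled'
    )
    $adminSet = [System.Collections.Generic.HashSet[string]]::new(
        [string[]]$AdminUpns, [System.StringComparer]::OrdinalIgnoreCase)

    foreach ($u in $Users) {
        $enabled = [bool]$u.$FlagProperty          # $null/absent counts as disabled
        $isAdmin = $adminSet.Contains([string]$u.UserPrincipalName)
        if ($enabled -and -not $isAdmin) {
            [pscustomobject]@{
                UserPrincipalName = $u.UserPrincipalName
                PowerShellEnabled = $true
                IsAdmin           = $false
                Finding           = 'Non-admin user retains Exchange Online PowerShell access'
            }
        }
    }
}

function Invoke-ExoPowerShellAccessAudit {
    <#
    .SYNOPSIS
    Live wrapper (assumes Connect-ExchangeOnline has already been run). Builds the
    admin set from a role group and hands every user to the comparison step.
    #>
    [CmdletBinding()]
    param(
        [string] $AdminRoleGroup = 'Organization Management',   # assumption: admin definition
        [string] $FlagProperty   = 'RemotePowerShellEnabled'
    )
    # Role group members can include groups; resolve each to a user where possible.
    $adminUpns = Get-RoleGroupMember -Identity $AdminRoleGroup -ResultSize Unlimited |
        ForEach-Object {
            try { (Get-User -Identity $_.PrimarySmtpAddress -ErrorAction Stop).UserPrincipalName }
            catch { $null }   # nested groups or non-user members are skipped
        } | Where-Object { $_ }

    $users = Get-User -ResultSize Unlimited
    Get-NonAdminPowerShellAccess -Users $users -AdminUpns $adminUpns -FlagProperty $FlagProperty
}

# Constructed sample data (not from any real tenant) so the comparison step runs offline.
$sampleUsers = @(
    [pscustomobject]@{ UserPrincipalName = 'admin@example.com'; RemotePowerShellEnabled = $true  }
    [pscustomobject]@{ UserPrincipalName = 'alice@example.com'; RemotePowerShellEnabled = $true  }
    [pscustomobject]@{ UserPrincipalName = 'bob@example.com';   RemotePowerShellEnabled = $false }
)
Get-NonAdminPowerShellAccess -Users $sampleUsers -AdminUpns @('admin@example.com') | Format-Table -AutoSize
```

Splitting the comparison from the data collection keeps the part that encodes the policy ("who is an admin, and does anyone else still have access") testable without a tenant, which is the piece the hands-on prototyping would need to settle; the first caveat in the issue (whether Graph still reaches the mailbox) is not something this check can answer, since it only inspects the PowerShell flag.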

@tkol2022 tkol2022 added baseline-document Issues relating to the text in the baseline documents themselves enhancement This issue or pull request will add new or improve existing functionality hands-on-prototyping Reviewing an M365 feature by performing hands-on prototyping labels Nov 12, 2024