PowerShell Remoting
PowerShell Remoting in the Enterprise
What you need to know.
Speaker
9+ years of experience in Microsoft-based IT
Microsoft System Center 2012 R2
Windows PowerShell since 2007
Started writing VBScript in 2005
Worked in many enterprise environments with 10-70k+ systems
Why use remoting?
Fan-out management of Windows Server systems
Desired State Configuration (DSC) in PowerShell v4
PowerShell Workflow
Interactive remote management (similar to SSH)
Quicker than RDP
How does remoting work?
Diagram: on the client, a PowerShell session hands its requests to the local Windows Remote Management (WinRM) client. WinRM carries them as HTTP over TCP 5985 or HTTPS over TCP 5986 to the WinRM service on the server, which hosts the remote PowerShell session and returns the results the same way.
Remoting Configuration
Enable-PSRemoting -Force;
Set-WSManQuickConfig -UseSSL;
Use Group Policy
SSL requires a “Server Authentication” certificate: the Server Authentication EKU, with a Subject or Subject Alternative Name that matches the name clients will connect to
Manual Configuration Process
Configure certificate template
Configure GPO for autoenrollment
Enable-PSRemoting
Set-WSManQuickConfig
Enable-WSManCredSSP
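The manual process above, as an added example that is not part of the original slides: it builds the HTTPS listener that Set-WSManQuickConfig -UseSSL would create, but selects the certificate explicitly so the “Server Authentication” requirement is checked before anything is bound. It assumes a certificate for this host's FQDN is already in the machine store (for example from the autoenrollment GPO) and that the NetSecurity module (Windows Server 2012 or later) is available.

```powershell
# Added example, not from the original slides. Stand up an HTTPS WinRM listener
# from an existing Server Authentication certificate, then verify it end to end.
# Assumes the certificate was already enrolled into Cert:\LocalMachine\My.

$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

# OID of the Server Authentication enhanced key usage
$serverAuthEku = '1.3.6.1.5.5.7.3.1'

# Newest valid cert that has a private key, the right EKU and our FQDN in its names
# (DnsNameList falls back to the Subject CN when the cert has no SAN).
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date) -and
        ($_.EnhancedKeyUsageList.ObjectId -contains $serverAuthEku) -and
        ($_.DnsNameList.Unicode -contains $fqdn)
    } |
    Sort-Object -Property NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) {
    throw "No valid Server Authentication certificate for $fqdn in Cert:\LocalMachine\My"
}

# Creates the HTTP listener, the TCP 5985 firewall rule and the default
# session configurations (Microsoft.PowerShell, Microsoft.PowerShell32, ...).
Enable-PSRemoting -Force

# Bind an HTTPS listener on TCP 5986 to the selected certificate.
New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * `
    -HostName $fqdn -CertificateThumbPrint $cert.Thumbprint -Force | Out-Null

# Enable-PSRemoting only opens 5985; open 5986 for the domain profile.
New-NetFirewallRule -DisplayName 'Windows Remote Management (HTTPS-In)' `
    -Direction Inbound -Protocol TCP -LocalPort 5986 -Action Allow -Profile Domain | Out-Null

# Verify as a client would: this fails on a name mismatch, an expired cert,
# or a private key the WinRM service cannot read.
Test-WSMan -ComputerName $fqdn -UseSSL
```

Running Set-WSManQuickConfig -UseSSL instead is fine once the certificate is in place; the point of selecting it by EKU and name is that a certificate without Server Authentication, or with the wrong name, is rejected here rather than by every client later.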
WinRM Service GPO Configuration
Don’t leave listeners blank! In “Allow remote server management through WinRM” the IPv4 and IPv6 filter fields decide which addresses the service listens on; a blank filter means it listens on none. Use * to listen on all addresses.
Windows PowerShell GPO Settings
Use either:
• RemoteSigned
• Unrestricted
Execution policy is a guard against accidentally running scripts, not a security boundary: anyone who can start powershell.exe can override it for that process.
powershell.exe -ExecutionPolicy Bypass -File c:\path\to\script.ps1
WinRM Client Configuration
Authentication
• Basic
• Negotiate
• Kerberos
• Client certificate mapping
• Credential Security Support Provider (CredSSP)
TrustedHosts
DefaultPorts
TrustedHosts is useful in multi-forest, multi-domain, or workgroup environments, where Kerberos cannot authenticate the server. Special alias “<local>” for hostnames without dots “.”. Keep the list explicit: a host in TrustedHosts is trusted to receive the client’s credentials (an NTLM exchange, or the password itself with Basic) without Kerberos mutual authentication, so a value of “*” lets any host that answers on TCP 5985 collect them.
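Client-side configuration for the TrustedHosts case, as an added example (not from the original slides): it sets an explicit list, refuses the wildcard, and turns off Basic and unencrypted transport on the client. The hostnames are placeholders.

```powershell
# Added example, not from the original slides. Configure the WinRM client for a
# workgroup/multi-forest target without opening it to every host on the network.
# Requires an elevated prompt; hostnames are placeholders.

function Set-WinRMTrustedHosts {
    param(
        [Parameter(Mandatory)]
        [string[]]$Hosts   # FQDNs, IP addresses, or the "<local>" alias
    )
    # "*" would let the client send NTLM/Basic credentials to any responding host
    if ($Hosts -contains '*') {
        throw 'Refusing to set TrustedHosts to "*"; list the hosts explicitly'
    }
    # TrustedHosts is stored as one comma-separated string; -Force skips the prompt
    Set-Item -Path WSMan:\localhost\Client\TrustedHosts -Value ($Hosts -join ',') -Force
}

# Workgroup jump host plus single-label (non-dotted) names on the local network
Set-WinRMTrustedHosts -Hosts 'jump01.lab.example', '<local>'

# Basic transmits the password (base64, not encrypted by the protocol itself);
# keep it off on the client and never pair it with unencrypted transport.
Set-Item -Path WSMan:\localhost\Client\Auth\Basic -Value 'false'
Set-Item -Path WSMan:\localhost\Client\AllowUnencrypted -Value 'false'

# Review the result
Get-Item -Path WSMan:\localhost\Client\TrustedHosts
Get-ChildItem -Path WSMan:\localhost\Client\Auth
```

Append to an existing list with Set-Item ... -Concatenate rather than rewriting it; and prefer the HTTPS listener or Kerberos for any host that can be reached that way, leaving TrustedHosts for the genuinely non-domain cases.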
WinRM Shell Configuration
Setting - Purpose
MaxShellsPerUser - Limits the number of remote shells per authenticated user
MaxConcurrentUsers - Limits the number of simultaneously connected users
MaxShellRunTime - Limits the maximum time period that a session can exist
MaxMemoryPerShellMB - The maximum memory that each remoting session can use
MaxProcessesPerShell - The maximum number of child processes that a single remote shell can have
IdleTimeout - The idle timeout for a shell (think RDP)
Set-Location -Path WSMan:\localhost\Shell;
Get-ChildItem;
Windows Remote Shell GPO Configuration
Windows Server 2012 Default Values
Setting - Value
Idle Timeout - 7200000 (ms, 2 hours)
Max Concurrent Users - 10
Max Shell Runtime - 2147483647 (ms, effectively unlimited)
Max Processes Per Shell - 25
Max Memory Per Shell - 1024 (MB)
Max Shells Per User - 30
Quota Management for Remote Shells
http://msdn.microsoft.com/en-us/library/windows/desktop/ee309367(v=vs.85).aspx
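An added example (not from the original slides) that reads the live shell quotas from the WSMan: drive, reports any that are looser than the Windows Server 2012 defaults in the table above, and then tightens a few of them. The “hardened” values are an assumption chosen for illustration, not a recommendation from the slides.

```powershell
# Added example, not from the original slides. Audit WinRM shell quotas against
# the Server 2012 defaults listed above, then tighten them. Run elevated.

# Baseline: Windows Server 2012 defaults (time values are milliseconds)
$defaults = @{
    IdleTimeout          = 7200000       # 2 hours
    MaxConcurrentUsers   = 10
    MaxShellRunTime      = 2147483647    # effectively unlimited
    MaxProcessesPerShell = 25
    MaxMemoryPerShellMB  = 1024
    MaxShellsPerUser     = 30
}

function Get-WinRMShellQuota {
    # Each quota is an item under WSMan:\localhost\Shell whose .Value is a string
    $current = @{}
    foreach ($name in $defaults.Keys) {
        $current[$name] = [int64](Get-Item -Path "WSMan:\localhost\Shell\$name").Value
    }
    $current
}

function Compare-WinRMShellQuota {
    param([hashtable]$Current, [hashtable]$Baseline)
    foreach ($name in $Baseline.Keys) {
        # Every quota is an upper bound, so a value above the baseline is looser
        if ($Current[$name] -gt $Baseline[$name]) {
            [pscustomobject]@{
                Setting  = $name
                Current  = $Current[$name]
                Baseline = $Baseline[$name]
            }
        }
    }
}

Compare-WinRMShellQuota -Current (Get-WinRMShellQuota) -Baseline $defaults |
    Format-Table -AutoSize

# Assumed hardened values for a management network where a few admins run a
# handful of jobs each. Set-Item fails with access denied for any quota that a
# GPO already manages; fix those in the GPO instead.
$hardened = @{
    IdleTimeout         = 1800000   # 30 minutes
    MaxConcurrentUsers  = 5
    MaxShellsPerUser    = 5
    MaxMemoryPerShellMB = 512
}
foreach ($name in $hardened.Keys) {
    Set-Item -Path "WSMan:\localhost\Shell\$name" -Value $hardened[$name]
}
```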
PowerShell Remoting Cmdlets
Enter-PSSession
New-PSSession
Remove-PSSession
Connect-PSSession
Invoke-Command
New-PSSessionConfigurationFile
about_Session_Configuration_Files
about_Session_Configurations
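Fan-out with the cmdlets above, as an added example that is not part of the original slides: persistent sessions to several servers, one round trip for the whole set, connection failures kept apart from results, and the sessions removed afterwards. Server names are placeholders and -UseSSL assumes the HTTPS listener from the configuration section.

```powershell
# Added example, not from the original slides. Fan-out management over
# persistent PSSessions. Server names are placeholders.

$servers = 'web01.corp.example', 'web02.corp.example', 'app01.corp.example'

# Unreachable hosts are collected in $connErr instead of aborting the run
$sessions = New-PSSession -ComputerName $servers -UseSSL `
    -ErrorAction SilentlyContinue -ErrorVariable connErr
foreach ($e in $connErr) { Write-Warning "Connect failed: $($e.Exception.Message)" }
if (-not $sessions) { throw 'No sessions could be established' }

try {
    # One Invoke-Command runs the script block on every session in parallel;
    # -ThrottleLimit caps the concurrent connections, and each returned object
    # carries PSComputerName so results can be attributed.
    $results = Invoke-Command -Session $sessions -ThrottleLimit 16 -ScriptBlock {
        $os = Get-CimInstance -ClassName Win32_OperatingSystem
        [pscustomobject]@{
            WinRMStatus = (Get-Service -Name WinRM).Status
            Listeners   = (Get-ChildItem -Path WSMan:\localhost\Listener).Name -join ';'
            Uptime      = (Get-Date) - $os.LastBootUpTime
        }
    }
    $results |
        Select-Object PSComputerName, WinRMStatus, Listeners, Uptime |
        Format-Table -AutoSize
}
finally {
    # Each open session holds a shell slot on the server (MaxShellsPerUser,
    # MaxConcurrentUsers) until it is removed or hits IdleTimeout.
    $sessions | Remove-PSSession
}
```

New-PSSession plus Invoke-Command -Session is the pattern for repeated work; a single Invoke-Command -ComputerName is simpler for one-off commands because it creates and tears down the session itself.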
CIM Cmdlets
Get-CimAssociatedInstance
Get-CimClass
Get-CimInstance
Get-CimSession
Invoke-CimMethod
New-CimInstance
New-CimSession
New-CimSessionOption
Register-CimIndicationEvent
Remove-CimInstance
Remove-CimSession
Set-CimInstance
These replace the WMI cmdlets (Get-WmiObject and friends) from PowerShell v2.
CIM Session Remoting Protocols
DCOM/RPC
• Uses a dynamic port range (RPC endpoint mapper on TCP 135 plus a dynamically assigned high port)
• Not “firewall friendly”
• Is not standards-based
WinRM
• Uses a common, single, static port (TCP 5985, or 5986 with SSL)
• Is standards-based (WS-Management)
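The protocol choice from the two lists above, together with the CIM session cmdlets, as an added example that is not part of the original slides: WSMan is used by default and DCOM only for a host whose WinRM stack is too old to serve CIM requests. Hostnames are placeholders.

```powershell
# Added example, not from the original slides. Open a CIM session over WSMan and
# fall back to DCOM only for a host still on the WinRM 2.0 (PowerShell v2) stack.

function New-CimSessionWithFallback {
    param([Parameter(Mandatory)][string]$ComputerName)

    # CIM cmdlets over WSMan need the 3.0 stack (WMF 3.0+) on the target.
    # Test-WSMan needs no credentials and reports the stack version.
    $wsman = Test-WSMan -ComputerName $ComputerName -ErrorAction SilentlyContinue
    if ($wsman -and $wsman.ProductVersion -match 'Stack: 3\.0') {
        # Default protocol is WSMan: single static port, same firewall rule as remoting
        return New-CimSession -ComputerName $ComputerName
    }

    # DCOM needs TCP 135 plus a dynamic high port open on the target; use it only
    # where the firewall already allows that range.
    Write-Warning "$ComputerName has no WSMan 3.0 stack; using DCOM"
    $dcom = New-CimSessionOption -Protocol Dcom
    New-CimSession -ComputerName $ComputerName -SessionOption $dcom
}

$session = New-CimSessionWithFallback -ComputerName 'legacy01.corp.example'
try {
    # Queries and method calls reuse the one session regardless of transport
    Get-CimInstance -CimSession $session -ClassName Win32_OperatingSystem |
        Select-Object PSComputerName, Caption, Version, LastBootUpTime

    Get-CimClass -CimSession $session -ClassName Win32_Service |
        Select-Object -ExpandProperty CimClassMethods |
        Select-Object Name
}
finally {
    Remove-CimSession -CimSession $session
}
```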
Session Configurations
Restrict the commands that can be executed in a remote session
Restrict who can access the session configuration (security descriptor on the endpoint)
Default session configurations (Microsoft.PowerShell, Microsoft.PowerShell32, Microsoft.PowerShell.Workflow) can be removed or modified
Use Enable-PSRemoting to restore the original configurations (after deleting)
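A constrained endpoint that does both restrictions above, as an added example that is not part of the original slides: a session configuration file that exposes three cmdlets with no scripting language, registered with a security descriptor that admits only Administrators and one group. The endpoint name, the group SID and the server name are placeholders.

```powershell
# Added example, not from the original slides. Register a restricted session
# configuration (a fixed set of cmdlets, no language) for one AD group.
# Run elevated on the server; names and the group SID are placeholders.

$configPath = Join-Path -Path $env:TEMP -ChildPath 'ServiceOps.pssc'

# RestrictedRemoteServer exposes only the proxy cmdlets remoting itself needs
# (Get-Command, Get-Help, Select-Object, Measure-Object, Out-Default, ...)
# plus whatever is listed in -VisibleCmdlets. NoLanguage removes script blocks,
# variables and operators from the caller's reach.
New-PSSessionConfigurationFile -Path $configPath `
    -SessionType RestrictedRemoteServer `
    -LanguageMode NoLanguage `
    -VisibleCmdlets 'Get-Service', 'Restart-Service', 'Get-EventLog' `
    -ExecutionPolicy RemoteSigned

# Security descriptor for the endpoint: BUILTIN\Administrators and one domain
# group get full access (GA); nobody else can even connect to this endpoint.
# Replace the placeholder SID with (Get-ADGroup ServiceOps).SID.Value.
$sddl = 'O:NSG:BAD:P(A;;GA;;;BA)(A;;GA;;;S-1-5-21-1111111111-2222222222-3333333333-1105)'

# Registering restarts the WinRM service; -Force suppresses the prompts
Register-PSSessionConfiguration -Name ServiceOps -Path $configPath `
    -SecurityDescriptorSddl $sddl -Force

# What the endpoint grants, and to whom
Get-PSSessionConfiguration -Name ServiceOps | Select-Object Name, Permission

# From a client: a plain command invocation is all NoLanguage allows, and
# Get-Service is one of the three visible cmdlets.
Invoke-Command -ComputerName 'app01.corp.example' -ConfigurationName ServiceOps `
    -ScriptBlock { Get-Service -Name Spooler }
```

Callers still connect as themselves, so Restart-Service succeeds only for users who already hold that right on the server; the endpoint narrows what they can type, it does not grant rights. Get-Command inside the session shows the caller exactly what is visible.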
Credential Security Support Provider (CredSSP)
Allows the double-hop scenario: Client01 connects to Server01, and Server01 must present the caller’s credentials to Server02 (a file share, a database, another remoting endpoint)
Three types of credential delegation; PowerShell uses one of them:
• Default credentials
• Saved credentials
• Fresh credentials (Enable-WSManCredSSP -Role Client sets “Allow delegating fresh credentials”)
Can be configured via GPO
CredSSP PowerShell Commands
• Get-WSManCredSSP
• Enable-WSManCredSSP
• Disable-WSManCredSSP
CredSSP Group Policy Configuration
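The CredSSP commands above applied to the Client01 -> Server01 -> Server02 scenario, as an added example that is not part of the original slides. Hostnames and the account are placeholders.

```powershell
# Added example, not from the original slides. Enable CredSSP for one
# client/server pair and run a second-hop command. Names are placeholders.

# --- On Server01: accept delegated credentials ---
Enable-WSManCredSSP -Role Server -Force

# --- On Client01: delegate only to named hosts, never "*" ---
# CredSSP hands the caller's actual credentials to Server01, where LSASS keeps
# them for the life of the session; anyone with admin rights on Server01 can
# read them back. Scoping -DelegateComputer limits which hosts get that power.
Enable-WSManCredSSP -Role Client -DelegateComputer 'server01.corp.example' -Force

# Shows the client delegation list and whether the server role is enabled.
# Start a new PowerShell process before using the new client setting.
Get-WSManCredSSP

# --- Second hop, using the FQDN so the SPN and certificate names line up ---
$cred = Get-Credential -UserName 'CORP\admin' -Message 'Credentials to delegate to Server01'
Invoke-Command -ComputerName 'server01.corp.example' -Authentication CredSSP -Credential $cred `
    -ScriptBlock {
        # Runs on Server01 with the caller's delegated identity, so the UNC path works
        Get-ChildItem -Path '\\server02.corp.example\deploy$'
    }

# Remove the delegation when the task is done
Disable-WSManCredSSP -Role Client
```

Enable-WSManCredSSP -Role Client requires the client to be a domain member (or the target to be in TrustedHosts) and takes effect for new PowerShell processes only, which is the “Restart PowerShell after Enable-WSManCredSSP -Role Client” item in the Issues list.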
Troubleshooting
Enable-PSWSManCombinedTrace;
Reproduce the problem, then stop the trace and read it:
Disable-PSWSManCombinedTrace;
Get-WinEvent -Path $PSHome\Traces\pstrace.etl -Oldest
Enable the Microsoft-Windows-WinRM/Operational event log
Read the error messages
Use Nmap to test ports (http://nmap.org)
nmap.exe -p 5985,5986 server.domain.com
Use netstat -aon on the server to ensure the port is listening
Issues
Missing Service Principal Name (SPN) causes CredSSP connections to fail
Windows Firewall prevents communication (TCP 5985, or TCP 5986 for SSL)
Windows Remote Management (WinRM) Listeners are empty in GPO configuration
SSL certificate is expired or its DNS name (Subject or Subject Alternative Name) does not match the name clients connect with
Mismatching certificate thumbprints for the WinRM “Service” and “Listener” configurations; compare them with:
Get-ChildItem -Path WSMan:\localhost\Listener\<HTTPSListener>;
Get-ChildItem -Path WSMan:\localhost\Service;
Remove-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Listener\*+HTTPS' -Name certThumbprint
Restart PowerShell after Enable-WSManCredSSP -Role Client;
Incorrect permissions on $env:ProgramData\Microsoft\Crypto\RSA\MachineKeys prevent the WinRM service (which runs as NETWORK SERVICE) from reading the SSL certificate’s private key
Windows 2008: Missing Microsoft.PowerShell session configuration (use Enable-PSRemoting to resolve)
Use the FQDN to connect to a remote system with CredSSP or SSL; both the SPN and the certificate name are built from it
Certificate Revocation List (CRL) is outdated
Fix on the issuing CA with: certutil.exe -CRL
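The Troubleshooting and Issues items above turned into one local check, as an added example that is not part of the original slides: it verifies the service and port, finds the HTTPS listener, compares the Service and Listener thumbprints, validates the bound certificate (present, unexpired, named for the FQDN), checks the listener hostname, and finishes with Test-WSMan over SSL. It assumes Windows Server 2012 or later (Get-NetTCPConnection).

```powershell
# Added example, not from the original slides. Diagnose the common HTTPS
# remoting failures listed above on the local server. Run elevated.

function Test-WinRMHttps {
    $findings = New-Object System.Collections.Generic.List[string]
    $fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

    # Service running and port bound (what "netstat -aon" would show)
    if ((Get-Service -Name WinRM).Status -ne 'Running') { $findings.Add('WinRM service is not running') }
    if (-not (Get-NetTCPConnection -State Listen -LocalPort 5986 -ErrorAction SilentlyContinue)) {
        $findings.Add('Nothing is listening on TCP 5986 (check the listener and the firewall rule)')
    }

    # A blank listener filter in the GPO leaves no listener behind
    $httpsListener = Get-ChildItem -Path WSMan:\localhost\Listener | Where-Object {
        (Get-ChildItem -Path "WSMan:\localhost\Listener\$($_.Name)" |
            Where-Object Name -eq 'Transport').Value -eq 'HTTPS'
    } | Select-Object -First 1
    if (-not $httpsListener) { $findings.Add('No HTTPS listener is configured'); return $findings }

    $props = Get-ChildItem -Path "WSMan:\localhost\Listener\$($httpsListener.Name)"

    # Thumbprints are sometimes pasted with spaces or in lower case; normalise first
    $listenerThumb = ([string]($props | Where-Object Name -eq 'CertificateThumbprint').Value -replace '\s', '').ToUpper()
    $serviceThumb  = ([string](Get-Item -Path WSMan:\localhost\Service\CertificateThumbprint).Value -replace '\s', '').ToUpper()
    if ($serviceThumb -and $serviceThumb -ne $listenerThumb) {
        $findings.Add("Service thumbprint $serviceThumb differs from listener thumbprint $listenerThumb")
    }

    # The certificate the listener points at: present, unexpired, named for this host
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object Thumbprint -eq $listenerThumb
    if (-not $cert) {
        $findings.Add("Listener certificate $listenerThumb is not in Cert:\LocalMachine\My")
    } else {
        if ($cert.NotAfter -lt (Get-Date)) { $findings.Add("Certificate expired on $($cert.NotAfter)") }
        if ($cert.DnsNameList.Unicode -notcontains $fqdn) {
            $findings.Add("Certificate names ($($cert.DnsNameList.Unicode -join ', ')) do not include $fqdn")
        }
        # HasPrivateKey is false when the key is missing or unreadable (MachineKeys ACL)
        if (-not $cert.HasPrivateKey) { $findings.Add('Certificate private key is missing or not readable') }
    }

    # Clients must use the same name the listener and certificate carry
    $listenerHost = ($props | Where-Object Name -eq 'Hostname').Value
    if ($listenerHost -and $listenerHost -ne $fqdn) {
        $findings.Add("Listener Hostname '$listenerHost' is not the FQDN $fqdn")
    }

    # End to end, as a client would do it: certificate chain, name and revocation
    try { Test-WSMan -ComputerName $fqdn -UseSSL -ErrorAction Stop | Out-Null }
    catch { $findings.Add("Test-WSMan -UseSSL failed: $($_.Exception.Message)") }

    if ($findings.Count -eq 0) { $findings.Add('OK: HTTPS listener, certificate and connectivity check out') }
    return $findings
}

Test-WinRMHttps
```

If everything here passes but a client still fails, the remaining suspects are on the client side (TrustedHosts, the DefaultPorts setting, CredSSP delegation) or in the path between them (firewall, CRL reachability).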
Limitations
Starting a remote session from within a remote session (a second hop; see CredSSP)
Interactive command-line utilities don’t work well under remoting sessions, for example:
• diskpart
• nslookup
• psexec
CredSSP is required to access network resources (file shares, remote databases) from a remote session, because the remote host has no credentials to present on your behalf
Built-in Variables
$PSSenderInfo – Use this automatic variable to explore the remote session configuration (authentication type, SSL, etc.)
$PSSessionOption – A preference variable that allows you to set the default remote session options