PowerShell Remoting in the Enterprise

What you need to know.


Speaker

  • 9+ years experience in Microsoft-based IT

  • Microsoft System Center 2012 R2

  • Windows PowerShell since 2007

    • Started writing VBscript in 2005

  • Worked in many enterprise environments with 10-70k+ systems


Why use remoting?

  • Fan-out management of Windows Server systems

  • Desired State Configuration (DSC) in PowerShell v4

  • PowerShell Workflow

  • Interactive remote management (similar to SSH)

  • Quicker than RDP


How does remoting work?

Diagram (client and server stacks, top to bottom): PowerShell Session → PowerShell → Windows Remote Management → Windows.

The two Windows Remote Management services talk to each other over HTTP on TCP 5985 or HTTPS on TCP 5986.


Remoting Configuration

SSL requires a “Server Authentication” certificate

  • Enable-PSRemoting -Force;

  • Set-WSManQuickConfig -UseSSL;

  • Use Group Policy

Manual Configuration Process
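The manual process behind Set-WSManQuickConfig -UseSSL, as an added example that is not part of the slides: pick a valid "Server Authentication" certificate for the host's FQDN, bind an HTTPS listener to it, open only TCP 5986, and verify. It assumes such a certificate already exists in the machine store and that the host runs Windows Server 2012 or later (for New-NetFirewallRule).

```powershell
# Added example: manual HTTPS (TCP 5986) listener configuration. Run elevated.
#Requires -RunAsAdministrator

$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

# 1. Enable remoting: creates the HTTP listener and the Microsoft.PowerShell endpoint
Enable-PSRemoting -Force

# 2. Pick an unexpired certificate with the Server Authentication EKU issued to this FQDN
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date) -and
        $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1' -and   # Server Authentication
        ($_.Subject -match "CN=$fqdn" -or $_.DnsNameList.Unicode -contains $fqdn)
    } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No valid Server Authentication certificate for $fqdn in Cert:\LocalMachine\My" }

# 3. Create the HTTPS listener bound to that certificate
New-WSManInstance -ResourceURI 'winrm/config/Listener' `
    -SelectorSet @{ Address = '*'; Transport = 'HTTPS' } `
    -ValueSet   @{ Hostname = $fqdn; CertificateThumbprint = $cert.Thumbprint }

# 4. Open the firewall for the HTTPS port only (Enable-PSRemoting already handled 5985)
New-NetFirewallRule -DisplayName 'Windows Remote Management (HTTPS-In)' -Direction Inbound `
    -Protocol TCP -LocalPort 5986 -Action Allow -Profile Domain

# 5. Verify: the listener exists and an SSL connection to our own FQDN validates
Get-ChildItem -Path WSMan:\localhost\Listener | Format-Table -AutoSize
Test-WSMan -ComputerName $fqdn -UseSSL
```

Test-WSMan -UseSSL fails if the certificate's name does not match the FQDN you connect to, which is the same check every client will perform later.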


WinRM Service GPO Configuration

Don’t leave listeners blank!


Windows PowerShell GPO Settings

  • Use either:

    • RemoteSigned

    • Unrestricted

  • Execution policy is a safety feature, not a security boundary; any caller can override it for a single run:

powershell.exe -ExecutionPolicy Bypass -File c:\path\to\script.ps1


WinRM Client Configuration

  • Authentication

    • Basic

    • Negotiate

    • Kerberos

    • Client certificate mapping

    • Credential Security Support Provider (CredSSP)

  • TrustedHosts

  • DefaultPorts

TrustedHosts is useful in multi-forest, multi-domain, or workgroup environments. Special alias “<local>” for hostnames without dots “.”


WinRM Client Configuration


WinRM Shell Configuration

Set-Location -Path WSMan:\localhost\Shell;

Get-ChildItem;


Windows Remote Shell GPO Configuration

Windows Server 2012 Default Values

Quota Management for Remote Shells

http://msdn.microsoft.com/en-us/library/windows/desktop/ee309367(v=vs.85).aspx


PowerShell Remoting Cmdlets

  • Enter-PSSession

  • New-PSSession

  • Remove-PSSession

  • Connect-PSSession

  • Invoke-Command

  • New-PSSessionConfigurationFile

  • about_Session_Configuration_Files

  • about_Session_Configurations


CIM Cmdlets

The CIM cmdlets (PowerShell v3 and later) replace the WMI cmdlets of PowerShell v2.

  • Get-CimAssociatedInstance

  • Get-CimClass

  • Get-CimInstance

  • Get-CimSession

  • Invoke-CimMethod

  • New-CimInstance

  • New-CimSession

  • New-CimSessionOption

  • Register-CimIndicationEvent

  • Remove-CimInstance

  • Remove-CimSession

  • Set-CimInstance


CIM Session Remoting Protocols


Session Configurations

  • Restrict the commands that can be executed in a remote session

  • Restrict who can access the session configuration

  • Default session configurations can be removed or modified

  • Use Enable-PSRemoting to restore original configurations (after deleting)
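A constrained endpoint that puts the two restrictions above into practice, as an added example that is not from the slides: a helpdesk group gets a NoLanguage session exposing three read-only cmdlets and one wrapped write action, and the SDDL limits who may connect. The group SID, the endpoint name and the .pssc path are placeholders.

```powershell
# Added example: least-privilege session configuration for a helpdesk group. Run elevated.
#Requires -RunAsAdministrator

$configPath = 'C:\PSSessionConfigs\HelpDesk.pssc'   # placeholder path
New-Item -ItemType Directory -Path (Split-Path $configPath) -Force | Out-Null

# RestrictedRemoteServer: no language, only the minimal proxy commands plus what we list
New-PSSessionConfigurationFile -Path $configPath `
    -SessionType RestrictedRemoteServer `
    -LanguageMode NoLanguage `
    -ExecutionPolicy Restricted `
    -VisibleCmdlets 'Get-Service', 'Get-Process', 'Get-EventLog' `
    -VisibleFunctions 'Restart-Spooler' `
    -FunctionDefinitions @{
        Name        = 'Restart-Spooler'
        ScriptBlock = { Restart-Service -Name Spooler }   # the single write action exposed
    }

# Register as a separate endpoint. The SDDL grants full access to Administrators and to
# one group SID (placeholder); everyone else is refused before any command runs.
# Set-PSSessionConfiguration -ShowSecurityDescriptorUI builds this string interactively.
Register-PSSessionConfiguration -Name 'HelpDesk' -Path $configPath `
    -SecurityDescriptorSddl 'O:NSG:BAD:P(A;;GA;;;BA)(A;;GA;;;S-1-5-21-PLACEHOLDER-1234)' -Force

# Confirm what a connecting user will be allowed
Get-PSSessionConfiguration -Name 'HelpDesk' | Format-List Name, Permission, SessionType
# Client side: Enter-PSSession -ComputerName server01 -ConfigurationName HelpDesk
```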


Credential Security Support Provider (CredSSP)

Diagram: Client01 → Server01 → Server02 (the second hop, from Server01 to Server02, needs the user's credentials delegated to Server01).

  • Allows double-hop scenario

  • Three types of credentials. PowerShell uses one.

    • Default credential

    • Saved credential

    • Fresh credential

  • Can be configured via GPO

  • CredSSP PowerShell Commands

    • Get-WSManCredSSP

    • Enable-WSManCredSSP

    • Disable-WSManCredSSP
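Because CredSSP hands the user's full credentials to the first-hop server, the client-side delegation list should name only the hosts that need the double hop. The following added example (not from the slides) audits that list for wildcards and then adds a single FQDN; the server name is a placeholder and the registry path is the one Enable-WSManCredSSP writes to.

```powershell
# Added example: audit and tighten client-side CredSSP delegation targets. Run elevated.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentials'

function Get-CredSSPDelegationTargets {
    # Values are named "1","2",... and look like "WSMAN/server.fqdn" or "WSMAN/*"
    if (-not (Test-Path -Path $policyKey)) { return @() }
    (Get-ItemProperty -Path $policyKey).PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |
        ForEach-Object { $_.Value }
}

# 1. What is delegated today? A wildcard lets credentials flow to any host.
foreach ($target in Get-CredSSPDelegationTargets) {
    if ($target -match '\*') { Write-Warning "Wildcard delegation target: $target" }
    else { "Delegation target: $target" }
}

# 2. Allow delegation only to the one server that needs the double hop (FQDN, no wildcard)
Enable-WSManCredSSP -Role Client -DelegateComputer 'srv01.corp.example.com' -Force

# 3. Confirm with the built-in cmdlet (shows the client list and the server-side state)
Get-WSManCredSSP
```

Restart PowerShell afterwards, as the Issues slide notes, before relying on the new setting.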


CredSSP Group Policy Configuration


Troubleshooting

  • Enable-PSWSManCombinedTrace; (stop with Disable-PSWSManCombinedTrace, then read the trace)

    • Get-WinEvent -Path $PSHome\Traces\pstrace.etl -Oldest

  • Enable the Microsoft-Windows-WinRM/Operational event log

  • Read the error messages

  • Use Nmap to test ports (http://nmap.org)

    • nmap.exe -p 5985,5986 server.domain.com

  • Use netstat -aon to ensure the port is listening


Issues

  • Missing Service Principal Name (SPN) causes CredSSP connections to fail

  • Windows Firewall prevents communication (TCP 5985)

  • Windows Remote Management (WinRM) Listeners are empty in GPO configuration

  • SSL certificate is expired or has a mismatched DNS name in the Subject Name field

  • Mismatching certificate thumbprints for the WinRM “Service” and “Listener” configurations

    • Get-ChildItem -Path WSMan:\localhost\Listener\<HTTPSListener>;

    • Get-ChildItem -Path WSMan:\localhost\Service;

    • Remove-ItemProperty -LiteralPath 'HKLM:\Software\Microsoft\Windows\CurrentVersion\WSMAN\Listener\*+HTTPS' -Name certThumbprint

  • Restart PowerShell after Enable-WSManCredSSP -Role Client;

  • Incorrect permissions on $env:ProgramData\Microsoft\Crypto\RSA\MachineKeys prevent the WinRM service from reading the SSL certificate

  • Windows 2008: missing Microsoft.PowerShell session configuration (use Enable-PSRemoting to resolve)

  • Use the FQDN to connect to a remote system with CredSSP or SSL

  • Certificate Revocation List (CRL) is outdated

    • Fix with: certutil.exe -CRL (on the issuing CA)
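A local health check that tests for the certificate- and listener-related issues in this list (missing HTTPS listener, expired or mis-named certificate, unreadable private key, listener/service thumbprint mismatch, nothing bound to 5986, operational log off). This is an added example, not from the slides; the function name is this example's own and it assumes Windows Server 2012 or later for Get-NetTCPConnection.

```powershell
# Added example: run on the server itself; an empty result means every check passed.
function Test-WinRMHttpsHealth {
    [CmdletBinding()]
    param([string]$Fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName)
    $findings = New-Object System.Collections.Generic.List[string]

    # Listeners live under WSMan:\localhost\Listener\Listener_<id>; find the HTTPS one
    $listener = Get-ChildItem -Path WSMan:\localhost\Listener | Where-Object {
        (Get-ChildItem -Path "WSMan:\localhost\Listener\$($_.Name)" |
            Where-Object Name -eq 'Transport').Value -eq 'HTTPS'
    } | Select-Object -First 1
    if (-not $listener) {
        $findings.Add('No HTTPS listener (is the GPO listener setting blank?)')
        return $findings
    }
    $props = @{}
    Get-ChildItem -Path "WSMan:\localhost\Listener\$($listener.Name)" |
        ForEach-Object { $props[$_.Name] = $_.Value }

    # The listener thumbprint must point at a valid, unexpired certificate for this host
    $cert = Get-Item -Path "Cert:\LocalMachine\My\$($props.CertificateThumbprint)" -ErrorAction SilentlyContinue
    if (-not $cert) {
        $findings.Add("Listener thumbprint $($props.CertificateThumbprint) is not in LocalMachine\My")
    } else {
        if ($cert.NotAfter -lt (Get-Date)) { $findings.Add("Certificate expired on $($cert.NotAfter)") }
        if ($cert.Subject -notmatch "CN=$Fqdn" -and $cert.DnsNameList.Unicode -notcontains $Fqdn) {
            $findings.Add("Certificate name does not match $Fqdn (subject: $($cert.Subject))")
        }
        if (-not $cert.HasPrivateKey) {
            $findings.Add('Private key not accessible (check the MachineKeys folder ACL)')
        }
    }
    # The service-level thumbprint, if set, must agree with the listener's
    $svcThumb = (Get-Item -Path WSMan:\localhost\Service\CertificateThumbprint).Value
    if ($svcThumb -and $svcThumb -ne $props.CertificateThumbprint) {
        $findings.Add("Service thumbprint $svcThumb differs from listener thumbprint $($props.CertificateThumbprint)")
    }
    # Something must actually be bound to TCP 5986 (the netstat -aon check)
    if (-not (Get-NetTCPConnection -LocalPort 5986 -State Listen -ErrorAction SilentlyContinue)) {
        $findings.Add('Nothing is listening on TCP 5986 (restart the WinRM service?)')
    }
    # Keep the operational log on so failures can be read rather than guessed
    if (-not (Get-WinEvent -ListLog 'Microsoft-Windows-WinRM/Operational').IsEnabled) {
        $findings.Add('Microsoft-Windows-WinRM/Operational log is disabled')
    }
    return $findings
}
Test-WinRMHttpsHealth
```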


Limitations

  • Starting a remote session from within a remote session

  • Interactive command-line utilities don’t work well under remoting sessions

    • diskpart

    • nslookup

    • psexec

  • CredSSP is required to access network resources from a remote session


Built-in Variables

  • $PSSenderInfo – Use this automatic variable to explore the remote session configuration (authentication type, SSL, etc.)

  • $PSSessionOption – A preference variable that allows you to set the default remote session options
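Both variables together with the remoting cmdlets listed earlier, as an added example that is not from the slides: $PSSessionOption sets strict defaults on the client, a fan-out over SSL runs, and each target reports through $PSSenderInfo how the session was authenticated and which endpoint served it. The server names are placeholders.

```powershell
# Added example: SSL fan-out with default session options and a $PSSenderInfo report.
$servers = 'srv01.corp.example.com', 'srv02.corp.example.com'   # placeholders

# Preference variable: applies to every New-PSSession/Invoke-Command without -SessionOption.
# SkipCACheck/SkipCNCheck stay at their default ($false) so certificate validation is enforced.
$PSSessionOption = New-PSSessionOption -OpenTimeout 20000 -OperationTimeout 300000 -IdleTimeout 600000

$sessions = New-PSSession -ComputerName $servers -UseSSL -ErrorAction SilentlyContinue -ErrorVariable connErrors
foreach ($e in $connErrors) { Write-Warning "Could not connect to $($e.TargetObject): $($e.Exception.Message)" }

if ($sessions) {
    # Runs on all sessions in parallel; every result carries PSComputerName
    $report = Invoke-Command -Session $sessions -ScriptBlock {
        [pscustomobject]@{
            User      = $PSSenderInfo.UserInfo.Identity.Name
            AuthType  = $PSSenderInfo.UserInfo.Identity.AuthenticationType   # e.g. Kerberos, CredSSP
            Endpoint  = $PSSenderInfo.ConfigurationName                      # e.g. Microsoft.PowerShell
            Transport = $PSSenderInfo.ConnectionString                       # https://host:5986/wsman...
            WinRMSvc  = (Get-Service -Name WinRM).Status
        }
    }
    $report | Format-Table PSComputerName, User, AuthType, Endpoint, Transport, WinRMSvc -AutoSize

    # Always clean up: orphaned sessions count against the remote shell quotas
    Remove-PSSession -Session $sessions
}
```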

