Powershell remoting in the enterprise
Download
1 / 23

PowerShell Remoting in the Enterprise - PowerPoint PPT Presentation


  • 169 Views
  • Uploaded on

PowerShell Remoting in the Enterprise. What you need to know. Speaker. 9+ years experience in Microsoft-based IT Microsoft System Center 2012 R2 Windows PowerShell since 2007 Started writing VBscript in 2005 Worked in many enterprise environments with 10-70k+ systems. Why use remoting ?.

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about ' PowerShell Remoting in the Enterprise' - alaire


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

Speaker
Speaker

  • 9+ years experience in Microsoft-based IT

  • Microsoft System Center 2012 R2

  • Windows PowerShell since 2007

    • Started writing VBscript in 2005

  • Worked in many enterprise environments with 10-70k+ systems


Why use remoting
Why use remoting?

  • Fan-out management of Windows Server systems

  • Desired State Configuration (DSC) in PowerShell v4

  • PowerShell Workflow

  • Interactive remote management (similar to SSH)

  • Quicker than RDP


How does remoting work
How does remoting work?

Client

Server

PowerShell Session

PowerShell Session

PowerShell

PowerShell

Windows Remote Management

Windows Remote Management

HTTP

TCP 5986

TCP 5985

HTTP

Windows

Windows


Remoting configuration
Remoting Configuration

SSL requires a “Server Authentication” certificate

  • Enable-PSRemoting -Force;

  • Set-WsmanQuickConfig -UseSSL;

  • Use Group Policy

Manual Configuration Process


Winrm service gpo configuration
WinRM Service GPO Configuration

Don’t leave listeners blank!


Windows powershell gpo settings
Windows PowerShell GPO Settings

  • Use either:

  • Remote Signed

  • Unrestricted

powershell.exe –ExecutionPolicy Bypass –File c:\path\to\script.ps1


Winrm client configuration
WinRM Client Configuration

  • Authentication

    • Basic

    • Negotiate

    • Kerberos

    • Client certificate mapping

    • Credential Security Support Provider (CredSSP)

  • TrustedHosts

  • DefaultPorts

TrustedHosts is useful in multi-forest, multi-domain, or workgroup environments. Special alias “<local>” for hostnames without dots “.”


Winrm client configuration1
WinRM Client Configuration


Winrm shell configuration
WinRM Shell Configuration

Set-Location –Path wsman:\localhost\shell;

Get-ChildItem;


Windows remote shell gpo configuration
Windows Remote Shell GPO Configuration

Windows Server 2012 Default Values

Quota Management for Remote Shells

http://msdn.microsoft.com/en-us/library/windows/desktop/ee309367(v=vs.85).aspx


Powershell remoting cmdlets
PowerShell Remoting Cmdlets

  • Enter-PSSession

  • New-PSSession

  • Remove-PSSession

  • Connect-PSSession

  • Invoke-Command

  • New-PSSessionConfigurationFile

  • about_Session_Configuration_Files

  • about_Session_Configurations


Cim cmdlets
CIM Cmdlets

Replace the WMI cmdlets in PowerShell v2.

  • Get-CimAssociatedInstance

  • Get-CimClass

  • Get-CimInstance

  • Get-CimSession

  • Invoke-CimMethod

  • New-CimInstance

  • New-CimSession

  • New-CimSessionOption

  • Register-CimIndicationEvent

  • Remove-CimInstance

  • Remove-CimSession

  • Set-CimInstance



Session configurations
Session Configurations

  • Restrict the commands that can be executed in a remote session

  • Restrict who can access the session configuration

  • Default session configurations can be removed or modified

  • Use Enable-PSRemoting to restore original configurations (after deleting)


Credential security support provider credssp
Credential Security Support Provider (CredSSP)

Server01

Server02

  • Allows double-hop scenario

  • Three types of credentials.PowerShell uses one.

    • Default credential

    • Saved credential

    • Fresh credential

  • Can be configured via GPO

Client01

  • CredSSP PowerShell Commands

  • Get-WSManCredSSP

  • Enable-WSManCredSSP

  • Disable-WSManCredSSP


Credssp group policy configuration
CredSSP Group Policy Configuration


Troubleshooting
Troubleshooting

  • Enable-PSWsmanCombinedTrace;

    • Get-WinEvent –Oldest $PSHome\Traces\pstrace.etl

  • Enable the Microsoft-Windows-WinRM/Operational event log

  • Read the error messages

  • Use Nmap to test ports (http://nmap.org)

    • nmap.exe –p5985,5986 server.domain.com

  • Use netstat –aon to ensure port is listening


Issues
Issues

  • Missing Service Principal Name (SPN) causes CredSSP connections to fail

  • Windows Firewall prevents communication (TCP 5985)

  • Windows Remote Management (WinRM) Listeners are empty in GPO configuration

  • SSL Certificate is expired or has mismatched DNS name in Subject Name field

  • Mismatching certificate thumbprints for WinRM“Service” and “Listener” configurations

    • Get-ChildItem -Path wsman:\localhost\Listeners\<HTTPSListener>;

    • Get-ChildItem –Path wsman:\localhost\service;

    • Remove-Item –Path HKLM:\Software\Microsoft\Windows\CurrentVersion\Wsman\Listener\*+HTTPS:certThumbprint

  • Restart PowerShell after Enable-WSManCredSSP -Role Client;

  • Incorrect permissions on $env:ProgramData\Microsoft\Crypto\RSA\MachineKeys prevents the WinRM service from reading the SSL certificate

  • Windows 2008: Missing Microsoft.PowerShell session configuration (use Enable-PSRemoting to resolve)

  • Use FQDN to connect to remote system with CredSSP or SSL

  • Certificate Revocation List (CRL) is outdated

    • Fix with: certutil.exe –CRL


Limitations
Limitations

  • Starting a remote session from within a remote session

  • Interactive command-line utilities don’t work well under remotingsessions

    • diskpart

    • nslookup

    • psexec

  • CredSSP is required to access network resources from a remote session


Built in variables
Built-in Variables

  • $PSSenderInfo – Use this automatic variable to explore the remote session configuration (authentication type, SSL, etc.)

  • $PSSessionOption – A preference variable that allows you to set the default remote session options



ad