PowerShell Remoting in the Enterprise What you need to know.
Speaker (Trevor Sullivan)
• Nearly 10 years of experience with the Microsoft platform
• Microsoft System Center
• Windows PowerShell since 2007
• Started writing VBScript in 2005
pcgeek86@gmail.com
tsullivan@projectleadership.net
http://trevorsullivan.net
http://projectleadership.net
Why use remoting?
• Fan-out management of Windows Server systems
• Desired State Configuration (DSC) in PowerShell v4
• PowerShell Workflow
• Interactive remote management (similar to SSH)
• Quicker than RDP
How does remoting work?
[Diagram: on both Client and Server, a PowerShell session sits on top of Windows Remote Management (WinRM), which runs on Windows. The two WinRM services talk over HTTP on TCP 5985 or HTTPS on TCP 5986.]
Remoting Configuration
Manual configuration process:
• Enable-PSRemoting -Force;
• Set-WSManQuickConfig -UseSSL;
• Use Group Policy
SSL requires a “Server Authentication” certificate.
WinRM Service GPO Configuration
Don’t leave listeners blank!
Windows PowerShell GPO Settings
• Use either:
  • Remote Signed
  • Unrestricted
Note that the policy can be overridden per invocation from the command line:
powershell.exe -ExecutionPolicy Bypass -File c:\path\to\script.ps1
WinRM Shell Configuration
Set-Location -Path wsman:\localhost\shell; Get-ChildItem;
Windows Remote Shell GPO Configuration
Windows Server 2012 default values
Quota Management for Remote Shells: http://msdn.microsoft.com/en-us/library/windows/desktop/ee309367(v=vs.85).aspx
WinRM Client Configuration
• Authentication
  • Basic
  • Negotiate
  • Kerberos
  • Client certificate mapping
  • Credential Security Support Provider (CredSSP)
• TrustedHosts
• DefaultPorts
TrustedHosts is useful in multi-forest, multi-domain, or workgroup environments. The special alias “<local>” matches hostnames without dots (“.”).
Example TrustedHosts entries: contoso.com, client01, fabrikam.com
PowerShell Remoting Cmdlets
• Enter-PSSession
• New-PSSession
• Remove-PSSession
• Connect-PSSession
• Invoke-Command
• New-PSSessionConfigurationFile
• about_Session_Configuration_Files
• about_Session_Configurations
CIM Cmdlets
Replace the WMI cmdlets from PowerShell v2.
• Get-CimAssociatedInstance
• Get-CimClass
• Get-CimInstance
• Get-CimSession
• Invoke-CimMethod
• New-CimInstance
• New-CimSession
• New-CimSessionOption
• Register-CimIndicationEvent
• Remove-CimInstance
• Remove-CimSession
• Set-CimInstance
Session Configurations
• Restrict the commands that can be executed in a remote session
• Restrict who can access the session configuration
• Default session configurations can be removed or modified
• Use Enable-PSRemoting to restore the original configurations (after deleting them)
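As an added example (not from the deck), the following builds a least-privilege session configuration that exposes only two cmdlets and grants access to a single AD group. The group CONTOSO\ServiceOperators, the server name server01 and the configuration name ServiceOps are assumptions; run it elevated on the server.

```powershell
# Added example, not the presenter's code. Assumed names: CONTOSO\ServiceOperators,
# server01, ServiceOps.

# 1. Describe the endpoint in a .pssc file. RestrictedRemoteServer yields a minimal
#    session (NoLanguage mode, only a few proxy commands such as Get-Command and
#    Select-Object); VisibleCmdlets whitelists what the user may call on top of that.
$pssc = Join-Path $env:TEMP 'ServiceOps.pssc'
New-PSSessionConfigurationFile -Path $pssc `
    -SessionType RestrictedRemoteServer `
    -VisibleCmdlets 'Get-Service', 'Restart-Service' `
    -Description 'Least-privilege endpoint for service operators'

# 2. Restrict who can connect. The SDDL grants full control to local Administrators
#    and Execute/Invoke (GX) to the operators group; the group's SID is resolved at
#    run time so no SID is hard-coded here. Registering restarts the WinRM service.
$account  = New-Object System.Security.Principal.NTAccount('CONTOSO', 'ServiceOperators')
$groupSid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
$sddl     = "O:NSG:BAD:P(A;;GA;;;BA)(A;;GX;;;$groupSid)"
Register-PSSessionConfiguration -Name 'ServiceOps' -Path $pssc `
    -SecurityDescriptorSddl $sddl -Force

# 3. Verify the permissions and, from a client, the visible command surface.
Get-PSSessionConfiguration -Name 'ServiceOps' | Format-List Name, Permission
Invoke-Command -ComputerName 'server01' -ConfigurationName 'ServiceOps' `
    -ScriptBlock { Get-Command } | Select-Object Name

# Anything outside the whitelist is rejected by the endpoint, e.g. this fails:
# Invoke-Command -ComputerName server01 -ConfigurationName ServiceOps -ScriptBlock { Stop-Service Spooler }
```

Clients opt into the endpoint with Enter-PSSession or Invoke-Command -ConfigurationName ServiceOps; the default Microsoft.PowerShell endpoint keeps its own (broader) permissions unless you change them too.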
Credential Security Support Provider (CredSSP)
[Diagram: Client01 connects to Server01, which in turn connects to Server02 (the double hop).]
• Allows the double-hop scenario
• Three types of credentials; PowerShell uses one:
  • Default credential
  • Saved credential
  • Fresh credential
• Can be configured via GPO
CredSSP PowerShell commands:
• Get-WSManCredSSP
• Enable-WSManCredSSP
• Disable-WSManCredSSP
Troubleshooting
• Read the error messages!
• Enable-PSWSManCombinedTrace;
• Get-WinEvent -Oldest -Path $PSHome\Traces\pstrace.etl;
• Enable the Microsoft-Windows-WinRM/Operational event log
• Use Nmap to test ports (http://nmap.org)
  • nmap.exe -p5985,5986 server.domain.com
• Use netstat -aon to ensure the port is listening
Issues
• Missing Service Principal Name (SPN) causes CredSSP connections to fail
• Windows Firewall prevents communication (TCP 5985)
• Windows Remote Management (WinRM) listeners are empty in the GPO configuration
• SSL certificate is expired or has a mismatched DNS name in the Subject Name field
• Mismatching certificate thumbprints between the WinRM “Service” and “Listener” configurations
  • Get-ChildItem -Path wsman:\localhost\Listener\<HTTPSListener>;
  • Get-ChildItem -Path wsman:\localhost\service;
  • Remove-Item -Path HKLM:\Software\Microsoft\Windows\CurrentVersion\Wsman\Listener\*+HTTPS:certThumbprint
• Restart PowerShell after Enable-WSManCredSSP -Role Client;
• Incorrect permissions on $env:ProgramData\Microsoft\Crypto\RSA\MachineKeys prevent the WinRM service (NETWORK SERVICE account) from reading the SSL certificate
• Windows 2008: missing Microsoft.PowerShell session configuration (use Enable-PSRemoting to resolve)
• Use the FQDN to connect to a remote system with CredSSP or SSL
• Certificate Revocation List (CRL) is outdated
  • Fix with: certutil.exe -CRL
Limitations
• Starting a remote session from within a remote session
• Interactive command-line utilities don’t work well under remoting sessions
  • diskpart
  • nslookup
  • psexec
• CredSSP is required to access network resources from a remote session
  • Also known as “double hop” authentication
Contact Information
@pcgeek86
pcgeek86@gmail.com
http://trevorsullivan.net
http://projectleadership.net