PowerShell Remoting in the Enterprise: What you need to know.
Slides: 23
Speaker
9+ years of experience in Microsoft-based IT; Microsoft System Center 2012 R2; Windows PowerShell since 2007; started writing VBScript in 2005; worked in many enterprise environments with 10-70k+ systems.
Why use remoting?
• Fan-out management of Windows Server systems
• Desired State Configuration (DSC) in PowerShell v4
• PowerShell Workflow
• Interactive remote management (similar to SSH)
• Quicker than RDP
How does remoting work?
The client's PowerShell opens a PowerShell session to the server through Windows Remote Management (WinRM), over HTTP on TCP 5985 or HTTPS on TCP 5986; the WinRM service on the server hosts the remote PowerShell session.
Remoting Configuration
Enable-PSRemoting -Force; Set-WSManQuickConfig -UseSSL; or use Group Policy.
SSL requires a "Server Authentication" certificate.
Manual configuration process:
• Configure certificate template
• Configure GPO for autoenrollment
• Enable-PSRemoting
• Set-WSManQuickConfig
• Enable-WSManCredSSP
WinRM Service GPO Configuration
Don't leave listeners blank!
Windows PowerShell GPO Settings
Use either:
• Remote Signed
• Unrestricted
powershell.exe -ExecutionPolicy Bypass -File C:\path\to\script.ps1
WinRM Client Configuration
Authentication: Basic, Negotiate, Kerberos, Client certificate mapping, Credential Security Support Provider (CredSSP)
TrustedHosts
DefaultPorts
TrustedHosts is useful in multi-forest, multi-domain, or workgroup environments. The special alias "<local>" covers hostnames without dots (".").
WinRM Shell Configuration
Setting: Purpose
• MaxShellsPerUser: Limits the number of remote shells per authenticated user
• MaxConcurrentUsers: Limits the number of simultaneously connected users
• MaxShellRunTime: Limits the maximum time period that a session can exist
• MaxMemoryPerShellMB: The maximum memory that each remoting session can use
• MaxProcessesPerShell: The maximum number of child processes that a single remote shell can have
• IdleTimeout: The idle timeout for a shell (think RDP)
Set-Location -Path WSMan:\localhost\Shell; Get-ChildItem
Windows Remote Shell GPO Configuration
Windows Server 2012 default values (Setting: Value)
• Idle Timeout: 7200000 (ms)
• Max Concurrent Users: 10
• Max Shell Runtime: 2147483647 (ms)
• Max Processes Per Shell: 25
• Max Memory Per Shell: 1024 (MB)
• Max Shells Per User: 30
Quota Management for Remote Shells: http://msdn.microsoft.com/en-us/library/windows/desktop/ee309367(v=vs.85).aspx
PowerShell Remoting Cmdlets
Enter-PSSession, New-PSSession, Remove-PSSession, Connect-PSSession, Invoke-Command, New-PSSessionConfigurationFile
See about_Session_Configuration_Files and about_Session_Configurations.
CIM Cmdlets
Get-CimAssociatedInstance, Get-CimClass, Get-CimInstance, Get-CimSession, Invoke-CimMethod, New-CimInstance, New-CimSessionOption, Register-CimIndicationEvent, Remove-CimInstance, Remove-CimSession, Set-CimInstance
These replace the WMI cmdlets from PowerShell v2.
CIM Session Remoting Protocols
• DCOM/RPC: uses a dynamic port range; not "firewall friendly"; not standards-based
• WinRM: uses a common, single, static port; standards-based
Session Configurations
• Restrict the commands that can be executed in a remote session
• Restrict who can access the session configuration
• Default session configurations can be removed or modified
• Use Enable-PSRemoting to restore the original configurations (after deleting them)
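Both restrictions from this slide in one endpoint, as an added example that is not from the slides: a session configuration file that exposes four cmdlets with no language features, registered so that only one group (plus local Administrators) can connect. The group CONTOSO\HelpDesk, the endpoint name and the server name are hypothetical; run it elevated on the server.

```powershell
# Added example, not from the slides. Requires PowerShell 3.0+ (New-PSSessionConfigurationFile).
$cfgPath = Join-Path -Path $env:ProgramData -ChildPath 'HelpDesk.pssc'

# What a connecting user may run: RestrictedRemoteServer keeps only seven proxy commands
# (Get-Command, Get-FormatData, Select-Object, Get-Help, Measure-Object, Exit-PSSession,
# Out-Default) and NoLanguage removes script blocks, variables and operators, so the
# visible cmdlets below are the whole attack surface of the endpoint.
$cfg = @{
    Path            = $cfgPath
    SessionType     = 'RestrictedRemoteServer'
    LanguageMode    = 'NoLanguage'
    VisibleCmdlets  = 'Get-Service', 'Restart-Service', 'Get-Process', 'Get-EventLog'
    ExecutionPolicy = 'RemoteSigned'
}
New-PSSessionConfigurationFile @cfg
if (-not (Test-PSSessionConfigurationFile -Path $cfgPath)) { throw "Invalid file: $cfgPath" }

# Who may connect: an SDDL granting access to local Administrators (BA) and the group SID only.
# The default endpoints also grant Remote Management Users (RM); that is left out on purpose.
$sid = ([System.Security.Principal.NTAccount]'CONTOSO\HelpDesk').Translate(
           [System.Security.Principal.SecurityIdentifier]).Value
$sddl = "O:NSG:BAD:P(A;;GA;;;BA)(A;;GA;;;$sid)"

# -Force restarts the WinRM service without prompting
Register-PSSessionConfiguration -Name 'HelpDesk' -Path $cfgPath `
    -SecurityDescriptorSddl $sddl -Force | Out-Null

# Confirm the registration and its ACL
Get-PSSessionConfiguration -Name 'HelpDesk' | Select-Object -Property Name, Permission

# Client side (hypothetical server name): users must name the endpoint explicitly;
# the unrestricted Microsoft.PowerShell endpoint keeps its own, separate ACL.
#   Enter-PSSession -ComputerName server01.corp.example -ConfigurationName HelpDesk
# Roll back with: Unregister-PSSessionConfiguration -Name HelpDesk -Force
```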
Credential Security Support Provider (CredSSP)
Allows the double-hop scenario: Client01 → Server01 → Server02.
Three types of credentials (PowerShell uses one of them): Default credential, Saved credential, Fresh credential.
Can be configured via GPO.
CredSSP PowerShell commands:
• Get-WSManCredSSP
• Enable-WSManCredSSP
• Disable-WSManCredSSP
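The Client01 → Server01 → Server02 hop from this slide, and the "CredSSP is required to access network resources" limitation later in the deck, as an added example that is not from the slides. Hostnames, the CORP domain and the \\server02 share are hypothetical; FQDNs are used because CredSSP needs the name the SPN was registered for.

```powershell
# Added example, not from the slides. Enable-WSManCredSSP configures the "fresh credentials"
# delegation type, the one PowerShell uses.

# --- On Client01 (elevated): delegate fresh credentials to Server01 only. CredSSP hands the
# full credential to the target, so this list is the only control over where it can end up;
# keep it to named hosts rather than a wildcard.
Enable-WSManCredSSP -Role Client -DelegateComputer 'server01.corp.example' -Force
# Restart PowerShell afterwards (see "Issues"), then confirm the client-side setting:
Get-WSManCredSSP

# --- On Server01 (elevated): accept delegated credentials.
Enable-WSManCredSSP -Role Server -Force

# --- On Client01: the second hop (Server01 -> \\server02) only works with CredSSP.
$cred = Get-Credential -Message 'Account that can read the share on Server02'
$hop = @{
    ComputerName   = 'server01.corp.example'
    Authentication = 'CredSSP'
    Credential     = $cred
}
Invoke-Command @hop -ScriptBlock {
    # With the default Kerberos/Negotiate session this same line returns "Access is denied":
    # Server01 holds no credential it can forward to Server02.
    Get-ChildItem -Path '\\server02.corp.example\share'
}

# When the task is done, close the delegation path on both ends.
Disable-WSManCredSSP -Role Client   # on Client01
Disable-WSManCredSSP -Role Server   # on Server01
```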
CredSSP Group Policy Configuration
Troubleshooting
• Enable-PSWSManCombinedTrace; Get-WinEvent -Path $PSHome\Traces\pstrace.etl -Oldest
• Enable the Microsoft-Windows-WinRM/Operational event log
• Read the error messages
• Use Nmap to test ports (http://nmap.org): nmap.exe -p 5985,5986 server.domain.com
• Use netstat -aon to ensure the port is listening
Issues
• Missing Service Principal Name (SPN) causes CredSSP connections to fail
• Windows Firewall prevents communication (TCP 5985)
• Windows Remote Management (WinRM) listeners are empty in the GPO configuration
• SSL certificate is expired or has a mismatched DNS name in the Subject Name field
• Mismatching certificate thumbprints for the WinRM "Service" and "Listener" configurations:
  Get-ChildItem -Path WSMan:\localhost\Listener\<HTTPS listener>; Get-ChildItem -Path WSMan:\localhost\Service; Remove-ItemProperty -LiteralPath 'HKLM:\Software\Microsoft\Windows\CurrentVersion\WSMAN\Listener\*+HTTPS' -Name certThumbprint
• Restart PowerShell after Enable-WSManCredSSP -Role Client
• Incorrect permissions on $env:ProgramData\Microsoft\Crypto\RSA\MachineKeys prevent the WinRM service from reading the SSL certificate
• Windows 2008: missing Microsoft.PowerShell session configuration (use Enable-PSRemoting to resolve)
• Use the FQDN to connect to a remote system with CredSSP or SSL
• Certificate Revocation List (CRL) is outdated; fix with: certutil.exe -CRL
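A server-side check for the listener, certificate, MachineKeys, port and SPN problems in the list above, as an added example that is not from the slides. It assumes an elevated session on the server and that $fqdn is the name clients connect with.

```powershell
# Added example, not from the slides. Each finding maps to one bullet on the "Issues" slide.
$fqdn   = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$issues = New-Object System.Collections.Generic.List[string]

# 1. HTTPS listener present, and its thumbprint agrees with the Service-level one (if set)
$https = Get-ChildItem -Path WSMan:\localhost\Listener |
    Where-Object { $_.Keys -contains 'Transport=HTTPS' } | Select-Object -First 1
if (-not $https) {
    $issues.Add('No HTTPS listener: check the WinRM Service GPO, listeners must not be blank')
} else {
    $listenerTp = (Get-Item -Path "WSMan:\localhost\Listener\$($https.Name)\CertificateThumbprint").Value
    $serviceTp  = (Get-Item -Path WSMan:\localhost\Service\CertificateThumbprint).Value
    if ($serviceTp -and $serviceTp -ne $listenerTp) {
        $issues.Add("Thumbprint mismatch: Listener=$listenerTp Service=$serviceTp")
    }
    # 2. Certificate still valid and issued for the name clients actually use
    $cert = Get-Item -Path "Cert:\LocalMachine\My\$listenerTp" -ErrorAction SilentlyContinue
    if (-not $cert) {
        $issues.Add("Listener certificate $listenerTp is not in Cert:\LocalMachine\My")
    } else {
        if ($cert.NotAfter -lt (Get-Date)) { $issues.Add("Certificate expired on $($cert.NotAfter)") }
        if ($cert.Subject -notlike "CN=$fqdn*" -and $cert.DnsNameList.Unicode -notcontains $fqdn) {
            $issues.Add("Certificate subject/SAN does not contain $fqdn")
        }
        # 3. WinRM runs as NETWORK SERVICE and must be able to read the private key file
        if ($cert.PrivateKey) {
            $keyFile = Join-Path -Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" `
                -ChildPath $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
            $canRead = (Get-Acl -Path $keyFile).Access | Where-Object {
                $_.IdentityReference -eq 'NT AUTHORITY\NETWORK SERVICE' -and
                $_.AccessControlType -eq 'Allow' -and $_.FileSystemRights -match 'Read|FullControl'
            }
            if (-not $canRead) { $issues.Add("NETWORK SERVICE cannot read $keyFile") }
        }
    }
}
# 4. Something is listening on both WinRM ports (the slide's netstat check, automated)
foreach ($port in 5985, 5986) {
    if (-not (netstat -aon | Select-String -Pattern ":$port\s+\S+\s+LISTENING")) {
        $issues.Add("Nothing listening on TCP $port (listener missing or firewall-only problem)")
    }
}
# 5. WSMAN SPN registered for the FQDN; CredSSP connections fail without it
if (-not (setspn -L $env:COMPUTERNAME | Select-String -SimpleMatch "WSMAN/$fqdn")) {
    $issues.Add("SPN WSMAN/$fqdn is missing")
}
if ($issues.Count) { $issues } else { 'No WinRM HTTPS issues found' }
```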
Limitations
• Starting a remote session from within a remote session
• Interactive command-line utilities don't work well under remoting sessions: diskpart, nslookup, psexec
• CredSSP is required to access network resources from a remote session
Built-in Variables
• $PSSenderInfo: use this automatic variable to explore the remote session configuration (authentication type, SSL, etc.)
• $PSSessionOption: a preference variable that lets you set the default remote session options
Trevor.Sullivan@projectleadership.net