PowerShell Remoting in the Enterprise: What you need to know.
Speaker
• 9+ years experience in Microsoft-based IT
• Microsoft System Center 2012 R2
• Windows PowerShell since 2007
• Started writing VBScript in 2005
• Worked in many enterprise environments with 10-70k+ systems

Why use remoting?
• Fan-out management of Windows Server systems
• Desired State Configuration (DSC) in PowerShell v4
• PowerShell Workflow
• Interactive remote management (similar to SSH)
• Quicker than RDP

How does remoting work?
(Diagram) Client side: Windows PowerShell opens a PowerShell session through Windows Remote Management (WinRM). Transport: HTTP on TCP 5985 or HTTPS on TCP 5986. Server side: WinRM hands the session to Windows PowerShell.

Remoting Configuration
• Enable-PSRemoting -Force; Set-WSManQuickConfig -UseSSL;
• Use Group Policy
• SSL requires a "Server Authentication" certificate
Manual Configuration Process
• Configure certificate template
• Configure GPO for autoenrollment
• Enable-PSRemoting
• Set-WSManQuickConfig
• Enable-WSManCredSSP
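The manual process above, carried out with the WSMan provider instead of Set-WSManQuickConfig so that the certificate choice and the listener binding are explicit and verified. This is an added example, not code from the deck; it assumes the certificate template and autoenrollment GPO are already in place and that it runs elevated on the server being configured.

```powershell
# Added example (not from the deck): bind the WinRM HTTPS listener to an
# autoenrolled Server Authentication certificate and verify the binding.
# Run elevated on the server; the certificate template/GPO steps are assumed done.
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

# Pick a usable machine certificate: private key present, not expired, subject is
# this host, and it carries the Server Authentication EKU (OID 1.3.6.1.5.5.7.3.1).
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
        $_.Subject -like "CN=$fqdn*" -and
        ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq '1.3.6.1.5.5.7.3.1' })
    } | Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No valid Server Authentication certificate for $fqdn in Cert:\LocalMachine\My" }

# HTTP listener, the TCP 5985 firewall rule and the default session configurations
Enable-PSRemoting -Force

# HTTPS listener bound to the chosen certificate
New-Item -Path WSMan:\localhost\Listener -Address * -Transport HTTPS `
    -HostName $fqdn -CertificateThumbPrint $cert.Thumbprint -Force | Out-Null
# Enable-PSRemoting only opens 5985; open 5986 (domain profile is an assumed scope)
New-NetFirewallRule -DisplayName 'WinRM HTTPS (TCP 5986)' -Direction Inbound `
    -Protocol TCP -LocalPort 5986 -Action Allow -Profile Domain | Out-Null

# Verify: the listener must carry the thumbprint we selected, then handshake over SSL
$https = Get-ChildItem -Path WSMan:\localhost\Listener |
    Where-Object { $_.Keys -contains 'Transport=HTTPS' } | Select-Object -First 1
$bound = (Get-Item -Path "WSMan:\localhost\Listener\$($https.Name)\CertificateThumbprint").Value
if (($bound -replace ' ', '') -ne $cert.Thumbprint) {
    throw "Listener is bound to $bound, expected $($cert.Thumbprint)"
}
Test-WSMan -ComputerName $fqdn -UseSSL -Port 5986
```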

WinRM Service GPO Configuration (screenshot slide)
Don't leave listeners blank!

Windows PowerShell GPO Settings
Use either:
• RemoteSigned
• Unrestricted
powershell.exe -ExecutionPolicy Bypass -File c:\path\to\script.ps1

WinRM Client Configuration
Authentication:
• Basic
• Negotiate
• Kerberos
• Client certificate mapping
• Credential Security Support Provider (CredSSP)
TrustedHosts
DefaultPorts
TrustedHosts is useful in multi-forest, multi-domain, or workgroup environments. Special alias "<local>" for hostnames without dots ".".

WinRM Client Configuration (screenshot slide)

WinRM Shell Configuration
Setting: Purpose
• MaxShellsPerUser: Limits the number of remote shells per authenticated user
• MaxConcurrentUsers: Limits the number of simultaneously connected users
• MaxShellRunTime: Limits the maximum time period that a session can exist
• MaxMemoryPerShellMB: The maximum memory that each remoting session can use
• MaxProcessesPerShell: The maximum number of child processes that a single remote shell can have
• IdleTimeout: The idle timeout for a shell (think RDP)
Set-Location -Path wsman:\localhost\shell; Get-ChildItem;

Windows Remote Shell GPO Configuration
Windows Server 2012 Default Values
Setting: Value
• Idle Timeout: 7200000
• Max Concurrent Users: 10
• Max Shell Runtime: 2147483647
• Max Processes Per Shell: 25
• Max Memory Per Shell: 1024 (MB)
• Max Shells Per User: 30
Quota Management for Remote Shells: http://msdn.microsoft.com/en-us/library/windows/desktop/ee309367(v=vs.85).aspx
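The two quota slides above, turned into an audit: read each Shell setting, compare it with the Server 2012 defaults the deck lists, and see whether GPO or local configuration is the source before changing anything. Added example, not from the deck; the tightened target values are assumptions for illustration.

```powershell
# Added example (not from the deck): audit the local WinRM shell quotas against the
# Windows Server 2012 defaults above and tighten a few of them. The target values
# are assumptions for a shared management host, not recommendations from the deck.
$defaults = [ordered]@{
    IdleTimeout          = 7200000      # ms (2 hours)
    MaxConcurrentUsers   = 10
    MaxShellRunTime      = 2147483647   # ms (effectively unlimited)
    MaxProcessesPerShell = 25
    MaxMemoryPerShellMB  = 1024
    MaxShellsPerUser     = 30
}

function Get-ShellQuotaReport {
    # One row per setting: current value, the default, and whether GPO is enforcing it
    foreach ($name in $defaults.Keys) {
        $item   = Get-Item -Path "WSMan:\localhost\Shell\$name"
        $source = if ($item.SourceOfValue) { $item.SourceOfValue } else { 'Local' }
        [pscustomobject]@{
            Setting = $name
            Current = [int64]$item.Value
            Default = $defaults[$name]
            Drift   = ([int64]$item.Value -ne $defaults[$name])
            Source  = $source
        }
    }
}
Get-ShellQuotaReport | Format-Table -AutoSize

# Tighten locally; a value enforced by GPO cannot be changed here, so skip it
$targets = @{ MaxShellsPerUser = 5; MaxProcessesPerShell = 15; IdleTimeout = 1800000 }   # assumed
foreach ($name in $targets.Keys) {
    if ((Get-Item -Path "WSMan:\localhost\Shell\$name").SourceOfValue -eq 'GPO') {
        Write-Warning "$name is enforced by GPO; change it in the policy instead"
        continue
    }
    Set-Item -Path "WSMan:\localhost\Shell\$name" -Value $targets[$name]
}

# Since PowerShell v3 each endpoint also carries its own quotas, which override the
# global Shell values for sessions on that endpoint; review them as well
Get-ChildItem -Path WSMan:\localhost\Plugin\microsoft.powershell\Quotas | Select-Object Name, Value
```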

PowerShell Remoting Cmdlets
• Enter-PSSession
• New-PSSession
• Remove-PSSession
• Connect-PSSession
• Invoke-Command
• New-PSSessionConfigurationFile
• about_Session_Configuration_Files
• about_Session_Configurations

CIM Cmdlets
• Get-CimAssociatedInstance
• Get-CimClass
• Get-CimInstance
• Get-CimSession
• Invoke-CimMethod
• New-CimInstance
• New-CimSessionOption
• Register-CimIndicationEvent
• Remove-CimInstance
• Remove-CimSession
• Set-CimInstance
Replace the WMI cmdlets in PowerShell v2.

CIM Session Remoting Protocols
DCOM/RPC
• Uses a dynamic port range
• Not "firewall friendly"
• Is not standards-based
WinRM
• Uses a common, single, static port
• Is standards-based

Session Configurations
• Restrict the commands that can be executed in a remote session
• Restrict who can access the session configuration
• Default session configurations can be removed or modified
• Use Enable-PSRemoting to restore original configurations (after deleting)
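Both restrictions on the slide (which commands, and who may connect) in one endpoint, built with New-PSSessionConfigurationFile and registered with an SDDL. Added example, not from the deck; the group name, endpoint name, target host and cmdlet list are assumptions.

```powershell
# Added example (not from the deck): register a restricted endpoint that exposes only
# a few service/process cmdlets to one group, with no PowerShell language available.
# The group name, endpoint name, target host and cmdlet list are assumptions.
$pssc = Join-Path $env:TEMP 'Helpdesk.pssc'
$fileParams = @{
    Path            = $pssc
    SessionType     = 'RestrictedRemoteServer'   # NoLanguage mode plus a minimal command set
    VisibleCmdlets  = 'Get-Service', 'Restart-Service', 'Get-Process'
    ExecutionPolicy = 'Restricted'
    Description     = 'Helpdesk: query services and processes, restart services'
}
New-PSSessionConfigurationFile @fileParams
Test-PSSessionConfigurationFile -Path $pssc      # $true when the file parses correctly

# Only DOMAIN\Helpdesk (and local Administrators) may connect; everyone else is
# rejected at the WinRM layer before any command runs.
$group = New-Object System.Security.Principal.NTAccount('DOMAIN\Helpdesk')
$sid   = $group.Translate([System.Security.Principal.SecurityIdentifier]).Value
$sddl  = "O:NSG:BAD:P(A;;GA;;;BA)(A;;GA;;;$sid)"
Register-PSSessionConfiguration -Name 'Helpdesk' -Path $pssc -SecurityDescriptorSddl $sddl -Force

# Review what was registered, then connect to the named endpoint
Get-PSSessionConfiguration -Name 'Helpdesk' | Format-List Name, Permission
Invoke-Command -ComputerName 'server01.domain.com' -ConfigurationName 'Helpdesk' `
    -ScriptBlock { Get-Service -Name Spooler }
# A call such as -ScriptBlock { Stop-Computer } fails here: the cmdlet is not visible.
# Unregister-PSSessionConfiguration -Name 'Helpdesk' removes the endpoint again.
```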

Credential Security Support Provider (CredSSP)
• Allows double-hop scenario
• Three types of credentials; PowerShell uses one:
  • Default credential
  • Saved credential
  • Fresh credential
(Diagram) Client01 connects to Server01, which then connects on to Server02.
• Can be configured via GPO
CredSSP PowerShell Commands
• Get-WSManCredSSP
• Enable-WSManCredSSP
• Disable-WSManCredSSP
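The three cmdlets above applied to the diagram's double hop, with delegation limited to the single host that needs it. Added example, not from the deck; the host names are the diagram labels with an assumed domain suffix and the share name is assumed.

```powershell
# Added example (not from the deck): scope CredSSP to the one hop that needs it,
# show what the cmdlets changed, and run the double hop. Hosts are the diagram's
# labels with an assumed domain suffix; FQDNs are used, as the deck advises.
$hop1 = 'server01.domain.com'                    # Server01, where the credential is reused
$hop2 = 'server02.domain.com'                    # Server02, reached from Server01

# Client01: allow delegating fresh credentials to Server01 only (not "*" or "*.domain.com").
# Restart PowerShell afterwards, as the deck notes.
Enable-WSManCredSSP -Role Client -DelegateComputer $hop1 -Force | Out-Null
# Server01: accept delegated credentials.
Invoke-Command -ComputerName $hop1 -ScriptBlock { Enable-WSManCredSSP -Role Server -Force | Out-Null }

# What the client side now allows: the WSMan client auth flag plus the
# "Allow delegating fresh credentials" entries (WSMAN/<host>) that a GPO would otherwise own.
Get-WSManCredSSP
Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentials' |
    Select-Object -Property * -ExcludeProperty PS*

# Double hop: Client01 -> Server01 -> \\Server02\share. Server01 receives a reusable copy of
# the credential, which is why the delegation list above is kept to that single host.
$cred = Get-Credential -Message 'Domain account for the remoting session'
Invoke-Command -ComputerName $hop1 -Authentication CredSSP -Credential $cred -ScriptBlock {
    Get-ChildItem -Path "\\$using:hop2\share"
}
# When the task is done, withdraw the delegation again:
# Disable-WSManCredSSP -Role Client
```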

CredSSP Group Policy Configuration (screenshot slide)

Troubleshooting
• Enable-PSWSManCombinedTrace; Get-WinEvent -Path $PSHome\Traces\PSTrace.etl -Oldest
• Enable the Microsoft-Windows-WinRM/Operational event log
• Read the error messages
• Use Nmap to test ports (http://nmap.org): nmap.exe -p 5985,5986 server.domain.com
• Use netstat -aon to ensure the port is listening

Issues
• Missing Service Principal Name (SPN) causes CredSSP connections to fail
• Windows Firewall prevents communication (TCP 5985)
• Windows Remote Management (WinRM) listeners are empty in the GPO configuration
• SSL certificate is expired or has a mismatched DNS name in the Subject Name field
• Mismatching certificate thumbprints for the WinRM "Service" and "Listener" configurations:
  Get-ChildItem -Path wsman:\localhost\Listener\<HTTPSListener>; Get-ChildItem -Path wsman:\localhost\Service; Remove-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Listener\*+HTTPS' -Name certThumbprint
• Restart PowerShell after Enable-WSManCredSSP -Role Client
• Incorrect permissions on $env:ProgramData\Microsoft\Crypto\RSA\MachineKeys prevent the WinRM service from reading the SSL certificate
• Windows 2008: missing Microsoft.PowerShell session configuration (use Enable-PSRemoting to resolve)
• Use the FQDN to connect to a remote system with CredSSP or SSL
• Certificate Revocation List (CRL) is outdated; fix with certutil.exe -CRL
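The troubleshooting steps and the issue list above as one read-only check that runs on the remoting target and reports each finding. Added example, not from the deck; it assumes an elevated session on a Server 2012 or later host, and the MachineKeys ACL test is an approximation.

```powershell
# Added example (not from the deck): read-only health check for the troubleshooting
# steps and common issues listed above. Run elevated on the remoting target; nothing
# is changed, each finding is returned as a string. The MachineKeys ACL test is an
# approximation (WinRM runs as NETWORK SERVICE and needs read access to the key file).
function Test-WinRmHealth {
    $findings = @()
    if ((Get-Service -Name WinRM).Status -ne 'Running') { $findings += 'WinRM service is not running' }
    $listeners = @(Get-ChildItem -Path WSMan:\localhost\Listener)
    if ($listeners.Count -eq 0) { $findings += 'No WinRM listeners defined (blank listener setting in GPO?)' }
    # Ports really listening (what netstat -aon would show)
    foreach ($port in 5985, 5986) {
        if (-not (Get-NetTCPConnection -LocalPort $port -State Listen -ErrorAction SilentlyContinue)) {
            $findings += "TCP $port is not listening"
        }
    }
    # A WSMAN/ SPN must exist on the computer account or CredSSP and Kerberos fail
    if (-not ((setspn.exe -L $env:COMPUTERNAME) -match '^\s*WSMAN/')) { $findings += 'No WSMAN/ SPN registered' }
    # HTTPS listener: certificate present, unexpired, right name, same thumbprint as the service
    $https = $listeners | Where-Object { $_.Keys -contains 'Transport=HTTPS' } | Select-Object -First 1
    if ($https) {
        $thumb = (Get-Item -Path "WSMan:\localhost\Listener\$($https.Name)\CertificateThumbprint").Value -replace ' ', ''
        $cert  = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object Thumbprint -eq $thumb
        $fqdn  = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
        if (-not $cert) { $findings += "Listener certificate $thumb not in Cert:\LocalMachine\My" }
        elseif ($cert.NotAfter -lt (Get-Date)) { $findings += "Listener certificate expired on $($cert.NotAfter)" }
        elseif ($cert.Subject -notlike "CN=$fqdn*") { $findings += "Certificate subject '$($cert.Subject)' is not $fqdn" }
        $svc = (Get-Item -Path WSMan:\localhost\Service\CertificateThumbprint).Value -replace ' ', ''
        if ($svc -and $svc -ne $thumb) { $findings += 'Service CertificateThumbprint differs from the listener' }
        $acl = Get-Acl -Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys"
        if (-not ($acl.Access | Where-Object { $_.IdentityReference -match 'NETWORK SERVICE|Everyone' })) {
            $findings += 'MachineKeys has no ACE for NETWORK SERVICE or Everyone; WinRM cannot read the key'
        }
    }
    # Missing default endpoint (seen on 2008); Enable-PSRemoting recreates it
    if (-not (Get-PSSessionConfiguration -Name Microsoft.PowerShell -ErrorAction SilentlyContinue)) {
        $findings += 'Microsoft.PowerShell session configuration is missing'
    }
    # Latest errors from the operational log (enable the log first if it is off)
    $evt = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-WinRM/Operational'; Level = 2 } `
        -MaxEvents 5 -ErrorAction SilentlyContinue
    foreach ($e in $evt) { $findings += "WinRM event $($e.Id): $(($e.Message -split "`n")[0])" }
    return $findings
}
Test-WinRmHealth | ForEach-Object { Write-Warning $_ }
```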

Limitations
• Starting a remote session from within a remote session
• Interactive command-line utilities don't work well under remoting sessions: diskpart, nslookup, psexec
• CredSSP is required to access network resources from a remote session

Built-in Variables
• $PSSenderInfo: Use this automatic variable to explore the remote session configuration (authentication type, SSL, etc.)
• $PSSessionOption: A preference variable that allows you to set the default remote session options
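Both variables in use: $PSSessionOption set once on the client, and $PSSenderInfo read on the server to report who connected and with which authentication type. Added example, not from the deck; the host name is assumed.

```powershell
# Added example (not from the deck): set session-wide defaults through $PSSessionOption,
# then ask the remote side, via $PSSenderInfo, who connected and how. Host name assumed.
$PSSessionOption = New-PSSessionOption -OpenTimeout 30000 -IdleTimeout 1800000 `
    -MaximumReceivedObjectSize 50MB `
    -SkipCACheck:$false -SkipCNCheck:$false -SkipRevocationCheck:$false   # keep SSL validation on

Invoke-Command -ComputerName 'server01.domain.com' -UseSSL -ScriptBlock {
    # Runs on the server; $PSSenderInfo describes the caller, not the local account
    [pscustomobject]@{
        Caller      = $PSSenderInfo.UserInfo.Identity.Name
        AuthType    = $PSSenderInfo.UserInfo.Identity.AuthenticationType   # Kerberos, Negotiate, CredSSP, ...
        ConnectedTo = $PSSenderInfo.ConnectionString                       # the URL the client used
        Endpoint    = $PSSenderInfo.ConfigurationName
        RunningAs   = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    }
}
```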

Trevor.Sullivan@projectleadership.net